21 Feb 2017

feedWordPress Planet

WPTavern: Solving the Mystery of How People Actually Use WordPress

I'm in favor of WordPress collecting more anonymized usage data that could help make informed decisions on changes or improvements to core, such as tracking changes to the WordPress user interface, which buttons or settings are used most often, etc.

A good example of when this data could have come in handy is the recent removal of the justify and underline buttons from the editor in WordPress 4.7. During the discussion on whether they should be removed or not, a number of people questioned if there was any user data available that would indicate how much they're used and help gauge the impact of removing them.

The only data available to help make an informed decision was provided by Mel Choyce. Choyce shared statistics from WordPress.com and its variety of editor interfaces that indicated Bold, Italic, and Links are used the most while Lists and Blockquotes are the second most used buttons.

The Center and Left alignment buttons are used often, but the data doesn't determine if people are using them to align text or images. Information on which headings are used most was not available. The team did not have any usage data specific to the WordPress core editor.

In the ticket, Andrew Ozz, who maintains the TinyMCE component, chimed in and agreed that good user data is needed.

In an effort to obtain usage data before removing the buttons, Ozz created a small plugin to perform testing with five existing and first-time users. Interestingly, he discovered that both types of users clicked on the kitchen sink button to display the second row of buttons and didn't click the button to hide them again.

Ozz also shared other results from his limited testing.

I know these test results are extremely limited and cannot be used when making a decision, but they are an indication of what 'real' testing may reveal. In this case it shows that moving buttons to the bottom row will have no effect on the usage of these buttons as they will still be visible at all times.

This super limited testing also indicated another (much bigger) problem: somebody mentioned this some time ago (think it was @mor10), around 20% of the WordPress users don't even know there is a second editor toolbar, and some feel 'pretty stupid' after discovering it. I think this is bad UX and something that can be fixed easily by having the second toolbar open by default, and fixing it is more important and will improve the UX for these 20% of users a lot.

Imagine how useful it would be for core developers or others if there was usage data like this on a grander scale that could fuel rapid improvements and help discover and eliminate pain points.

Matt Mullenweg, co-creator of the WordPress project, has closed the ticket with the Telemetry Proposal as it's not within the three project focus areas for 2017.

"There is no part of current or potential WP development that is being held back by the lack of this existing, as there are easy and current ways to answer questions with data to the extent it would inform our decisions," Mullenweg said.

Morten Rand-Hendriksen responded to the closure saying that the quantitative user testing falls squarely within the Customizer focus area.

"I would argue since the release of the Customizer some years back, it has gone through a multi-year large-scale quantitative user test with incremental tweaks and improvements," Rand-Hendriksen said.

"This is in line with standard agile development. At this juncture, the Customizer can be considered mature, and moving a mature solution forward requires hard data on usage, use cases, and user needs. This goes beyond standard user testing to large-scale data collection, which is what this ticket aims at addressing."

Perspective From a WordPress Release Lead

There are WordPress core developers who have shown interest in a similar system. At the start of the WordPress 4.7 development cycle, Drew Jaynes, who led the WordPress 4.2 release cycle, expressed interest in creating an opt-in data collection system.

The idea received positive feedback that included people offering to help. I asked Jaynes what his thoughts are on such a system and how it could benefit core development.

"There's some discussion about what form that collection should take initially, but I think there's consensus that it should be opt-in, and take one of two forms (or a hybrid of the two): active (surveys in the admin) or passive (anonymized usage) data collection," Jaynes said.

"Either way, I think having this data available would benefit the entire community, regardless of the obvious practicable application within core development.

"All of that data can and should be used to inform decision-making in WordPress going forward. The core team really needs to hit the reset button on the concept of the 80/20 rule, including what and whom it represents.

"We should be building modern WordPress for the modern WordPress user, and resting on Matt's instincts coupled with the core team's experience is no longer enough to maintain positive forward momentum."

Jaynes cites the editor as an example of where having the data would be helpful and that without it, pursuing an idealized 'modern editor' in WordPress is premature. The data could also help provide insight into improving the new user experience.

"A common complaint is that the WordPress admin can be really overwhelming to new users," Jaynes said. "Having real data about how frequently the various core screens are used could really inform decisions about maybe paring it down, or hiding some things over time that are used less and less."

While collecting data could help with making informed decisions, he doesn't think it should stop the core team from experimentation.

"I think having real, citable data could really reduce the amount of backlash we've seen with a few releases in the last couple of years," Jaynes said. "Areas where core team decisions left some group of users feeling jilted."

"It's worth mentioning that there's absolutely value in allowing the core team to experiment, as long as we're careful not to latch onto something that got merged as the only way we'll ever need to solve that problem; that's where we get into trouble."

Who Are The 80/20 Users of WordPress?

The most striking statement in Rand-Hendriksen's proposal is that WordPress development is occurring without having any idea who the 80% or 20% of users are.

"During the development of WordPress 4.7, I was involved in several conversations centered around assumed use of features," Rand-Hendriksen said.

"The general argument was that based on the 80/20 rule, certain features should be added while others should be removed. I kept bringing up the well-known fact we don't have a clue what features 80%, or even 20%, of WordPress users actually use so any claim of validity in the 80/20 rule is guesswork at best."

Collecting usage data is standard practice. Microsoft Windows, Mozilla Firefox, Chrome, iOS, and a number of other software projects have opt-in data collection systems that are used to improve the product. They also provide insight into how customers are using their products.

WordPress development on the other hand relies on the support forums, data collected from WordPress.com, limited user testing, verbal feedback at WordCamps, and other small data points. Collecting usage data from WordPress could show trends and provide evidence for changes related to the decisions not options philosophy of WordPress development.

Collecting usage data isn't going to solve all of WordPress' woes but having it available to make more informed decisions is better than not having any data at all. Although an opt-in data collection system in WordPress won't be a core focus any time soon, it's encouraging to see the idea has merit and is something some core developers are interested in seeing become a reality.

I'd gladly opt-in and share my usage data with WordPress.org as long as it was anonymized and displayed publicly in aggregate. Would you?

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

21 Feb 2017 2:07am GMT

WPTavern: BuddyPress 2.8 Boosts Minimum PHP Requirement, Adds Twenty Seventeen Companion Stylesheet

BuddyPress 2.8 "San Matteo," was released last week, led by long-time BuddyPress contributor Slava Abakumov. The release was named for San Matteo Panuozzo, an NYC pizza restaurant that specializes in panuozzo, a more portable pizza-sandwich hybrid. Following suit with the previous release, 2.8 focuses on improvements for developers and site builders, the project's new target audience as of 2016.

As part of an effort to modernize the plugin's codebase and prepare it for better integration with the BP REST API project, this release boosts the minimum PHP requirement to 5.3. In BuddyPress versions 2.7+, the plugin will display a notice in the dashboard if it detects that the server doesn't meet the minimum requirements for running 2.8. The change is not likely to affect many BuddyPress sites as only a small sliver (5.7%) of WordPress sites are running on PHP 5.2.

This release also adds a companion stylesheet for Twenty Seventeen. This stylesheet is important for providing a good first impression of BuddyPress for those who are trying try out the plugin with WordPress' latest default theme. A new BP codex page gives sample code for changing Twenty Seventeen's default two-column layout to be a full-width layout.

The 2.8 release brings improvements to the "Activate Pending Accounts" screen, making it easier for site managers to confirm or reject new registrants. Clicking on the username of a pending account will now display profile data that the user entered at signup.

Other improvements for developers include the following:

BuddyPress 2.8 was made possible by 44 volunteer contributors. For a full list of all the changes in this release, check out the official 2.8.0 changelog.

21 Feb 2017 12:33am GMT

20 Feb 2017

feedWordPress Planet

WPTavern: Composing a WordPress Development Environment with Docker

This post was contributed by guest author Peter Suhm. Peter is a web developer from the Land of the Danes. He is the creator of WP Pusher and a huge travel addict, bringing his work along with him as he goes.

In the last few years, a wave of virtualization technologies have swept through our WordPress development environments. The one that's sounded the most promising to me has been Docker: lightweight and flexible. Yet, until recently, getting Docker up and running was an overwhelming task - especially on a non-Linux machine. If you managed to get it up and running in a virtual machine (using Vagrant or similar), getting port-forwarding to work would make you give up and just use Vagrant instead.

Now it's different.

With (a stable) Docker for Mac and Windows and Docker Compose at hand, getting Docker up and running is easy and pain-free. With Docker Compose you can tell Docker exactly what you want your WordPress development environment to look like and it will take care of it.

What is Docker?

Docker is a technology that makes it really simple to create isolated containers for your applications and websites to run in. These containers can be combined and modified to fit the needs of your applications. Docker is utilizing the Linux Containers technology (LXC) where multiple isolated environments can share the same Linux kernel - making it very lightweight compared to something like Vagrant.

The Docker ecosystem is built around containers. In the Docker Hub, you can find an endless number of containers that other people have built or you can build your own using a Dockerfile. When building your own, you can start from scratch using the base Ubuntu image or extend someone else's image.

You can share local directories with your containers and link the networks, so they can talk to each other - just like you know it from other virtualization technologies. However, this is where it gets complicated which leads me to Docker Compose:

What is Docker Compose?

Docker Compose is what makes Docker available to mortals like you and me. As the name implies, Docker Compose is a tool for composing Docker containers. That means defining your services (containers), setting up the network between them, sharing local directories with them, and a few more things.

With Docker Compose you create a simple file in the root of your project that describes the setup required by your application/website. For a WordPress theme that might mean a container to run WordPress, a container to run MySQL and a container to run Gulp or Grunt. This can very easily be defined in a docker-compose.yml file that can then be shared with your team members. This means that you can now share your WordPress theme, including an isolated WordPress environment to run it in. Hurray for virtualization!

Why use Docker?

There are a few reasons why Docker is an attractive technology for me. Here are the most important requirements I have for my development environment and how Docker solves them:

My Docker development environment

This is the very simple Docker setup I use for development of my WP Pusher plugin: A WordPress and a MySQL container. Both of them use the official Docker Hub images, so setting it up is very easy.

My docker-compose.yml file looks like this:

It describes two services: a MySQL 5.7 database and WordPress running on PHP 5.6 and Apache. The database is using a volume on my local machine, so data will be persisted every time I shut off the container. My current directory (in this case a plugin) is mounted into the wp-content/plugins directory. This allows me to work on my plugin in a completely isolated WordPress environment - without installing anything, besides Docker, on my Mac. The WordPress container forwards port 80 to my local machine, so I can access it as "localhost" in my browser.

If you want to try it for yourself, and have Docker installed on your machine, just add the file to your plugin (or theme) and run:

$ docker-compose up -d

In order to see which containers are running, just run:

$ docker ps

This a very simple setup that is easy to extend and build upon.

I hope this post made you curious about Docker and WordPress. Thanks for reading along!


20 Feb 2017 6:23pm GMT

18 Feb 2017

feedWordPress Planet

WPTavern: Disqus Hits Sites with Unwanted Advertising, Plans to Charge Large Publishers a Monthly Fee to Remove Ads

When Disqus announced it would be releasing new, subscription-based versions later this year, users didn't expect to have the new advertising model injected into their sites without notice. Disqus CEO Daniel Ha said the company would release finalized pricing and provide more details well in advance of its planned March release, but users are reporting that the advertising has already been forced into their comments without warning.

Why did @disqus just add a bunch of ads to my site without my permission? https://t.co/CzXTTuGs67 pic.twitter.com/y2QbFFzM8U

- Harry Campbell (@TheRideShareGuy) February 1, 2017

"We are one of the lucky 5% who now has to pay if we don't want really irrelevant and horribly spammy links just plopped on our site with zero warning," BabyCenter Social Media Manager Dina Vernon Freeman said. "Unless our users (mainly millennial parents) should care about overpaying for dentures! We're looking for other platforms ASAP."

Brian O'Neill, who manages Slugger O'Toole, a site with more than 70,000 readers, was also hit with unwanted advertising on his site.

"Disqus has started to put ads into our comments section of our site without even telling us," O'Neill said in a post explaining the new ads to the site's readers. "As you can imagine I am extremely annoyed at this - I hate crappy online ads as much as you do. Supposedly we can remove the ads if we pay them $10 a month, but as yet there is no mechanism on their site to do this." O'Neill said he is also exploring alternative commenting systems if he is unable to remove the advertising.

Disqus responded to user complaints with a post to clarify that advertising will remain optional for more than 95% of the sites on Disqus.

"Larger, commercial, sites that elect to use the free version of Disqus will be supported by configurable advertising and have the option to earn revenue through the Reveal program," Disqus Marketing Manager Mario Paganini said. "For small, non-commercial sites, advertising will be optional. These sites will be able to use Disqus' ads-optional subscription, free of charge."

Publishers asked in the comments when the option to pay to remove ads will become available, as an option to pay isn't currently in place.

"Larger sites will be able to run a paid subscription version of Disqus that includes the ability to remove ads along with additional features," Paganini said. "We are aiming to have this available in the next couple of months. We will be making periodic updates on our blog and talking to publishers in the meantime."

Disqus is moving to focus on its larger publishers but has already attracted angry criticism from publishers that were not properly informed of the changes. Over the years the company has experimented with different ways of monetizing the commenting platform, often frustrating users in the process of making important changes.

In 2014, Disqus began experimenting with advertising in the form of "Sponsored Comments" that users could not turn off without contacting support. This move drew criticism from WordPress co-founder Matt Mullenweg who essentially called out the ads as little more than comment spam. After a negative reaction from its community, Disqus quietly discontinued the Sponsored Comments and scrubbed the announcement post from the internet.

Disqus Delivers Low-Quality Ads

Disqus has struggled to land on an effective advertising model that will convince users to get on board. Its Reveal advertising program is notorious for serving low-quality ads and has inspired little confidence in users who have tried it. The following is one of the tamer examples:

"I think if you had somewhat decent advertising you might convince people that it's worth it, but I had to yank it from one of my sites because it was all 'Ron Paul wants you to buy gold!' and '22 times the photos showed too much!'" Paul King, an author who writes for multiple publications, commented on Disqus' most recent advertising announcement. "Just put in a tier of non-spam advertising that's actually relevant or charge based on comments or something."

Twitter is filled with complaints from users who are dissatisfied with the questionable quality of Disqus' advertising. Many are searching for alternatives.

@disqus We've disabled ads straight away (they are literally ALL scams) - if you force those ads on us, we're dropping you like a hot potato

- That's Nonsense (@thatsnonsense) February 6, 2017

Why @disqus think it's acceptable to serve disgusting, misogynistic ads (OR ANY ADS) on people's blogs without asking is beyond me.

- Rosie (@RosieLondoner) February 6, 2017

I'm removing #disqus from https://t.co/PSlovlA6Tm since they've suddenly turned on (notably creepy) ads with no warning.

- James Britt 🎧 (@jamesbritt) February 1, 2017

This recent move to turn on advertising without publishers' permission is another communication blunder in the same vein as the previous attempt at Sponsored Comments. Disqus has failed to find a communication strategy that respects users' content while leading the company towards its goals at the same time. With spam-quality ads deploying network-wide, the company can certainly expect that some users will be willing to pay the $10/month to turn them off. Sadly, the experience of paying to turn off offensive ads feels more like getting mugged on your way to work than upgrading your service.

The Disqus Comment System plugin has been hovering around 200,000 active sites for the past two years and its ratings continue to plummet on WordPress.org. Unless Disqus is able to dramatically improve its advertising network before its official March release, we may see a mass exodus to other commenting systems.

18 Feb 2017 12:16am GMT

17 Feb 2017

feedWordPress Planet

WPTavern: How to Check if Installed Plugins Are No Longer in the Plugin Directory

When we wrote about why plugins sometimes disappear from the WordPress plugin directory, it generated a healthy discussion in the comments. One of the topics of discussion brought up is whether or not users should be notified when a plugin disappears and if so, how?

Currently, when a plugin is hidden on the directory, users are not notified. If it's removed due to a security vulnerability and the author chooses not to fix it or move the plugin somewhere else such as GitHub, users are left in the dark.

Donna Cavalier shared a recent example of why users should be notified. Contact Form DB is a popular plugin that saves contact form submissions from many popular Contact Forms plugins to the database. As of October 30th, 2016, it was actively installed on more than 400K sites.

Approximately one month ago, the plugin was hidden due to a security vulnerability. Instead of releasing a patch, Michael Simpson, creator of Contact Form DB, moved the plugin to GitHub and subsequently released a new version that patched the vulnerability. Simpson says the person on the plugin review team that he spoke with was condescending, unprofessional, and rubbed him the wrong way.

"I'm happy to address any issues and meet any standards, but I'm at the limit of my patience," Simpson said.

"I try to be a good citizen and give back to the community. I've put in countless hours for close to seven years now. When I'm treated like this, it seems WordPress doesn't value me or my contribution to its community.

"Anyway, I put the code on GitHub and I will continue to support it. But at this point I'm not sure I want to deal with people like this to re-list the plugin on this site. I don't need the frustration."

If you use Contact Form DB, please update to 2.10.30 as soon as possible as it contains the aforementioned security fix.

It's impossible for Contact Form DB users to automatically install updates from GitHub without installing an updater plugin. This leaves thousands of sites at risk.

How to Know When Installed Plugins Are No Longer in the Directory

In the comments of our article, Tavern reader Central Geek shared links to a couple of plugins aimed at providing useful information such as, whether a plugin has been abandoned and better plugin compatibility information.

One of the plugins he mentions is called No Longer in Directory, developed by White Fir Design. The plugin adds a page to the WordPress backend that informs users if any of the plugins that are installed are available in the plugin directory. It also separately lists installed plugins that haven't been updated in two years or more.

The check is performed using the plugin directory's folder name. The author notes that this could lead to plugins that have never been in the plugin directory to be flagged if they use the same name as a plugin that was in the directory in the past. If you encounter this situation, you're encouraged to create a new thread on the plugin's support forum.

So far, No Longer in Directory is actively installed on more than 1K sites. Out of a total of six reviews, its average rating is 4.8 out of 5 stars. I tested the plugin with WordPress 4.8 alpha and didn't encounter any issues.

If this is a feature you'd like to see implemented in WordPress, consider voting for it. So far, the idea has 43 votes with a five-star average rating. Mika Epstein, Plugin Directory Representative, responded to the idea four years ago noting that it was being worked on.

As Epstein mentioned in our previous article, explaining WHY a plugin has been closed is complex.

"Obviously the last thing we want are people getting hacked, but it presents us with a few options and they all have flaws," she said.

"We've not been able to determine a way to tell people 'This plugin is gone, don't use it' and 'This plugin is gone, but use it if you want.' without putting users at risk."

If a Plugin Is Permanently Removed From the Directory, Users Should Be Notified

I believe users should be informed if a plugin is permanently removed from the directory. It doesn't make sense to notify users if it's temporarily hidden due to violating a guideline or a security issue. Plus, between upgrade and admin notices, users are receiving enough notifications as it is.

I'm unsure if the notification should be an admin notice as we've already documented how plugin authors are using them to advertise. Users are increasingly getting annoyed by them and they're usefulness is in decline.

There's also the question as to who is responsible for informing users. This responsibility should fall squarely on the plugin author. If I was a plugin author and not interested in someone adopting my plugin and wanted it removed from the directory, I'd do so by pushing out one last update.

I'd explain in the plugin's description and changelog that support and updates would no longer occur and that users should seek alternatives. I might even suggest a few that come to mind. Then, after about a month, I'd submit a request to the plugin review team to permanently remove it.

This would give users a heads up and plenty of time to seek out an alternative. The Post Template plugin is a good example of this idea in action. Here is the notice it displayed on all of its settings pages before it disappeared.

Since version 4.0.0, the plugin has been released under a commercial license. New features such as addition of custom fields to the templates have been added. Furthermore, this version is discontinued, which means that no further bug fixes, new features and compatibility fixes for new WordPress versions will be implemented. If you want to buy the latest version of Post Template, please visit the plugin web page.

By notifying users ahead of time, the responsibility shifts to the user to find an alternative.

Simpon said he'll work to get the plugin re-listed but it may take some time as he's swamped with work. At the time of publishing, the plugin is not available on WordPress.org.

An Unfortunate Situation for Users of Contact Form DB

While users sympathized with Simpson over his decision, I think it's partly irresponsible. If a plugin has a security vulnerability, patching it and making it available as soon as possible should take precedence over how one feels about a situation.

Instead of putting aside differences and pushing out an update to patch a security vulnerability, Simpson chose to move the plugin and the patched version to GitHub. The decision not to work with the plugin review team has put thousands of sites at risk with no easy way for users to update.

Hopefully, Simpson will work with the team to get a patched version of Contact Form DB back onto the directory as soon as possible. Until then, if you use Contact Form DB, please update to 2.10.30 manually as it patches the security vulnerability.

17 Feb 2017 8:52am GMT

16 Feb 2017

feedWordPress Planet

WPTavern: WPWeekly Episode 263 – Plugins Disappearing, WordCamp Miami, and OSTraining

In this episode, Marcus Couch and I discuss the news making headlines including, WordCamp Miami in its 9th year, OSTraining partnering with GoDaddy to release training videos, and why plugins sometimes disappear from the WordPress plugin directory. We also provide an update on the REST API vulnerability that is actively being exploited to deface webpages.

Stories Discussed:

WordPress REST API Vulnerability Exploits Continue
Google Webmaster Tools Fixes Confusing Messages About Updating WordPress
WordCamp Miami 2017 to Host JavaScript Track, AMA Spots, and 2-Day Kids' Camp
OSTraining Partners with GoDaddy to Launch Free WordPress Beginner Course on YouTube
Why Plugins Sometimes Disappear From the WordPress Plugin Directory

Plugins Picked By Marcus:

Mobile Featured Image allows users to add a featured image specifically for mobile devices. The new image can be a resized version of your featured image or an entirely new image targeted especially at mobile viewers.

FB Messenger Bot for WooCommerce automatically messages clients from your Facebook page, WooCommerce, or Gravity Forms. The plugin creates a 'send to Facebook' button at the end of the WooCommerce Sales process or on the Gravity Forms thank you page.

Restrict New Users by Domain makes it easy to whitelist or blacklist email domains that new users can use when registering. If using the whitelist, only new users who enter an email domain on the whitelist will be allowed to create an account. If using the blacklist, a user who enters an email domain on the blacklist will be unable to register.

WPWeekly Meta:

Next Episode: Wednesday, February 22nd 3:00 P.M. Eastern

Subscribe To WPWeekly Via Itunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #263:

16 Feb 2017 11:01pm GMT

Post Status: LoopConf in review

LoopConf is a developer centric conference, and LoopConf "2.1" took place in Salt Lake City in early February. This second iteration of the event was a great one, with informative, diverse talks, a laid back atmosphere, and it was very well organized - which is especially impressive considering the challenges that mother nature caused. As an added bonus, you can now watch all the talks for free.

Originally planned for Miami last year, LoopConf was postponed due to a hurricane in southern Florida - hence the ".1" above - and rescheduled closer to organizer Ryan Sullivan's home in Salt Lake City. Despite the postponement, most attendees were still able to make it, and some folks (like me) could only go to the newly scheduled event.

Salt Lake City was unseasonably warm, making it a pleasant few days, mixed with great food and company. It was also a pleasure to be able to meet more people from local companies, including the newly minted BlueHost and MOJO headquarters downtown.

Post Status was at LoopConf as a media partner, and Brian Richards and I took a lot of pictures, as well as several video interviews.

What to know about LoopConf

In our first video interview, Ryan talked about the origins of LoopConf, and described what he hoped attendees would get out of the event:

I hope to see a future LoopConf 3, and I think the venue and atmosphere worked really well in Salt Lake City.

A small sampling of valuable talks

There were many great talks. I didn't attend them all, as I was working on other stuff for much of the two days, but the feedback was pretty universally positive, and every talk I did attend, I found valuable.

The competitive landscape for WordPress

The first day kicked off with a great talk by Pantheon co-founder Josh Koenig, who spoke on the competitive landscape for WordPress, including opportunities and risks. It was a really excellent start to the event.

Empathetic communication

I met Sharon Steed prior to her talk, and she spoke about empathetic communication. And due to her own journey as a communicator, going through life with a stutter, it has impacted how she thinks about communication and how she advises her clients.

There were two quotes I loved: "Technology cannot replace the social aspect of face-to-face communication." And, "Silence kills collaboration." I think greater empathy in our ecosystem and society in general is pivotal.

Put an "S" on it

I don't know anyone who knows more about HTTPS than Zack Tollman, who directed the effort to make WIRED's website fully HTTPS. They learned many lessons, and he shares them in his outstanding talk.

Bootstrapping a WordPress business

The most recent podcast episode featured a video interview and extended audio interview with WP Engine founder and LoopConf keynote speaker Jason Cohen, which I highly recommend you check out. Jason is full of knowledge, and my interview with him pairs well with his keynote talk.

Jason's talk will certainly get you thinking about whether you should raise your prices, that's for sure.

Watch them all!

Don't take my word for which talks to see. I just feature these because I got a lot out of them in the moment. However, in general I found this lineup to be one of the most proficient groups of speakers I've seen yet at a WordPress event.

Check out the whole playlist.


Here are pictures from the three days of workshops and talks.

You are welcome to use these pictures however you wish. If you'd like to credit Brian Richards or myself, or Post Status, we'd appreciate it - but it's not required. Pictures he took show Canon 6D in the meta description, and pictures I took show Canon 70D in the description.

More interviews from LoopConf

I'll have more interviews from LoopConf over the coming days and weeks. I chatted with several core contributors and developers about specific experiences they've had with WordPress. Keep an eye out for those!

A fun, niche event with a lot of value

LoopConf was pretty laid back, and did a lot of things really well.

For one, I'm super jealous of how quickly they got the videos uploaded, and they've generously made them available for free for everyone. Also, there were no noticeable event hiccups, and the team was always available to help with whatever attendees may need.

The venue itself was really nice, as you can hopefully see in the pictures, and the whole place was laid out in a way that made both the talks and the hallway track highly accessible. And sponsors were in the center of the whole event, which was great.

I found that the size of the event (I'd guess around 200 people) made it so that conversations were easy to have, and we were able to go in-depth. And because everything from breakfast to dinner to the after party were at the venue, it made everything super convenient.

If and when there's a LoopConf 3, you should go! I've also found this general theme to be true at other niche WordPress events - including A Day of REST (specific to the REST API in WordPress, which you should go to next month!) and PressNomics (a WordPress business event, which you should go to in April!), and even my own Publish event (which may have a second iteration later this year).

To learn more about LoopConf, check out the website. And definitely take advantage of all of those free videos!

16 Feb 2017 8:00pm GMT

15 Feb 2017

feedWordPress Planet

WPTavern: Matt Mullenweg Responds to Security Rant: Digital Signatures for WordPress Updates Are Important but Not a Priority

Scott Arciszewski, Chief Development Officer for Paragon Initiative Enterprises, who is most widely known for his cryptography engineering work, published a post on Medium criticizing Matt Mullenweg, co-creator of the WordPress open-source software project, for not caring enough about security. Arciszewski has since retracted the post but you can read it via the Wayback Machine.

Arciszewski is working on a project known as libsodium, a core extension to PHP 7.2 which allows for encryption, decryption, signatures, password hashing and more. Its goal is to enable developers to build higher-level cryptographic tools.

WordPress' automatic update system is handled through api.wordpress.org. Since updates do not have a digital signature, if api.wordpress.org were compromised, attackers could send malicious updates to thousands or millions of sites. This scenario was at the forefront of people's minds late last year after Wordfence published details of a complex security vulnerability that could have compromised the update servers.

Arciszewski suggests offline code signing and elliptic curve cryptography as solutions, "The key that can produce a valid signature for a file isn't stored on the server (only the file itself and a valid signature are), so even if the server gets hacked, attackers can't just add trojan horse malware to the file," he said.

OpenSSL is an extension of PHP and is commonly used as public-key cryptography but it only supports RSA which Arciszewski deems inadequate. Since WordPress is written in PHP and supports versions 5.2-7+, Arciszewski needed to create a solution that was as compatible. This inspired him to create sodium_compat that adds Ed25519 signature verification to WordPress' automatic updater.

Arciszewski submitted a number of patches to WordPress but was told by Dion Hulse, WordPress core developer, that the sodium_compat library could not be merged into core until it passed a security audit by a third-party. Audits can cost a lot of money so Arciszewski's plan was to see if Automattic could take on some of the cost or crowd-source the funds. However, his project was put on hold after Mullenweg informed Hulse to stop working on the feature as it's not related to the three core focus areas of the Editor, Customizer, and the REST API.

Arciszewski described the decision as irresponsible and that every user has a reason to be alarmed, "The WordPress team has shown that they are not responsible enough to govern their impressive ownership of the Internet (with the exception of some folks powerless to correct the organization's course)," he said. "This act of negligence will put the rest of the web in harm's way."

Update Signing is Important but Not a Priority

Mullenweg responded to the post on Medium.com with one of his own and reiterated the WordPress development team's commitment to security.

"Everyone involved takes their responsibility very seriously, and the growth of WordPress has meant many thoughtful, hard-working people have gotten involved and think of the security of WP sites holistically, from every angle," he said.

Mullenweg also clarified what attacks would be stopped by implementing digital signatures to WordPress updates.

"It could stop a man in the middle attack, where someone modifies the update files on the network in between your blog and WordPress.org, or it could stop a situation where the part of .org that serves the update is compromised but the signing part isn't, and someone decided to send out updates even though they know they'll be rejected," he said.

The team is unaware of any WordPress sites that have been attacked this way. While the possibility exists, the extent of the damage would likely be limited. The update servers are monitored around the clock and since many large webhosting companies automatically scan their customer's sites for malware, the malicious update would likely be discovered quickly.

Mullenweg describes what would happen if an update server was compromised.

"We would turn it off really quickly, notify the world there was an issue, fix the problem, turn it back on, and notify the specific sites or hosts as able," he said. Although WordPress powers 27.5% of the top 10 million sites tracked by Alexa, it's highly unlikely that number of sites would be compromised.

He goes on to say that there are easier ways to compromise a WordPress site and listed the biggest issues to WordPress security based on impact.

  1. Sites not updating core.
  2. Sites not updating plugins.
  3. Sites not updating themes.
  4. Weak passwords, without brute-force protection or two-factor authentication.
  5. Hosts (professional or ad-hoc) not scanning and fixing sites.
  6. Hypothetical issues not seen in practice, which distract from the above existing priorities.

Mullenweg confirms that he offered to donate to the audit of sodium_compat a day before Arciszewski published his post. Even if the library passed an audit, the code couldn't immediately be added to core, "You would also need to do some significant work on the server-side to isolate the signing from the update server, so it's worthwhile in the first place," he said.

And if the code were added to core, only the sites that updated to the version that has the cryptographic library and the update checking would be able to take advantage of it. WordPress.org would still need to send updates to older versions that don't have update checking. These sites would still be vulnerable to receiving a malicious update.

Mullenweg says that digital signatures and update signing will end up in WordPress eventually but it's not a priority as there are other security issues in front of it, "We are prioritizing those issues above a nice-to-have, defense in-depth effort," he said.

"A good approach would be to build the server-side first, because doing that properly, say with an HSM, is the difficult and important part; then get the packages signed; then test out verification in a plugin because we don't want to break auto-updates; and then finally merge into core and set the client to reject non-signed updates. On the client side we need to pick a cryptography library, and get it audited."

Mullenweg ended his post explaining why he published his response on Medium instead of his personal site. "Seems to be the most popular place for rants like this. I also wanted to try out the famous Medium editor," he said.

What's Next For sodium_compat

While the prospects don't look good for his library being added to WordPress in 2017, Arciszewski says there are plenty of other PHP projects that could benefit from it, "For their sake, I'm still strongly inclined to pursue an independent third-party cryptography audit, and attempt to crowd-fund the cost," he said.

15 Feb 2017 11:48pm GMT

BuddyPress: BuddyPress 2.8.0 – “San Matteo”

BuddyPress 2.8.0 "San Matteo" is now available for download from the WordPress.org plugin repository, or right from your WordPress Dashboard. "San Matteo" focuses on various improvement for developers, site builders and site managers.

For Developers & Site Builders

Modernizing the Codebase

To continue the migration of legacy code to modern standards and techniques necessary for the BP REST API project and other new features moving forward, BuddyPress 2.8 requires at least PHP 5.3. This will allow us to build better, robust, and secure code, benefiting developers and users now and in the future.

More helpful "Activate Pending Accounts" screen

When you click on the username on the "Users > Manage Signups" page, you can now view profile data entered by the user at the time of registration.

Support for List-Unsubscribe header in emails

Allow users to unsubscribe from BuddyPress email notifications in some email clients such as Gmail (web), when properly configured.

Twenty Seventeen Companion Style sheet

BuddyPress looks great in WordPress's latest default theme with the new Twenty Seventeen companion style sheet.

To change the default two-column page layout to a full-width layout as seen in the image, add the following code to the functions.php file of your Twenty Seventeen child theme.

More hooks for Messages

We've added new filters and actions for different methods throughout the Messages component.

A more flexible Group search

The new search_column parameter allows developers to specify which columns should be matched, as well as where wildcard characters should be placed, when searching via BP_Groups_Group::get().

Alphabetical sorting for Groups widget

The groups widget can now be sorted alphabetically, in addition to sorting the results by recently active, popular, and newest groups.

Enable choice of PHPMailer

Developers can specify which PHPMailer should be used when sending BuddyPress with a new filter.

Localization Improvements

We continue to improve our localization internals, making it easier for translation editors to ensure that BuddyPress will be available for everyone in their own language.

Developer Reference

Regular updates to inline code documentation make it easier for developers to understand how BuddyPress works.

Accessibility Upgrades

Continued improvements for universal access help make BuddyPress back- and front-end screens usable for everyone (and on more devices).

…and much more!

Read about all the bug fixes and feature enhancements introduced in BuddyPress 2.8.0 at our official 2.8.0 changelog.

Thank You to Our Contributors

Many, many thanks to all those who contributed during this development cycle. This is a volunteer-run project, and these contributors freely gave of their time and expertise to make BuddyPress better than ever:

Andrea Tarantini (dontdream), Ankit K Gupta (ankit-k-gupta), angeljs, Boone B Gorges (boonebgorges), Brandon Allen (thebrandonallen), Bunty (bhargavbhandari90),chetansatasiya (ketuchetan), Chirag Patel (chiragpatel), danbp, David Cavins (dcavins), Dennis (wpdennis), Diana K. Cury (Dianakc), finzend, Hugo (hnla),J.D. Grimes (jdgrimes), John James Jacoby (johnjamesjacoby), Jonas Lundman (jonas-lundman), jonieske, jreeve, lakrisgubben, Laurens Offereins (Offereins), lgreenwoo,maccast, Mathieu Viet (imath), mchansy, mercime, Michael Beckwith (tw2113), modemlooper, Mustafa Uysal (m_uysl), Nick Momrik (nickmomrik), Paul Gibbs (DJPaul),paresh.radadiya (pareshradadiya), Petya Raykovska, r-a-y, rekmla, Renato Alves (espellcaste), Roger Coathup (rogercoathup), Salvatore (DarkWolf),Sanket Parmar (sanket.parmar), Slava Abakumov (slaffik), Stagger Lee (stagger-lee), Stephen Edgar (netweb), Sven Wagener (mahype), wordpressrene.


BuddyPress 2.8 is called "San Matteo" after a great pizza restaurant in New York City. San Matteo specializes in the "panuozzo", a pizza-sandwich hybrid native to Salerno, Italy. The proprietor of San Matteo is a friendly fellow who insists on speaking Italian even to customers who don't understand a word of it. If you find yourself in the neighborhood, be sure to stop by for a great pizza.

Time to Go Get 2.8.0!

Grab BuddyPress 2.8.0 "San Matteo" from the wordpress.org plugin repository, or right from your WordPress Dashboard.

Questions, comments, feature requests, or bug reports? Please use our support forums or our development tracker.

15 Feb 2017 10:38pm GMT

HeroPress: Not every hero wears a cape

Pull Quote: Sometimes the biggest heroes are the people who notice that someone else feels out of place, extend their hand, and welcome them in.

I almost didn't go to my first WordCamp

I started working with WordPress in 2010. A client requested I use WordPress and a Revolution theme they'd purchased to build their new site. When I was done, I submitted it to the theme showcase, and Brian Gardner reached out to tell me how much he'd liked it.

I continued working with Brian and his themes as Revolution became Revolution 2, and then StudioPress and Genesis. That led to me designing and developing Family Tree, one of the first commercial themes targeted at women entrepreneurs. It was released in May of 2011.

Right around the release of my first theme, Brian asked if I was going to be at WordCamp San Francisco. There was going to be a Genesis Connect event there, and he wanted me to be there. I really wanted to go, but didn't know how I was going to pull it off.

See, after a years long struggle I had recently been diagnosed with bipolar disorder.

I was trying to rebuild my design career with WordPress, but I was really struggling.

I felt like flying to San Francisco to see my internet friends was a luxury I couldn't afford.

But when I mentioned it to my wife, she told me we'd find a way. She started hitting travel sites and found a cheap airline ticket. Then she went on AirBnB and booked me a couch in the lobby of an art gallery in the Tenderloin-it was the cheapest thing we could find. I left on August 11, 2011, three days before my 40th birthday.

My first day of WordCamp SF was a nightmare

I have pretty severe social anxiety, so my plan was to maintain a low profile and keep to myself until I could meet up with some of my Genesis friends. About 20 minutes into the first talk I went to I was totally lost, so I thought I'd sneak out and hit lunch early. It seemed like a solid plan.

My foot had fallen asleep during the presentation, though, and as I stood up to sneak out my ankle buckled and I fell. Every head in the auditorium whipped around to stare at me slowly rolling down the aisle. It was painfully obvious to me that not only did I not belong, but I had just made a very public ass of myself and was mortified.

Then the WordPress Community stepped in

There was already a huge crowd in the courtyard when I managed to slink out of the auditorium. I felt like someone had dropped me back into my junior high cafeteria. I stood in the massive line, wanting nothing more than to find a quiet corner to nurse my wounded pride, call my wife, maybe cry a little, and tell her that coming had been a huge waste of time and money.

If that's how my day had panned out, my WordPress story might have been a lot different. Instead, I ran into my first ambassador of the WordPress community.

This kind of goofy guy in front of me started chatting me up.

I told him it was my first WordCamp. He asked me where I was from, and we discovered we lived maybe an hour away from each other: me in San Diego, him in Orange County. He invited me to eat lunch with his group. And that's how I wound up sitting at a table eating lunch with Steve Zehngut and his crew.

These people were more like me: marketers and designers, theme authors and SEO specialists, food bloggers and digital nomads. I started to feel like I might belong there, after all. The phone call I made to my wife after lunch was about how much fun I was having, and how many cool people I was meeting.

Later that day I went to dinner with the crew from Genesis and met even more amazing people I'd only known online. After that, there was a huge Genesis Connect happy hour. The more people I met and talked to, the more friends I made. On Sunday, before one of the final presentations, an auditorium of my new friends sang "Happy Birthday" to me. (I won't lie-it was cool but also almost as embarrassing as falling down the first day, lol!)

One person can make a difference

If Steve hadn't asked me to eat lunch with his group that day, I might have never gone to another WordCamp. Instead, when WordCamp San Diego 2012 came around Dre Armeda encouraged me to submit a speaker application, and I gave my first talk. For six years now I've spoken at every local WordCamp that's accepted my speaker application, trying to inspire other people to get and stay involved in our community.

I spent some time looking at the 2011 WCSF attendees list when I was writing this essay. Some of my best friends (and best WordCamp stories) can be directly linked to that list. Even the people I may not have met at that event came into my life because of that event.

Six degrees of a lunch invitation

I don't remember whether or not I met Alex Vasquez in San Francisco, but he's one of the people who actually wants an honest answer when he asks how I've been. I'm pretty sure I didn't meet Andy Stratton there, but I eventually travelled to Baltimore to speak at the WordCamp he and Drew Poland organized. I'm positive I didn't cross paths with Karim Marucchi, but he eventually became my boss, mentor, and go-to puppy picture friend. And those are just the connections from one event that happened 6 years ago.

WordCamp San Francisco taught me that being a hero doesn't have to be a huge, dramatic thing.

Sometimes the biggest heroes are the people who notice that someone else feels out of place, extend their hand, and welcome them in. Of all of the lessons I've learned in WordPress, that's the most important one. Thanks, Steve!

(P.S. If anyone knows where I can find some adult Superman Underoos in stock, LMK. WordCamp San Diego is coming up at the end of March, and I never got Steve a proper thank you gift.)

The post Not every hero wears a cape appeared first on HeroPress.

15 Feb 2017 12:00pm GMT

14 Feb 2017

feedWordPress Planet

WPTavern: Open Source Leadership Summit to Live Stream Keynote Sessions February 14-16

The Linux Foundation's Open Source Leadership Summit is happening in Lake Tahoe, CA, February 14-16, 2017. The invitation-only event brings together open source technology leaders to collaborate across different projects and share best practices.

The organizers will be live streaming all of the keynote sessions for free throughout the three-day event for a total of 17 presentations. A few sample topics and speakers include:

Anyone who wants to join the keynote sessions via live stream will need to sign up ahead of the event. The keynotes will be broadcast in Pacific Daylight Time and viewers can return to the signup page to watch live. Viewers are encouraged to use the event's official #lfosls hashtag to tweet about the sessions as they are watching.

14 Feb 2017 6:32am GMT

WPTavern: Why Plugins Sometimes Disappear From the WordPress Plugin Directory

Nearly 50K publicly available plugins call the WordPress plugin directory home but once in awhile a few of them seem to disappear. There is usually a good reason for why this happens but the only information available to the public is a page that says the plugin cannot be found. If the plugin is popular enough, concerned users will contact us and ask to investigate what happened.

Mika Epstein, Plugin Directory Representative, says there are a number of reasons for why a plugin can end up hidden from view, "The most well-known, but not the most common, is security issues," Epstein said.

"Plugins are removed and, by default, hidden mostly because we're on bbPress 1.0 and there is not as granular a control with post statuses when compared to WordPress itself."

The plugin review team has three options to choose from when altering a plugin's visibility, active, closed, and disabled. Although rarely used, when a plugin is disabled, it is hidden from view but updates are able to be pushed out.

I asked Epstein why there's not more detailed information when a plugin is hidden and the answer is complex, "The lack of information is partly technical as bbPress 1.0 is limited and partly because we can't all agree on the right way to disclose, when to disclose, and when not to disclose," she said.

"Obviously the last thing we want are people getting hacked, but it presents us with a few options and they all have flaws. We've not been able to determine a way to tell people 'This plugin is gone, don't use it' and 'This plugin is gone, but use it if you want.' without putting users at risk."

Epstein uses WooCommerce and Jetpack as examples, "Let's say I close Jetpack today and tell people 'WordPress decided not to support it anymore.' But tomorrow I close WooCommerce and tell people 'I can't tell you why.' That means an intelligent person knows that WooCommerce is probably vulnerable."

It's a conundrum without an easy solution. The team typically closes plugins which makes the plugin's page disappear. This has the added benefit of making it more difficult to determine if the plugin ever existed. Then the team contacts and works with the developer directly.

Most closures are done with the knowledge of the plugin author as they are often the ones who request that their plugins be closed.

The New WordPress Plugin Directory Will Modernize Plugin Administration

Announced at WordCamp Europe 2016, the WordPress plugin directory redesign has been in open beta for about eight months.

WordPress Plugin Directory Redesign

In addition to bringing a fresh new look to plugin pages, the migration away from bbPress to WordPress will help make the plugin review team's job easier, "Like far too many things in Plugin Land, everything depends on modernizing the backend to something that is functional." Epstein said.

"Once the new directory is out and I have some more people trained to do reviews properly, then we'll have the bandwidth to sit down and really figure out a best solution.

"A stopgap might be making the page say 'This plugin is no longer available.' But I'm personally not sure if that would make FUD better or worse."

If you discover that a plugin you rely on has suddenly vanished from the directory, don't panic. Depending on the issue, plugins usually reappear within a week unless the author has requested that it be closed.

To learn what's involved and how the plugin review team does its job, listen to episode 231 of WordPress Weekly. I also encourage you to read our detailed interview with Epstein published in 2014, in which most of the information is still accurate.

14 Feb 2017 3:37am GMT

13 Feb 2017

feedWordPress Planet

WPTavern: WordPress REST API Vulnerability Exploits Continue

photo credit: Code & Martini by Ivana Vasilj - cc license

It has been nearly two weeks since the WordPress security team disclosed an unauthenticated privilege escalation vulnerability in a REST API endpoint in 4.7 and 4.7.1. The vulnerability was patched silently and disclosure was delayed for a week to give WordPress site owners a head start on updating to 4.7.2. Last week hundreds of thousands of vulnerable sites had already been defaced and the damage reports are still rolling in.

Over the weekend the attacks increased and WordPress security firms have seen more attempts blocked by their firewalls. Sucuri, the website security firm that reported the vulnerability to WordPress, was tracking the "Hacked by w4l3XzY3" campaign last week and estimated 66,000 defacements. That particular campaign has now passed 260,000 pages indexed by Google. It is one of nearly two dozen defacement campaigns targeting the vulnerability.

"During the past 24 hours we have seen an average growth in defaced pages per campaign of 44%," Wordfence CEO Mark Maunder said on Friday. "The total number of defaced pages for all these campaigns, as indexed by Google has grown from 1,496,020 to 1,893,690. That is a 26% increase in total defaced pages in just 24 hours."

Maunder referenced a Google Trends chart which he said demonstrates the success the defacement campaigns have had over the past week. The spike began on the day WordPress disclosed the vulnerability.


However, White Fir Design, another company that offers security services, disputes Wordfence's claims that 1.8 million pages were hacked. The ~2 million pages figure is cited in reports from BBC, The Enquirer, Ars Technica, CIO.com, and other publications. White Fir Design contends that the hacked pages that have been indexed by Google are not an accurate representation.

Sucuri CTO Daniel Cid also does not fully agree with Wordfence's assessment of the situation. After doing some research over the weekend, Sucuri estimates more than 50,000 sites hacked with 20-30 pages per site defaced. This would be roughly a million on the lower end of the estimate and ranges up to 1.5 million.

Sucuri is also starting to see more serious attempts on the REST API vulnerability in the form of remote code execution (RCE) attacks on sites using plugins that allow for PHP execution from within posts and pages. One such campaign attempts to inject a PHP include to add content from a compromised site and then inject a backdoor hidden in /wp-content/uploads.

"Defacements don't offer economic returns, so that will likely die soon," Cid said. "What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site - and offers multiple ways to monetize - and SPAM SEO / affiliate link / ad injections. We are starting to see them being attempted on a few sites, and that will likely be the direction this vulnerability will be misused in the coming days, weeks and possibly months."

Hackers are targeting any sites that haven't updated to 4.7.2 - there doesn't seem to be any pattern among them. A quick look at the Google results for the most active campaigns shows that compromised sites include blogs, media, government, education, sports, medical, and technology websites.

Why the REST API is Enabled by Default

The WordPress REST API is enabled by default, as the plan is for more admin and plugin functionality to rely on the REST API in the future. After the recent attacks, several users commented on the vulnerability disclosure to ask why it is enabled by default.

"The security issue is in a feature I do not use on any of my sites (REST API) and yet still, this feature is first enabled by default and second since WordPress 4.7 you even need a plugin - which could introduce further security issues - to disable the feature?" one user (@helios2121) commented on the post. "Please rethink your approach to security. Make features that not everyone needs opt-in. Or at least give a way to opt out without requiring additional plugins."

Morten Rand-Hendriksen opened a trac ticket to discuss disabling the REST API by default and only enabling it when the site admin requests it, or a theme or plugin is dependent on it.

Core Committer Sergey Biryukov confirmed that the plan is to introduce more core functionality that relies on REST API. "Turning off the REST API is like turning off admin-ajax.php - both will break your site," Biryukov said.

Rand-Hendriksen asked why the content endpoints cannot be protected by default while allowing the REST API to be on by default for admin purposes. Another user asked why the Users endpoint isn't protected by default (i.e. https://news.microsoft.com/wp-json/wp/v2/users or https://www.obama.org/wp-json/wp/v2/users), which "makes it easier than ever to get all the usernames" on any site using 4.7+.

"If you really want to disable the REST API on your site(s), this is our current recommendation: restrict it to authenticated users," Core Committer James Nylen said. "However, we want to continue to increase adoption and usage of the REST API, and I expect that even this modification will break more and more WP functionality as time goes on, such as API-driven themes and embeds."

Nylen recommends the Disable JSON API plugin for those who want to follow that recommendation on sites using WordPress 4.7+. The plugin currently has more than 10,000 active installs.

The WordPress security team worked diligently to mitigate the attacks by helping hosts and security firms put protections in place before the issue was made public. However, the full disclosure of the vulnerability was buried on the Make/Core blog, a site that is not widely read among regular WordPress site owners. The link to the disclosure was published as an addendum to the previous post on the WordPress news blog a week later.

"While I appreciate the responsible disclosure of this issue and the effort to resolve it, I hope you consider making future announcements via a new post on the WordPress News site, rather than just appending an update to a previous post," user @johnrork commented on the official disclosure. "I am probably not the only one who could have avoided being compromised had this shown up as a new item in my RSS reader on Wednesday."

Those who read the Make blogs had a head start on fixing their own sites and/or their clients' sites. Those who depend on the WordPress news blog for information on security updates probably read the post when it was initially published and never returned to see the update a week later. An issue this severe warranted WordPress' transparency in a new post on its news blog. This would have also automatically sent out a tweet to more than half a million followers on the official WordPress account and the Facebook account which has more than a million likes.

Fortunately, the number of vulnerable sites that also have plugins that could allow attackers to piggyback on this vulnerability is a much smaller number. Defaced sites are embarrassing but easy to fix. In most cases administrators need only update to 4.7.2 and roll back the defaced posts to the most recent revision. Most site owners have no idea how fast exploits begin to pop up after public disclosure, but this situation provided a gentle reminder of the importance of updating WordPress and the benefit of leaving automatic updates on.

13 Feb 2017 10:59pm GMT

11 Feb 2017

feedWordPress Planet

WPTavern: 10up Unveils ElasticPress.io: Elasticsearch as a Service for WordPress Sites

10up launched ElasticPress.io this week, its new Elasticsearch SaaS product with plans starting at $299/month. Elasticsearch is an open source, distributed search engine that speeds up searching by using JSON documents to store data in indices. The indices store mapping fields to the corresponding documents and the engine searches the index instead of a site's entire database.

Elasticsearch can perform near-real-time searches and is highly scalable, but the setup is technically demanding. It is used by many large companies, such as GitHub, Soundcloud, Etsy, Netflix, Cisco, and Samsung. It is also one of the most popular enterprise search engines for WordPress sites, as searching WordPress tables with thousands or even millions of records is simply not going to be fast.

The WordPress plugin directory has a dozen plugins for using and extending Elasticsearch but 10up's ElasticPress is by far the most popular with more than a thousand installs. After supporting the plugin for several years, along with many enterprise clients using Elasticsearch, 10up decided to create a hosted service that integrates with ElasticPress.

"The reason we created this solution for our clients, and that we're now making this public, is that we don't think anyone has provided a super easy, end-to-end (plugin to hosted service) that offers all of the benefits of Elasticsearch and our ElasticPress plugin, while being completely agnostic to your site hosting," 10up founder Jake Goldman said.

ElasticPress.io is an end-to-end solution that is specifically tailored for those using the ElasticPress plugin. This is one of the key differences between managing your own Elasticsearch infrastructure with a service like AWS. ElasticPress.io controls both the hosting and the plugin, allowing the service to optimize performance for both.

"There are a number of really neat use cases for ElasticPress on our roadmap that add either risk (security) or headaches (complicated setup and management procedures) if you can't control both ends," Goldman said. "For instance, there are optional Elasticsearch modules (just like there are optional Apache and Nginx modules) for features like indexing media that many hosted Elastic services don't enable by default or support. We also want to be able to index and handle content that isn't public, and many hosted Elastic services aren't locked down / secured end-to-end with the website by default."

How ElasticPress.io's Pricing Compares to Competitors

Elastic, the creators of Elasticsearch were one of the first companies to launch Elasticsearch as a service in 2012. Two years later the company raised $70 million in a Series C funding round. Dozens of other Elasticsearch as a service companies have sprouted up since then, with pricing ranging from under $20 to tens of thousands of dollars depending on the resources offered.

The ElasticPress.io service is the first of its kind in the WordPress ecosystem. Most hosting companies do not have it built into their enterprise level plans. WordPress.com VIP is one of the few that offers Elasticsearch for sites on its plans which range from $5,000 - $25,000 per month. WP Engine has an Elasticsearch solution as part of its Labs program, which is based on a fork of ElasticPress. However, the solution has not yet been officially added to the company's enterprise plans.

@10up @mgibbs189 @cabgfx @sbangnielsen @SearchWP ElasticPress plus lower cost providers is still extremely powerful for under $12 a month

- Scott Kingsley Clark (@scottkclark) February 10, 2017

For the most part, developers who have to implement Elasticsearch for a WordPress site are faced with hosting their own instance and managing it themselves. This is the most cost effective option but comes with a great deal more responsibility.

"Elasticsearch is a quickly evolving platform, and they don't exactly have the same commitment to infinite backwards compatibility that WordPress has these days," Goldman said. "Major Elasticsearch upgrades can break old integrations. That means the site owner needs to either worry about automatic version upgrades breaking their site, or has to manage their upgrades carefully. By controlling the integration with Elastic on the website site and controlling the hosting, we can carefully handle version upgrades for customers while making sure nothing breaks."

10up is aiming at the higher end of the market where customers are looking for convenience and access to the creators of ElasticPress for support. Goldman anticipates many of those customers will be similar to the product's existing customers who simply need a robust keyword search or related content engine that will "just work." ElasticPress.io is also targeting smaller and mid-tier businesses that are experiencing performance bottlenecks with WordPress' native query engine.

"Those customers are typically relying on rather complicated faceting / filtering of content, the classic use-case being a WooCommerce store where customers are constantly filtering on a handful of unique (unique = hard to cache) meta data all the time," Goldman said. "That's where ElasticPress really shines: our native WooCommerce support and optimization take those very taxing queries and makes them lightning fast."

As the service is fairly unique in the WordPress space, ElasticPress.io's pricing has room to evolve as 10up learns from its customers. The plans currently range from $299 - $999 per month with increasing storage space and tiered support response times. Goldman said they haven't ruled out other pricing points and may explore more pricing options in the future.

11 Feb 2017 6:33am GMT

Post Status: Jason Cohen, founder of WP Engine, on growing your company well — Draft Podcast

Welcome to the Post Status Draft podcast, which you can find on iTunes, Google Play, Stitcher, and via RSS for your favorite podcatcher. In this episode, I interview Jason Cohen, the founder of WP Engine and current CTO.

I talked to Jason about a whole lot of things, mostly to do with growing well. Whether you're growing revenue, company size, or personal development - this is a conversation about growth, and how to do it well.

Unlike many entrepreneurs in the WordPress space, WP Engine isn't Jason's first business. He's done this before, and made plenty of mistakes. He talks about what he's done differently at WP Engine and how its made him a happier person.

This interview took place at LoopConf, and Jason was a keynote presenter. His LoopConf talk pairs well with our discussion.

You can catch the first segment on video, and the entire conversation is on the audio podcast.


Direct Download


Sponsor: iThemes

This episode is sponsored by iThemes. The team at iThemes offers WordPress plugins, themes and training to help take the guesswork out of building, maintaining and securing WordPress websites. For more information, check out their website and thank you to iThemes for being a Post Status partner.

Photo by Brian Richards for Post Status

11 Feb 2017 4:31am GMT

10 Feb 2017

feedWordPress Planet

WPTavern: In Case You Missed It – Issue 17

photo credit: Night Moves - (license)There's a lot of great WordPress content published in the community but not all of it is featured on the Tavern. This post is an assortment of items related to WordPress that caught my eye but didn't make it into a full post.

Interviewed for WordPress.tv

A few weeks ago, Marcus Couch and I were interviewed by John Parkinson. Parkinson is a volunteer moderator and performs community outreach for WordPress.tv. In the interview, we discuss the benefits of WordPress.tv, the WordPress community, WordCamps, and more. I encourage you to check out his other community interviews as well.

WooCommerce and WordPress Used to Sell Stress Cubes

CNBC has an interesting story that features a 24-year-old who made $345K in two months selling Stress Cubes, a knock-off of the Fidget Cube. The Fidget Cube raised nearly 6.5M dollars in crowdfunding money.

The Fidget Cube experienced significant delays in shipping due to manufacturing issues. The 24-year-old contacted suppliers in China, purchased 1,000 plastic cubes, created a similar product, and shipped it to market before the Fidget Cube had a chance to reach backers. He used WordPress and WooCommerce to sell Stress Cubes grossing him nearly $350K in two months.

Why WordPress in Education

Jared Bennett explains how the Hamilton Wentworth District School Board uses WordPress. "We run over 100 individual school websites on a WordPress Multisite Network, and back in May of 2011, we launched the HWDSB Commons: a second Multisite Network which now hosts over 8,000 blogs for over 30,000 users," Bennett said.

Bennett shares links to plugins the team created to solve specific issues such as comment moderation in BuddyPress and blocking specific modules in Jetpack. Since WordPress is free as in beer, it allows his school board to spend public money in a more responsible way.

"In the WordPress ecosystem we operate in, I pay for functionality to be developed, and I share it openly on platforms like the WordPress plugin repository, or on sites like Github," Bennett said.

"The money you would have spent to enable the previously developed functionality, you can now spend on something else, something that I might benefit from. Think about how much more responsible this model is, particularly when we are talking about spending public money.

"We are all contributing; and the community benefits from those contributions; and our money - and the functionality of our platforms - improves exponentially faster than if we were all spending our money paying the private company over and over for code that has already been paid for by previous customers."

To learn more about WordPress in education, listen to episode 261 of WordPress Weekly where we interview Cameron Barrett, founder of SchoolPresser, LLC. Barrett explains how he negotiated and helped migrate Newark New Jersey's public school system from a proprietary CMS to WordPress.

WP101 Plugin Now Has WooCommerce and Jetpack Videos

The WP101 plugin has added Jetpack and WooCommerce training videos. This is in addition to the Yoast SEO and WordPress training videos.

Huge update for our WP101 Plugin! It now includes WooCommerce and Jetpack videos. That's 90 videos for your clients! https://t.co/6jtzj1JgkC pic.twitter.com/CByYvd61Xi

- WordPress 101 (@WP101) February 8, 2017

Adding Meta Fields to a Widget Sidebar Section

Example for how to add meta fields/controls to a widget sidebar section in the customizer: https://t.co/aMadLioQn6 #javascript #WordPress

- Weston Ruter ⚡ (@westonruter) February 9, 2017

WP Sessions Developer Survey

WP Sessions is conducting a developer survey to find out about the tools developers use. Results will be anonymized and shared in aggregate in a few weeks.

Widget Logic Has a New Maintainer

Widget Logic, a popular plugin actively installed on more than 300K sites, has a new maintainer named WPChef. The plugin was created nine years ago by Alanft. Prior to WPChef gaining commit access, the last time Widget Logic was updated was two years ago.

After gaining access, WPChef released Widget Logic 5.7.0. This version fixed a PHP 7 compatibility issue, a conflict with WPML, added a new default load logic point, and a Ukrainian translation. In addition to bug fixes, a global admin notice to install Limit Login Attempts Reloaded was also added. Limit Login Attempts Reloaded is a separate plugin owned and maintained by WPChef.

Limit Login Attempts Reloaded Admin NoticeThe wording of the notice and appearing globally caused some users to be concerned or upset. Some users responded to the update by writing 1-star reviews. After a user described the notice as sounding like fake news, WPChef changed it.

From SupportPress to Help Scout!

The WordPress.org community team is moving away from SupportPress to Help Scout. The move opens up a number of possibilities as Help Scout offers a lot of features that are non-existent in SupportPress.

Moving from SupportPress to Help Scout

Plush Wapuu!

In what is a traditional part of this series, I end each issue by featuring a Wapuu design. For those who don't know, Wapuu is the unofficial mascot of the WordPress project.

#Wapuu army is taking over #WordCamp US 😍#wcus #wcus2016 pic.twitter.com/Giyt3KFsnF

- Musannif (@mzahir) December 3, 2016

This plush Wapuu which was given away at WordCamp US 2016 as part of the event's swag was a huge hit with attendees and their children. I have one myself and the quality is superb.

That's it for issue seventeen. If you recently discovered a cool resource or post related to WordPress, please share it with us in the comments.

10 Feb 2017 10:16pm GMT