25 Nov 2015
I had the opportunity to interview Matt Mullenweg about an ambitious project that included more than a year and a half of development to create an all new WordPress.com interface, both for the web and a desktop app. The project was codenamed Calypso, and we talked about many aspects of Calypso, as well as a variety of subjects that relate to it.
Why did you make such a big bet on Calypso?
Matt has talked for a while now about his vision that WordPress can become an "app platform," and this is an example of what that meant to him.
He also notes how he's always looking for things that will "move the needle" for greater WordPress adoption. We were both thinking about the same statistic: that roughly 96% of WordPress.com users (and probably a high number of WordPress.org users too) essentially abandon their websites after a short tenure. So anything that can increase that number, to say 8% or 15% of folks that stick with it long term, can make a huge difference.
How do you think about investing in feature development for WordPress.com, and how it affects WordPress as well?
When Matt considers where he wants to invest Automattic developer and designer time, he says he thinks of WordPress as a whole first, before considering specifics for WordPress.com. He'd rather see WordPress.com as a gateway to a self-hosted install. And whether someone stays on .com or moves to a self-hosted install, he wants to help ensure that their problems are solved.
It's new to me, but Matt says he's been saying it for years, that he calls WordPress websites "WordPresses," after a long time internal debate about whether to call WordPress.com websites sites or blogs.
WordPress.com as a network versus a platform
The new homepage for logged in users, or users in the WordPress.com app, defaults to the Reader view of the interface, versus the writing view. This intrigued me, as I don't personally think of WordPress.com as a read-first ecosystem, but rather a place to write. I think more of Tumblr or Medium when I think of a destination for reading, where I may also write.
Matt and I talked about the merits of WordPress as a network versus a platform. He thinks it can be both. And I think this touches on one of the big goals for Calypso that we haven't discussed yet: to make WordPress a better network.
To me, WordPress.com is a platform, but WordPress (both .com and Jetpack enabled sites) are ripe to be a hugely successful network, through the huge number of websites and independent publishers that are interconnected via WordPress.com.
There is more evidence that this is a goal for them too, with the launch of Discover WordPress along with the release of the new interface. Discover WordPress is a project by the editorial team to surface the best writing across WordPress.com and Jetpack enabled websites.
Furthermore, beyond the human curated content, much could be done in the future algorithmically. We didn't get as much into this stuff as I would've liked, but I think it's an enormous growth area for Automattic.
Open sourcing Calypso
The Calypso project code is fully open source, and is a top trending project on Github right now. There are few requirements to run the code locally, so you can pretty quickly get a working web view.
How can the community anticipate the future, with more abstracted implementations of WordPress?
As WordPress projects continue to use REST APIs to create fully custom frontends, backends, and inbetweens, I was curious what Matt thinks the community can do to anticipate and educate users on how to deal with these scenarios, that may fragment WordPress and be confusing for people who expect WordPress plugins and code to interact well with one another.
He doesn't think it's too much of a problem, but says it's important that we experiment and learn from our experiments; he was hesitant to call the potential for confusion fragmentation as much as experimentation. Either way, I do think education and documentation will be important as other folks continue to use parts of WordPress to make impressive things, without supporting every specific thing that can also run on WordPress.
An example of this is the WordPress.com app itself. You can manage Jetpack enabled sites through it, but that doesn't mean you get everything in the editor you'd get with a WordPress.org site, like custom fields and other plugin functionality that the desktop app doesn't support.
What is Automattic's differentiating factor?
I wanted to know what Automattic's differentiating factor is, in Matt's mind. He defaulted, I guess unsurprisingly, to "everything," but as I pushed him a little further, he dug a bit more into some of the things that make Automattic interesting.
From a self-hosted perspective, WordPress.com integrated tools like Stats, VaultPress, and Akismet are difficult to match with other tools.
For WordPress.com, he thinks the potential power of the Reader and network can be compelling. I agree there that the diversity of the WordPress.com and Jetpack author audience could make for a compelling Reading product, that has more potential than I see right now in a competitor like Medium, which is quite tech heavy.
Matt says, "We've built up a lot of trust in the community, and that goodwill definitely pays back." Part of what makes it hard to identify Automattic's specific differentiator is that they do a lot of things. Matt acknowledged this, but counters by saying that they work hard on user experience and being a good community citizen.
How have teams changed at Automattic over time?
Automattic scales by splitting teams when they get too big. Today, there are 46 teams. Some of those teams are embedded in larger teams and have some hierarchy, but the company is still quite flat for a company of 400 people.
The rule of thumb Matt wants to maintain is that someone should have no more than 10 people that report directly to them, though he has around 23.
According to the standards of the tech world, Automattic's scale in terms of the number of employees may be somewhat ordinary, but they have still had massive and consistent change over the decade of the company's existence. And they are hiring as fast as they can to this day.
The challenge of customizing WordPress sites
A couple of years ago, someone from Automattic told me how concerned they were about the WordPress customizer's ability to scale, both for use on mobile devices, and as a utility that could manage a lot of features. And I wanted to know how Matt thinks that has evolved, now that the customizer is in such significant use on both WordPress.com and for self-hosted websites.
As he notes, the customizer has undergone a lot of positive iteration over the last several releases, and today the WordPress.com and WordPress.org customizers are using the same base code; whereas for a while WordPress.com had their own custom implementation.
But he still says that, "If we're candid with ourselves, … customization is still the worst part of WordPress, you know? It's the hardest. It's where people get stuck. It's where there's a real gap between the promise and what people are able to realize and create when they get started using WordPress."
It's not as much a problem with the use of themes, or if you can code, but for new users, "it's their biggest struggle."
One idea that I have is to have a more Medium-like interface be the "default" view, versus a changing default theme. That way, WordPress.com could be more opinionated about the default view, and change the theme at will, or along with trends, versus giving new users the default theme of a particular year and then that theme is untouched unless the user decides to switch.
Matt said they have that a bit on the Reader view, but that is what someone in the WordPress.com network would see, versus what an outside website visitor would see.
Anyway, there are definitely challenges ahead for enabling customizations and, more importantly, just ensuring sites look good for users. I think that this is an area where other platforms - like Medium and Squarespace, though in different ways - are doing a good job.
The first line of the Automattic creed
Additionally to the natural desires that Automattic employees should have to learn, they created internal resources for helping people, and are considering releasing some of that material, maybe in the form of webinars or an online conference.
Matt said Automatticians will also be sharing what they learn at other conferences, like the upcoming A Day of REST, where two Automatticians will be speaking.
Did you know all Automattic properties are on Hacker One, the bug bounty community? If you find a security bug, you can get a bounty if you report it. I didn't know this until the Calypso launch.
How is Automattic thinking about revenue?
With my napkin math and a few small things I know about Automattic, I'd guesstimate they are somewhere in the neighborhood of $100 million in annual revenue. I didn't even attempt to get confirmation of this, because I know they don't reveal this kind of information. So instead I wanted to get more insights of how Matt thinks about revenue at Automattic.
Generally, he says they put their focus in, "three main buckets." They use that focus both for revenue purposes and product purposes. Those areas are WordPress.com, Jetpack, and WooCommerce.
They group things like VaultPress and Akismet under Jetpack; so it's basically their WordPress.org SaaS revenue stream. Those are paid subscription products. They have been transitioning that offering, as Matt shared, "a big trend over the past few years, has been to move away from a la carte upgrades, and have more bundles."
They've discovered that bundled plans of $100 per year and $300 per year have been successful. Here are those plans, for both WordPress.com and WordPress.org, as shown in the new WordPress.com/Calypso interface:
It appears they get most of their revenue from this stream. I do know, and have previously reported, that at least at one point, WordPress.com VIP accounted for upwards of 25% of overall revenue, and though that gross number has gone up over the years, its percentage of overall revenue has gone down, meaning that these paid plans have outpaced VIP, growth-wise. I'd guess VIP revenue is now less than half of that 25% number now, but can't confirm it.
Total sites, versus engagement
There are a lot of WordPress.com websites, but as Matt noted, it's a vanity metric due to the fact that such a small percentage are active, engaged users. So they are trying more to track engagement versus total sites.
I tried to get him to share the number of active websites, but that's not something he could share.
Helping site owners monetize, and WooCommerce integration to WordPress.com
I talked about the roadmap some, and asked Matt about what they may offer in the future to help authors monetize their sites. They currently have a WordAds program, but that is a pageview driven strategy, and I'd love to see them introduce a way for authors to get paid via a tip jar, private paid posts, or subscription system like I've heard Medium is investigating. It's not on their current roadmap, but he says he'd be open to it.
He also noted that since WooCommerce is now "part of the family," that there may be future monetization opportunities through that, though he said they don't have current plans for a hosted version of WooCommerce on WordPress.com. I was honestly pretty surprised by this:
In the beginning, our focus is really going to be on people hosting their stores, you know, with web hosts. Because, part of the beauty of why WooCommerce is so popular is the flexibility, and I don't think the usability is there - yet - to be competitive with, like, a Shopify, or a BigCommerce. So, it's just a lot of work to do there.
Matt said he thinks of WooCommerce as how WordPress was around version 1.5. He called it, "very early days", in that people are using it and see the potential, but says, "there's just so much to work on and improve to make it accessible to a wider audience."
He says the Woo team is now 63 people, and a number of Automatticians are doing "Wootations," or rotations with the Woo team.
What to expect next in the new WordPress.com interface
They are still working on a lot of things for the new interface. There are certain things that aren't there yet. For instance, showing and hiding your sites you are personally attached to still requires the regular admin. I actually experienced this myself. Some parts of the interface are pretty circular and confusing.
But they plan to do more going forward; their values on the project state that, "we are here for the long haul." They want to see what there is demand for, and what other people do with the open source nature of the project.
Matt also noted that he'd like to "loop back" to content blocks (code named CEUX) - the project that stalled last year. And he's like to see what can be done around collaboration, editing, and the suggestion process.
Power and ease of use
One of the biggest challenges for WordPress is to continue to get easier to use, as other avenues for sharing information have gotten easier and easier, while continuing to enable powerful, feature rich implementations of WordPress.
Matt thinks this balance is important, and that we must continue to improve in both directions to continue WordPress's growth.
I really enjoyed my first audio interview with Matt. He says we can expect more announcements around WordCamp US, which starts next week.
The Calypso project is a fascinating one, and it's a great example of what we should continue to expect: powerful, catered tools that run on a RESTful API. They aren't always going to be tools for use everywhere, but we can expect to continue to see WordPress used in innovative ways, and be an exceptional platform for all kinds of applications.
And finally, at the end of the interview, I pitched Matt on one of my most harebrained ideas. The naming conflict between WordPress.com and WordPress was really bad with this project, as nearly everyone not deeply embedded within the WordPress world got it wrong, and conflated Automattic's WordPress.com with WordPress the software.
And I think Jetpack's brand has really blossomed. I think there is an argument to be made that Automattic could change the name of WordPress.com to Jetpack, and both Automattic and WordPress would win from the change. It wouldn't be easy, but all I asked from him, is whether he'd read my post if I wrote one to give the pitch. He said he would, so expect that sometime soon.
Thanks to Matt for the interview, and thanks to Mark Armstrong for helping me get going with the new WordPress.com app and arranging the interview.
25 Nov 2015 7:13pm GMT
Earlier this year, the WordPress plugin directory was redesigned. As part of the redesign, download counts were replaced with the number of Active Installs to reflect more accurate data. The WordPress theme directory has finally followed suit by replacing download counts with the number of Active Installs.
As you can see from the above screenshot, the Twenty Fifteen default theme included in WordPress 4.1, 4.2, and 4.3, is active on more than one million sites. Active themes are those that are activated and in use on a site. Themes that are installed and not activated are not counted, neither are child themes.
In the Themereview Slack Channel, Tom Usborne explains why active installs for child themes should be counted.
I think an argument for child themes to be included in the active installs count can be made. For example, we offer a completely blank child theme for our customers so they can make CSS and PHP adjustments. This means our install count isn't accurate on w.org, even though those people are using the theme actively.
Dion Hulse, WordPress lead developer, agrees that child themes should be counted but the team doesn't have the data yet. Some theme authors are concerned that new themes will have a tough time making it on the popular themes page.
Originally, the popular themes page was determined by the number of downloads over the previous week, which led to some authors to try to game the system. Hulse says, "The actual comparison between active installs and the previous week's downloads were very similar, except for a handful of themes that had a lot more downloads than installs."
Hulse plans to experiment with the algorithms to give newer themes a chance, "I'm also looking at ranking popular themes based on the age of the theme and installs, which will help promote some of the newer themes," he said.
Thanks to active install counts for themes, we can see which default WordPress theme is the most popular.
- Twenty Fifteen 1+ Million
- Twenty Fourteen 800K+
- Twenty Twelve 500K+
- Twenty Eleven 500K+
- Twenty Ten 300K+
- Twenty Thirteen 300K+
Download counts are a terrible way to determine a theme or plugin's popularity which is why I support this change. It's more accurate and helps to further level the playing field for authors. Are you a fan of the change and if you're a theme author, what other stats would you like to see?
25 Nov 2015 8:31am GMT
24 Nov 2015
Justin Tadlock, founder of Theme Hybrid, is looking for beta testers for a new plugin aimed at theme developers. The plugin is called Theme Designer and allows authors to manage themes in the WordPress backend. It also displays them on the frontend similar to WordPress.com and WordPress.org's theme pages.
Tadlock has moved beyond using WordPress pages to display and manage themes, "I'm not sure what everyone else is doing, but I've been building and tweaking a custom solution for a number of years. I've just never packaged it up and made it useful for others," he said.
Under the hood, it uses a custom post type, taxonomies, custom metadata, and a number of hooks. Theme Designer can pull data from the WordPress.org theme directory API and store it on your site. There's also a built-in feature set for adding custom meta fields to the edit theme screen.
In addition to managing themes, Tadlock plans to create add-ons and integrate Theme Designer with other plugins. He's already created an add-on for Easy Digital Downloads and it's possible he'll create one for WooCommerce.
Tadlock's First Commercial Plugin
During the beta testing period, Theme Designer will be free of charge. When the beta is complete, Tadlock will charge for access making it his first major commercial plugin. Theme Designer will come in two flavors, a supported and non-supported version.
The supported version gives customers a developer level membership to Theme Hybrid which is currently $35 a year. The non-supported version contains the plugin only. Both versions will have free lifetime updates.
To participate in the beta testing process, grab the free plugin from GitHub. Pull requests and reporting issues are welcomed. It's important to note that Theme Designer is only compatible with WordPress 4.4 and is a work in progress so it should not be used on a live site.
24 Nov 2015 10:26pm GMT
Stanko Metodiev, project manager for Devrix, shares his experience contributing a patch to WordPress core for the first time. While browsing Trac, Metodiev discovered a bug report with the menu customizer.
Although a patch was already attached to the ticket, it didn't work, "The change didn't fix the issue for me, so I submitted a new patch to adjust the size by a few more pixels," Metodiev said.
The change was merged into core by WordPress lead developer, Helen Hou-Sandí.
It's a small change but as I learned from my experience contributing to core, every merged patch is important no matter how small it is. Metodiev offers the following advice to new contributors, "Don't be scared and don't be shy. The core team is hospitable, especially for first timers and they will give guidance and advice if needed, so feel free to contribute patches!"
Since his experience with WordPress 4.3, Metodiev continues to contribute to core and has seven merged patches in WordPress 4.4. If you're thinking about contributing patches to core but don't know where to start, I highly encourage you to read the Core Contributor Handbook. In it you'll find best practices, testing techniques, and how to submit patches to Trac.
24 Nov 2015 8:55pm GMT
The reaction to yesterday's Calypso announcement has really blown me away.Here's a tiny selection of of the coverage, analysis, and reactions to Calypso and the new WordPress.com:
"…I am personally extremely excited about this. Not only because the new UI is really nice and pleasant to use but also because this finally shows the modern side of WordPress, or at least starts to…" VersionPress
- Craig Mod (@craigmod) November 24, 2015
"What I love most about the whole project is the lessons it has for everyone regarding innovation." Chris Lema
"So why did Automattic, the company behind WordPress.com, go through this painful rewriting process? WordPress.com now feels and works like a modern web app. It's back in the game against newcomers, such as Medium." TechCrunch
"Calypso looks like a huge leap forward for a project that seemed to stagnate for many years." The Next Web
"Clean, responsive, faster than ever… WordPress is such a great success story. I'm very happy I chose to use it over six years ago." Mac Stories
- ? Chris Messina ? (@chrismessina) November 23, 2015
"Calypso is a great example of what's possible with the WordPress REST API." WP Tavern
"I think the new WordPress.com editor, and the corresponding WordPress.com app, are a great improvement to the writing experience… [T]he investment they've made is a smart one." Post Status
- Owen Williams (@ow) November 23, 2015
"… the fastest and most streamlined WordPress experience so far." 9 to 5 Mac
- Mikeal Rogers (@mikeal) November 24, 2015
So far, we've seen articles in French, Indonesian, German, Spanish, and Russian. Calypso is a trending repo on GitHub. The news was on top of TechMeme, and voted to the top of Product Hunt, and even Hacker News.
One of my favorite takes was from Om Malik, in "Some Thoughts on the New WordPress.com and Mac App":
I view the shift to this newer, more flexible model as a way for WordPress.com to adapt to become a growing part of the open web. Blogging has always been mistaken for its containers, tools, the length of the posts or just a replacement for the rapid-fire publishing of old-fashioned news. In reality, blogging is essentially a philosophy built on the ethos of sharing.
Today sharing on the internet is a major social behavior: We share photos, links, videos, thoughts, opinions, news. Except instead of sharing on a blog, we do the sharing in increasingly proprietary and corporate silos: Instagram, Facebook, YouTube, Twitter, Periscope and LinkedIn. You see, the blogging ethos is alive and well. However, the old blogging tools have to embrace change.
At the end of the day, it's not about technology for technology's sake, it's about technology at the service of human voices. Embracing change to support the free, open web where everyone has a voice.
Finally, it was a weird coincidence we didn't even notice, but the Calypso announcement was ten years to the day after we opened up WordPress.com.
24 Nov 2015 7:42pm GMT
23 Nov 2015
In the last two years, Automattic has made significant improvements to WordPress.com and Jetpack. From managing plugins, themes, and other updates to New Dash and a revamped post editor. The individual changes represent iteration but when seen as a whole, show off an entirely new WordPress.com.
Automattic has announced that the improvements its made in the last two years are part of an internal project named Calypso. The company also released a WordPress.com desktop application for the Mac and open sourced the code on GitHub.
My Experience with Calypso
Over the weekend, I tested the application on my Macbook Pro. I initially thought it was inconsistent as there were many instances where a button opened a browser and took me outside the app. However, Calypso has gone through a number of updates and most of the inconsistencies have disappeared.
Most of what you're able to accomplish in the WordPress backend you can do in the app including, editing posts, creating drafts, and moderating comments.
Although there is the occasional Beep….Beep….Boop, the application is fast. Some of the pages within the app feel like they load faster than their browser counterparts. Some things still require action from within a browser such as applying updates. This doesn't make sense considering the Jetpack Manage module is enabled.
When managing themes, I noticed at least two of the them don't include the white bottom bar making the titles difficult to read. Also, the details link loads a browser window to the backend of the site I'm managing. It feels like an interruption instead of a seamless experience. There should be no reason to load a browser window except for previewing a post.
If you're familiar with or use the WordPress.com post editor, the editor in Calypso is pretty much the same.
For years I've written posts with meta boxes on the right and getting used to them on the left will take a while. The editor has most of the features available in WordPress. For example, oEmbed support which many other third-party WordPress apps don't have.
When the application is in full-screen mode, it looks great and blocks out distractions. In the most recent update however, the Preview button acts like a Save button and doesn't show a preview of the post. This is likely a bug and will be fixed in a later version.
Overall, it's convenient to have access to most of WordPress' features without interacting with a browser. For those who use a Mac, I can easily see Calypso being the preferred way to interact and manage WordPress sites.
As Matt Mullenweg mentions in his post, there's still a lot of work left to do, "This is a beginning, not an ending. (1.0 is the loneliest.) Better things are yet to come, as all of you dig in." Calypso is available for free but you'll need a WordPress.com account which is also free.
If you own a Mac and test drive Calypso, please share your experience with us in the comments.
23 Nov 2015 6:01pm GMT
Today, Automattic released their official WordPress.com Mac app, that was codenamed Calypso during development, that allows users to manage both WordPress.com and Jetpack enabled websites using a desktop interface. The code behind the app is also the foundation for a new version of the WordPress.com browser editor.
Here's a quick video walkthrough:
The new WordPress.com app development occurred over the course of at least 18 months, according to the press release, with input from more than 140 Automatticians. Andy Peatling, who has been at Automattic since 2008, was the project lead.
If you could rebuild the admin from scratch
Matt Mullenweg said that Automattic wanted to completely rethink the WordPress admin experience, without the burden of backward compatibility that WordPress core must hold sacred:
What would we build if we were starting from scratch today, knowing all we've learned over the past 13 years of building WordPress? At the beginning of last year, we decided to start experimenting and see.
Calypso was an ambitious project. Not only does it bring the WordPress editing and publishing experience to a Mac app, but pretty much the entire WordPress.com admin experience is now available on the desktop, from stats to theme shopping.
While the app is definitely geared toward the experience one would expect on a WordPress.com website, you can also manage Jetpack enabled websites with it. The Jetpack Manage feature must be enabled for it to work, and I admit I struggled to get it to function with my own (personal) website. However, I'm sure it'll get any kinks worked out, and anyone looking for basic website management, but are on WordPress.org, may enjoy the experience.
Open sourcing WordPress.com
The most important part of the announcement is that Automattic is open sourcing Calypso and the many APIs that help drive it.
I'm really glad they chose to open source it. I agree with Matt that both the app and the broader community will benefit from the decision; though I don't doubt it may have been a tough sell to investors.
I also agree with Ben Thompson (a former Automattician, by chance), who once said that proprietary software itself isn't necessarily what makes a company successful, but rather, "companies that are built on software but differentiated by a difficult-to-replicate complement to said software."
In Automattic's case, open sourcing the techniques to build the app isn't giving away what is most valuable. What is most valuable to them is what they gain from the open source nature of the software, that will allow them to improve the experience for their vast WordPress.com user base.
Calypso is a good step forward for WordPress.com
I've worried for a while now that Automattic may be letting their audience slip, by falling behind the ease of use of other tools, like Medium. I think the new WordPress.com editor, and the corresponding WordPress.com app, are a great improvement to the writing experience, and I think that the investment they've made is a smart one.
I'll be digging more into the code and developer components of the new APIs and the Mac app soon. I didn't have access to that data prior to launch.
The new app is available for download from WordPress.com now, or you can of course test drive the browser version directly on WordPress.com. You can also see the developer features, code on Github, the backstory from Andy Peatling, and see both WordPress.com's announcement, as well as Matt's.
23 Nov 2015 5:06pm GMT
One of the hardest things to do in technology is disrupt yourself.
But we're trying our darndest, and have some cool news to introduce today. When I took on the responsibility of CEO of Automattic January of last year, we faced two huge problems: our growth was constrained by lack of capital, and the technological foundations of the past decade weren't strong enough for the demands of next one.
The first has a relatively straightforward answer. We found some fantastic partners, agreed on a fair price, issued new equity in the company to raise $160M, and started investing in areas we felt were high potential, like this year's WooCommerce acquisition. This "war chest" gives us a huge array of options, especially given our fairly flat burn rate - we don't need to raise money again to keep the company going, and any capital we raise in the future will be purely discretionary. (Since last May when the round happened we've only spent $3M of the investment on opex.)
The second is much harder to address. The WordPress codebase is actually incredible in many ways - the result of many thousands of people collaborating over 13 years - but some of WordPress' greatest strengths were also holding it back.
The WordPress codebase contains a sea of institutional knowledge and countless bug fixes. It handles hundreds of edge cases. Integrates constant security improvements. Is coded to scale. Development moves at a fast clip, with six major releases over the past two years and more around the corner. Its power and flexibility is undeniable: WordPress just passed a huge milestone, and now powers 25% of the web. You can run it on a $5-a-month web host, or scale it up to serve billions of pageviews on one of the largest sites on the web, WordPress.com.
The basic paradigms of wp-admin are largely the same as they were five years ago. Working within them had become limiting. The time seemed ripe for something new, something big… but if you're going to break back compat, it needs to be for a really good reason. A 20x improvement, not a 2x. Most open source projects fade away rather than make evolutionary jumps.
So we asked ourselves a big question. What would we build if we were starting from scratch today, knowing all we've learned over the past 13 years of building WordPress? At the beginning of last year, we decided to start experimenting and see.
Today we're announcing something brand new, a new approach to WordPress, and open sourcing the code behind it. The project, codenamed Calypso, is the culmination of more than 20 months of work by dozens of the most talented engineers and designers I've had the pleasure of working with (127 contributors with over 26,000 commits!).
- Incredibly fast. It'll charm you.
- 100% API-powered. Those APIs are open, and now available to every developer in the world.
- A great place to read, allowing you to follow sites across the web (even if they're not using WordPress).
- Social, with stats, likes, and notifications baked in.
- Fully responsive. Make it small and put it in your sidebar, or go full-screen.
- Really fun to write in, especially the drag-and-drop image uploads.
- Fully multi-site for advanced users, so you can manage hundreds of WordPresses from one place.
- Able to manage plugins and themes on Jetpack sites, including auto-upgrading them!
- 100% open source, with all future development happening in the open.
- Available for anyone to adapt to make their own, including building custom interfaces, distributions, or working with web services besides WordPress.com.
This is a beginning, not an ending. (1.0 is the loneliest.) Better things are yet to come, as all of you dig in. Check out these links to read more about Calypso from different perpsectives:
- Download the Mac desktop app, or sign up to be notified about Windows or Linux.
- Learn about Calypso from the developer's point of view.
- See the user announcement on WordPress.com.
- Browse the GitHub repository.
- Hear about the backstory from Calypso's lead, Andy Peatling.
This was a huge bet, incredibly risky, and difficult to execute, but it paid off. Like any disruption it is uncomfortable, and I'm sure will be controversial in some circles. What the team has accomplished in such a short time is amazing, and I'm incredibly proud of everyone who has contributed and will contribute in the future. This is the most exciting project I've been involved with in my career.
With core WordPress on the server and Calypso as a client I think we have a good chance to bring another 25% of the web onto open source, making the web a more open place, and people's lives more free.
If you're curious more about the before and after, what's changed, here's a chart:
23 Nov 2015 5:01pm GMT
20 Nov 2015
Luca Fracassi, founder of Addendio, an alternative search engine for the WordPress plugin and theme directories published an in-depth look at the WordPress plugin directory. The post includes data that shows the number of plugins added to the directory per year, what year the plugins were last updated, and other metrics.
My favorite data point is the number of plugins approved per year. Based on this data, it looks like it's going to be another record year for the directory. The five active team members including, Mika Epstein, Pippin Williamson, and Samuel Wood have their work cut out for them.
According to the data, about 22K plugins have been updated in the last 24 months representing a little more than half the directory. This means that approximately half of the plugins in the directory are displaying a notice that the plugin hasn't been updated in two years.
Fracassi says that based on the data, "Two out of ten plugins are updated after three years. If you pick a free plugin that is released today, there's a 80-90% chance that in three years time you won't have any more updates."
There are a number of possibilities as to why a plugin doesn't get updated for two years or more.
- The developer burns out or moves on.
- The plugin doesn't need an update.
- Lack of donations.
- Support is too much of a burden.
- No time.
The data doesn't spell doom and gloom for users but it clearly shows that many plugins within the directory don't have a long shelf life. I encourage you to read Fracassi's post and review the data he's collected. Also check out our guide on how to choose a WordPress plugin.
20 Nov 2015 7:36pm GMT
Now that the WordPress plugin directory is using language packs, translated plugins will start to show up in international directories. For some plugin banners however, this is a problem. For Right to Left languages, the icons and titles are displayed on the opposite side of the banner.
To fix this issue, plugin directories have implemented Right to Left support for plugin banners. To take advantage of RTL support, create a new banner and add -rtl to the end of the file name. Banner images live in the assets directory.
Here's an example of a plugin banner on the Hebrew directory that has RTL support.
Although RTL banners are active on WordPress.org, they are not available in core. Banners won't display properly but the team is working on adding it in time for a WordPress 4.4.1 release.
20 Nov 2015 5:36pm GMT
In this short and sweet episode of WordPress Weekly, Marcus Couch and I discuss the news of the week including, WordCamp Europe 2016, a credit card scam hitting freelancers, and Envato Sites. We also unmask the anonymous buyer who purchased Aesop Interactive.
Plugins Picked By Marcus:
PayPal Multiple Emails for WooCommerce allows you to set up a second PayPal email address so you can use a different PayPal account to process payments in WooCommerce when a product in a specific product category is added to the customer's shopping cart
WP Video Floater allows you to insert a video to a page and as the user scrolls down, the video is pushed to the bottom-right.
Customize Submit Button for Gravity Forms lets you customize the submit button in Gravity Forms by switching it to a button element and changing its CSS classes
Next Episode: Wednesday, November 25th 9:30 P.M. Eastern
Subscribe To WPWeekly Via Itunes: Click here to subscribe
Subscribe To WPWeekly Via RSS: Click here to subscribe
Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe
Listen To Episode #213:
20 Nov 2015 8:06am GMT
18 Nov 2015
What's the coolest uses and applications built on top of WordPress APIs that you've seen? I'm looking for some examples to highlight in the State of the Word next month.
18 Nov 2015 3:25pm GMT
Out of the box, WordPress allows you to configure the default avatar that displays for commenters that don't have one. The choices leave a lot to be desired. Thanks to a new plugin created by Lee Willis, called Wapuuvatar, you can replace default avatars with images of Wapuu.
If you're not familiar with Wapuu, it's the official, GPL Licensed mascot of the WordPress project. Throughout the year, a number of WordCamps and local communities across the world have created local versions of the character. In fact, the Tavern has its own Wapuu.
The plugin has two settings. You can either replace the default avatar with random Wapuus or replace all Gravatars with Wapuu. Wapuuavatar uses a library of images from the official Wapuu GitHub repository and art work created by Michelle Schulp. Here's how it looks in action on WP Tavern.
Wapuuavatar is an easy way to replace boring avatars with works of art. The plugin works without issue on WordPress 4.4 beta 4 and is available for free on WordPress.org.
18 Nov 2015 2:24am GMT
17 Nov 2015
Within the last few weeks, we've received emails from readers wanting to know why it's taking so long for new themes to be reviewed on WordPress.org. Some theme authors are having to wait two months or more for their first review.
Ashley Evans submitted her theme in June and she's yet to complete the review process. Throughout that time period, both Evans and the reviewer experienced delays in responding to each other. A few months into the review, the reviewer disappeared and Evans was assigned a new reviewer two days ago.
Understandably, the experience has discouraged Evan's from submitting anymore themes to the directory:
Back in August, I said, 'Screw it' and released the theme as a free download on my blog. This process has basically made me vow to stick to adding plugins to the repo and stop adding any more themes.
I'm not blaming the theme review team since I can only imagine how much stuff they have to wade through. It's just sad that the process has discouraged me from ever doing it again.
The System is Broken
Members of the WordPress Theme Review team agree that the system is broken. In June, the team published its suggested roadmap to improve multiple facets of the review process. One of the items on the list to help cut down the review queue is the auto-approval of theme updates. However, the team is still hard at work trying to code and implement changes to improve the system.
Help Them Help You
One of the items high on the team's to-do list is to put more effort towards education. In order to do that, Justin Tadlock says the team has to free up resources, "We need to free up our biggest resources, which are the team members themselves. However, we can't free up those people when they're spending 100% of their time doing reviews."
The most important thing theme authors can do to speed up the review process is to check that your theme meets the Theme Review Requirements. According to Tadlock, "The majority of themes submitted don't follow the guidelines which considerably slows down the process. Themes will often have 20-30 issues or more. If we can get to a point to where the majority of submissions only have a few minor issues, we really wouldn't have a queue."
Theme authors who test their themes against Theme Unit Test Data and the Theme Check Plugin substantially improve the system for everyone. What the team needs most is help. Tadlock offers three ways contributors can get involved to improve the situation.
- Doing reviews.
- Tackling Meta Trac tickets related to the theme directory.
- Writing tutorials.
Tadlock isn't sure how to get theme authors to raise the quality of their themes before the initial review, "That's the sort of feedback I want to see from fellow theme authors. What do we need to do to help them get their themes ready before submission?"
How to Get Involved
The team is always in need of more theme reviewers. Reviewing themes is a great way to learn theme development and what not to do. If you're interested in reviewing themes, read the following document from the Theme Review Handbook. It explains how to set up a testing environment with an example of a testing workflow.
Exercising patience is a difficult thing to do if you've already waited eight weeks or more for the first review. However, fixing the system is going to take time. If you want to know about the status of your theme and it has an assigned reviewer, you should ask for a status update within the ticket. If your theme doesn't have an assigned reviewer, you can ask about its status in the Theme Review Team Slack channel with a link to the theme.
17 Nov 2015 5:20pm GMT
Imperva, an international cyber security company founded in 2002, published its 2015 web application attack report. The report includes a thorough analysis of attack data obtained through its WAF or Web Application Firewall.
In the report, Imperva's application defense center group analyzed 297,954 attacks and 22,850,023 alerts on 198 of the applications it protects behind its WAF. The data is from January 1st, 2015 - June 30th, 2015 and provides a solid overview of the number and types of attacks web applications are experiencing.
The report covers a lot of ground but for the purpose of this site, I'm focusing on WordPress.
Automated tools recorded the web applications' traffic and malicious events were documented in log files. Imperva's application defense center group analyzed the data using special-purpose software and its knowledge base.
You can find more information that explains how the data was analyzed on page seven of the report.
WordPress Is the Most Attacked CMS Application
Out of the 198 applications protected, Imperva identified 55 that are CMS-based, 20 WordPress applications, 11 Drupal, and 24 that are based on 11 other CMS frameworks.
According to the report, CMS applications suffered an average of three times more attacks than non-CMS applications. WordPress applications suffered from 3,497 attacks in the reported period which is 250% more than non-CMS Applications. Note from the above image that spam attacks against WordPress outnumber all other types of attacks.
Imperva says the attraction to CMS applications, especially WordPress is not new.
CMS frameworks have an open nature, with open developer communities that generate a never-ending sequence of plug-ins and add-ons, with varying levels of security. This situation has led to corresponding never-ending flow of CMS vulnerabilities, with WordPress as the leading CMS taking the lead also in the amount of published attacks.
Furthermore, the fact that WordPress and other CMS applications resemble each other facilitates automated scanning attacks that work effectively on all applications of this type with only minimal adjustments.
Varying levels of security in plugins have led to many vulnerabilities making WordPress the leader in the amount of published attacks.
Proportions of Attacks
Taking spam attacks out of the equation, the most popular attack type against WordPress applications is (RCE) Remote Command Execution with (RFI) Remote File Inclusion taking second place.
- Remote Command Execution (RCE) is an attack that allows the attacker to execute operating system commands in a system shell. The attack exploits applications that suffer from insufficient input validation in conjunction with passing this input to a system shell. The attacker's payload is executed with the same privileges of the vulnerable application and can lead to full compromise of the server.
Even though the other monitored CMS applications are written in PHP, RFI attacks on WordPress are significantly higher than all other applications. Imperva offers one possible explanation:
Attackers don't target a specific application, but start with scanning the Internet for vulnerable applications. A Low Hanging Fruit approach that is simple and effective for the detection of potential RFI targets, would be to run a WordPress test and mount an RFI attack in case of success.
The report goes on to show geographic attack trends, PHP vs non-PHP attack incidents, traffic volume, case studies, and more.
No Need to Panic
Even though it's only six months of data, the results don't surprise me. WordPress is used on a quarter of the top 10 million websites ranked by Alexa so of course its going to be the most attacked CMS.
The data in the report reinforces my belief that every public site online is likely being scanned or attacked multiple times a day. Unless you're using a service or plugin that logs these types of attacks, its hard to know how popular of a target a site is.
If you're aware of a plugin or service that provides a user-friendly interface that shows and explains the attacks it's protecting against a site, please send me a link in the comments.
Basic Security Principles
It's imperative that you use a strong password and two-factor authentication. Consider using a service like Clef that allows you to login to WordPress without a password. I also highly encourage you to read the WordPress security whitepaper to learn how WordPress protects itself against common attacks mentioned in Imperva's report and how to responsibly disclose a WordPress security vulnerability.
17 Nov 2015 2:11am GMT
16 Nov 2015
If you're running or opening a new WordPress business, you should read Adam Soucie's warning on the dangers of accepting credit cards. Soucie, a WordPress Developer based in Orlando, Florida describes what happened after working with a client that claimed to be hearing disabled.
Soucie went through the usual process of sending over a contract, bringing in a designer, discussing scope, and sending over an invoice. The client then claimed to be in the hospital and requested help to pay for one of the contractors involved in the project because he didn't accept credit cards. According to Soucie, this should have been the red flag:
But I ignored it because I've also been a trusting person who is sympathetic to people with disabilities. Plus I figured I had proof of everything, so I'd be protected. I was so wrong.
To make a long story short, the 'client' was paying with stolen credit cards and the other contractor was in on the scam. I discovered the scam when they started getting pushy about the contractor receiving his payments. When leaving to make the final payment, I got a call from the person whose credit card info was stolen. I reached out to my 'client' and she had disappeared.
As the merchant, Soucie was liable for the transaction. After not receiving help from the FBI Cyber Crimes division and the credit card companies, QuickBooks, Soucie's payment processor, went after him for the total amount of $10,000. He was able to get the amount slightly reduced after working with QuickBooks. What looked like an awesome project quickly turned into a nightmare.
I highly encourage you to read his article as it includes tips to protect yourself and why you shouldn't be too trusting. What advice do you have for freelancers who accept credit card payments? What signs should freelancers look for to avoid fraudulent scams like this one?
16 Nov 2015 6:26pm GMT