WP Career Summit Opens Registration, Calls for Speakers and Sponsors

WP Career Summit is a new event hosted by the Post Status community that will take place on April 8, 2022. The summit is the first of its kind in the WordPress space – an event entirely focused on job seekers and employers.

Attendees will have the opportunity to network with each other, check out job postings, visit live virtual sponsor tables, and connect with companies that are actively hiring.

“Back in 2020 I saw companies posting jobs and I saw friends posting a need for jobs, and I thought we needed to find a way to match those people with companies,” WP Career Summit organizer Michelle Frechette said. “So I built wpcareerpages.com and started tweeting a job thread every Wednesday.”

After a while of regularly tweeting the Wednesday job thread, Frechette found that it started to take off. Depending on the week, her threads would get anywhere from 2k-18k impressions.

“Clearly, there is a need,” she said. “I’ve had people tell me they’ve found their new job through those tweets. As a result of that project and conversations with Allie Nimmons around underrepresentation, underrepresentedintech.com was born, and projects and people started getting paired up through that site.”

Frechette said when she first joined the team at Post Status, she was tasked with writing about underrepresentation and job-related content, topics for which she has a passion. She pitched the idea of a career conference to Cory Miller, the club’s new owner, and he loved it.

“My hope is that this summit is the start of even bigger conversations in the WordPress community about connecting talent with opportunity, especially for those graduating from training and education and starting their careers,” Frechette said. “If we can get younger talent into WordPress, in my opinion, we should see even more growth in our ecosystem.”

The call for speakers and sponsors is now open. Jonathan Wold is managing the sponsorship aspect of the event, and Post Status has hired Dan Maby from Big Orange Heart to run the tech part of the conference using the platform he developed and uses for WordFest.

Organizers are looking for speakers who are particularly adept at job hunting or who are knowledgeable about how to recruit and hire talent. Selected speakers will share their expertise in 30-minute recorded presentations and will receive a $200 stipend for participating. WP Career Summit will be a virtual event but will have 15 minutes of live Q&A time immediately following each session.

Registration is now open and is free, thanks to the event’s sponsors. Attendees will be emailed information about how to log in and participate closer to the event.

WordPress 5.9 to Introduce New API for Locking Blocks

The advent of block themes delivers more creative power into the hands of users, but there are times when theme authors may want to lock down key elements of a design and its designated content areas. The upcoming WordPress 5.9 release will include a new API for locking blocks, first introduced in Gutenberg 11.6.

Template level locking has been available in Gutenberg for a few years, allowing developers to lock the template on the UI so that users can’t manipulate the blocks. This new API offers more granular control that can be applied on the block level and override template locking.

“Instead of applying a lock to all inner blocks, you can apply it selectively to individual blocks via the lock attribute,” Marcus Kazmierczak said in the dev note. “The block level locking would supersede the inherited templateLock value. You can choose to lock moving or removing a block.”

One of the primary use cases for locking individual blocks, cited in the ticket proposing the new API, is where one might lock the “post-content” block of a single template so users can’t remove it.

“Another use case that we’re building for is having a Checkout Block with different blocks that act as fundamental steps, we don’t want people to delete or move those steps since they’re fundamental and their order is also important, but we want to allow people to select them, access settings, and insert blocks in between them,” WooCommerce engineer Seghir Nadir said.

Kazmierczak’s dev note demonstrates how developers can lock a specific block in a pattern and explains that block level locking is not inheritable.

“If a block is locked from being removed, its children can still be removed,” Kazmierczak said. “If you want to apply locking on children as well, add templateLock to the inner block component, or templateLock attribute to supporting blocks.”

For more information on the new locking mechanism, check out the Block Editor Handbook and the code examples in the dev note.

WordPress 5.9 to Fix Lazy Loading Performance Regression, Resulting in 30% Faster Page Loads in Some Cases

WordPress sites may soon see a slight performance improvement on page loads, thanks to a fix for a performance regression in the core lazy loading feature. An analysis published in July 2021 showed that lazy loading applied too aggressively can have a negative impact on performance and that it’s better to eagerly load the images within the initial viewport.

WordPress’ default of lazy loading all images was causing slower performance on the Largest Contentful Paint (LCP) metric, which Google defines as “the render time of the largest image or text block visible within the viewport, relative to when the page first started loading.”

Google-sponsored WordPress contributors wrote a fix that avoids lazy-loading images above the fold and thoroughly tested it as part of their efforts to evaluate the impact of various past performance initiatives. The delayed LCP will be fixed in WordPress 5.9.

“This can be improved by skipping addition of loading='lazy' for the first content image or iframe, which in the vast majority of cases will appear within the initial viewport,” Felix Arntz said in the dev note. “WordPress can only make educated guesses around that and not be 100% certain, but an analysis taking into account 50 popular themes showed that the enhancement brought LCP improvements across the board, up to 30% faster page load.” 

In the future, this implementation may be able to drill down further into the block content on the page and eagerly load whatever images the theme identifies as being within the viewport.

“Have you thought about how we could have more precise heuristics going forwards that can take the semantics and structure of blocks into account to get a sense for what is actually deferrable?” Matias Ventura commented on the ticket in process. “For example, an image block or a site logo used in a header template part would be strong indicatives of being above the fold. ‘The first image of the content’ seems instead like a rudimentary measure, that varies a lot depending on preceding layout. With block themes we should have some ahead-of-time awareness of layout which we can use to produce more meaningful instructions.”

Felix Arntz said he already has detecting the header template part on his radar and is willing to refine the implementation as the world of block themes expands.

“The refinement of the lazy-loading implementation should notably improve LCP performance for most sites that rely on it, while not having adverse effects for sites where the default heuristics described above do not apply to,” Arntz said. “That is only a solid starting point though. In the future, specifically with the more semantic content specification that block-based themes will facilitate, we will be able to further fine tune the lazy-loading implementation by using the available block information.”

WordPress Polyglots Team Launches New Monthly Newsletter

WordPress’ Polyglots team has published the first edition of a new monthly newsletter aimed at helping contributors stay informed and engaged with the team’s activities.

WordPress has been translated by volunteers for more than 15 years since version 1.2, with the earliest contributions from the Hindi, French, Japanese, and Norwegian communities. Since that time the Polyglots team has grown to include the work of 55,427 translation contributors. They have also adopted more efficient tools like P2 and Slack to stay connected, but some translators find it difficult to follow the constant stream of posts and meetings.

The monthly newsletter was launched to provide a short-format digest of all the significant happenings and discussions in the translation community. It will include news related to upcoming releases and Polyglots tools, condensed so contributors don’t have to keep a close eye on the team’s P2 blog, Slack channels, or RSS feed.

The first edition features a brief summary of the month-long WordPress Translation Day 2021 event, which brought in 697 new translation contributors. Altogether the contributor teams submitted 518,710 approved translation strings during 22 local and six livestream events.

The majority of people using WordPress are using it with a translation. As of October 2021, 55.36% of WordPress sites are running a translated site. That figure is slowly inching upward as WordPress adoption grows in the non-English speaking world.

Even if you’re not a member of the Polyglots team, this newsletter is a good way to stay up-to-date with the exciting frontier of WordPress translations. Subscribers can sign up to receive monthly Polyglots updates directly via email.

WordPress 5.9 Go/No-Go Update: All Proposed Features Are Moving Forward

The go/no-go deadline for deciding on features for WordPress 5.9 was set for October 12 but the conversation was pushed back two days. Today, the core leadership for this release announced that everything in the previously-proposed scope for 5.9 will be moving forward.

Users can expect block themes, template and template part editing flows, the new default Twenty Twenty-Two block theme, the Styles interface, design tools, the Navigation Block, all manner of UI improvements, and pattern insertion directly from the Pattern Directory. Héctor Prieto, who is assisting with technical project management on the release, emphasized that many of these features are still in progress:

“To note, not all of the above are currently ready, but there is some level of confidence that they can be by the time of 5.9.”

A new WordPress 5.9 Must-Haves project board on GitHub shows a broad overview of the issues contributors are focusing on to get the release ready.

Prieto also published an exhaustive transcript of the meeting. There were no strong objections on specific features moving forward but there seemed to be a general acknowledgment that some features are still in a beta state. Those present at the meeting agreed that some kind of beta label might be advantageous where users could be directed to the Gutenberg plugin for faster updates to features that are still not fully polished.

One particularly challenging feature has been navigation. “I think from my perspective, the thing I was a bit worried about was the navigation menu flows, which I think we did a lot of progress over the last few weeks,” Gutenberg lead engineer Matías Ventura said. “And I think we need to set some good boundaries there.

“There has been a lot of work in also supporting sort of mega menus where you have in your sub-menus, you have images and paragraph any sort of block, which is cool. But there’s also like the 80% of cases where you just have a few links, and we need to ensure that that experience is as best as we can make it. I think we’re in a better place. And I think we’ll get there.”

Beta 1 is expected November 16, and the official release is scheduled for December 14. An early demo of WordPress 5.9 is included in the recording of the meeting.

WooCommerce 5.7.0 Patches Security Issue that Could Potentially Leak Analytics Reports

WooCommerce shipped version 5.7.0 through a forced update for some users earlier this week. The minor release was not billed as a security update but the following day WooCommerce published a post explaining that the plugin was vulnerable to having analytics reports leaked on some hosting configurations:

“On September 21, 2021, our team released a security patch to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available.”

This was technically classified as a broken access control vulnerability, according to WPScan.

WordPress.org pushed an automatic update to affected stores beginning on September 21, for all sites that have not explicitly disabled automatic updates. The WooCommerce team created a patch for 18 versions back to 4.0.0, along with 17 patched versions of the WooCommerce Admin plugin. Those whose filesystem is set to read-only or who are running WooCommerce versions older than 4.0.0 will not have received the automatic update and should proceed to manually update their sites.

WooCommerce recommends users update to the latest version, which is now 5.7.1, or the highest number possible in your release branch. The security announcement post has detailed instructions for how store owners can check to see if their report files may have been downloaded.

More than 5 million WordPress sites use WooCommerce. At the time of publishing, 59.8% are running on version 5.4 or older. Only 12.8% are using the latest 5.7.x release. It’s not possible to see how many sites are still vulnerable, because WordPress.org only displays a breakdown for the major branches users have installed. Some site owners running older versions may still be active in applying security patches but not prepared to update to the latest release.

WooCommerce 5.7.1 was released earlier today after the team received multiple reports of broken sites following the 5.7.0 update. This release includes fixes for regressions and new bugs identified in the previous update.

Automattic Acquires Social Image Generator Plugin, Plans to Integrate with Jetpack

Automattic has acquired the Social Image Generator plugin, a commercial product that automatically creates social share images for WordPress content from a set of fully customizable templates. The plugin launched in February 2021, with a starting price of $39/year but is now closed to new sales. Daniel Post, the plugin’s creator, is joining Automattic to continue developing it as a new addition to Jetpack’s social media tools.

Automattic is always on the prowl for companies that are doing something interesting in the WordPress ecosystem. The Social Image Generator plugin expertly captured a new niche with an interface that feels like a natural part of WordPress and impressed our chief plugin critic, Justin Tadlock, in a recent review.

“Automattic approached me and let me know they were fans of my plugin,” Post said. “And then we started talking to see what it would be like to work together. We were actually introduced by Chris Coyier from CSS-Tricks, who uses both our products.”

The Social Image Generator plugin has always been a commercial-only product, which tends to limit a plugin’s reach within a market that has been so heavily trained on the freemium model. Its acquisition will undoubtedly get it into the hands of more WordPress users.

“I briefly considered building a freemium plugin but I decided to focus on paid licenses to make sure I could provide great support to all users and, frankly, to see how well it would be received compared to a freemium plugin,” Post said.

Current customers will be able to continue using the plugin “without any changes in the near term,” according to the announcement on the Jetpack blog. Those who have strong opinions about the long-term future of the plugin are encouraged to schedule a session with Jetpack Customer Research to open a dialogue.

“I look forward to the future functionality and user experience improvements that will come out of this acquisition,” Jetpack General Manager James Grierson said. “The goal of our social product is to help content creators expand their audience through increased distribution and engagement. Social Image Generator will be a key component of helping us deliver this to our customers.”

I would not be surprised to see this plugin available on one of Jetpack’s paid tiers in the near future, alongside the Publicize module’s other paid features (scheduling social media posts, tracking and viewing sharing history, and re-sharing existing content). Social Image Generator makes WordPress content more engaging on social media, has built-in support for WooCommerce, and can be extended for use with other plugins. It’s a strategic acquisition where Automattic gains an engineer as well as a new way to make Jetpack subscriptions more compelling.

“We are still figuring out our exact approach, but the initial plans are to integrate the Social Image Generator features with the existing Jetpack social tools like Publicize,” Post said. “The ability to see exactly what your social media post will look like before publishing it right from your WordPress site is incredible, and a big reason why I’m so excited about this acquisition.”

Worldwide WordPress Virtual 5K Set for October 1-30, 2021

Automattic is organizing its 2nd annual Worldwide WordPress 5K during the month of October this year. Registration for the race is free and participants will have the opportunity to donate to a charity of their choice, with Automattic matching donations up to $50,000.

Just like the first Worldwide WP 5K that was held in 2015, the race will be virtual. Anyone is welcome to run, walk, bike, or swim the 5K any time between October 1-31. The requirements are fairly loose in that you can use any exercise app to track your run if you want. Participants are also encouraged to share a selfie, a screenshot of your route, and write a blog post that includes the #wwwp5k tag. Automattic will use the hashtag to include pictures on the official race site.

Throughout the pandemic, much of the social running industry has gone online and virtual races have become more common. Although they don’t carry the same energy as in-person races, virtual races help friends keep setting fitness goals and encourage each other through online challenges. Joining in the Worldwide WordPress 5K is a great way to connect with friends around the world for an offline challenge that benefits your health.

There is plenty of time to start training to reach a goal ahead of October and lots of resources available for running your first 5K. If all other motivations fail, maybe Wapuu can get you off the couch. The lack of in-person WordCamps has left some people hankering for new WordPress swag, and the 5K wapuu is ready to deliver. Participants can choose from a wide array of official gear, including hoodies, t-shirts, water bottles, tank tops, pins, socks, and more. Those who prefer not to run but still want to take part in the charitable event can give directly through the donation page.

Google Site Kit Plugin Ships Hot Fix for Critical Error That Caused Broken Websites

Google published an update to its Site Kit plugin for WordPress this afternoon with a hot fix for a critical issue affecting an unknown number of users. Reports of broken websites were popping up on Twitter and in the plugin’s support forum on WordPress.org. Users affected by the issue reported having a critical error on all sites using Site Kit, which forced deactivation of the plugin in recovery mode. In some cases it prevented them from accessing their dashboards.

“On Wednesday, August 11, we identified a fatal error in the Site Kit plugin that could be triggered by other plugins or themes using an unprefixed version of Composer,” Google Site Kit Support Lead Bethany Chobanian Lang said in a pinned post on the support forum.

Version 1.38.1 contains a hot fix for this issue, since it was critical enough to take down users’ websites. The plugin’s maintainers began investigating the issue less than 24 hours ago but are still not sure which plugins trigger the error due to their usage of Composer.

“The reports do not include which specific plugins or themes were causing this, but the error message clearly highlighted the code in Site Kit that was the problem,” Google Developer Relations Engineer Felix Arntz said. “Technically, that problematic code had been in Site Kit since several versions ago (months back), so maybe another plugin/theme recently got updated with new code that exposed the problem.”

After looking at popular plugins, Arntz said he hasn’t been able to find one so far that would have triggered the problem. Given Site Kit’s broad usage, other affected sites are bound to turn up once users realize there is a problem. Google launched the plugin in 2019 and has since amassed more than a million active installations. The majority of the plugin’s user base is running older versions, which may or may not be affected by the current issue.

WordPress.org shows 35.6% of the plugin’s users are on version 1.38.x. The hot fix is not backported for older releases, but users running Site Kit version 1.38 with background updates enabled should automatically receive the fix.

PublishPress Adopts Organize Series Plugin

PublishPress, makers of the PublishPress and PublishPress Blocks plugins, have adopted the Organize Series plugin from Darren Ethier. Organize Series is a 15-year-old plugin for organizing and displaying posts in a series, useful for novel writers, educators, magazine sites, and anyone breaking their longer content up into a series.

PublishPress is also adopting seven extensions for the plugin that add features like custom post type support, shortcodes, the ability to add a post to multiple series, bulk publishing, and more.

Ethier, who works as an engineer at Automattic, said he began losing interest in maintaining the plugin and knew it was time to search for a new owner.

“Most of you have noticed that I haven’t been actively contributing to Organize Series or its extensions for some time now and it’s been bugging me,” he said. “I’ve been gradually losing interest in maintaining the plugin as I’ve expanded my developer horizons and as a result, I’ve struggled with making the time to work on it.”

Ethier connected with PublishPress by describing his situation in a post on the Post Status community and agreed to transfer his plugin and extensions in exchange for a donation to a charity.

“Darren asked us to make a charitable donation as part of the handover,” PublishPress founder Steve Burge said. “We chose the American Journalism Project. Over 2,100 communities in the U.S. have lost their local newspaper since 2004. The AJP is trying to reverse that trend. It is a non-profit that is investing in local news. Their goal is to help grow newsrooms that hold the powerful accountable, combat disinformation, and deepen civic participation.”

Burge assured current users that the free version of Organize Series will remain free on WordPress.org with all of its current features and some improvements. The company will also keep the extensions freely available on GitHub but Burge said they plan to release a commercial version with updated versions of the extensions.

With the adoption of Organize Series, PublishPress now has nine plugins available in its niche collection of publishing extensions as part of its mission to “help WordPress publishers succeed.” In the near future, Organize Series’ website content will be transferred over and the company will be changing the plugin’s name to “PublishPress Series.”

Awesome Motive Acquires SearchWP

Awesome Motive, the company behind MonsterInsights, OptinMonster, WPForms, and several other popular products, has acquired SearchWP, a commercial plugin that enhances WordPress’ search functionality. No changes have been announced for the plugin and Awesome Motive CEO Syed Balkhi says it will be “business as usual” for current customers.

“We have built a lot of internal tools to improve our website search that I’m really looking forward to sharing with the WordPress community,” Balkhi said.

“We will be combining Jon’s vision with our own experience, so you can literally have the best search plugin in the industry without the high costs.”

In 2013, when Jon Christopher launched SearchWP, he quickly carved out a slice of the WordPress search market among early competitors. The freemium model was already popular in those days with plugins like Relevanssi, but Christopher chose to launch SearchWP as a commercial-only product.

“There was already freemium competition, and I felt that the pricing model (which is the same today) was stronger given the product itself,” Christopher said. “I saw the pricing model as something that would help SearchWP stand out, and I also wanted to avoid opening the doors to overwhelming amounts of support requests right from the start.

“I had no idea if SearchWP would be successful given the landscape, I built it first to scratch my own itch while knowing that even if no one bought it, I would 100% use it in my own work, and use it a lot.”

His gamble paid off and the plugin has been used on more than 30,000 WordPress sites. Christopher had one support contractor but otherwise had been running the business alone for the past eight years. WordPress’ growing market share has made one-person plugin businesses difficult to maintain once they become very popular, as seen in the recent sale of ACF to Delicious Brains.

“I was looking ahead and considering what would be best for SearchWP’s customers,” Christopher said. “I want SearchWP to live as long as it possibly can. If I’m by myself it’s a bit of a risk to continue that way as the business continues to grow. I know that I prefer to build things from the ground up, and I also know that I’m not the guy to build (or manage) a team, it’s not my strong suit. Given all of those pieces it was clear to me that it was a good time to consider selling.”

Christopher described the 2013 WordPress ecosystem as more “scrappy,” as developers launched product businesses and worked to figure it out along the way.

“There are pros and cons to an environment like that, but it was fantastic from my perspective,” he said. “Over time that feeling went away as companies grew, matured, and playbooks began to take shape. That cycle has continued over time and especially in the last 18 months we’re getting a look at where WordPress is headed – lots of big players in a really big space.”

For those who are jumping into the waters with a new product business, Christopher underscored the need for strong marketing.

“I think that a lack of serious marketing will in fact be a limiter in today’s WordPress economy,” he said. “Products that have been around a long time have a natural momentum that’s really tough to beat, but that momentum doesn’t come without friction. In order to keep up with where WordPress is going, I do feel like you need assets (and capital) aimed directly and solely at marketing for the long haul.”

Balkhi did not elaborate on Awesome Motive’s immediate plans for the search plugin but said the company will be executing on a 12-month plan to make it easier for beginners and non-technical business owners to set up in less than 10 minutes.

WordCamp Europe 2021 Gutenberg Demo: “The Block Editor Gets Ready to Become a Site Builder”

Matt Mullenweg and Matías Ventura joined WordCamp Europe to chat about what’s happening with the Gutenberg project and celebrate the progress contributors have made over the past four years.

“For me, 2020 was the year that really felt like people started to see the vision of Gutenberg from four or five years ago, when it was very abstract and they saw it as kind of like the old WYSIWYG editor with some extra lines on it or something,” Mullenweg said. “The first 17 or 18 years of WordPress democratized people putting text into a box. Now we’re democratizing design, allowing people to control the boxes.”

Ventura commented on how transformative patterns have been for making page design approachable for users.

“Perhaps it was a smaller part of the roadmap initially but it’s becoming a centerpiece – especially because it allows…world class designers to provide a starting point for users and users get to learn design as they are interacting with themes,” Ventura said. He began his WordPress developer journey by “tinkering with themes,” as many others did, and believes that blocks can unlock a similar experimental learning experience.

“I think we are getting into a chapter where people will be able to tinker with things that were sort of hidden for you in WordPress – more advanced things like queries and loops, that we can now expose through blocks,” Ventura said. “They can be stepping stones for people to learn how to work with WordPress.”

Mullenweg commented on how things that previously would have required a fairly experienced WordPress developer, like creating a home page with a column that shows five recent posts from a particular category and another column that shows featured posts in a different category, can now be done with just a few clicks.

“It’s no code – it’s like expanding the layers of accessibility of what people are able to do with WordPress,” Mullenweg said. “That, to me, is very core to our mission.”

Mullenweg and Ventura debuted a new “Gutenberg highlight” video that covers current and new features coming to the block editor, as it “gets ready to become a site builder.” These kinds of marketing videos are so valuable because users don’t always know what is possible, even if the tools are approachable for anyone to use.

The video demonstrates new design features for different blocks, including the transform live previews, dragging media into container blocks, inline cropping without leaving the editor canvas, the template editor, duotone image filters, more customization options for navigation, improvements to the list view browser, and the new global styles design that is coming soon.

The video is available to watch, as is Mullenweg and Ventura’s conversation that was recorded during the event.

WordPress 5.7 Introduces Drag-and-Drop for Blocks and Patterns, Streamlined Admin Color Palette, and One-Click Migration from HTTP to HTTPS

WordPress 5.7 “Esperanza” was released today, named for Esperanza Spalding, an American jazz bassist who became an accomplished singer, songwriter, and composer in her early 20s.

Versions 9.3 – 9.9 of the Gutenberg plugin are rolled into this update, bringing hundreds of enhancements and bug fixes that make working in the block editor more efficient and enjoyable.

One of the highlights is the new drag-and-drop capabilities in the block inserter. Users can now drag blocks and block patterns directly into the post content area, making page building even faster.

Many of the user-facing editor enhancements in this release give the user more control when using existing blocks:

  • Full height alignment: Blocks such as the Cover block now can have an option to expand to fill the entire viewport.
  • Buttons block: The Buttons block now supports vertical alignments, and you can set the width of a button to a preset percentage.
  • Social Icons block: You can now change the size of the icons in the Social Icons block.
  • Font size in more places: You can now change the font size in the List and Code blocks.

This release also improves the UI for block variations to include the icon and description for the variation in the block inspector and a new dropdown to allow for switching between variations. Reusable blocks have been updated to be saved at the same time the post is saved. Quite a few more improvements have been added in version 10.1 of the Gutenberg plugin, which is not yet included in core. If you use Reusable blocks frequently, you may want to install the plugin to take advantage of the expanded UI.

In addition to all the editor improvements, WordPress 5.7 introduces a streamlined color palette for the admin. It standardizes the palette to seven core colors and a range of 56 shades. One of the benefits is that all the shades meet the requirements for WCAG 2.0 AA recommended contrast ratio against white or black.

New Admin Color Scheme

Theme and plugin developers who want to better match the admin color scheme can easily reference the new standardized shades to make their products more at home in the WordPress admin. WordPress’ existing core classes have also been updated with the new color palette so plugin authors can use them to work within the new standardized palette.

One of the most exciting technical enhancements in 5.7 is a new one-click migration from HTTP to HTTPS. WordPress can now detect if the user’s hosting environment has support for HTTPS and update with the click of a button, handling mixed content rewrites where possible. This feature is available on the Site Health recommendations screen.

WordPress 5.7 continues the ongoing cleanup after the update to jQuery 3.5.1, which will eventually result in the removal of the jQuery Migrate plugin. It fixes numerous jQuery deprecations in external libraries, cleaning up many JQMIGRATE warnings.

Developers may also be interested in the new filter-based Robots API included in 5.7. It enables the central management of the content of the robots meta tag injected into the page, and includes a setting to toggle whether search engines are allowed to display large media from the site. By default, a max-image-preview:large robots directive will be injected into the robots meta tag based on the new setting.

Version 5.7 also includes native support for lazy loading iframes, a follow-up to WordPress’ support for lazy loading for images that came in 5.5. This should improve loading for pages that include embeds and other types of iframes.

Check out the WordPress 5.7 field guide for technical details on everything new in this release. This update is the result of work from 481 volunteer contributors who collaborated on 250 tickets on Trac and more than 950 pull requests on GitHub.

WordPress 5.7 Lets Administrators Send Password Reset Links

It’s that time in the release cycle when all the dev notes are rolling out ahead of the next major update. These notes include technical summaries of all the goodies coming in the next release. If you haven’t been paying close attention, there are always a few happy surprises in there that pop up as conclusions to tickets that contributors have been working on for years.

The new password reset feature coming in WordPress 5.7 allows administrators to manually send a password reset link to users, resolving a five-year-old ticket. Instead of having to instruct a user about where to go to click on the lost password link and follow the steps, this new feature lets administrators push a button in the admin to send the link. If you have ever had to support clients or a community of users who may not be very technically inclined, this new password reset feature will save lots of time in helping users regain access to their accounts.

The “Send password reset” link is available in several places. Administrators can find the link on the Users screen, as well as in the bulk actions dropdown menu.

It is also available on the individual user screen with a button and a note clarifying that this action will not change the user’s password or force the user to change it.

The password reset email notification includes the site name, username, a password reset link, and the IP address where the request originated:

This password reset request originated from the IP address [IPADDRESS].

There is an open discussion on the original ticket regarding whether this email notification should include the administrator’s IP address.

“The IP address (while fraught with privacy concerns) is the only thing validating that this email came from the website and is not a phishing email,” contributor Gabriel Mariani said. “Unless there is a better way to validate the authenticity of the email I’d say it would be worthwhile to keep it.”

Others see the IP address as useful only if a user is attempting to verify that it is their own IP address or collecting the information to prevent a phishing attack. Giving out the administrator’s IP address doesn’t seem pertinent to either of those concerns.

“I could use my phone to send a reset, and I would have no idea what my IP was,” Mika Epstein said. “And that can easily be faked. Omitting the IP actually reduces the data being sent out that could be used by bad-actors.

“I think it’s more likely we’d have a savvy bad actor than end users who would need to ask for a password reset but also know what a valid IP is and how to ask about it.”

This part of the email text may be iterated on in subsequent patches or future releases of WordPress. Check out the dev note for more discussion on this feature, along with information about further customizing the notification email.

WordPress 5.7 Will Make It Easier to Migrate From HTTP to HTTPS

The next major release of WordPress will make it much easier for users to migrate their sites from HTTP to HTTPS. It introduces new capabilities to detect if the user’s hosting environment has support for HTTPS and provides a one-click update process, handling mixed content rewrites where possible.

“A major pain point in WordPress has been the migration of a WordPress site from HTTP to HTTPS: While changing the Site Address and WordPress Address to use HTTPS is trivial, updating references to the old URLs in existing content is not,” WordPress Core Committer Felix Arntz said in the ticket proposing the feature. “It cannot be accomplished within core UI and requires use of more advanced tools, such as WP-CLI or plugins like Better Search Replace, which is a no-go for most users.”

In WordPress 5.6, there is no clear guidance in the Site Health screen about how to migrate to HTTPS, even though it shows as an issue. The user would need to learn more about how to update it manually, starting with changing the site URLs.

In WordPress 5.7, if HTTPS is supported, the Site Health Status screen will notify users and guide them with a new button that updates the site with a single click. It also migrates the site content on the fly to use HTTPS for URLs. Arntz recorded a video demo of the update:

This change also comes with new environment variables and filters that allow hosting providers to change the URLs linked in the HTTPS status check in Site Health, so they can more effectively manage it for their customers’ hosting options. This is similar to how hosts can modify URLs for updating the PHP version, which has had a positive impact on getting sites running on supported versions of PHP.

It’s important to note that the streamlined HTTP to HTTPS migration in 5.7 does not handle updating content in the database. Also, if a site’s URLs are controlled by constants, the update is not possible to complete automatically. In these instances, the HTTPS status check on the Site Health screen will inform the user why the site would need to be manually updated.
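The split described above, rewriting at render time while stored content stays as it is, can be checked with a short audit. This is an added example in Python, not WordPress core code; it assumes only URLs on the site's own host are safe to rewrite, and the host name, function names and sample post are constructed for illustration.

```python
import re
from html.parser import HTMLParser

SITE_HOST = "example.test"  # constructed site host (assumption)

# Constructed post body as it would sit, unchanged, in the database.
STORED_POST = (
    '<p><a href="http://example.test/about">About</a></p>'
    '<img src="http://example.test/wp-content/uploads/logo.png">'
    '<img src="http://cdn.other.test/banner.png">'
    '<script src="http://example.test.other.test/w.js"></script>'
)


def rewrite_own_urls(content, site_host=SITE_HOST):
    """Return content with http:// URLs on the site's own host switched to
    https://. The input (the stored copy) is not modified."""
    # The lookahead stops "example.test" matching inside a longer host
    # such as "example.test.other.test".
    pattern = re.compile(
        r"http://" + re.escape(site_host) + r"(?=[/\s?#<\"']|$)",
        re.IGNORECASE,
    )
    return pattern.sub("https://" + site_host, content)


class _SubresourceCollector(HTMLParser):
    """Collects http:// URLs that the browser would load with the page."""

    LOADING_ATTRS = {
        ("img", "src"), ("script", "src"), ("iframe", "src"),
        ("audio", "src"), ("video", "src"), ("source", "src"),
        ("link", "href"),
    }

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.LOADING_ATTRS and value \
                    and value.lower().startswith("http://"):
                self.urls.append(value)


def remaining_mixed_content(content, site_host=SITE_HOST):
    """Subresources still loaded over HTTP after the own-host rewrite."""
    collector = _SubresourceCollector()
    collector.feed(rewrite_own_urls(content, site_host))
    collector.close()
    return collector.urls


if __name__ == "__main__":
    for url in remaining_mixed_content(STORED_POST):
        print("still insecure:", url)
```

Anything the audit still reports needs a manual fix in the content itself, since a host-based rewrite cannot know whether a third party serves the same resource over HTTPS.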

More technical details are available in the ticket and commit message, and a dev note should be forthcoming.

All in One SEO Plugin Turns on Automatic Updates without Notifying Users, Removes Functionality in Latest Release

Buried in the changelog of a series of minor releases that dropped before the Christmas holiday, All in One SEO plugin users were given the surprise gift of automatic updates. After a seemingly endless run of releases (12 updates during a span of six weeks at the end of 2020), the plugin’s developers decided to change its auto update policy so that it defaults to “on.” The plugin is installed on more than 2 million WordPress sites.

Version 4.0.8, released December 21, 2020, flipped on automatic updates without notifying users of the change. Despite having auto updates turned off for the plugin, many users discovered the change when they were notified by email that their sites had been updated without permission.

Frustrated users took to the plugin’s support forums to report the issue and find out how it was possible.

“Multiple sites have updated to 4.0.11 without my permission and while all auto updates are disabled,” one user said. “I/we do not want to hear that ‘it shouldn’t happen’ and we are looking into.

“Your once reliable plugin has destroyed hundreds of pages of social meta data on multiple sites, broken layout (and this after I fixed the problems and told you last week, I will be disabling all updates).”

Others commented on the issue, citing problems with a previous major release as the source of many bugs that followed.

“The rollout of version 4, and auto-updating without any chance to backup first was a blunder by AIOSEO,” plugin user Derek Haines said. “It has cost me hours, days, and now weeks to fix the problems caused.”

The All in One SEO plugin team apologized for the inconvenience users experienced but said they could not reproduce it on their end. The plugin’s settings page has a toggle for auto updates but it is just a wrapper for WordPress’ auto updater.

“I just wanted to give you an update and let you know that we’ve decided to remove our own auto-update functionality all together since this issue seems to be happening on a limited amount of websites and we aren’t able to reproduce it on our end,” Arnaud Broes said.

The problem was also discussed in the Advanced WordPress Facebook group.

“All In One SEO Pack apparently turned auto updates on, and in a few cases I found sites where those updates failed,” Eric Karkovack reported. “I had no idea they were turned on and in one case a site was inaccessible.”

Karkovack noted that there was only a small mention in the changelog, despite the plugin liberally using the dashboard notification UI for sales.

William Earnhardt, WordPress core contributor and developer at Bluehost, offered some insight as someone who has worked on core as well as plugins installed on a massive scale.

“In my experience if you are weighing the two options, auto-updates prevent significantly more issues and support requests than they create,” Earnhardt said. “So I’m strongly in the camp of enabling them by default, with a mechanism for preventing or disabling for those who prefer (core makes this possible with filters and now with per-plugin UI).

“I think when making these decisions, we as developers have to consider what is best for the broadest number of users and be realistic about the type of users we have. If a user is already not updating plugins regularly, it is unlikely they are going to have the awareness to flip a toggle to turn auto-updates on. So opt-in makes them mostly useless.”

Earnhardt agreed that notifying users of the change would have been a good idea, but admin notices are already “frequently abused and quite noisy.”

“It would likely be missed if not persistent, but really should only show after the update and then go away,” he said. “Is that enough when combined with a note in the changelog? Probably for most, but I’m sure some would disagree.”

As promised nine days ago, All in One SEO’s developers have now removed the functionality from the plugin in its first update of 2021, version 4.0.12 released today. It is noted in the changelog: “Fixed: Completely remove auto updates wrapper to let WordPress handle updates.”

Contact Form 7 Version 5.3.2 Patches Critical Vulnerability, Immediate Update Recommended

Contact Form 7 has patched a critical file upload vulnerability in version 5.3.2, released today by plugin author Takayuki Miyoshi. The plugin is installed on more than five million WordPress sites.

“An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions,” Miyoshi said. “Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.”

The vulnerability was discovered by Jinson Varghese Behanan from Astra Security on December 16, 2020, and Miyoshi released a fix less than 24 hours later. Behanan highlighted a few ways this vulnerability might be exploited:

  1. Possible to upload a web shell and inject malicious scripts
  2. Complete takeover of the website and server if there is no containerization between websites on the same server
  3. Defacing the website

Astra Security plans to publish more details on the vulnerability in two weeks after the plugin’s user base has had more time to update to the patched version.

Version 5.3.2 removes control, separator, and other types of special characters from the filename to fix the unrestricted file upload vulnerability. At the time of publishing, more than a million Contact Form 7 updates have been downloaded today. Approximately 20% of the plugin’s user base is protected from the vulnerability. Now that it has been patched and published, Contact Form 7 users who do not update will be more at risk of having the vulnerability exploited.
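The kind of filename clean-up described for 5.3.2, sketched as an added example in Python (this is not Contact Form 7's code, which is PHP). It assumes "control, separator, and other" corresponds to the Unicode general categories C* and Z*; the allowlist, function names and filenames are constructed for illustration.

```python
import os
import unicodedata
from typing import Optional

# Constructed allowlist for this example; a real form defines its own.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}


def strip_special_characters(filename: str) -> str:
    """Drop every code point whose Unicode general category starts with
    C (control, format, unassigned, ...) or Z (space, line and paragraph
    separators)."""
    return "".join(
        ch for ch in filename
        if unicodedata.category(ch)[0] not in ("C", "Z")
    )


def safe_upload_name(filename: str) -> Optional[str]:
    """Return the name to store, or None when the upload must be rejected."""
    # The client controls this string: keep only the last path component.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Clean first, and refuse dotfiles by stripping leading dots.
    name = strip_special_characters(name).lstrip(".")
    if not name:
        return None
    # Check the extension of the cleaned name, because that is the name
    # the server will write to disk and later resolve a handler for.
    extension = os.path.splitext(name)[1].lower()
    if extension not in ALLOWED_EXTENSIONS:
        return None
    return name


if __name__ == "__main__":
    # Constructed sample inputs.
    for raw in ["report\u0000.pdf", "holiday photo.jpg",
                "notes\u2028.txt\u200b", "tool.exe", ".htaccess"]:
        print(repr(raw), "->", safe_upload_name(raw))
```

The ordering is the point: the extension check runs on the cleaned name, so the value that was validated is the value that gets stored.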

Automattic Acquires MailPoet

Automattic has acquired MailPoet, a popular email marketing solution for WordPress, to give WooCommerce store owners more integrated email management capabilities in the admin. The plugin is used by more than 300,000 websites for everything from building a mailing list to managing transaction and abandoned cart emails. The nine-year-old company is now a team of 11 that will be joining Automattic.

MailPoet launched in 2011 under the name WYSIJA (“What you send is just awesome”), a branding misstep that founder and CEO Kim Gjerstad readily acknowledged as “a terrible idea.” The name was difficult to spell and remember. It was changed early on but the company was stuck with the “WYSIJA” slug in the WordPress plugins directory, a common issue for many plugins that have rebranded.

When MailPoet version 3 was released in 2017, the company was finally able to get the “mailpoet” slug in the plugin’s URL on WordPress.org. Version 2, which still has more than 100,000 users, has support for multisite and uses the old email designer, among other differences. MailPoet 2 has received security updates for the past three years and plans to continue these following the acquisition.

Gjerstad reported that nearly a quarter of MailPoet users are running WooCommerce stores. The plugin’s developers have been expanding its WooCommerce functionality over the past three years with features that help store owners catch customers’ emails at checkout, measure revenue per email, send automated emails using purchase data based on products purchased or product categories, customize store emails, and recover abandoned carts.

Earlier this year MailPoet introduced its own SMTP solution to ensure emails sent from the plugin land in recipients’ inboxes, instead of flagged as spam. This silent background feature includes store emails as well, bringing higher deliverability without users having to depend on separate SMTP plugins.

In WooCommerce’s acquisition announcement, CEO Paul Maiorana said adding MailPoet “helps accelerate our roadmap toward a fully-integrated commerce experience.” Last year Maiorana and Gjerstad met at WordCamp U.S. and exchanged ideas about a partnership.

“As our conversation progressed in the following months, we came to realize that we shared a common vision for stores; with store owners being able to access email right in their dashboard,” Gjerstad said.

Maiorana said Automattic’s initial focus of the acquisition is to work together on improving the experience for WooCommerce users, but the company plans to “evolve our collaboration in a way that can benefit the entire WordPress community.” MailPoet’s FAQs on the announcement reiterate that all WordPress users will continue to be able to use the plugin, even if they do not have a WooCommerce store. There are no immediate changes planned for the plugin’s features.