WordPress.org

WordPress Planet

May 17, 2017

WPTavern: WordPress 4.7.5 Patches Six Security Issues, Immediate Update Recommended

WordPress 4.7.5 was released today with fixes for six security issues. If you manage multiple sites, you may have seen automatic update notices landing in your inbox this evening. The security release is for all previous versions and WordPress is recommending an immediate update. Sites running versions older than 3.7 will require a manual update.

The vulnerabilities patched in 4.7.5 were responsibly disclosed to the WordPress security team by five different parties credited in the release post. These include the following:

  • Insufficient redirect validation in the HTTP class
  • Improper handling of post meta data values in the XML-RPC API
  • Lack of capability checks for post meta data in the XML-RPC API
  • A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog
  • A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files
  • A cross-site scripting (XSS) vulnerability was discovered related to the Customizer

Several of the vulnerability reports came from security researchers on HackerOne. In a recent interview with HackerOne, WordPress Security Team Lead Aaron Campbell said the team has had a spike in reports since publicly launching its bug bounty program.

“The increase in volume of reports was drastic as expected, but also our team really hadn’t had to process any invalid reports before moving the program public,” Campbell said. “The dynamics of the Hacker Reputation system really came into play for the first time, and it was really interesting to figure out how to best work within it.”

If WordPress continues to sustain the same volume of reports on its new HackerOne account, users may see more frequent security releases in the future.

WordPress 4.7.5 also includes a handful of maintenance fixes. Check out the full list of changes for more details.

by Sarah Gooding at May 17, 2017 01:44 AM under security

May 16, 2017

WPTavern: What to Expect in WordPress 4.8

WordPress 4.8 Beta 1 is available for testing and has a couple of features that will likely have a big impact.

New Image, Video, and Audio Widgets

WordPress 4.8 has three new core widgets and adds a visual editor to the Text widget. Adding video, audio, or images to text widgets typically involves using custom HTML.

Each of the new widgets in 4.8 takes advantage of the WordPress Media Library. Because the widgets use the media modal, users can insert content from a URL. This is particularly convenient for the Video widget as most videos are not stored locally.

Core Image Widget

Here is what the core widgets look like on Twenty Seventeen after they’ve been configured.

Core Widgets on The Frontend

The text widget now has a visual editor with a couple of basic formatting tools available. The visual editor supports keyboard shortcuts. However, it does not support oEmbed. Like the post editor, you can switch between Visual and HTML mode. The HTML version of the editor benefits from the upgrade as it provides users with the same formatting tools that are available in the visual editor.

Text Widget HTML Mode

Link Boundaries

Link boundaries are a byproduct of the ongoing work on Gutenberg, WordPress’ new block-based editor. If you’ve ever written links in the visual editor, you may have noticed that sometimes it’s difficult to move the cursor outside of the link element.

In WordPress 4.8, link boundaries provide a visual cue of when the cursor is inside a link element. This video recorded by Matias Ventura provides a visual demonstration of how link boundaries work.

Inside Link Boundary Outside Link Boundary

During testing it felt like this was more of a bug fix to how the visual editor behaves rather than a new feature.

Dashboard News Widget Includes Upcoming Local WordPress Meetups

There are 1,180 WordPress meetups registered on Meetup.com and close to 100 WordCamps scheduled for this year. In an effort to remind users of the WordPress communities that exist around them world-wide, the WordPress News Dashboard widget has been modified to include Meetups and WordCamps near a user’s location.

News Widget Shows Upcoming Meetups and WordCamps

The widget will try to guess your location automatically. If it’s incorrect, clicking the Pencil button opens a box where you can type in your city. The bottom of the widget includes links to the WordPress Meetup landing page, WordCamp Central Schedule, and the WordPress.org news blog.

WordPress 4.8 Sets the Stage for Gutenberg

It should be noted that WordPress 4.8 will not include Gutenberg. It does, however, lay the foundation for Gutenberg to arrive in a future release.

The easiest way to install and test WordPress 4.8 Beta 1 is to install and activate the Beta Tester plugin on a staging site. Once activated, visit Tools > Beta Testing and select Point release nightlies and then update WordPress.

If you believe you’ve encountered a bug, you can report it to the Alpha/Beta section of the WordPress support forums. Please provide as much detail about the bug as possible. WordPress 4.8 is tentatively scheduled for release June 8th.

by Jeff Chandler at May 16, 2017 11:26 PM under wordpress 4.8

WPTavern: Hookr Plugin Rebrands as WP Inspect, Project to Shift to a Module-Based Architecture

A year and a half after the initial release of the controversially-named Hookr plugin, its creator, Christopher Sanford, has rebranded the plugin as WP Inspect. The plugin provides a WordPress hook/API reference for developers and displays the actions and filters that fired as the page loaded. At launch Sanford was fairly committed to the Hookr brand, despite criticism, due to an oversaturated market for WordPress developer plugins. After 3,500 downloads, Sanford decided to rebrand and put the plugin in the official directory.

“Based on the usage and positive feedback, I wanted to target a broader audience, which led to both the re-brand and submission to the WordPress Plugin repository,” Sanford said. “Leveraging the plugin repo, it will be much easier to coordinate/communicate updates, which is somewhat lacking today.”

The 1.0.0 release of WP Inspect includes mostly bug fixes and technical debt cleanup with two major enhancements:

  • WP Inspect will only be active under specific roles, with Administrators being enabled by default. (Previously it was active for everyone.)
  • Action detail now requires no additional clicks. (Before, if users wanted to inspect an action, they would have to click the action name.)

Sanford said WP Inspect will be migrating to a module-based architecture that will allow users to create their own tooling. He is also planning to release several commercial modules that will expand the debugging capabilities of the plugin. He said he doesn’t anticipate the type of demand or usage that would warrant a marketplace for third-party modules, but he’s open to the idea.

With the plugin now rebranded and released, Sanford is using his time to create the infrastructure to offer Hookr as a SaaS product for commercial theme and plugin developers.

“Depending on membership level, users can interface with HookrAPI to get additional details for debugging,” Sanford said. “Users may submit their current codebase for ‘comment coverage’ analysis, which is great for determining the quantity and quality of inline code documentation. Finally, users may submit their projects to HookrAPI for real time code parsing and documentation to be included with their commercial theme or plugin.”

Sanford plans to launch a sister site to the online Hookr.io reference, under another “G-rated” name with a simplified interface, as well as an offline version of Hookr. These will lay the groundwork for the next item on the roadmap: native mobile applications with offline data.

by Sarah Gooding at May 16, 2017 10:54 PM under wp inspect

Dev Blog: WordPress 4.7.5 Security and Maintenance Release

WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.4 and earlier are affected by six security issues:

  1. Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
  2. Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
  3. Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
  4. A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
  5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
  6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.5 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.5.

Thanks to everyone who contributed to 4.7.5.

by Pascal Birchler at May 16, 2017 10:39 PM under 4.7

WPTavern: U.S. District Court Denies Pre-Trial Motion to Dismiss GPL Infringement Case

The District Court for the Northern District of California has denied a motion to dismiss a complaint of breach of contract and copyright infringement claims in a case regarding the GPL. The plaintiff, Artifex Software Inc., is the creator of Ghostscript, an AGPL-licensed PDF interpreter. In 2016, the company filed a lawsuit against Hancom, a South Korean software company that incorporated Ghostscript into its Hangul word processing software without complying with the GPL.

Ghostscript is available for free for those who use it in compliance with its AGPL license. Artifex also offers a commercial license of Ghostscript that is required if the user is including it and distributing it within an application that is not licensed under the AGPL. Richard Stallman outlined this common practice of “selling exceptions” to the GPL in 2010, saying that he has considered it acceptable since the 1990s, because “this approach has made it possible for important programs to become free software.”

According to the complaint, Hancom failed to purchase a commercial license and also did not distribute the source code as required by the AGPL:

Because Defendant did not have a commercial license for Ghostscript, its use and distribution of Ghostscript constituted consent to the terms of the GNU GPL…In addition, Defendant’s website stated that it had licensed Ghostscript under the GNU GPL. Nonetheless, Defendant failed to comply with key provisions of the GNU GPL. In particular, because Defendant integrated Ghostscript into its software without revealing to the end-user that Ghostscript was part of the Hancom software, the GNU GPL required Defendant to distribute its software with the accompanying source code. Defendant did not do so and thus violated the GNU GPL, terminating Defendant’s license to use Ghostscript. Defendant’s failure to obtain a commercial license deprived Plaintiff of a licensing fee, or, alternatively, its failure to comply with the GNU GPL deprived Plaintiff of the opportunity “to further promote the advancement of interpreter technologies.”

Although Hancom is said to have removed Ghostscript from its software in August 2016, Artifex is asking for a court order for Hancom to stop the infringement and seeks compensation for damages. Artifex also requests that the court require Hancom to distribute to each licensee of Hangul and Hancom Office the complete source code for the products in accordance with the GPL.

Hancom responded by filing a motion to dismiss the complaint on the grounds that Artifex had not demonstrated the existence of a contract, how it was breached, or the damages caused by a breach.

An order issued by Magistrate Judge Jacqueline Scott Corley ruled that Artifex has sufficiently established the existence of a contract:

The GNU GPL, which is attached to the complaint, provides that the Ghostscript user agrees to its terms if the user does not obtain a commercial license. Plaintiff alleges that Defendant used Ghostscript, did not obtain a commercial license, and represented publicly that its use of Ghostscript was licensed under the GNL GPU. These allegations sufficiently plead the existence of a contract.

Furthermore, the ruling also recognized the damage that results from a company failing to comply with an open source license, citing the 2008 ruling on Jacobsen v. Katzer, another open source licensing dispute:

Indeed, as the Federal Circuit has recognized, there is harm which flows from a party’s failure to comply with open source licensing: “[t]he lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration” because “[t]here are substantial benefits, including economic benefits, to the creation and distribution of copyrighted works under public licenses that range far beyond traditional license royalties.” Jacobsen v. Katzer, 535 F.3d 1373, 1379 (Fed. Cir. 2008).

Although QZ.com and other media outlets are reporting that this is a groundbreaking ruling that makes open source licenses an enforceable contract, the case has not yet gone to trial. The court has simply denied Hancom’s arguments that because the company didn’t sign anything, the GPL does not constitute a contract. The ruling states that Artifex’s allegations regarding the dual licensing structure for its product are enough for the company to begin the process of pleading damages for its claim that Hancom breached its contract. It is not a ruling about whether or not copyleft licenses are enforceable.

Artifex is now free to pursue its case of breach of contract and copyright infringement claims against Hancom, but it’s still very early and may end in a settlement. Hancom is ordered to file its answer by May 18 and both parties are scheduled to appear for an Initial Case Management Conference on June 15.

by Sarah Gooding at May 16, 2017 07:09 PM under gpl

WPTavern: WordPress.com Experiments With Allowing Business Plan Customers to Install Third-Party Plugins and Themes

One of the most important things that distinguishes self-hosted WordPress from WordPress.com is the ability to install custom themes and plugins. A recent change to WordPress.com’s Business Plan removes this limitation, allowing customers to install most third-party plugins and themes.

WordPress.com Comparison Chart

In a WordPress.com support thread created in February, a user asked how to install plugins on WordPress.com. Volunteers responded with the usual explanation that plugins cannot be installed on WordPress.com and that they would need to use the self-hosted version of WordPress instead.

A few days ago, Valedeoro, a member of WordPress.com’s support staff, updated the thread announcing that third-party plugin support had recently been opened to customers on the WordPress.com Business Plan.

Quick update on third-party plugins: We’ve recently opened the opportunity to install plugins for Business Plan users. Keep in mind that most features are covered already by the plugin included in your WordPress.com account, so it is possible that you do not need any additional plugins.

Further into the thread, a second support staff member acknowledged that WooCommerce can be installed. A third support staff member confirmed that the ability to install most third-party plugins and themes was added to the Business Plan.

Details of the changes have not been published yet. “We’re still in an experimentation phase,” Automattic representative Mark Armstrong said. “It’s something we’ve rolled out to Business Plan users over the last couple weeks, and we’re looking forward to continued testing.”

This move would place WordPress.com squarely in the managed WordPress hosting space. If installing custom plugins and themes becomes a permanent feature, it will be interesting to see how it affects the confusion between WordPress.com and self-hosted WordPress.

by Jeff Chandler at May 16, 2017 08:30 AM under wordpress.com

May 15, 2017

Matt: Rules for Standards

Dave Winer has one rule that matters and a number of other good points on making standards and protocols.

by Matt at May 15, 2017 08:34 PM under Asides

WPTavern: WordPress Is Now on HackerOne, Launches Bug Bounties

WordPress now has its own official HackerOne account where security researchers can responsibly disclose vulnerabilities to the security team. The project’s page was previously listed under Automattic’s profile before HackerOne launched its free community edition for open source projects. WordPress has now transitioned to its own account, which also includes sister projects BuddyPress, bbPress, GlotPress, and WP-CLI, along with all of their respective websites.

The WordPress Security team launched its HackerOne profile privately at first and had been inviting reporters to use it when they reported security issues via email. Having the profile public makes it possible for the team to work together on triaging the issues that are submitted. WordPress Security Czar Aaron Campbell said the new system will reduce the time spent on responding to commonly reported issues, allowing the team to spend its time more effectively.

“We have about 40 people with access to triage reports, although, like most volunteer groups, not everyone is usually triaging at the same time,” Campbell said.

The project also launched bug bounties to reward reporters for responsibly disclosing security issues and Campbell said the team has awarded more than $3,700 in bounties to seven different reporters.

“So far bounties have ranged from $150 to $1,337,” Campbell said. “Anything that qualifies for a cash bounty will be $150+. We have a few swag bounties (hoodies) for really small things that will be going out soon as well (finishing getting everything set up with the swag store to do this now).”

Campbell confirmed that $1,337 is not the upper limit of the bounties and that there are bugs that could qualify for larger bounties.

“Bounties are calculated based on bug severity, the product or site it’s on (WordPress core being weighted more heavily than say the swag store), and also the quality of the report,” Campbell said. Automattic is sponsoring the bounty payouts on behalf of the WordPress project.

by Sarah Gooding at May 15, 2017 07:51 PM under security

BuddyPress: Naturkontakt, Organising Sweden’s Largest Environmental NGO

This is a guest post by Alexander Berthelsen (lakrisgubben) from the Swedish WordPress agency Klandestino AB.

Peer reviewed by @boonebgorges

Naturkontakt front page

Naturkontakt (Nature contact) is the home for members of the Swedish Society for Nature Conservation (SSNC), Sweden’s largest environmental NGO with over 200,000 members. This is a private site where SSNC members can read and publish internal news about the organisation, take part in forum discussions, and join or create groups to help them organise their work. Members of SSNC can create WordPress user accounts using their membership numbers from the organization’s CRM (Customer Relationship Management) software.

Background

Naturkontakt has been around since the 90’s, powered by FirstClass. By 2010, that platform had become outdated and its market share was declining. This led some members to write proposals to find a new platform. Their goal was to select a platform which would serve as a hub for all the different aspects of SSNC’s mission and vision. These include “spreading knowledge, charting environmental threats, proposing solutions, and influencing politicians and authorities, both nationally and internationally. Under democratic forms, we work regionally in 24 county branches and locally in 270 community branches.”

Moving to WordPress

In 2011, SSNC acted on their decision to set up a new web-based platform for internal communications and contacted us at Klandestino to work on this project. After evaluating different platforms, we chose WordPress. Some deciding factors include WordPress’ open source licensing, our experience working with the platform, and the plethora of different plugins that extended WordPress to make it suitable for online communities.

The first iteration of the new Naturkontakt site was launched in 2011, powered by WordPress and WP Symposium. This was quite a while ago but as I recall (plus email logs), the choice stood between BuddyPress and WP Symposium. At that time, WP Symposium already had a forums component while BuddyPress lacked a solid forum integration. Remember that this was the time of the stand-alone bbPress forums which took a tortuous and unstable route to integrate to both WordPress and BuddyPress.

bbPress 2.0 to the Rescue

A year after we launched the new site, we undertook an evaluation which revealed some pain points. To name a few, WP Symposium had limited extensibility, some security issues, and major problems with performance. With those challenges in mind, we researched again into other community solutions for WordPress. By that time, the new bbPress 2.0 plugin was available and it worked very well with BuddyPress.

It was an easy decision to switch from WP Symposium to BuddyPress and bbPress. The major tasks were the arduous migration of data and continuous testing. This new setup has stood the test of time, and we’re really pleased with it. The BuddyPress-bbPress combination gave us a running start with forums, groups, profiles, and messages, which are some of the required pieces of functionality needed on Naturkontakt.

Profile page

Further development of Naturkontakt 2.0 led to the introduction of multisite features to the community. Fortunately, BuddyPress works very well in a multisite environment. Each local organisation (group) of SSNC could have their own subsite to publish news.

To make this work as smoothly as possible, we wrote custom plugins for the following functionalities:

  • Many-to-many relationships between groups and subsites. For example, the group coordinating work on forest issues could be connected to the subsite publishing news about forest issues.
  • File archives for groups so that members can upload and version docs, PDFs, images, etc.
  • Sitewide search, a plugin that indexes all content from the entire multisite network into a “ghost” site to make it possible to have a centralised search throughout the entire network and blog/archive pages that lists posts from all sites.
  • A drag and drop front page workflow where the editors of the site can search for and list articles from all sites on the network on the main site front page.

This second version of Naturkontakt was released in late 2012. Since then, the basic functionalities have remained more or less the same. The site did get a facelift a few years ago when we focused on making the site work better on phones and tablets.

Blog Archive

Going forward with PHP 7

Last year, after a month of capacity/speed problems, a new evaluation showed that some long-delayed upgrades had to be made. We started a new project to focus mainly on stability and speed improvements. We finished the project right before this article was written.

We implemented the following improvements:

  • Combed through the codebases. We searched for deprecated functions and places where custom functionality could be replaced with newly added functionality from BuddyPress, WordPress, and bbPress. We decreased the number of active plugins by a third because of the new features that had been rolled into the above-mentioned projects.
  • Switched over to Elasticsearch/ElasticPress. Our custom sitewide search has served its purpose well. However, since it’s only been used on this platform its development has fallen behind. And compared to new technologies such as Elasticsearch it didn’t cut the mustard. By switching to Elasticsearch we have offloaded a lot of the most expensive queries currently done by WordPress to a server/platform that’s fine-tuned for that kind of work.
  • Upgraded to PHP 7. This was the last part of the project. We’ve seen major improvements in the response time from the server, on average about 50%-70% decrease in response times! That is, of course, very important on a dynamic site such as for any community where static page caching often isn’t an option.

In conclusion

Our stats show the continued growth of the SSNC community, even though the competition from Facebook can be really hard. One of the major advantages of using WordPress, BuddyPress, and bbPress is that SSNC owns its own data.

Of course, there are always things to improve on. When we completed the recent project to improve performance, despite limited budgets and time constraints, we were all satisfied and hopeful that the site will be around for many more years. We also expect that upcoming development work will be focused more on the user interaction elements of the site, hopefully by building upon and extending the great work that has gone into BP Nouveau. <3

To end on a personal note I’d like to thank all of the wonderful contributors to BuddyPress who have welcomed me into the community and helped me along with trac tickets and patches. Beyond my satisfaction with Naturkontakt and working with SSNC (whom I share a lot of political views with), and the functionality that BuddyPress has provided for the project, the best part of having worked on this site is that I also feel that I’ve become part of a community that tries to do something constructive about the unpleasant grip that Facebook has over our personal and professional lives.

Alexander Berthelsen (lakrisgubben) and his two colleagues are co-owners of the web development co-operative Klandestino AB. Based in the suburbs of Stockholm, Sweden, they mainly do WordPress work with a focus on NGOs and member organisations. Alexander spends most of his five-for-the-future time on making small contributions to BuddyPress.

 

by @mercime at May 15, 2017 04:16 PM under developers

Dev Blog: WordPress Now on HackerOne

WordPress has grown a lot over the last thirteen years – it now powers more than 28% of the top ten million sites on the web. During this growth, each team has worked hard to continually improve their tools and processes. Today, the WordPress Security Team is happy to announce that WordPress is now officially on HackerOne!

HackerOne is a platform for security researchers to securely and responsibly report vulnerabilities to our team. It provides tools that improve the quality and consistency of communication with reporters, and will reduce the time spent on responding to commonly reported issues. This frees our team to spend more time working on improving the security of WordPress.

The security team has been working on this project for quite some time. Nikolay Bachiyski started the team working on it just over a year ago. We ran it as a private program while we worked out our procedures and processes, and are excited to finally make it public.

With the announcement of the WordPress HackerOne program we are also introducing bug bounties. Bug bounties let us reward reporters for disclosing issues to us and helping us secure our products and infrastructure. We’ve already awarded more than $3,700 in bounties to seven different reporters! We are thankful to Automattic for paying the bounties on behalf of the WordPress project.

The program and bounties cover all our projects including WordPress, BuddyPress, bbPress, GlotPress, and WP-CLI as well as all of our sites including WordPress.org, bbPress.org, WordCamp.org, BuddyPress.org, and GlotPress.org.

by Aaron D. Campbell at May 15, 2017 04:02 PM under Security

May 14, 2017

HeroPress: HeroPress Geography: Western Europe

Map of Western Europe with HeroPress points on it

When HeroPress started I didn’t plan on having contributors from western Europe, any more than the U.S. As it turns out, we ended up with lots of people from both places. I’d still love to get people from Spain, Portugal, Italy, and Ireland. If you know anyone in those places with a great WordPress story, please have them fill out the contributor form.

Going Back To My Roots

Over The Atlantic

Uncomfortable doesn’t mean walk away

Burning the Midnight Oil

The Bumpy Journey of Becoming

How to Learn WordPress Without Doing It on Your Own

Living A Better Life Thanks To WordPress

A Sense Of True Freedom

My Road to WordPress

Getting A Life

WordPress is What We Make of It

Coming Home

Moving On From Moving On Stage

May 14, 2017 12:21 AM under The Netherlands

May 13, 2017

Dev Blog: WordPress 4.8 Beta 1

We’re planning a smaller WP release early next month, bringing in three major enhancements:

  • An improved visual editor experience, with a new TinyMCE that allows you to navigate more intuitively in and out of inline elements like links. (Try it out to see, it’s hard to describe.)
  • A revamp of the dashboard news widget to bring in nearby and upcoming events including meetups and WordCamps.
  • Several new media widgets covering images, audio, and video, and an enhancement to the text widget to support visual editing.

The first beta of 4.8 is now available for testing. You can use the beta tester plugin (or just run trunk) to try the latest and greatest, and each of these areas could use a ton of testing. Our goals are to make editing posts with links more intuitive, make widgets easier for new users and more convenient for existing ones, and get many more people aware of and attending our community events.

Four point eight is here
Small changes with a big punch
Big ones come later

by Matt Mullenweg at May 13, 2017 12:15 AM under Releases

May 11, 2017

WPTavern: WPWeekly Episode 272 – Interview With James Farmer, Co-Founder and CEO of Incsub

On this episode of WordPress Weekly, I’m joined by James Farmer, co-founder and CEO of Incsub. Farmer has been involved in the WordPress community for 11 years and in that time, he and I have butted heads, mildly speaking.

Last year, Farmer looked back at the last 10 years of being a WordPress entrepreneur. In that post, he shares emails and conversations he has had in the WordPress community that are cringe-worthy. Because of the extremely poor interactions I’ve had with Farmer in the past, I’ve kept away from his work and the projects he is associated with.

In the past few months, I’ve read interviews with Farmer where he appears to have turned over a new leaf. In an interview on Torquemag congratulating him on WPMU Dev’s Smush Image Compression plugin winning the Plugin Madness competition, Farmer is asked what advice he would give to aspiring plugin developers.

“Make the free version as brilliant as you possibly can. Give back to the community as much as you can and it’ll come back to you in spades,” Farmer said. “Contribute to the wordpress.org support forums and community, commit code if you can, speak at WordCamps, and be as helpful and useful as possible, it’ll ALL be worth it, I promise.”

When asked what’s the most important lesson he’s learned as CEO and co-founder of WPMU Dev, he responded:

That is a very good question, and one I think I’m actually probably not able to answer as there are basically so so many important things.

I think though if I had to pick one, it goes along the same lines as my last answer: the more you give out, the more you give of yourself and the more, kinda, selfless that you are… the more you get back. And, sadly (and from painful experience), the opposite is also true.

Because of the way he answered these questions and my curiosity for his career in WordPress, I invited him on WordPress Weekly. We talked about his entrepreneurial career and some of the failures along the way. He explains the genesis behind the Smush Image Optimization Plugin and shares what it’s like to be part of the WordPress community in Australia.

My favorite part of the interview is when Farmer describes his experience at WordCamp Europe a few years ago that fundamentally changed his perception of the WordPress community.

After this interview, I can confidently say that the past between us is water under the bridge. I look forward to future conversations with Farmer and taking a closer look at his company’s products.

Stories Discussed:

bbPress 2.6 Beta 3 Likely as Team Focuses on Solid Data Migration Path
VersionPress 4.0 Tentatively Scheduled to Ship in September
WordPress 4.8 Release Targeted for June 8
WPHugs: A Community Devoted to Educating, Discussing, and Raising Awareness of Mental Health

WPWeekly Meta:

Next Episode: Wednesday, May 17th 3:00 P.M. Eastern

by Jeff Chandler at May 11, 2017 11:34 PM under wpmu dev

WPTavern: VersionPress 4.0 Tentatively Scheduled to Ship in September

Nearly a year ago, VersionPress 3.0 was released. This version added new search capabilities, bulk undo, and a number of bug fixes. It was the first release since it became a free, open source project.

In a post on the project’s development blog, Borek Bernard, co-founder of VersionPress, describes what the team is focusing on for 4.0 which includes a tentative release schedule.

VersionPress 4.0 beta is planned to ship in June with 4.0-final scheduled to ship in September. In addition, the team will be labeling the project as a Developer Preview to better indicate its production-readiness.

“With every major release, you rightfully ask about the status of the project when it comes to production-readiness,” Bernard said. “The answer is ‘your mileage may vary’ but we feel we should better indicate that it’s only really intended for developers, currently. Therefore, we’ll be adding the ‘Developer Preview’ label for the project as a whole.”

VersionPress 4.0 beta 1 will support Jetpack and WooCommerce via plugin definitions. Updates to internal data structures, compatibility fixes with WordPress 4.7, and other improvements are also slated to be in 4.0.

Bernard also provides an outline of what to expect from the project in the near future. The team hopes to release Version 5.0 later this year or early next year with definitions for the most popular plugins. It will also be the first version rolled out on the project’s upcoming platform. Version 6.0 is expected a year after that.

To contribute to VersionPress, you can get in touch with the founders through Gitter or visit the project’s Github page where pull requests are welcomed.

by Jeff Chandler at May 11, 2017 12:34 AM under Plugins

May 10, 2017

Akismet: Akismet WordPress Plugin 3.3.2 Now Available

Version 3.3.2 of the Akismet plugin for WordPress is now available. This update fixes a bug that was preventing some JavaScript from executing in wp-admin in some older browsers.

To upgrade, visit the Updates page of your WordPress dashboard and follow the instructions. If you need to download the plugin zip file directly, links to all versions are available in the WordPress plugins directory.


by Christopher Finke at May 10, 2017 05:19 PM under WordPress

HeroPress: There is No Shortcut to Success – सफलता का कोई शॉर्टकट नहीं है

Pull Quote: WordPress gave me a chance in my life to prove that I could do something different.

WordPress gave me a chance to do something different in my life.

Udaipur, known as the city of lakes, is one of the beautiful cities in Rajasthan, and that is where I come from. Since the beginning, I have been close to Udaipur. Having studied and grown up here, the thought of leaving this beautiful city has never occurred to me. Everything I have achieved in life could never have been possible without the support of my parents.

The 6 months after graduation were the most troublesome. At the time it felt as if finding a job was a big challenge, but I never gave up. There is a saying that “No work is big or small. It’s not the stature of work that matters, but what you learn from working that counts,” and that is when I started to look for a job outside my field of expertise. My life took a new turn and, fortunately, I got a job at a KPO, and that was a new beginning in my life.

How I got into WordPress

Before joining IdeaBox, I didn’t know much about WordPress. Before knowing about WordPress, my identity was just that of a beginner. By continuing to work on WordPress, I became very involved in it. WordPress gave me a chance in my life to prove that I could do something different, and I felt like I had the skills and potential and could do something. I got my confidence back. I always try to learn something new in WordPress.

I do theme development in WordPress. I have learned so much from WordPress. I can proudly say I am a part of the WordPress community. One thing I got a chance to learn is that in life, there is no shortcut to success. Whatever a person gets in life is only because of hard work.

I have completed 3 years in WordPress and I love being a part of it. I love WordPress and it has a wonderful community. In my free time, I do WordPress translations. I try to contribute in every possible way by giving support, translating, and other things.

First Speaking Experience at WordCamp

WordCamp Udaipur was organized recently. I was an organizer and a speaker there. It was an amazing experience that I had never felt before. Only after WordCamp did I get to know how big the community is. Becoming a WordPress speaker is the most memorable and the greatest experience of my life. I will never forget this moment in my life.

One thing is that I was part of the organizing team and it was my first session. I was totally nervous. The session went so well and all the nervousness gave way to happiness, because I realized that talking in front of so many people is not an easy task. So, I was very happy. If I get a chance to perform in the WordPress community, I will contribute in any way.

Thank you note

Thanks to WordPress for changing my life, and I want to especially thank my parents for always supporting and believing in me.


There is No Shortcut to Success

Udaipur is also known as the city of lakes; it is one of the beautiful cities of Rajasthan, and it is where I am from. Having lived, studied, and grown up in Udaipur from the very beginning, the thought of leaving this beautiful city never occurred to me. Whatever I have achieved in life could never have been possible without the support of my parents.

The six months after completing my studies were the most troublesome. With time, it felt as if finding work was harder than doing work, but I did not let my morale break and stayed patient. As the saying goes, “No work is big or small; what you learn from doing a job is what matters,” and that is when I started looking for a job outside my field of expertise. My life took a new turn and, fortunately, I got a job at a KPO, and that was where a new beginning in my life started.

How I Came to Know WordPress

Before joining IdeaBox, I did not know much about WordPress. Before I knew about WordPress, my identity was only that of a beginner. By continuing to work on WordPress, my involvement in it kept growing. WordPress gave me a chance in my life to prove that I could do something different, and I felt that I have the skills and the ability and that I could do something. I got my confidence back. I always try to learn something new in WordPress.

I do theme development in WordPress. I have learned a lot in WordPress. I can proudly say that I am a part of the WordPress community. One thing I have learned in life is that there is no shortcut to success. Whatever one gets in life comes only through hard work.

I have completed 3 years in WordPress and I am very happy to be a part of it. I like WordPress and it has a wonderful community. In my free time, I do WordPress translations. I try to contribute to WordPress in every possible way, by giving support, translations, and other things.

My First Experience as a Speaker at WordCamp

WordCamp Udaipur was held recently. I was an organizer and a speaker there. It was an amazing experience that I had never felt before. At WordCamp I came to know how big this community is. It is the most memorable and the greatest experience of my life. I will not forget it even for a moment.

One thing is that I was part of the organizing team and it was my first session. I was completely nervous. The session went very well and all the nervousness turned into happiness, because I realized that speaking in front of so many people was not an easy thing. So I was very happy. If I get a chance to perform in the WordPress community, I will contribute in any way.

Thank-You Note

Thanks to WordPress, which gave me the chance to prove myself, and I especially want to thank my parents, who always believed in me and encouraged me.

The post There is No Shortcut to Success – सफलता का कोई शॉर्टकट नहीं है appeared first on HeroPress.

by Nidhi Jain at May 10, 2017 12:00 PM

May 09, 2017

WPTavern: bbPress 2.6 Beta 3 Likely as Team Focuses on Solid Data Migration Path

For the past few months, users have been testing bbPress 2.6 Beta 2. bbPress 2.6 will be the first major version update since 2014 and will include the following features:

  • Per-forum moderators
  • Improved favorites and subscriptions management
  • Improved BuddyPress integration
  • Performance improvements
  • User experience improvements to meta-boxes and admin-area tools
  • Tighter integration with the WordPress Dashboard
  • Template tweaks and clean-up

In an interview published last week, John James Jacoby, bbPress lead developer, shared insight into bbPress 2.6’s development. According to Jacoby, there will likely be a third beta as the team continues to work on a solid data migration path from 2.5 to 2.6.

“In the process of working on 2.6, some interesting things sort of happened all at the same time,” he said. “It kind of goes back to the old bbPress problem where WordPress.org is running 2.5 and is also running a hybrid of 2.6 to take advantage of performance improvements.”

Throughout the process of migrating WordPress.org from bbPress 2.5 to 2.6, the development team was able to resolve a number of bottlenecks associated with turning bbPress into a plugin.

“With every beta comes more feedback and the closer we get to release, the more feedback that comes in,” he said. “As we upgrade WordPress.org and receive more feedback, we fix more things.”

“With a small team, there’s no dedicated resources on the project which is the same problem that existed in 2014 when I did my Indiegogo campaign. I’m really trying to spend a lot of time working on it but I’m also spending a lot of time on the security team, contributing to WordPress core, Multisite, and other projects. bbPress is my focus for as much as I can afford it to be.

“bbPress 2.6 will ship, I promise, and it will be a better bbPress than it has ever been.”

Jacoby confirmed that there will likely be a third beta released sometime in the near future. Those who have upgraded to bbPress 2.6 Beta 2 are reporting substantial performance improvements.

If you use bbPress 2.5 and want to upgrade to 2.6 Beta 2, Jacoby encourages users to create a full backup of the site’s database as the upgrade migrates data for subscriptions and favorites. These changes are not easily reverted should you choose to downgrade back to 2.5.

For your convenience, I’ve clipped the portion from the full interview that includes our conversation about bbPress and BuddyPress that you can listen to below.

https://wptavern.com/wp-content/uploads/2017/05/John-James-Jacoby-Gives-bbPress-2.6-Update.mp3

by Jeff Chandler at May 09, 2017 08:19 PM under BuddyPress

May 08, 2017

WPTavern: New WordPress Plugin Blocks Spam User Registrations Using Stop Forum Spam Database

When it comes to spam, comments are one of the first things that comes to mind. However, spam user registrations can be just as prolific on sites with open registration. Leland Fiegel, founder of Themetry, has developed a new plugin called Stop Signup Spam that prevents users from registering an account if their email or IP address is on the Stop Forum Spam database.

Stop Forum Spam is a free service that records reports of spam registrations from blogs, forums, wikis, and more. Stop Signup Spam integrates with the WordPress registration form and Restrict Content Pro. Fiegel launched a new site over the weekend and despite not announcing it, it received a handful of spam registrations.

After Googling the registrants’ email addresses, he discovered a number of them were reported on Stop Forum Spam’s site. “I had never heard of Stop Forum Spam before, but it is basically an Akismet equivalent for forum sign up spam,” Fiegel said. “I noticed they had a dead link to a WordPress plugin. I looked up the Stop Forum Spam API documentation and built a basic one myself a couple of days ago. I submitted it to WordPress.org and it was approved within a day.”

When a user is blocked from registering, the following error is displayed: Cannot register. Please contact site administrator for assistance.

Although users can check the Stop Forum Spam database to see if their email or IP address is blocked, the error message doesn’t inform them that Stop Forum Spam is what blocked their registration.

“I wanted to keep the error message vague so users wouldn’t lash out at site administrators for accusing them of being ‘spammers’ but clear enough that the site administrator would know it was a false positive when it was reported to them,” Fiegel said.

In the plugin’s description, Fiegel is clear about what data is sent to the service. Each time a user attempts to register an account, an API call that contains the user’s email and IP address is sent to Stop Forum Spam and checked against its database. Although the plugin uses the service’s API, it does not require users to register for an API key. This allows the plugin to function upon activation without having to configure anything. Registrants that are incorrectly blocked as spammers can submit a request to have their IP or email address removed from the database.

Fiegel has no plans to integrate support for other forms but is open to pull requests from those who would like to contribute integration support of their own. I did not test this plugin on an active site, but Fiegel says it has dramatically cut down on the number of spam registrations on his new site. If user spam registration is an issue you’re dealing with, consider giving Stop Signup Spam a try.

by Jeff Chandler at May 08, 2017 10:39 PM under stop forum spam

Matt: Everything is Hitched

“When we try to pick out anything by itself, we find it hitched to everything else in the Universe.”

— John Muir

by Matt at May 08, 2017 06:29 PM under Asides

BuddyPress: Largest Turkish Recipe Site Spiced Up with BuddyPress

This is a guest post by Mustafa Uysal (m_uysl). He is from Turkey and works as a full-stack developer at NefisYemekTarifleri.com.

Peer reviewed by @boonebgorges

NefisYemekTarifleri.com is the largest Turkish recipe sharing platform in the world. It has more than 290,000 recipes that reach millions of users every single day. NefisYemekTarifleri is a unique platform that uses WordPress and BuddyPress for all its applications — desktop, mobile web, Android, iOS, and AndroidTV.

Current status:

  • 290k+ recipes, ~500 new recipes from different authors per day
  • ~2.2M+ registered users with ~2.6M xprofile_data, 24M+ usermeta
  • ~4M native apps download, ~1M active usage
  • ~100TB CDN BW usage per month
  • 3M+ BuddyPress activities and ~4M+ notifications
  • 300k+ search requests per day

We use ElasticPress to handle 10M+ requests. To scale this platform, we use various tools which we share at Stackshare. We share some of our stats on Twitter #nytstats.

BuddyPress for a Growing User Base

NefisYemekTarifleri.com is turning 10 years old this August and has been using BuddyPress for the last 5 years. According to my boss, “BuddyPress has helped a lot to increase our user base.”

Our platform is community-driven, i.e., all the recipes come from our users. The membership and number of recipes submitted have increased dramatically since we started using BuddyPress. The users feel more welcome because they have their “own space” where they can easily add their avatars, cover images, post their recipes, and share other social media links. BuddyPress has enabled users to engage more with other registered members as well as invite new users to the site. Our editorial team spends a majority of their time editing user recipe submissions.

Currently, we are using all BuddyPress core components except Friends and Groups. Thankfully, r-a-y‘s BuddyPress Followers plugin is a great replacement to the built-in Friends component.

Customized BuddyPress Features

Notifications

Our notification system is quite different from the standard BuddyPress notifications. It supports push and web push notifications and works async over the message queue.

Site notifications schema

There are a lot of activities which can trigger notifications. There were and are many instances when we send notifications to tens of thousands of users every day. For example, when one author with thousands of “followers” publishes a new recipe, it took a long time to send a simple notification like, “Hi there! Jane Doe published a new recipe, take a look!” Consider when we have 10 authors with many followers publishing new recipes at the same time.

In the early days, we created a custom `nyt_bp_add_notification` script which called BuddyPress’ own notification that added a function for bulk messaging. We found out that it was causing lags on our slave MySQL servers because the impact on the disk IO was dramatic. Our solution was a new custom script, `nyt_bp_add_bulk_notification`, which inserts data directly into the database (as a bulk SQL query). By the way, we highly recommend Percona’s PMM for catching performance hogs.

At the end of 2016, we migrated from parse.com to our self hosted parse for push notifications. After which, we used web-push-php for the web push notifications.

Cover Image

We decided to replace the built-in cover image feature and create our own Facebook-inspired UI which was more user-friendly. The feedback has been quite positive from our members.

New cover image UI

Features of our new cover image UI:

  • A user can directly upload a cover image by clicking on an icon on top of the cover image area.
  • The full-size image is saved behind the scenes.
  • Quick image resizing after the image upload has completed.
  • A user can change image position via drag-drop.
  • The full path and image coordinates are recorded as meta.

Messages

The Messaging component is active but not fully open for the end users. We will make this available for everyone when we’ve completed our mobile app integration. This is how we are setting this up for our site:

  • All messages have to be between two people, we canceled group messaging.
  • When someone you are not following sends a message, that message is marked as “pending”. You also “block” that person.
  • Fluent messaging: all conversations between two people use the same thread.

Workarounds/Hacks/Yikes!

Cache: We hated touching BuddyPress directly, but we had to hack a core file to fix memory issues. (We have submitted a patch that reduces memory usage for BP#7130)

Messaging, reimagined: We made some necessary changes a bit in a hacky way on the messaging component. Changing messaging behavior was not easy and there are some edge cases we have to monitor and address.

Limit notifications: Only allow 200 notifications per user, WordPress’ cron cleans up on a daily basis.

API Endpoints: We had to be careful on managing API endpoints, addressing the mobile apps a bit differently than web, especially when you do caching inside the device.

Long-running process: MQ workers are long-running PHP scripts and they caused memory problems on production after a while. We fixed this issue with stop_the_insanity.

In the Works

Following are some of the features we have in queue:

  • Upgrading BuddyPress, of course
  • Elasticsearch integration over ElasticPress. (We haven’t tried it yet but Pascal already wrote some code we can start playing with.)
  • User suggestion to follow a member.
  • Activity improvements (currently, just acting like feed).
  • PHP 7.1 upgrade with dockerizing all the things. (Still using different versions of PHP)

BuddyPress allows us to build one of the largest niche communities in the world. Fortunately for everyone, BuddyPress is being maintained by developers who are active contributors to WordPress core. Our thanks to all BuddyPress contributors, especially the BP core team.

Mustafa Uysal of NefisYemekTarifleri.com also runs his own company, SKOP. He’s a plugin developer who enjoys solving tough problems and making things faster and scalable. He’s also a workaholic and was interested in archery once upon a time. Mustafa is one of the WordPress Translation Editors for the Turkish language.
Links: Twitter, Github, WordPress.org, Linkedin, Instagram, My Blog, and nefisyemektarifleri

by @mercime at May 08, 2017 04:55 PM under developers

HeroPress: TOMORROW is the last day to apply!

Tomorrow is the last day to apply for The Up and Running Scholarship, from HeroPress and WPShout! Once the entry time is closed then we’ll package up the submissions and send them to the judging panel.

NO SUBMISSIONS WILL BE ACCEPTED after 23:59:59 UTC 09 May.

If you’ve been waiting to apply, don’t wait any more!

The post TOMORROW is the last day to apply! appeared first on HeroPress.

May 08, 2017 01:28 PM under Scholarship

May 05, 2017

WPTavern: Weglot Multilingual Plugin Closes $450K in Seed Funding

Weglot, a multilingual plugin which has been in the WordPress market for a little over a year, has closed $450K in seed funding from SIDE Capital. Co-founder Rémy Berda reports that there are now more than 10,000 websites using Weglot and the company has passed 30K€ in monthly revenue.

Over the past six months Berda and his small team have been working to add improvements based on user feedback. Weglot will now detect a visitor’s language and automatically redirect to serve the translated page. Weglot users can also connect with Textmaster‘s marketplace to order professional translations through their accounts. The support burden has also increased from 10-20 emails per day to more than 80 per day, challenging the small team’s resources.

“Over the past few months, we started to be overworked by the amount of support or the number of features we wanted to add to the product,” Berda said. “We got a bit frustrated not to be able to improve the product as we wanted to through lack of time. So we understood that if we wanted to keep growing at a fast pace, we would need to scale up our two-person company and raising money was the perfect way to do it.”

After making the connection with SIDE Capital at the end of 2016, Weglot decided to partner with them to fund the further expansion of its support team. The team is currently comprised of two founders, one lead developer, one head of support, and one support agent. Approximately 1,500 of Weglot’s 10,000 users are on an active paid plan, but the remaining 85% of free users make up a significant portion of the support load. Berda said they are investing their resources in support, which serves both free and paid users, in order to maintain the same quality.

In tandem with improving the performance of the plugin and its support, Berda said the team is also developing other integrations to test Weglot’s service outside of the WordPress market.

Weglot is growing rapidly in the North American market. Although the Asian market is not represented on the plugin’s user breakdown below, Berda said it has more than doubled in the past two months.

“We have been seeing an accelerating growth in the Americas in the past 6 months,” Berda said. “We went from 5% of our clients to 25% now. Asia is still small but has been quickly growing in the past two months from 3% to 8%.”

One year after officially launching Weglot, Berda and his team have found that WordPress is a ripe market for entrepreneurs who are ready to move quickly and provide a high level of customer service. His advice to newcomers?

“You’re in the right place,” Berda said. “WordPress is a huge market with real needs, and it is often overlooked by many entrepreneurs. There is an active and strong community with ‘caring’ values. So WordPress is definitely a great place to build a business.” He recommends keeping to a brisk timeline:

“One month after you have the idea, you must have some people (1 to 10) testing a MVP,” Berda said. “One more month later, you must have your first paying customer to validate the needs. Finally, never neglect customer support. Done carefully, customer support transforms into customer acquisition.”

by Sarah Gooding at May 05, 2017 08:13 PM under weglot

WPTavern: WordPress 4.8 Release Targeted for June 8

WordPress 4.8 kicked off in this week’s core developer meeting and the schedule for the upcoming release is now published. Beta 1 is scheduled for May 12 and the official release is targeted for June 8. This will be the first major release in 2017 and is focused on laying the foundation for the new Gutenberg editor. The schedule identifies the features that contributors are aiming to ship in 4.8:

  • TinyMCE inline element / link boundaries
  • New media widgets
  • WYSIWYG in text widget
  • WordCamp / meetup dashboard upgrade to the “news” section

Several contributors expressed concern during the meeting about the compressed timeline, as both the beta and RC testing times have roughly half the time they have been given in the past. Also, the release’s close proximity to WordCamp Europe, which officially begins activities the following week, presented additional concerns about the added workload of a release within the May/June timeframe.

“I think people are thinking of this as a normal release, a train leaving the station that a bunch of stuff (multisite! meta!) has to get on to make it in,” 4.8 release lead Matt Mullenweg said. “I agree that needs a much longer timeframe.

“What is really going on is that we have a few simple, already working as plugin enhancements that add a few files, and we want to get those in the hands of users sooner rather than later. We already update TinyMCE all the time. Potential breakage or compatibility should be limited to things that interact with the text widget or the news dashboard module.”

After a brief discussion on the dev meeting notes, the proposed schedule was confirmed. The feature project merge deadline is coming up on May 10, followed by Beta 1 two days later. Any enhancements that are not ready to proceed on this timeline will be put on hold for a future release.

by Sarah Gooding at May 05, 2017 06:13 PM under wordpress 4.8

WPTavern: WPHugs: A Community Devoted to Educating, Discussing, and Raising Awareness of Mental Health

In the past two years, there has been an increased effort in the WordPress community to raise awareness of mental health. Cory Miller, Rich Robinkoff, Michele Butcher, and others have presented on the subject at numerous WordCamps.

A common theme that surrounds mental health is the fear of discussing it openly. WPHugs.org, a passion project by Leo Gopal, aims to provide a safe space for people to connect, educate, and raise awareness of mental health.

“I suffered many times in my life so far with extreme depression,” Gopal said. “One of the most difficult parts of dealing with extreme depression is the feeling that you can’t tell anyone about it. This can include your boss or colleagues who you spend most of your time with.”

“Until, at WordCamp Cape Town 2016, I stood in front of a conference room full of people and ‘confessed’ that I am afflicted with depression. After the talk, many people came to me and called me ‘brave’ to be so open, and many opened up and thanked me for helping them realize that they too are not alone.

“After my recovery from attempted suicide, it was the friends I had made in the WordPress Community that gave me the most support. I reached my darkest point, and I got there feeling alone. WPHugs hopes to be a torch that allows others to never get to such a space.”

WPHugs has a Slack group that’s free to join that provides an opportunity for like-minded people to discuss topics in real-time. While the conversations in the Slack channel are not private, Gopal is hopeful that the community will be built around trust and honesty.

“I suspect that there will be more direct messages than there will be channel messages, and that’s okay, the connections are being made, we are talking more,” he said.

WPHugs is a not-for-profit passion project and although the site has sponsorship opportunities available, Gopal is looking for companies and people who can contribute time and resources.

“If companies want to contribute licenses to their software to help expand, grow, reach more people, by all means it is completely welcome,” Gopal said. “Sponsor time or resources, whatever you can to make this project thrive and survive, because it’s important, it could save someone’s life.”

Gopal admits he’s not an authority on how to maintain good mental health but plans to crowdsource tips, tricks, and host conversations to help others. Heavily inspired by HeroPress, Gopal wants to publish weekly essays called Mental Health War Stories.

The most important message WPHugs wants to get across is that people who are suffering from mental illnesses are not alone.

“It’s about making us aware of ourselves, taking care of our own mental health and how important it is for those around us. It’s also about being more empathetic for those around us who suffer in their own way and know that someone cares,” Gopal said.

“I went through a struggle discovering my mental illness and learning about it, and I did it alone. I don’t want that journey for others to be as solitary. I am a hugger.”

To share a mental health war story or to get involved with the project, you can get in touch with Gopal through the WPHugs contact form.

by Jeff Chandler at May 05, 2017 02:39 AM under wphugs

May 04, 2017

WPTavern: WordPress Security Issue in Password Reset Emails to Be Fixed in Future Release

Security researcher Dawid Golunski of Legal Hackers has published the details of an unauthorized password reset vulnerability in WordPress core. Golunski demonstrated how, under certain circumstances, an attacker could intercept the password reset email and gain access to a user’s account.

His proof of concept takes advantage of WordPress using the SERVER_NAME variable to get the hostname of the server in order to create a From/Return-Path header of the outgoing password reset email.

Major web servers such as Apache by default set the SERVER_NAME variable using the hostname supplied by the client (within the HTTP_HOST header):

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

Because SERVER_NAME can be modified, an attacker could set it to an arbitrary domain of his choice e.g:

attackers-mxserver.com

which would result in WordPress setting the $from_email to

[email protected]

and thus result in an outgoing email with From/Return-Path set to this malicious address.

The results of this particular attack would depend on the server environment, the specific configuration of the mail server, and in some cases would require interaction from the user in question. Golunski’s report has a more specific breakdown of the possible methods that could be employed.

After reporting the issue to the WordPress security team in July 2016 and also via the HackerOne website, Golunski saw no progress on it and decided to release the vulnerability details to the public.

Although there is no official patch yet, WordPress Security Czar Aaron Campbell said the issue is not quite as severe as it may seem.

“It’s a lower priority issue, but we are aware of it and it is in our queue to address,” Campbell said. He explained the unique set of conditions that would be required in order for this to be a serious vulnerability.

“In order for the issue to have a security impact, a server needs to allow a user-supplied header to overwrite $_SERVER['SERVER_NAME'],” Campbell said. “We would consider that a poor server configuration (like leaving display_errors on on a production server), which is unfortunately outside our control.”

Campbell tested his personal Apache and nginx servers and none of them allowed for this. In addition to having a poorly configured server, Campbell said one of the following actions also needs to happen:

  • a user needs to reply to a password reset email
  • an auto-reply needs to reply to the E-Mail and include the original
  • an E-Mail server has to be compromised or overloaded and the message returned to sender with content intact

“If your server is susceptible and you don’t have the ability to fix the actual server configuration, you still don’t have to make changes to WordPress files to mitigate the issue,” Campbell said. “A little PHP like this in a plugin will set the from E-Mail to a static E-Mail address of your choice:”

add_filter( 'wp_mail_from', function( $from_email ) { return '[email protected]'; } );

Campbell said any changes WordPress makes to core will likely be done via a ticket that is currently tracking the issue from a non-security perspective. He said a fix is most likely not going to be coming in the next security release, but the team is actively working on it. If they find a good mitigation for the issue, Campbell said they will share it once they have worked through all the potential ramifications.
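A fuller version of the mitigation discussed above, as an added example (not WordPress core code and not Campbell's snippet): it builds the From address from the stored site URL instead of the request, and logs password reset requests whose SERVER_NAME does not match the configured host. The pin_* function names are hypothetical, and it assumes home_url() reflects a stored setting rather than a value derived from the request's Host header.

```php
<?php
// Added example, not WordPress core code. The pin_* names are hypothetical.

// Lower-case a hostname and drop a leading "www." so hosts compare equal.
function pin_normalise_host( $host ) {
    $host = strtolower( trim( (string) $host ) );
    return ( 0 === strpos( $host, 'www.' ) ) ? substr( $host, 4 ) : $host;
}

// Build the From address from the stored site URL, never from the request.
function pin_from_address( $site_url, $local_part = 'wordpress' ) {
    return $local_part . '@' . pin_normalise_host( parse_url( $site_url, PHP_URL_HOST ) );
}

// True when the request-derived server name differs from the configured host.
function pin_host_mismatch( $server_name, $site_url ) {
    return pin_normalise_host( $server_name )
        !== pin_normalise_host( parse_url( $site_url, PHP_URL_HOST ) );
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: fix the From address for all outgoing mail.
    // Assumption: home_url() reflects the stored site address setting.
    add_filter( 'wp_mail_from', function ( $from_email ) {
        return pin_from_address( home_url() );
    } );

    // Log password reset requests that arrive with an unexpected server name.
    add_action( 'lostpassword_post', function () {
        $seen = isset( $_SERVER['SERVER_NAME'] ) ? $_SERVER['SERVER_NAME'] : '';
        if ( pin_host_mismatch( $seen, home_url() ) ) {
            // Strip anything outside hostname characters before logging.
            $safe = preg_replace( '/[^A-Za-z0-9.\-]/', '?', $seen );
            error_log( 'Password reset with unexpected SERVER_NAME: ' . $safe );
        }
    } );
} else {
    // Stand-alone run (php file.php) with constructed sample values.
    $site = 'https://www.example.org/blog';
    var_dump( pin_from_address( $site ) );
    var_dump( pin_host_mismatch( 'attackers-mxserver.com', $site ) );
    var_dump( pin_host_mismatch( 'WWW.example.org', $site ) );
}
```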

by Sarah Gooding at May 04, 2017 10:41 PM under security

WPTavern: WordPress Community Team Considers New Retreat-Style WordCamp

photo credit: Jesse Bowser

The WordPress Community Team is debating the merits of a new type of WordCamp, a hybrid event with the traditional WordCamp content in a retreat-style format. Sven Wagener and the Köln meetup group in Germany, which has more than 700 members, have proposed a new style of camp that would potentially be called “WordCamp in the Green” or “WordCamp Retreat.”

The event would be held outside of town at a venue where all attendees stay in the same hotel. In addition to the regular WordCamp sessions and Contributor Day, attendees have the opportunity to participate in local outdoor activities.

The WordPress Community Team is open to considering different formats for WordCamps that serve a specific niche. WordCamp for Publishers, the first WordCamp focused around a specific topic, is a recent example of this flexibility.

The proposed format is very similar to the interest-based meetups that the Japanese WordPress community has been doing for years. Members spend time together in activities unrelated to WordPress, as opposed to simply focusing on improving technical skills, and as a result they become more connected with their local community. For example, the Word温泉 (WordOnsen) meetup includes members who enjoy hot springs. They gather in Fukushima where they stay at the same hotel, host WordPress sessions, and end with a party night. This format has successfully grown the Japanese meetup community to more than 50 local groups.

The Köln meetup group’s proposal for a WordCamp doesn’t stray too far from the traditional WordCamp program, as the only differences seem to be a more rural setting where everyone stays at the same venue. A more radical change would be an event where WordPress community members meet simply for networking and connecting with no planned educational component. These types of niche unofficial WordCamps have been happening for years outside of the WordPress-sanctioned events.

The WordPress Community Team is seeking feedback on the proposed “WordCamp Retreat,” as approval of the event would set a precedent.

“If we introduce a new type of WordCamp event like this, we want it to be something that works in many communities, scales effectively for larger (or smaller) groups, and is able to be reproduced by any organizers who wish to do so,” Community Team member Hugh Lashbrooke said.

The organizing team for the proposed WordCamp has already prepared a budget and is ready to move forward once given approval. Lashbrooke said the Community Team anticipates the new event types will have “a huge amount of interest from other communities around the world,” so they wanted to pitch it to the community for feedback.

If you have strong opinions on the topic, you can join the discussion on WordPress.org.

by Sarah Gooding at May 04, 2017 02:05 AM under wordcamp

WPTavern: WPWeekly Episode 271 – Recapping WordCamp Chicago 2017 With John James Jacoby

In this episode, I’m joined by John James Jacoby. We recap WordCamp Chicago 2017 and learn about what he’s been up to as of late. Jacoby was recently elected as a trustee by the Village of East Troy, WI. We discussed what lessons he’s learned through open source software development that he’ll apply to his Trustee role.

We talk about how important mental health is and near the end of the show, he provides status updates on the bbPress and BuddyPress projects. Jacoby also weighed in on the stories making headlines in recent weeks.

Stories Discussed:

Shopify Discontinues Its Official Plugin for WordPress
WordCamp US 2017 Ramps Up Ticket Sales, Organizers Plan for 2,500 Attendees
Automattic to Close San Francisco Office
WordPress 4.8 Will End Support for Internet Explorer Versions 8, 9, and 10

WPWeekly Meta:

Next Episode: Wednesday, May 10th 3:00 P.M. Eastern

by Jeff Chandler at May 04, 2017 12:26 AM under shopify

May 03, 2017

Matt: Exploiting Democracy

One of my favorite talks from TED last week was by Laura Galante. The most hackable device on the planet is your own mind:

 

by Matt at May 03, 2017 07:48 PM under Asides

WPTavern: Jetpack 4.9 Introduces EU Cookie Law Banner Widget

Jetpack 4.9 gives self-hosted WordPress users access to some of the widgets that are available on WordPress.com. One of the most useful ones for European websites is the new EU Cookie Law Banner widget. The WordPress plugin directory has dozens of plugins related to cookie consent, but Jetpack users can now get this feature bundled with the popular plugin.

The widget launches a notice at the bottom of the screen where users can click to accept cookies. The widget banner text, color scheme, policy URL, and button text can be customized, and administrators can hide the banner based on different user behaviors.

The EU Cookie Law is an online privacy directive that was introduced in 2011 with the objective of allowing website visitors the right to refuse cookies that reduce their privacy. Sites that serve primarily EU audiences are required to comply. Companies in the U.S. and outside the EU with no legal EU presence are not likely to have any consequences for not complying, as the law is difficult to enforce outside the EU.

Jetpack 4.9 also adds a new Flickr widget and one for the Internet Defense League, an organization dedicated to defending internet freedom. The widget lets users select from three different badges to show support. Note that this widget does not sign the website up to broadcast specific campaigns. That feature is available in the Internet Defense League Cat Signal plugin.

This release also includes several minor fixes and improvements under the hood. Check out the full changelog on WordPress.org to see everything included in version 4.9.

by Sarah Gooding at May 03, 2017 05:55 PM under jetpack

WPTavern: Manage Multiple Social Media Accounts in WordPress With Social Media Suite

Managing social media accounts across multiple networks can be a cumbersome task. Social Media Suite by Tina Todorovic and Dejan Markovic, based in Toronto, Canada, aims to make managing those accounts a breeze.

At its core, Social Media Suite is a social media marketing management platform. To use it, you’ll first have to install the Social Media Suite connector plugin to connect your site to the service.

Once activated, click the Go to Control Panel button, which loads Social Web Suite’s control panel where you can connect social media accounts.

I highly recommend that you open the control panel in a new browser tab as opening it in the same browser tab makes it difficult to browse back to the WordPress backend.

Through Social Web Suite, users can publish or schedule Tweets and other messages across social networks such as Facebook. After connecting my Twitter account, I was able to publish a Tweet from the site’s interface.

Social Media Suite Twitter Interface

Social Web Suite includes a number of sharing options. You can configure whether or not to share posts, pages, or both, how many times they can be shared, if the featured image is displayed, and if content is shared at the same time it’s published.

Other configuration options include message formatting, hashtag support, which categories to include or exclude, and the ability to exclude specific pages or posts.

To see how well messages are performing, Social Web Suite offers an analytics dashboard that displays a similar set of statistics provided by Twitter. This allows you to quickly see which messages are having the most impact.

Social Media Suite Analytics Dashboard

As far as privacy is concerned, Social Media Suite stores marketing management content on its servers and will not ask users for their login information. The service is currently in Beta and is available by invitation only. I tested Social Media Suite on WordPress 4.7.4 and didn’t encounter any issues. If you’re looking for a service to manage your social media marketing strategy, consider giving Social Media Suite a try.

by Jeff Chandler at May 03, 2017 04:09 PM under social media suite

WordPress Planet

This is an aggregation of blogs talking about WordPress from around the world. If you think your blog should be part of this site, send an email to Matt.

Official Blog

For official WordPress development news, check out the WordPress Core Blog.

Last updated:

May 17, 2017 04:15 AM
All times are UTC.