WPTavern: WordPress 5.1.1 Patches Critical Vulnerability

WordPress 5.1.1 was released yesterday evening with an important security update for a critical cross-site scripting vulnerability found in 5.1 and prior versions. The release post credited Simon Scannell of RIPS Technologies for discovering and reporting the vulnerability. Scannell published a post summarizing how an unauthenticated attacker could take over any WordPress site that has comments enabled:

An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.

Since WordPress ships with comments enabled by default, an attacker could exploit this vulnerability on any site with the default settings. Auto-updates went out yesterday but administrators who have background updates disabled are advised to update immediately.

The maintenance release also includes the ability for hosts to offer a button to prompt their users to update PHP ahead of WordPress’ planned minimum PHP version bump in 5.2. The “Update PHP” notice can be filtered to change the recommended version.

Version 5.1.2 is expected to follow in two weeks.


Source: WordPress

WPTavern: Dark Mode WordPress Plugin Up for Adoption

Daniel James is putting his Dark Mode plugin up for adoption.

“I’m stepping back from plugin development (and WordPress contributions) and would like to see someone passionate about it pick it up,” James said.

Dark Mode has 2,000 active installations and is the most popular among a handful of dark or “night mode” plugins in the official directory. In August 2018, James submitted a merge proposal for including Dark Mode in core, but it was shot down the same day it was published. Gary Pendergast said the proposal “seemed premature” and noted that the project was lacking several merge criteria outlined on the Handbook page for feature plugins. He cited a lack of weekly chats, no kickoff and update posts, and no testing from the Flow team, among other concerns.

“I decided recently that because of the direction WordPress is going in with the move towards React with Gutenberg that I should probably focus my efforts elsewhere,” James said.

“That’s mostly to do with the merge proposal getting rejected fairly quickly without any helpful next steps on how to improve it. Plus, with how rapidly Gutenberg is being developed, I’d have to pretty much work in tandem with the Gutenberg team to ensure the Dark Mode plugin styled the UI correctly. That’s spare time I just don’t have.

“I feel like WordPress leadership is another reason. It’s really difficult (I think/feel) to get something like Dark Mode pushed through. It’s very much near the bottom of the priority list, which I get, but sucks a bit when you’re volunteering in spare time of course.” James said the plugin currently requires a few hours per week in support and maintenance.

The popularity of dark modes for applications has taken off after macOS Mojave introduced a dark mode, and has also been spurred on by the news that Apple’s 2020 iPhone lineup will be produced with OLED screens. Many popular applications, such as YouTube, Facebook Messenger, Twitter, and Google Maps already have a dark mode that either works automatically based on light conditions or can be manually enabled. Chrome also recently added a dark browsing mode for Mac users. Fans of dark mode claim it is easier on the eyes and conserves battery.

Users who tend to gravitate towards dark mode are still a small subset, but the feature is gaining momentum. A dark mode may one day come to WordPress core but it doesn’t seem likely in the near future. Daniel James’ Dark Mode plugin isn’t ready for core, since it doesn’t support the new editor, but he said he hopes the new owner will find the time to take it where it needs to go.

“I’m happy to transfer the plugin to someone else to continue it, as long as they’re well known/respected,” James said. “I won’t just be giving it away for security reasons. It would be great for it to be included in core one day, but at the very least it would be nice for someone who really likes it to just continue it.”


Source: WordPress

HeroPress: Work Life “Balance” With WordPress

Pull Quote: I can’t imagine how I could have ever achieved my goal of integrating family and an impactful career without WordPress.

I always knew I wanted to have a career, and I also knew I wanted a family. As my family grew, I realized that a typical job where you have to show up at an office every day didn’t work with the dynamic and unpredictable nature of kids. I didn’t understand why being at a physical office was a requirement: wasn’t the most important thing getting the work done? I could work just as well from home, and the flexibility would mean I could do my work at hours that worked for me. Who cares if I finished a project at 11 pm, if I did it well and on time?

Creating Change

So after my fourth kid was born, I decided to create that flexibility for myself, and went freelance, but with a vision to grow into a company. That’s why from the beginning I created a brand for my services, and called the “company” illuminea. At first I offered content related services, like marketing writing, and Hebrew to English translation. Increasingly the work I was doing was related to company websites, and the power websites had in terms of communicating messages and content marketing really caught my attention. I also had always been fascinated by technology.

So I started to teach myself how to build websites, using Google as my teacher.

At first I built basic HTML websites, but as I also learned about web marketing I realized that a site that can’t be easily updated is not doing any favors for its owners. Website content needs to be quickly and easily updatable. So I started researching CMS options. Many companies in those days were using expensive and clunky proprietary CMSs, and I was not impressed. I tested the three leading Open Source CMSs, and fell in love with WordPress. I was impressed by the templating system, the plugin ecosystem, and the community.

Moving to WordPress

At that time companies did not take WordPress seriously as a CMS. Blogging was catching on, so companies would install a WordPress blog as a subdomain, but they weren’t using it for general site management. I thought it could be more, and managed to convince a few clients to let me build their sites on WP.

And then version 3.0 was released, and WP became a full-fledged CMS.

Companies started to become sick of the limitations and costs of their proprietary CMSs, and since I was one of the first in the Israeli market to offer WP as a service, I started to get more and more clients for full website projects.

Right before I had my fifth kid, I made my first hire: Rebecca Markowitz. I taught her whatever I knew, and she quickly surpassed me with her skills in many areas. We have been working (and laughing) together ever since!

One thing led to another and illuminea became one of the leading providers of custom WordPress business solutions in Israel. We were privileged to work with inspiring innovators and generally nice people.

Building Something New

I had had many ideas for products throughout the years, but managing a business and having babies meant I could not realistically build a product on the side. However, after about twelve years of illuminea, and when my youngest was no longer a baby, I had an idea for a WordPress-related product: our clients, and ourselves, were suffering from issues related to speed and security. No matter what we did, we could never speed up client websites as much as they or we would have liked; and no matter what we did on the security side, sites still had vulnerabilities too often. So I thought: why not convert WordPress websites to serverless and static versions of themselves so they’ll be fast and secure?

I decided to go for it. I got accepted to a Jerusalem startup accelerator called Siftech, and they gave me the tools and access to resources and mentors that I needed to take the next steps.

I called that venture Strattic, and today we are a venture-backed team of seven with a great product that our clients love.

I can’t imagine how I could have ever achieved my goal of integrating family and an impactful career without WordPress. To this day I love that I am always challenged and learning more, and always meeting more people in our amazing community, while also having the flexibility I need to be a mom. Of course it’s not perfect, but it’s pretty good, thank God.

The post Work Life “Balance” With WordPress appeared first on HeroPress.


Source: WordPress

WPTavern: Google Announces Season of Docs Program to Match Technical Writers with Open Source Projects

Google is launching a new program called Season of Docs with the goal of fostering collaboration between technical writers and open source projects. The initiative is very similar to Google Summer of Code, except it is focused on documentation and technical writing contributions instead.

Prospective participants can apply during the month of April 2019. Google plans to publish a list of accepted organizations with their ideas for documentation projects. Technical writers can choose a project and submit a proposal to Season of Docs. The accepted proposals will be published July 30, 2019, and participants will then spend a month bonding with their open source communities and collaborating with mentors. The Season of Docs program officially runs from September 2 – November 29, and participants will receive a stipend of $2,400 – $6,000 USD, calculated based on Purchasing Power Parity.

In 2017, Google’s Open Source Survey results showed that incomplete or missing documentation was one of the most common problems encountered in open source, observed by 93% of respondents. The Season of Docs program aims to give technical writers an opportunity to contribute to open source projects in a more structured way while learning about open source code. Participating organizations gain the chance to improve their processes for documenting their projects while working with a technical writer. Check out the FAQ section of the Season of Docs website for more detailed information.


Source: WordPress

WPTavern: WordCamp Nordic Hosts Successful Kids Workshop

WordCamp Nordic hosted a successful kids workshop over the weekend where participants learned how to start publishing with WordPress. The event was held during Contributor Day at the same venue, tucked into a comfortable corner with soft chairs and ample floor space for the kids to stretch out.

Petya Raykovska led the workshop and participants followed along with the help of a large screen for demonstrating basic publishing-related tasks. The kids learned how to use the editor, add text and images, create galleries, and customize their sites by selecting a theme. Each participant left the workshop with their own WordPress site hosted at WordPress.com.

“It’s like an exercise in creativity, showing them how to use a tool to express themselves on the web,” Raykovska said.

Teaching kids how to use WordPress is far easier than teaching adults how to use it for the first time, because they don’t have preconceived notions about how the editor should behave. Raykovska said the group at WordCamp Nordic had no issues using Gutenberg.

“It doesn’t matter for them what editor they use,” Raykovska said. “They are very intuitive; they go along with anything that comes their way.”

She also reported that many of the kids from past kids workshop events have kept their blogs going and maintain strong relationships with the volunteers who helped them get started.

Each kids workshop is a new opportunity for organizers to test and refine different methods for teaching kids how to use WordPress. As these workshops become more common at WordCamps around the globe, it would be exciting to see them grow to become large scale events where more experienced kids can present on what they are learning and doing with WordPress.

If you are interested in running a kids workshop at another WordCamp, Raykovska has created an organizer kit for training the next generation of WordPress users and developers. It includes all the tasks and requirements for organizing this type of event, sample content, and a workshop script that organizers can follow.


Source: WordPress

WPTavern: WordPress Explores Proposal for New Block Directory to Host Single Block Plugins

WordPress core contributor Alex Shiels has published a proposal for a WordPress.org block directory that would host JavaScript-based, single block plugins. The directory would make blocks searchable and installable from within the Gutenberg editor. Building a directory for discovering blocks and seamlessly installing them is one of the nine projects that Matt Mullenweg identified as a priority for 2019.

Block collections have become one of the most popular ways of distributing a group of related blocks, but this method can cause bloat. Users currently cannot search for individual blocks by name, and plugin names and descriptions are not always a good indication of what the blocks do.

Shiels proposed the new directory be limited to single block plugins, frontend JavaScript blocks with no UI outside of the editor. It would be a separate section inside the Plugins Directory, optimized for users to find blocks by name and description. Developers would be required to use a block.json file with metadata as outlined in the Block Registration RFC, which provides a technical specification for block type registration.

The most controversial part of the proposal is having blocks installable from within the Gutenberg editor. The long term goal is to make that process as seamless as possible. Block collections and blocks that do not meet the requirements of the single block directory would still be available via the normal plugin installation process. This could be confusing for users who do not know that blocks can be found in two separate directories.

“The Gutenberg editor should NOT be a plugin installation source,” Matt Cromwell commented on the proposal. “That just seems ripe for scope-creep. That’s not its purpose or function. Let it be an editor, layout builder, content manager, etc. Moving into searching an external library and installing plugins is the definition of losing sight of the purpose of a ‘product.’”

Cromwell suggested a centralized block manager as an alternative that would offer a better experience for searching and installing blocks. He also echoed other participants’ opinions on the importance of including dynamic blocks in the directory, instead of limiting it to “JavaScript only” blocks.

“A centralized Block Manager like has already been suggested is a far better user-experience for searching and installing blocks than doing that in the Gutenberg editor. I like the idea of single-block plugins being the only option in the Directory. But make sure Dynamic Blocks that depend on other existing plugins or outside functionality are able to be added to that very important Directory as well. I really don’t see a benefit to limiting this Directory so much.”

WordPress developer Jamie Schmid also expressed hesitation about pursuing a solution that puts block installation inside the editor, as it may discourage users from thinking about their block usage across the entire site.

“I am not convinced that making blocks searchable and installable from within the editor is the best solution,” Schmid said. “This, along with page level block controls and style overrides, is encouraging a very short-sighted, page-level solution to an issue that is very likely a global site (or content or even business) issue. I’d love to instead see a central view for all installed blocks – similar to how plugins are, but more organized by type/function/etc and with a visual alongside. This will encourage making decisions at the site level, encouraging some bigger-picture reflection. And same to being able to apply access controls to the installation of new blocks.”

The proposal would place the single block plugin search interface inside the block inserter in the Gutenberg editor. This would enable users to quickly search for and install a block if they don’t see one they need among the existing blocks.

A mockup of what inline block installation might look like

Riad Benguella, Gutenberg’s technical lead for phase 2, encouraged participants in the discussion to think about blocks as pieces of content that do not rely on the post editor but can be configured anywhere inside WordPress.

“It is important to think of blocks as their own units that have a meaning on their own, and that can be used in different contexts,” Benguella said. “A block is a piece of content (static or dynamic) that can be configured and rendered anywhere.” This includes blocks found both inside and outside post_content, content in a full site editor, inside the WordPress admin, a headless application, or even another CMS.

“We should be ambitious and think about all these contexts (the final picture), but at the same time we should be pragmatic and iterate to achieve this goal,” Benguella said.

The discussion regarding the new block directory and block plugin architecture continues across WordPress contributor teams. Shiels said the proposal was meant as a starting place and contributors are still in the preliminary stage of exploring ideas.


Source: WordPress
