
Dev Blog: WordPress 5.0.1 Security Release

WordPress 5.0.1 is now available. This is a security release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

Plugin authors are encouraged to read the 5.0.1 developer notes for information on backwards-compatibility.

WordPress versions 5.0 and earlier are affected by the following bugs, which are fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are also available, for users who have not yet updated to 5.0.

  • Karim El Ouerghemmi discovered that authors could alter meta data to delete files that they weren’t authorized to.
  • Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input.
  • Sam Thomas discovered that contributors could craft meta data in a way that resulted in PHP object injection.
  • Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
  • Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.
  • Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.
  • Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.

Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

Download WordPress 5.0.1, or venture over to Dashboard → Updates and click Update Now. Sites that support automatic background updates are already beginning to update automatically.

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.0.1:

Alex Shiels, Alex Concha, Anton Timmermans, Andrew Ozz, Aaron Campbell, Andrea Middleton, Ben Bidner, Barry Abrahamson, Chris Christoff, David Newman, Demitrious Kelly, Dion Hulse, Hannah Notess, Gary Pendergast, Herre Groen, Ian Dunn, Jeremy Felt, Joe McGill, John James Jacoby, Jonathan Desrosiers, Josepha Haden, Joost de Valk, Mo Jangda, Nick Daugherty, Peter Wilson, Pascal Birchler, Sergey Biryukov, and Valentyn Pylypchuk.


Source: WordPress

Post Status: Interview with Matt Mullenweg on Gutenberg, WordPress, and the future

Welcome to the Post Status Draft podcast, which you can find on iTunes, Google Play, Stitcher, and via RSS for your favorite podcatcher. Post Status Draft is hosted by Brian Krogsgard.

In this episode, I am joined by Matt Mullenweg, the co-founder of WordPress and CEO of Automattic.

Just after releasing WordPress 5.0, and on the heels of WordCamp US, Matt and I review the event, the release, and discuss how he thinks things went, what could have gone better, and what he sees ahead.

We also dig into WooCommerce, various plans around core development processes, Automattic, and more. I hope you enjoy.

And an audio version.

Full transcript is coming soon.

Episode Links

Sponsor: iThemes

iThemes makes great WordPress plugins, themes and training to help take the guesswork out of building, maintaining and securing WordPress websites. I talk to iThemes CEO Cory Miller during the break to hear about what they are working on, and excited about for the coming year.

Thanks to iThemes for being a Post Status partner.


Source: WordPress

WPTavern: State of the Word 2018: WordPress Embraces the Block Editor
photo credit: WP Tavern

WordCamp US kicked off in Nashville over the weekend, following the release of WordPress 5.0. In the first 48 hours, 5.0 had been downloaded more than 2.8 million times. It passed 3 million Saturday night.

“There’s been a lot that’s been going on, so I’d like to allow WordPress the chance to re-introduce itself,” Matt Mullenweg said during the preamble of his State of the Word address. He invoked the four freedoms as the project’s constitution and called the community back to its roots.

“It’s the reason we’re here,” Mullenweg said. “WordPress isn’t a physical thing; it’s not a set of code. It’s kind of an idea. WordPress is backed by the full faith and credit of every person and company that depends on it.”

He reiterated the project’s mission to democratize publishing and recast his vision for advancing the open web.

“Like I said a few years ago, we’re building a web operating system, an operating system for the open, independent web and a platform that others can truly build on,” Mullenweg said.

WordPress’ 32.5% market share and its commercial ecosystem, which Mullenweg estimates at $10 billion/year, give the project the resources to make a powerful impact on the future of the web.

Mullenweg Builds a Compelling Case for the Block Editor

photo credit: WCUS Photography Team

Mullenweg drove home the necessity of Gutenberg by showing a selection of videos where new users struggled to accomplish simple tasks in the old editor. Their experiences were accompanied by painful commentary:

  • “This feels like writing a blog back in 2005.”
  • “This was very finicky; this does not work.”
  • “How would I add a caption? I have no clue.”

Mullenweg described how he used to effortlessly switch back and forth between the visual and HTML editors prior to WordPress 5.0 but realized that not all users are able to do this.

“This has been our editor experience for over a decade now and many of us have learned to deal with it,” he said.

He followed up with a video demonstrating how much easier these tasks are in the new block editor and identified blocks as the way forward for WordPress.

Some attendees commented after the fact on how the user testing videos, paired up against an expert using Gutenberg, seemed unbalanced and they would have liked to see videos of new users attempting the same tasks in the new editor. The goal of that segment, however, seemed to be more aimed at communicating the need for Gutenberg and the possibilities it opens up once users have had the chance to grow into it.

Mullenweg Urges Attendees to “Learn Blocks Deeply”

Millions of early adopters have already embraced the block editor during phase 1 of the Gutenberg project, which closed out with 1.2 million active installs and 1.2 million posts written. There have already been 277 WordCamp talks on Gutenberg, 555 meetup events focused on the new editor, and more than 1,000 blog posts discussing it.

Blocks are taking over the world of WordPress. Version 5.0 shipped with 70 native blocks and there are already more than 100 third-party blocks in existence and 1,000 configurations related to that.

“Blocks are predictable, tactile, and can be simple like a text block, or as rich as an e-commerce interface,” Mullenweg said. He described them as the new DNA of WordPress, from which users can create anything they can imagine.

Mullenweg showcased two sites built using the block editor, the Indigo Mill and Lumina Solar. These beautiful sites open the imagination to what Gutenberg is capable of bringing to websites.

WordPress.org will be highlighting plugins and themes to push the block ecosystem forward. There are also more than 100 Gutenberg-ready themes available to users on the directory and a new Gutenberg block tag that is currently live for plugins. It will also be available for themes soon.

Mullenweg highlighted tools like the create-guten-block toolkit, Block Lab, and Lazy Blocks that are making it easy for developers to create their own blocks. Block collections and libraries are also emerging. He said one of the priorities for 2019 is to build a WordPress.org directory for discovering blocks and a way to seamlessly install them.

Building on the homework he gave to WordPress developers in 2015, to “Learn JavaScript Deeply,” Mullenweg urged the community to “Learn Blocks Deeply.” Blocks provide a host of opportunities to improve the user experience beyond what Gutenberg’s creators could have imagined in the beginning.

Gutenberg Phase 2: Navigation Menu Block, Widget blocks, Theme Content Areas

Mullenweg announced the next phases for the Gutenberg project. Phase 2 has already begun and focuses on site customization, expanding the block interface to other aspects of content management. This includes creating a navigation menu block. Reimagining menus will be challenging, and Mullenweg said they may even get renamed during the process.

Phase 2 goals also include porting all widgets over to blocks and registering theme content areas in Gutenberg. An early version of phase 2 will be in the Gutenberg plugin so anyone wanting to be part of testing can reactivate it.

During the Q&A time, one attendee asked a question about how this phase seems to include very little about making layout capabilities more robust. He asked whether Mullenweg plans to let the marketplace handle those layout decisions or whether core will define a layout language. Mullenweg responded that it may be more prudent to see what others in the ecosystem are doing and cherry-pick and adopt the best solutions. He also remarked that it would be exciting if users could switch between different page builders in the future and not lose their content.

Gutenberg Phases 3 and 4: Collaboration and Core Support for Multilingual Sites

Mullenweg announced that Gutenberg phase 3, targeted for 2020, will focus on collaboration, multi-user editing, and workflows. Phase 4 (2020+) is aimed at developing an official way for WordPress to support multilingual sites. When asked what that will look like from a technical standpoint, given the many existing solutions already available, Mullenweg said he didn’t want to prescribe anything yet, as it’s still in the experimental stage.

Other major announcements included a highly anticipated bump in the minimum PHP version required for using WordPress. By April 2019, PHP 5.6 will be the minimum PHP version for WordPress, and by December 2019, the requirement will be updated to PHP 7.

WordPress releases are going to come faster in the future, as Gutenberg development has set a new pace for iteration. Mullenweg said he would like WordPress to get to the point where users are not thinking about what version they are on but instead choose a channel where they can easily run betas or the stable version.

Mullenweg Acknowledges Mistakes Made and Lessons Learned in the 5.0 Release Process

WordPress 5.0 was one of the longest and most controversial release cycles in the project’s history. Those outside the inner circle of decision-making endured a great deal of uncertainty, as dates were announced and then missed, with secondary dates thrown out in favor of pushing 5.0 out with just three days’ notice.

“We were scared to announce a new release date after missing our previous one,” Mullenweg said, acknowledging the controversial release date. He said this seemed to create a lot of fear and uncertainty until they announced a new date. The dates seemed to come out of the blue and were stressful for the community.

Mullenweg highlighted the lessons they learned in the process of releasing 5.0:

  • Need the various teams across WordPress working together better
  • Need to keep learning JavaScript, even more deeply
  • Importance of triage and code freezes
  • Always announce release dates

Mullenweg noted that WordPress 5.0’s beta releases were tested 100 times more than other releases, which he said contributed to Gutenberg becoming more robust before landing in 5.0. However, these positives seemed to be overshadowed by several critical breakdowns in communication that many feel betrayed the community’s trust.

He noted that people used the plugin review system as a way to vote on Gutenberg and that perhaps the community needs a different medium for expressing those kinds of things. Users did this because they felt it was one of the only feedback mechanisms where they had a voice. Negative reviews piled on in the early days of the plugin’s development but they continued steadily throughout the feature plugin’s journey into core. After 5.0 was released, negative reviews on the Gutenberg plugin have continued to pour in, and its rating has fallen to 2.2/5 stars.

Growing Pains and a Call for Transparency

photo credit: David Bisset for Post Status

Mullenweg said that Gutenberg development happened entirely in the public eye, surfacing many challenges associated with developing open source software in public. The code was public, but the most important decisions were made behind closed doors. This was compounded by the developer community voicing frustrations during core dev chats and on social media.

During the Q&A segment, several audience members called for more transparency in the release process, noting that most of the posts and announcements regarding 5.0 came from Automattic employees. Morten Rand-Hendriksen, who has become somewhat of a community firebrand at WordCamp Q&As, received applause for his question regarding the use of the word “we” in connection to posts on the make blogs. He pressed Mullenweg for more insight into where these decisions are made.

Mullenweg said the “we” he meant in regards to 5.0 release dates referred to a private channel where the release leads discussed it. He said with so many people showing up to the dev chats, the discussions became difficult.

“I don’t just go in a cave and come up with these things,” Mullenweg said. “A lot of people were showing up [to dev chats] who had never contributed to WordPress before and were crowding out the discussion of the core team.” He also said the private conversations were “every bit as feisty as the public one,” except there weren’t any drive-by opinions.

To those on the outside, these meetings appeared to be secret, as they were never referenced or summarized on the make blogs. This left the developer community wondering where these decisions were coming from and whether or not they had a voice.

During the Q&A, Mullenweg said he listened to vigorous discussion and diverse viewpoints from release leads coming from different companies, while gathering as much information as possible from reading reviews, blog posts, and comments from the community. He described this process as part of the art of trying to make sense of all the different things people are saying and balance that.

Supporting a BDFL-led project requires a certain amount of trust that the leadership is listening. Over the past several weeks Mullenweg has made a strong effort to keep the channels of communication open.

The painful user testing videos Mullenweg shared demonstrated how desperately WordPress needed to grow out of its old editor. It isn’t often that core makes changes that affect nearly every corner of the WordPress ecosystem at the same time. This experience came with its fair share of growing pains. Despite communication missteps during the 5.0 release process, Mullenweg has successfully navigated the project through this rocky transition. Although WordCamp US attendees seemed road weary after 5.0, they were united by a shared desire to move forward and continue working together with the leadership that has kept WordPress on the course of growth and improvement for the past 15 years.


Source: WordPress

Matt: State of the Word 2018

Over the weekend I was in Nashville with over a thousand other WordPress enthusiasts. I met a ton of people, learned a lot, and was able to share the annual State of the Word address with the audience, which is a big summary of what WordPress has been up to and where it’s going. This year we covered user testing, Gutenberg, 5.0, the future phases of Gutenberg, all the latest and greatest blocks, new minimum PHP requirements, the adoption of 5.0, and some event and community updates. You can also see just the slides.


Source: WordPress

Post Status: Matt Mullenweg’s State of The Word, 2018

Matt started by “reintroducing WordPress” and the four freedoms, stressing that “WordPress isn’t a physical thing or code, it’s an idea.” Additionally, a “robust commercial ecosystem” supports WordPress, and Matt noted that current estimates indicate WordPress generates about $10 Billion (USD) annually.

After two years of development and just after WordPress 5.0 officially launched, it’s not surprising the focus of Matt’s talk was on Gutenberg. “We’ve gotten a lot of questions about why we are doing certain things… why we are working on Gutenberg. And it’s good to return to users to find that,” Matt acknowledged.

Enhancing editor usability

A video of new WordPress users testing the classic editor (WordPress 4.9) was shown projected on the big screens over the stage. These clips primarily showed people having difficulties with relatively simple tasks in the editor.

Matt’s point was that we’ve become accustomed to the classic editor’s quirks, but blocks offer a better experience — from copying and pasting from Microsoft Word and Google Docs into WordPress to quickly creating a responsive website.

Community Gutenberg adoption

Matt continued with a summary of how Gutenberg has performed in Phase 1 of its release. Before the WordPress 5.0 release, 1.2 million active installs and 1.2 million posts were published, with about 39,000 posts written daily. Phase 1 had 8,684 commits and over 340 contributors. The ‘Gutenberg’ tag is already available for plugins in the WordPress repo, and it will be “coming soon” for themes.

Notably, over 100 Gutenberg themes are already present in the WordPress repo — including the new Twenty Nineteen theme. Matt highlighted two websites — The Indigo Mill and Lumina Solar — as examples where Gutenberg blocks have been used well to create effective layouts. Matt riffed on the “Learn JavaScript Deeply” mantra by repeating “Learn Blocks Deeply.” Blocks are the DNA of the new editor. Currently, 70 native blocks and over 100 third-party blocks exist for Gutenberg.

Community Gutenberg development

He highlighted some of the third-party blocks in the wild:

Matt mentioned several block libraries and frameworks that have appeared:

Mobile Apps

Matt gave the audience an update regarding the WordPress native mobile apps: In the past month, app users published 1.3M posts and uploaded 3.1M photos and videos. Gutenberg will be going into the mobile apps, with a beta release expected in February 2019; I heard February 22nd is the current target date for a beta release.

The Next Phases of Gutenberg

Matt highlighted the next phases of Gutenberg’s evolution, which included new information about Phases Three and Four:

Phase One

Fundamental blocks for writing and editing in the backend editor. These are complete now, although Matt later said that work on the editor would continue.

Phase Two

Customizing outside of the page/post content will be the next point of emphasis. It may include widgets, menus, and miscellaneous content. Matt notes that menus “will need a bit more experimentation.” The target for this phase is “2019.”

Phase Three

Collaboration, multi-user editing in Gutenberg, and workflows. The target for this phase to be complete is “2020+.”

Phase Four

“An official way” for WordPress to support multilingual sites. Also slated for “2020+.”

Other Announcements

There were several non-Gutenberg tidbits of note:

Auto updates on major versions of WordPress

On a list of items to work on in 2019, Matt said he wanted to make it a goal to add optional auto-updates for plugins, themes, and major versions of WordPress.

Updated minimum PHP versions

A proposal written by Gary Pendergast makes a case for WordPress to start updating its minimum PHP versions. The proposed plan is to move to PHP 5.6 by April 2019 and to PHP 7.0 by “as early as” December 2019. Notably, security support for PHP 5.6 expires in a few days, and the “end of life” for PHP 7.0 just passed.

After Matt mentioned this proposal, it received an enormous amount of applause — far more applause than most of the Gutenberg news that came earlier, and Matt noticed. It is definitely welcome news!

WordPress release adoption

During the life of the WordPress 4.9 branch, there were over 173 million downloads with 68.4% of all known WordPress installs running 4.9.

Matt notes that the early adoption numbers for WordPress 5.0 were very similar to WordPress 4.7, which was also a December release back in 2016.

Lessons learned in 2018

Matt took time to summarize the lessons he learned in 2018, starting with the need for teams to improve how they work together: “There should be no reason for accessibility, testing, and other teams not to be working together since these features should be a feature of everything we develop from the very beginning.” No doubt this came as a response to the concerns about accessibility in Gutenberg that surfaced before WordPress 5.0 was released.

Community Update

Matt offered some community-related data as well:

  • WordCamps: In 2018 there were 145 WordCamps in 48 countries, with over 45,000 tickets sold. A total of 1,300 organizers (a 33% increase!), 2,651 speakers, and 1,175 sponsors made it all possible.
  • Meetups: This year saw 50% member growth in meetup attendance, with over 687 meetup groups and 5,400 meetup events.

And with that, he began Q&A.

You can view the State of the Word on YouTube in full, and it should become available on WordPress TV very soon.

Photos by Brian Richards, for Post Status.


Source: WordPress

WPTavern: AMP Plugin for WordPress Version 1.0 Introduces Gutenberg-Integrated AMP Validation

Version 1.0 of the official AMP plugin for WordPress was released on the eve of WordCamp US, after two years in development by contributors from Automattic, XWP, and Google. This first stable version has a massive changelog with 30 people credited for their contributions. The plugin is now considered ready for production and is active on more than 300,000 sites.

Version 1.0 interfaces with the new editor that landed in WordPress 5.0. It will display warnings for AMP-invalid markup on a per-block basis, so users don’t have to guess what content is generating an issue.

This release also introduces a compatibility tool that offers detailed information on AMP validation errors. It functions like a debugging page where users can see which URLs are generating errors, along with the site component (plugin, theme, or core) where the markup originates.

Version 1.0 includes granular controls for selecting which templates will be served as AMP. This allows for a more gradual adoption across a site. Users can also opt for Native mode to have the entire site served as AMP.

The plugin has been updated to support four of WordPress’ default themes, including Twenty Fifteen, Twenty Sixteen, Twenty Seventeen, and Twenty Nineteen. The documentation for how AMP was added to these bundled themes serves as an example for how theme developers can make their own themes AMP-compatible.

WordPress users who opt to use AMP on their sites will have a more successful experience with this version, thanks to the improved UI for handling AMP validation errors and the new interface for limiting AMP-support to certain templates.

The AMP for WordPress project is also sporting a new website that features a collection of AMP-ready plugins and themes and a showcase of sites using AMP. It also has extensive documentation for implementors, site owners, and developers. The site provides a central place for news and resources related to the project and its expanding ecosystem of compatible extensions.


Source: WordPress