EDITS.WS

Author: Sarah Gooding

  • Automattic Releases wp-now: A Local Development Environment Powered by WordPress Playground

    Automattic has published a new project called wp-now that creates a local development environment in seconds. The tool is a NodeJS app that is powered by WordPress Playground, an experimental project that uses WebAssembly (WASM) to run WordPress in the browser.

    wp-now allows developers to quickly spin up a new WordPress site with their chosen theme and then open it in the browser automatically logged in as admin without having to enter any credentials. It uses the SQLite Database Integration plugin for its database and developers can quickly swap out versions of PHP and WordPress for testing.

    Automattic software engineer Antonio Sejas explained how it works:

    When you use wp-now from a directory, we create a php-wasm instance, download the selected WordPress version and mount the necessary directories in a virtual file system (VFS). Then, we initiate a NodeJS express server that listens and proxies all requests to the php-wasm. As a result, wp-now can easily log you into WordPress automatically, activate plugins and themes, and automatically configure your WordPress site.

    wp-now can be installed directly from npm. It works across all platforms (Mac, Linux, and Windows). Although it doesn’t support custom domains or SSL yet, Automattic has it on the roadmap. wp-now contributors are also looking at auto detecting when a file is modified and automatically refreshing the browser, importing a database from another WordPress site, and adding a deploy feature for SSH/SFTP hosting, among other features.

  • Gutenberg 15.8 Adds Pages Menu to Site Editor, Revisions UI to Global Styles

    Gutenberg 15.8 was released with some exciting features that were included in the tentative WordPress 6.3 roadmap. Users are getting closer to a more unified content editing experience with the addition of the Pages menu to the Site Editor. Clicking on Pages will load the ten most recently updated pages with a link to “Manage All Pages” at the bottom of the list. Users can quickly jump into editing content by selecting a page.

    The interface also includes a little reminder about the nature of pages in WordPress: “Pages are static and are not listed by date. Pages do not use tags or categories.” It will be interesting to see how page editing in the Site Editor is received, whether it is too confusing for users to understand what they are editing, or whether the baseline expectation is that content can be edited anywhere.

    Revisions for design changes have landed in 15.8 with a basic UI inside the Global Styles panel. It shows a timeline of saved changes along with who made the change, so users can easily revert back to previous design changes. This creates an extra cushion or safety net for those who are designing their own sites and should provide a greater level of user confidence when making design changes.

    Version 15.8 also introduces theme previews for block themes, a feature that has been sorely missing for early adopters of block themes. This is made possible by a new theme_preview parameter, which allows the user to see what the site would look like if a different theme was active.

    A few other noticeable changes in this release include the following:

    • Post Featured Image: New design for Replace and Remove buttons. (50269)
    • More intuitive Details block with summary and innerBlocks content. (49808)
    • List View: Allow dragging to all levels of the block hierarchy. (49742)

    Check out the full changelog for all the details on enhancements and bug fixes in 15.8.

  • Shufflehound Releases Free Lemmony Child Theme for Agencies

    Shufflehound made a big splash in March when it released Lemmony, a free WordPress block theme with more than 30 patterns. This was the company’s first block theme on WordPress.org and it is already active on more than 1,000 websites. Building on the success of this theme, Shufflehound has created a child theme for agencies.

    Lemmony Agency bears a strong resemblance to its parent theme but with more agency-specific patterns. This theme ships with 25 new custom block patterns, on top of the ones already included in Lemmony, for a total of more than 50 patterns.

    The patterns unique to this theme suit agencies but would also work well for non-profits, advocacy, portfolios, or businesses of any kind. These include a hero with services, accordions for things like FAQ, counters, more pricing tables, services with icons or images, a blockified sidebar, testimonials, and more.

    The theme’s creators have done an excellent job in organizing all the patterns available to users. Inside the pattern explorer/inserter, they have been separated into different panels for the patterns specific to the Lemmony Agency theme, the Lemmony patterns, and the Lemmony full-page patterns. This makes it easier to build pages, since users won’t have to hunt through all the patterns lumped together.

    The Lemmony Companion plugin, recommended when users install the theme, adds a handful of custom blocks that some of the patterns rely on to work. It includes blocks for a counter, icon, post featured image caption, typing text, hero auto-slider, and accordion.

    This might be the best way to ensure these features are styled exactly to match the theme and give users more creative control inside these particular blocks. Sometimes using third-party plugins to add sliders or icons can look like it’s bolted onto the design in an unsightly way. A companion plugin designated specifically for this theme makes sense in this instance.

    Shufflehound made an interesting choice creating Lemmony Agency as a child theme of what is already a very flexible multi-purpose theme. This certainly could have been shipped as a full-page pattern but it would have also greatly expanded the patterns packaged with the parent theme. In these early days of block theming, it’s not yet clear what users might consider “pattern bloat” or too many patterns, especially since they can easily be categorized under various panels inside the explorer.

    Lemmony Agency is a solid option for building websites that need to showcase their services, display pricing, or simply maintain an informational web presence. It’s available for free from WordPress.org and will auto-install the parent theme at the same time.

  • WordPress 6.2.2 Restores Shortcode Support in Block Templates, Fixes Security Issue

    WordPress 6.2.2 was released early this morning as a rapid follow-up to 6.2.1, which introduced a bug that broke shortcode support in block templates. Version 6.2.1 was also an important security release, but due to the catastrophic breakage for those using shortcodes in block templates, some users were implementing insecure workarounds or simply downgrading to 6.2 to keep critical functionality working on their websites.

    WordPress contributors worked quickly over the weekend to ensure that users can now update to 6.2.2 with their shortcodes intact. The release post identified the removal of shortcode support in the previous release as “a regression” and a bug. This is an important recognition, as shortcodes are still a tool that users frequently rely on to insert functionality from plugins that haven’t made it available as a block, as well as a necessity for things that won’t work without inline shortcodes.

    Version 6.2.2 is also a security release, as core contributor Jonathan Desrosiers said that the issue patched in 6.2.1 “needed further hardening” in this update.

    Users are advised to update immediately and automatic updates are rolling out. Many reported having turned automatic background updates off for core after 6.2.1 broke their websites. Users who did so will need to manually update as soon as possible.

  • WordPress 6.3 Development Kicks Off to Conclude Gutenberg Phase 2

    The WordPress 6.3 development cycle has begun and work is already underway on an ambitious list of features that will debut in the upcoming major release. It will cap off Phase 2 of the Gutenberg project, with an emphasis on polishing customization features and making them easier to use.

    WordPress 6.3 Editor Triage co-lead Anne McCarthy published a roadmap to 6.3 this week, which summarizes what users can expect:

    This release aims to make it easier for users to edit pages, manage navigation, and adjust styles all directly in the Site Editor. It also seeks to provide detailed, relevant information when exploring different parts of the site, such as showing the number of posts per page when viewing relevant blog templates.

    In addition to polishing and wrapping up phase 2, McCarthy’s post outlines the new features that are coming. Here are a few of the highlights:

    This is a tentative glimpse at some of the user-facing features that may be coming in WordPress 6.3, but the roadmap includes many more items, screenshots, and quick demos.

    “As always, what’s shared here is being actively pursued, but doesn’t necessarily mean each will make it into the final release of WordPress 6.3,” McCarthy said.

    Gutenberg Lead Architect Matías Ventura will be leading WordPress 6.3. Beta 1 is expected in a little more than a month on June 27, 2023, with RC 1 on July 18, and the general release scheduled for August 8.

  • WCEU 2023 Publishes Schedule, Reaffirms Commitment to Diversity

    WordCamp Europe 2023 is just under three weeks away from happening in Athens on June 8-10. More than 2,700 tickets have been purchased and 527 remain, along with 49 micro-sponsor tickets.

    Speaker announcements have concluded and the official schedule was published today. WCEU will be running three tracks of presentations and two tracks for workshops. Organizers have also announced a Wellness Track that will feature different activities throughout the day, including a Yoga class, a Tai Chi class, and a group hike.

    “The Wellness Track is an important addition to WordCamp Europe because we need to find a balance and be more focused on taking care of our minds and bodies, taking care of the whole community and in turn the one world we have to live in,” organizer Ohia Thompson said.

    “This means seeing our interconnectedness and moving forward with a focus on wellbeing, diversity, and sustainability. The Wellness Track this year is just the beginning of a more intentional future for everyone connected to WordPress.”

    Last year the team hosting the event in Porto was called out for a lack of diversity on the organizing team, which performs critical tasks like selecting speakers and managing a speaker support program. In what appears to be an echo back to that controversy, a public interaction on Twitter earlier this month caused community members to question the organizing team.

    WCEU was once again forced to reaffirm its commitment to diversity after Sjoerd Blom, one of the Global organizers, accused StellarWP’s Director of Community Engagement, Michelle Frechette, of “being prejudiced” when she questioned the lack of diversity in the first few rounds of speaker announcements.

    Blom has since publicly apologized for his response to the criticism this week, reiterating that diversity matters to the team, but only after WCEU received overwhelmingly negative feedback regarding the incident.

    WordCamp Europe has not yet published anything to mitigate the effects of this public altercation but damage control measures are likely in the works, as Blom indicated a more official response will be coming from the team.

  • WordPress Is Developing a Command Center for Quick Search and Navigation Inside the Admin

    WordPress may soon be getting a Command Center, which would function as a quick search component for navigating to other areas of the admin, and would also be capable of running commands. The feature was introduced in Gutenberg 15.6 under the Experimental flag and currently has limited use in the Site Editor context while navigating and editing templates.

    The Command Center project is intended to be expanded to the whole of wp-admin in an extensible way so plugin developers can register their own commands. This would also allow for AI-powered extensions to expedite design, content, and layout creation.

    “One aspect worth highlighting is the proposed API to interact with the command center,” Gutenberg engineer Riad Benguella said in a post requesting feedback on the project. “The command center has been developed as an independent @wordpress/commands package. It offers APIs to render and register commands dynamically. These extension points allow plugins to inject any commands of their liking and opens the door for interactions with LLMs.”

    Benguella shared a video of the prototype navigating between templates and template parts in the Site Editor:

    Feedback so far has been generally positive, but contributors on the project will have the challenge of providing real examples of the Command Center’s benefits in order for some to fully realize the vision for this feature as more than just a fancy shortcut for power users.

    “Neat, but I’m unclear what practical problem this actually solves?” WordPress developer Jon Brown said.

    “Currently there is a clear easy to find and use drop down at the top center of the editor. Are people really having problems using that? This seems to complicate things where users have to know the names of the items to type them in. Does the average user know to type in ‘post meta’ to edit that?

    “There are a couple plugins that have done this admin wide, which again while neat, seems better aimed at power users that already know what they’re looking for.”

    Benguella responded that the Command Center is being developed as “a complementary UI tailored specifically for average and power users,” and that users would not be required to remember technical terms in order to use it.

    Other participants in the conversation asked that contributors consider not releasing the Command Center in WordPress until it can serve contexts beyond just the Site Editor.

    “Initially we’ve added the command center to both post and site editors but I expect that we’ll be adding to all WP-Admin once we’ve proved its behavior and APIs,” Benguella responded. The API is currently still in the experimental stage in Gutenberg and it’s not yet known if expansion to wp-admin would be added before or after the Command Center lands in the next version of WordPress.

    “Love the concept, hate that it’s limited to the Editor,” WordPress developer Dovid Levine said.

    “This would ideally be implemented holistically – either as part of a push to modernize the long-neglected dashboard or API efforts to interact with GB data outside of the Editor. We’ve seen how slow developer adoption is when done the other way (GB first/only) – and worse, how painful it is for the early adopters/advocates if/when considerations beyond the Editor are finally taken into account.”

    The first milestone, powering quick search for content and templates in the editor, is outlined on GitHub where contributors can track the progress. The Command Center will also be tested in the future as part of the FSE Outreach Program. Benguella is requesting feedback on the feature and its API on the post published to the core dev blog, specifically regarding the user experience and whether the APIs detailed in the post are capable enough to address third-party use cases.

  • WordPress 6.2.1 Update Breaks Shortcode Support in Block Templates

    WordPress 6.2.1 was released yesterday and rolled out to sites with automatic background updates enabled. The update included five important security fixes. Ordinarily, a maintenance and security release can be trusted not to break a website, but many users are struggling after 6.2.1 removed shortcode support from block templates.

    A support forum thread tracking the broken shortcodes issue shows that this change impacts how plugins display things like breadcrumbs, newsletter signup forms, WPForms, Metaslider, bbPress content, and more. The problem affects template blocks, not sites that are using non-FSE themes.

    “It’s absolutely insane to me that shortcodes have been removed by design!” @camknight said in the support forum discussion. “Every single one of our agency’s FSE sites uses the shortcode block in templates for everything: filters, search, ACF & plugin integrations. This is chaos!!”

    Another user, @asjl, reports having this update break hundreds of pages.

    “I’ve got the same problem on over 600 pages which use five or six different templates with shortcodes in each template on one site and similar things on several others,” @asjl said.

    “I’m looking forward to editing each of those pages to get the shortcode back in place. Or backtracking to 6.2 and turning off updates.”

    It’s not clear why shortcode blocks that are in block theme template parts still work, but this is one workaround that has been suggested to users. In a trac ticket for the issue others have suggested adding a PHP file for a plugin called “Shortcode Fix” to the plugins folder, but this workaround reintroduces the security issue.

    Other users are being forced to revert to previous insecure versions of WordPress in order to keep critical functionality on their sites working. WordPress developer Oliver Campion commented on the Trac ticket with more details about how sites are currently using shortcodes in templates:

    This update has been nothing short of a disaster. I cannot understand how there was no warning of such a destructive, automatic roll out!

    We have managed to rollback affected sites to v6.2 and block automatic core updates until there is a suitable solution, which we hope is imminent due to the reported security issues!

    Shortcode Blocks, in our opinion, are absolutely essential to the design process when using Block Themes.

    We use them to inject classic menus that can have dynamic menu items (such as sign out), dynamic header content, specialized loops and footer content that’s as simple as showing the current year in the copyright statement to showing a contact form or other such dynamic content. And that’s just what I can think of from the top of my head.

    An unfortunate consequence of this update is that it has destroyed many users’ confidence in WordPress’ automatic updates. This kind of breaking change should never happen in a release that auto installs overnight.

    Even if it’s absolutely necessary to avoid a zero-day vulnerability on WordPress sites, discontinued shortcode support in block templates should have been accompanied with more information to help affected users find a solution.

    The only communication users received about this was a short, inadequate note on the vulnerability in the 6.2.1 release post “Block themes parsing shortcodes in user generated data.”

    Fixing all of these shortcode uses on websites that heavily rely on them would already have been a challenge for many, even with advance notice. Shipping this breaking change in an automatic update, without a proper explanation of how it impacts users, only served to twist the knife.

    During today’s core dev meeting, WordPress 6.2.1 co-release lead Jb Audras said this issue may prompt a quick 6.2.2 release but the details are not yet available.

    “As you may know, one security fix led to an important issue with shortcodes used in templates,” Audras said. “The issue is currently actively discussed in the Security Editor team, and some hypotheses have been made to sort this out in a quick follow-up release.

    “No schedule available for now – it will depend on the follow-up patch currently discussed by the Editor team.”

    In the meantime, those who cannot employ a workaround and are looking to roll back to 6.2 can use the WP Downgrade plugin as a temporary fix, with the knowledge that this leaves the site vulnerable until a permanent solution can be put in place.

  • WordPress 6.2.1 Released with Fixes for 5 Security Vulnerabilities

    WordPress 6.2.1 was released today. Those with automatic background updates enabled should see a notice in their email, as updates rolled out earlier today.

    This is a maintenance and security release that includes important fixes for five security vulnerabilities outlined by core contributor and release co-lead Jb Audras:

    • Block themes parsing shortcodes in user generated data
    • A CSRF issue updating attachment thumbnails
    • A flaw allowing XSS via open embed auto discovery
    • Bypassing of KSES sanitization in block attributes for low privileged users
    • A path traversal issue via translation files

    The patches were backported to WordPress 4.1. Now that these vulnerabilities are public, it’s recommended that users update immediately.

    WordPress 6.2.1 also includes 20 core bug fixes and 10 fixes for the block editor, all detailed with ticket numbers in the release candidate post.

  • New Proposal Looks to Retire Older WordPress Default Themes

    WordPress is approaching its 20th anniversary, and for the majority of those years, contributors have cranked out a new default theme. Even though the structure and supported features of default themes have drastically changed over the years, contributors are still actively maintaining all 13 of the “Twenty” themes.

    A new proposal on WordPress.org recommends winding down active maintenance on older themes and implementing a new system of requirements for retiring them.

    “The level of effort to support 13 themes is not insignificant, especially in the times of the rapidly evolving block editor,” Bluehost-sponsored core contributor Jonathan Desrosiers said. “The burden of maintaining these themes has historically fallen on the Core team to ensure they continue to receive any needed updates.” These tasks include things like ensuring compatibility with newer PHP versions, fixing bugs, updates and deprecations of dependencies, security updates, and much more.

    “Because there are so many, it’s not uncommon for it to take several months before older default themes properly support newer features added in WordPress Core,” Desrosiers said. “Additionally, themes created prior to the existence of certain APIs are often unable to fully take advantage of these new features (global styles, block patterns, etc.).”

    Desrosiers contends that reducing the support burden on contributors will allow them to focus on ensuring the most modern block-based themes deliver the best experience.

    “It also helps clear the path for work on new block theme-focused experiments and initiatives (such as the Community Themes Initiative) attempting to refine the role that themes will have in the block editor era,” he said.

    Themes released through the WordPress.org account via the Community Themes Initiative, like the recent Stacks slide deck theme, will be officially supported, adding to the load. These themes, however, have the benefit of working with the Site Editor and all the latest features WordPress offers. When dealing with limited volunteer resources, supporting older default themes doesn’t have as much upside as spending these efforts on the more modern themes.

    WordPress bundles the three most recent default themes in the latest download. This proposal seeks to retire older themes after a minimum of five years of support and when usage falls to less than 1% of all WordPress sites as determined by WordPress.org data. Using these criteria, the default themes Twenty Ten through Twenty Sixteen would be retired and only receive security updates. Desrosiers suggests a yearly assessment of usage data to determine which themes would be retired.

    The three most recent WordPress default themes would be actively maintained and contributors would continue maintaining the following themes with bug fixes, compatibility updates, and security fixes:

    • Twenty Seventeen
    • Twenty Nineteen
    • Twenty Twenty

    The proposal has multiple benefits, in addition to reducing the number of actively supported themes from 13 to 6, but also has the drawback of affecting an estimated 730,000 users who will no longer receive maintenance on their themes.

    General reception to the proposal has been positive, as those using very old themes are usually looking for as few changes to their website as possible. With security updates still available to retired themes, these users would not be forced to update to a newer theme.

    The proposal was developed based on feedback and recommendations from a group of contributors. It is now awaiting feedback from the larger community. Unless the proposal needs to be significantly modified, contributors will soon move on to the practical tasks associated with retiring themes.