WooCommerce 7.5.0 was released this week with three new blocks for the Product Archive templates. These include a new Store Breadcrumb block, Product Results Count block, and a Catalog Sorting block, all seen in action below.
These blocks were released as part of an effort to “blockify” Product Archive templates so that they can more easily be customized with a block experience.
“We also want to account for the extensibility within this project by researching the mechanism for extensions to extend the templates and implementing a compatibility layer to keep as many extensions as possible working with blockified templates while giving time for extension developers to update and blockify their extensions,” WooCommerce engineer Tung Du said.
This project also includes support for a Notices block so merchants can display store notices to customers as well as determine where they appear.
WooCommerce 7.5.0 has expanded support for Global Styles, so that the Product Button, Product Rating, and Product Price blocks can now be customized more easily in the Site Editor. The Product Rating block now supports padding controls in Global Styles so that store owners can add more spacing around the blocks.
This release also brings in expanded support for the Style Book, which has been available since the WooCommerce Blocks 9.5.0 release. The Featured Product and Featured Category blocks can now be previewed in the Style Book and have Global Style changes applied.
WooCommerce 7.5.0 includes two database updates, 278 commits to WooCommerce Core, and rolls in 170 commits from the WooCommerce Blocks plugin.
Gutenberg 15.3 was released this week with a new “Time to Read” block that calculates the estimated reading time for the post or page using the same method that appears in the details panel. The block displays this information on the frontend wherever it is inserted.
This is the first iteration of the Time to Read block, so it isn’t very customizable yet. Although users can add custom CSS to the block, it only includes alignment controls right now. The block needs Typography controls and more options for customizing its appearance to be consistent with other core blocks.
In 15.3 Duotone filters have been reworked in several ways to make them more portable across themes. Previously, duotone settings were stored as an array of colors. This has been changed so that duotone presets are stored as slugs, making the color swatches available when a user changes themes.
Another change for Duotone filters in this release is the ability to set them globally inside the Site Editor’s Styles panel.
The Site Editor also received several improvements to make the design more clear and consistent, updating the designs for the edit button and the add template modal, and cleaning up the template details popover, among other small changes.
Check out the 15.3 changelog for the full rundown of all the enhancements, bug fixes, and accessibility and performance improvements.
WordPress 6.2 RC 2 was released today on schedule. The new Navigation section in the Site Editor was dropped from the upcoming release in a somewhat unusual turn of events this late in the release cycle. The feature will remain in the Gutenberg plugin and will be iterated on for a future core release. Users will still be able to manage their menus within the block settings of the Navigation block.
The Navigation section was added in Gutenberg 15.1, the last release to be rolled into 6.2, and the one with the least amount of time to be tested.
“After being added and as the beta cycle continued, various bugs and refinements started adding up,” Editor Triage Co-Lead Anne McCarthy said. “In particular, the top pain points revolved around which menu appears (and how to change it), needing a better description of what this newer section did, and improving the general experience of adding links from that section.”
McCarthy published a video showing what has been removed:
The conversation leading to this decision was spread across many PRs, issues, and Slack conversations, so it became difficult to track. McCarthy cited a dozen of the related issues and PRs, including page links being buried in the inserter, confusion around which menu is pulled into the panel, and many other loose ends that do not provide a good experience for users.
“Even with trying to lock the experience further down, bugs continued to pop up and the experience isn’t polished enough to move forward with,” she said. “This led to a decision amongst Core Editor Tech, Core Editor Triage, and the Design lead ahead of WordPress 6.2 RC 2 to remove that was then shared with the wider release squad.”
The PR to remove the feature was merged 13 hours ago and now the navigation panel will only be visible if using the Gutenberg plugin. Anyone who is creating documentation or educational resources for WordPress should be aware that those related to the navigation panel may need to be updated.
WordPress 6.2 is now just two weeks away from being released on March 28, 2023. Testing and translation are still needed to ensure the official release will be ready for the world of WordPress users.
Patchstack, a WordPress security maintenance and management tool, has published its “State of WordPress Security” whitepaper for 2022, tracking a few key metrics on publicly reported vulnerabilities.
The findings highlight the risk of using unmaintained themes and plugins along with developers’ need to keep pace with updates to libraries and dependencies included in their work. Patchstack is tracking a significant increase in vulnerabilities reported in 2022:
In 2022 we saw 328% more security bugs reported in WordPress plugins – we added 4,528 confirmed security bugs to our database, compared to 1,382 in 2021.
Similar to previous years, the majority of these security bugs were found in plugins (93%), followed by themes (6.7%), and WordPress core (0.6%).
These numbers were sourced from public data from Patchstack and other security companies and researchers in the WordPress ecosystem. The total number of vulnerabilities comes from the three official CNAs in the WordPress space that are authorized to assign CVE IDs to new security vulnerabilities and to whom researchers report issues. These include Patchstack, Automattic (WPScan) and Wordfence. Patchstack CEO Oliver Sild said some of the vulnerabilities were also independently published elsewhere or reported directly to MITRE.
The report emphasized that the increase in the number of vulnerabilities reported means that the ecosystem is becoming more secure as the result of more security issues being found and patched.
Another small improvement over last year is the percentage of critical security bugs that never received a patch. In 2022, that number was 26% versus 29% in 2021. Critical vulnerabilities were better addressed this year, but Sild said that so far it is not a significant enough change to connect with any trend.
“We still think it shows a big problem, which is that some plugins are unsupported or abandoned and do not receive timely patches,” he said.
Solving the problem of developers abandoning their work is challenging, and many users have no idea how to select plugins that are more likely to be supported.
“I think it’s important to be transparent,” Sild said. “It is also okay that projects come to an end. I just recently told my colleague that ‘when someone builds a new plugin, they should keep in mind that someone might actually use it.’ It kind of stuck with me, because even if the plugin developer has moved on and is not working on the project anymore, there still might be people who rely on it.”
Sild said users often get left in the dark because WordPress core only shows if an update is available. If a plugin gets closed by WordPress.org due to an unpatched security issue, users don’t get notified.
“It’s something we try to improve together with our partners such as other security plugins and hosting companies,” he said. “Communication is key. We recently also created a free service for plugin developers called ‘managed vulnerability disclosure program’ shortly mVDP. The goal is to help plugin developers adopt more mature security practices and show users that they take security seriously.”
Other notable insights from the whitepaper include a breakdown of WordPress security bugs by severity. In 2022, the majority of vulnerabilities (84%) were classified as Medium severity, with a smaller percentage of High severity (11%) and Critical (2%).
Of the most popular plugins (over 1 million installs) that had security issues, only five contained high severity bugs. The two with the highest CVSS score vulnerabilities were Elementor and Essential Add-ons for Elementor, followed by UpdraftPlus WordPress Backup, One Click Demo Import, and MonsterInsights.
The whitepaper highlights a few other trends, including hosting companies alerting their customers to vulnerabilities, the growth of the security research community, and increased security awareness within the WordPress ecosystem. For more details on the state of WordPress security in 2022 and predictions for this year, check out the whitepaper on Patchstack’s website.
Automattic has acquired the ActivityPub plugin for WordPress from German developer Matthias Pfefferle, who will be joining the company to continue improving support for federated platforms. Pfefferle, who is also the author of the Webmention plugin, said his new role is to see how Automattic’s products can benefit from open protocols like ActivityPub.
In 2021, Automattic CEO Matt Mullenweg indicated that he would be interested in having Tumblr support the ActivityPub protocol for a greater level of interoperability across networks like Mastodon and others using the same protocol. That is still in the works, but WordPress sites already have this capability through the plugin.
“ActivityPub and a lot of other Open Web Plugins (like the Webmention plugin) were spare time projects, so I was not looking for an acquisition,” Pfefferle said.
“When Matt announced that Tumblr wants to implement ActivityPub on Twitter, I asked why not WordPress, so I came in contact with Automattic and they offered me the opportunity to work full time on the plugin and other Open Web projects.”
The ActivityPub plugin makes it possible for readers to follow a WordPress site in the fediverse using the ActivityPub protocol. This includes Mastodon, one of the most popular platforms using the protocol, and other platforms like Pleroma, Friendica, HubZilla, Pixelfed, SocialHome, and Misskey. For those using Mastodon, this plugin will automatically send posts to the network and replies to it will become comments on the post.
Last March, the ActivityPub plugin had just 700 users. Today it has grown to more than 2,000 active installs. Although it is not yet widely used, it has gotten more exposure since Elon Musk bought Twitter.
“Thanks to Elon Musk, the number of downloads from my ActivityPub (WordPress) plugin and my followers on Mastodon have increased at least tenfold!” Pfefferle said in a post on his blog in January 2023. “This inspired me to work more actively on the plugin again and some great changes came about.”
Most recently, Pfefferle added a new onboarding screen with recommended plugins, added the published date to author profiles, and added outgoing mentions, among other features.
Pfefferle said he thinks the idea of the acquisition is not to have the protocol merged into core, but to “guarantee that it will stay open source and to maybe make it a canonical plugin.”
As more social networks unite on open protocols, it won’t matter where you choose to create your home on the web. Interoperability between apps allows people to post from whatever network they enjoy, creating a richer, more diverse web. Automattic’s support of the ActivityPub plugin ensures WordPress’ place in the fediverse, where blogs will not be isolated islands but rather interconnected as many were in the early days of blogging. Pfefferle’s work embodies these ideals.
“I think my drive was always to build an alternative to the big walled gardens of Facebook & co,” Pfefferle said.
“I fell in love with the idea of blogging and the spirit of the Web 2.0 movement and tried to keep the idea alive. I worked on several WordPress plugins and participated in several movements (DiSo, DataPortability and others) starting in 2007.
“It is so exciting to finally see such a big interest in Open and Federated technologies!”
More than 200 users on Mastodon who consider themselves part of the WordPress community responded to the recent Toot the Word 2023 Survey, which was conducted by the admins of five WordPress-oriented Mastodon instances. The purpose of the survey was to help those running these instances understand how important Mastodon is for the WordPress community and what they can do to improve their instances to foster a better meeting place.
Key findings from the survey have been published alongside the raw data on GitHub for anyone to analyze. More than 82% of respondents (172/209) said they frequently use Mastodon. The community is active and Mastodon is an important social channel for those who have adopted it in addition to their other networks.
A few other highlights from the published findings include:
Nearly all participants of the survey expect Mastodon to have some kind of influence on the WordPress community in the future, a majority thinks Mastodon will be very influential or extremely influential. Most of the participants want to see more WordPress content and community discussions on Mastodon in the future.
Generally, users on WordPress-oriented instances state that the communication with the community on Mastodon is important to their WordPress-related social media activity. They also are working with the community, or state that they are WordPress Community influencers, more often than users on common instances.
The survey also found that the respondents who rated themselves as important to the WordPress community seem higher in WordPress-related instances, which may mean that those looking for more relevant WordPress-related content and interactions are better-suited joining these existing instances rather than unrelated ones or creating their own.
“For me as an instance admin, it’s important to know that all the work I’m doing means something for the tooters on my instance and the entire community,” wptoot.social administrator Daniel Auener told the Tavern. “I think the survey has shown that many in the still small WP/Mastodon community see this network as important as I do. So I’m quite confident (as many of the survey’s participants) that Mastodon will have its place in the WordPress community.”
Administrating a Mastodon instance is not trivial. The users depend on the administrator to keep everything up and running with system updates, hosting, community moderation, curating community lists, and other housekeeping tasks. Auener said his current hosting costs are $20-30/month and they are 70-80% covered by one-time donations and commitments on Patreon.
“If nothing more, the [survey] results will keep me and my wptoots-instance going,” Auener said. “I even hope that the results will show others within the community that Mastodon as a social network is worth supporting and finding their own ways to contribute.”
Auener hasn’t planned anything specific yet but based on the results it is clear that participants want to have more WordPress content in their timelines.
“I think one of the best ways of achieving that would be to onboard more WordPress sites to the fediverse via ActivityPub,” he said. “Working in that direction is something I’m thinking about.”
There is an ActivityPub plugin for WordPress that implements the ActivityPub protocol so that readers can follow your site’s posts on Mastodon and other federated platforms that support ActivityPub. It is currently used by more than 2,000 WordPress sites and is one avenue for users to automate sharing their content across the fediverse. A search for Mastodon plugins turns up several other auto-sharing plugins, and Jetpack is also considering adding Mastodon support to Publicize after many requests on a ticket opened in 2017.
Some Mastodon users on other instances have considered switching to a WordPress-oriented instance, so increasing education for users on how to move to a new instance is another improvement Auener is considering.
“The data even seems to support that the quality of (WordPress-)conversation is better on our instances,” he said. “So spreading that information, helping people to move and keeping our instances a safe space for great WordPress discussions is another cause for action.”
Joining Mastodon’s federated network is still intimidating for some who are not familiar with how the instances work and are not sure which one to join. Others fear they may lose out on interactions and connections by moving to a lesser-used social network. This survey indicates that the WordPress-related instances are active and important to the community interacting there. Auener has created a document called The WordPressers Guide to the Fediverse for those who are new and want to learn more.
“I would like to align my work more with the WordPress community and the work all the amazing people in the community teams and initiatives do,” he said. “I’m quite new in the game and think I can learn a lot from people working within the community for years. I think Mastodon/the Fediverse aligns very well with WordPress values but there is still a lot of convincing to do.”
WordPress contributors published the 6.2 Field Guide, which includes the dev notes – technical updates for many of the new features and changes included in this release. These include editor component updates, notes on new and expanded APIs, accessibility updates, and more.
Plugin and theme developers are advised to test their extensions for compatibility and update the “Tested up to” version in their readme files to 6.2. (A separate testing guide is available for those who are testing the changes in this release.)
A bug that was introduced in 6.2 Beta 1, which showed a white screen when using the browser’s back button inside the Site Editor, was fixed earlier this week in the 6.2 Beta 5 release. This is a major issue that would likely affect millions of users, and it underscores the fact that testing at this phase is still important. Bugs can be reported via the Alpha/Beta area in the support forums or by filing a bug report on WordPress Trac.
Lemmony is a new WordPress block theme designed by the team at Shufflehound, a theme development company based in Europe with commercial products on Themeforest. This is the team’s first block theme on WordPress.org and it is a strong debut.
Lemmony is a beautifully-designed multipurpose theme that would work well for businesses, agencies, and portfolio websites. It features the Plus Jakarta Sans font face for both headings and paragraph text, a geometric sans serif style, designed by Gumpita Rahayu from Tokotype.
The homepage includes bold, full-width immersive images offset with calls-to-action and blocks featuring a variety of different ways to present information. Scrolling the page reveals tasteful (and optional) animation that brings the content to life.
Lemmony packages more than 30 custom block patterns to help users design and build pages. These include multiple heroes with lists and calls-to-action, heroes with images and titles, partner logos, query with a sidebar, services grid, services with video, team members, and more – nearly every kind of pattern that a business website might require.
Lemmony also packages five full-page patterns for services, gallery, contact, about, and the front page, making it easy to simply drop the pattern in place for the most common pages found on a brochure website.
This theme offers a solid user experience for those who are just getting started building their websites. After installing and activating Lemmony on a fresh site, it will look nearly exactly like the live demo. Everything on the front page is in place with placeholder content, including different menu items, just waiting for the user to add, remove, or edit the blocks. The user doesn’t have to start from scratch or do any guesswork about where things go in the design. This is the kind of experience that all block themes should provide.
Lemmony comes with a companion plugin that includes additional custom blocks and other features, such as the custom icons seen in the demo. It will prompt the user after installing the theme to install the plugin as well to get more features. If the user is editing a page and inserts a pattern that includes icons, the theme will allow users to install the plugin directly from the editor. It’s a very smooth experience for including features that require an additional plugin. The plugin is optional and most of the designs seen in the demo work without it installed.
In the future, Lemmony’s creators plan to include more website templates, which would make it easier and faster to set up different kinds of sites. Overall, the theme feels snappy, has an unusually large variety of patterns, and is responsive and looks great on mobile. The installation experience is user-friendly and provides a good starting point for jumping into full-site editing. Check out the live demo and download Lemmony for free from the WordPress Themes Directory.
Jetpack 11.9 was released this week with support for sharing posts to Mastodon. The new button allows readers to click an icon to launch a sharing window that will ask the user to enter the full URL of the Mastodon instance where they want to share the post.
Adding the URL will update the window to automatically insert the link for the post and share from your account.
Mastodon makes its usage numbers publicly accessible. As of March 8, 2023, the total user count is at 6,487,821, with 1,293,309 considered active users. Many WordPress community members who have moved over to Mastodon report having more quality interactions and higher engagement than on other social media platforms. This new sharing button gives your posts more opportunities to reach that audience. It can be enabled at Jetpack > Settings > Sharing in the admin.
The Jetpack team is also looking at adding Mastodon support to Publicize so users can have their posts automatically shared when they are published. Many people have requested this feature on GitHub and it may land in the plugin sometime in the future.
Jetpack 11.9 also updates the design of the Stats dashboard. In place of the dusty blue bar graphs and sections with referrers and top pages and posts, the updated design is now more in line with Jetpack’s green branding. It features 7-day highlights at the top and the trends shown are in comparison to the previous seven days. The UI is more modern than the previous version and provides a more mobile-friendly experience. It is enabled by default but can be disabled in the Settings for those who prefer the traditional Stats design.
Also included in version 11.9 is a new “Sync Fields” style option in the Forms block that allows users to ensure fields maintain the same style as the blocks are edited.
This release includes more than a dozen bug fixes and compatibility updates. Check out the changelog for all the details on the Development tab on the plugin’s WordPress.org page.
WP Engine is beta testing its new Pattern Manager plugin for creating and maintaining patterns. The plugin is intended for WordPress professionals – developers, agencies, and freelancers, who could benefit from having an interface and system for pattern management.
“There are some plugins out there that provide an interface for creating patterns on a production site, but this is not built for that,” WP Engine Principal Engineer Mike McAlister said. “This is meant to slide into a dev workflow where you’re creating, editing, managing patterns for a client, for release in a theme, etc.”
Plugins like Build & Control Block Patterns (2k active installs) and MyWP Block Pattern (200 active installs) allow users to build block patterns from the admin instead of writing code for them. They offer features like saving page content made with blocks into a pattern, unregistering block patterns, creating custom pattern categories, and more.
After taking WP Engine’s Pattern Manager for a test run, it’s clear that the emphasis in this plugin is going to be more on pattern organization than on the builder aspect. After activating the plugin, clicking on the Patterns screen takes you to a catalogue of all the existing patterns, based on the site’s active theme. They are organized by category and are also searchable.
I installed the plugin alongside a theme with more than 30 block patterns included to get a better feel for how it works. From the main pattern management screen users can edit, duplicate, and delete existing patterns. Clicking through to edit a pattern lets users add their own pattern categories, keywords, extended description, designate which post types the pattern shows up in, and optionally hide the pattern from the inserter.
Pattern creation happens on its own dedicated screen, which works just like the block editor but with the pattern-specific settings in the sidebar. Once a pattern is saved, it will appear with the others on the pattern management screen. The pattern is attached to the theme, so users should understand that they will not have access to their custom patterns if they activate a different theme.
Users might be curious about creating patterns directly in the block editor. After putting some blocks together in an artful arrangement, it might be convenient to be able to save them as a new pattern for the theme. McAlister said this is not currently possible but it is under consideration.
“Right now, pattern creation is limited to the Pattern Manager UI, where we can do some interesting and powerful things under the hood,” he said. “That doesn’t mean we won’t one day be able to do it inline, but in terms of exploring this concept as a workflow enhancement, we’ve limited it to a specific screen.”
After launching the beta, web designer Wolfgang Stefani asked on Twitter if it is possible to update patterns globally using the plugin.
“No, not yet,” McAlister responded. “It’s not a shortcoming of the plugin, rather how WP treats patterns right now. However, this will be possible with patterns soon, probably sometime this year.”
Although there are many additional feature requests that might benefit developers and designers’ workflows, the plugin’s creators are launching the beta to test the waters and see how users fare with this initial set of features.
“Certainly parts of this workflow are opinionated, based on how we’re building patterns, but we’re doing this beta to understand how other folks are building,” McAlister said. “We’re open to any and all feedback to improve the overall workflow.”
What if, for starters, patterns were treated more like intelligent components? What if instead of being treated as just a collection of blocks, patterns were an entity that WordPress could use as a conduit to do more advanced site building?
McAlister explored a few ideas, such as making patterns more like template parts, globally synced and editable, adding pattern locking, and adding the ability to build style variations for patterns. The future is wide open for patterns to become far more useful than they currently are today, and third-party developers are exploring how they can extend this feature that has become so indispensable to building pages with WordPress.
WP Engine’s Pattern Manager fits nicely into the admin interface, almost like a natural part of core, but the top-level menu for Patterns seems too prominent and should be relocated under Appearance. After testing the plugin, I can see how it could become a valuable tool for managing pattern visibility for clients and speeding up page building by offering a more organized system for patterns. The CMS use case is strong here. Agencies that build the same kinds of sites over and over again could benefit from using this tool to quickly add and duplicate custom block patterns and restrict those that don’t make sense in certain parts of a client-managed site.
During the live product demo for WordPress 6.2, a viewer asked if core will be adding more robust pattern management capabilities in the future à la WP Engine’s Pattern Manager plugin. The response was that this is a possibility for the future but is not currently a strong priority.
In the meantime, WP Engine plans to release the plugin for free on WordPress.org after testing with users and updating it based on feedback.
“We have no plans of monetizing,” McAlister said. “Right now, we’re more interested in digging into the developer workflow and finding unique solutions we can offer to folks who are digging into these modern WordPress tools.”
If you want to get in on the beta program, you can sign up to get access to a zip file of the plugin. Your feedback may be incorporated into future versions of the plugin that will eventually land on WordPress.org.