EDITS.WS

Author: Sarah Gooding

  • WordPress’ Legacy Default Themes Updated to Bundle Google Fonts Locally

    WordPress contributors have updated the legacy default themes to bundle Google Fonts locally in the theme folder, instead of loading them from Google’s servers. In years past, loading fonts from the Google CDN was the recommended practice for performance reasons, but new privacy concerns have emerged following a German court case, which fined a website owner for violating the GDPR by using Google-hosted webfonts.

    All of the default themes from Twenty Twelve to Twenty Seventeen have been updated. The process began nine months ago but the approach took some time for contributors to refine. Updates to default themes are usually done in coordination with major and minor releases of WordPress, as core contributor Jonathan Desrosiers explained in the ticket.

    “The reason the updates are usually coordinated is that the themes are usually updated to be compatible with new versions of WordPress, so releasing at the same time makes a lot of sense,” Desrosiers said. “Also, the number of contributors that focus on the tickets within the Bundled Themes component is usually very low unless these compatibility issues are being addressed.”

    A dev note to accompany these updates to the legacy default themes was published to WordPress.org. It contains code examples for serving a new stylesheet from the theme directory, fixing the editor style within a custom theme-setup function, removing the font stylesheet, and including a custom set of fonts in a child theme. This change particularly impacts those who have edited or removed the font stylesheet in a child theme of these default themes or a plugin.

    WordPress’ Themes Team has strongly urged theme authors to switch to locally hosted webfonts, and is expected to officially ban remotely hosted fonts following WordPress’ legacy default themes getting updated.

  • WordPress 6.2 Product Demo Video Now Available

    If you’re not yet excited about the upcoming WordPress 6.2 release, you will be after watching the new live demo product video that was recorded last week. The demo was presented by Anne McCarthy and Rich Tabor, and moderated by Nathan Wrigley.

    The team used a beautifully customized version of the default Twenty Twenty-Three theme, which showcases what is possible in 6.2 with just core blocks and themes. They started from the Site Editor view, demonstrating how easy it is to zip around from pages to templates and template parts with the new browse mode. This mode also features a resizeable pane that previews the site at different viewports.

    WordPress 6.2 is light years ahead in terms of its progression as a design tool. The team gave a short introduction to pushing styles globally, as well as the ability to copy and paste styles. The features make it much easier to make changes across the site, instead of having to apply them separately to each block. They also gave a tour of the Style Book, which is helpful for quickly making global changes to blocks with a preview. Tabor noted how users could actually use that screen to design the entire site.

    Other features covered in the live demo include the new sticky positioning for top-level group blocks, a tour of the new navigation and dedicated list view, distraction-free mode, and the improved pattern and media panel, which reduces the number of steps for exploring patterns and adding images. At the end, the presenters took questions from viewers, many of which cover what is and what isn’t currently possible with the Site Editor.

    WordPress 6.2 is expected on March 28, 2023, less than four weeks away. RC 1 has been delayed due to a regression which impacts the Site Editor. An additional Beta 5 is expected on March 7 to test a fix for this issue. In the meantime, the live demo video is a good way to familiarize yourself with all the major features coming in the next release.

  • WordPress Themes Team Proposes Community Themes Initiative

    Representatives of the WordPress Themes Team are looking to carry forward the momentum contributors found in creating the Twenty Twenty-Three theme’s style variations by launching a new Community Themes initiative. Leading up to WordPress 6.1’s release, 19 designers from eight countries built 38 unique style variations, and 10 were selected to ship with the release. At that time, contributors discussed a spinoff child theme project with additional style variations for Twenty Twenty-Three.

    Automattic-sponsored core contributor Maggie Cabrera published a proposal that seeks to extend this new era of increased design contribution through a Community Themes project.

    “The goal is to bring together a squad of people to build block themes all year around the same way the default themes are built,” Cabrera said. She cited other reasons for the proposal, including the need to increase the number and the variety of quality block themes in the directory, and capitalize on community momentum during times when no default theme is being actively developed.

    The reality is there simply are not enough block themes available to the community yet with the current count at 247. Last year, the WordPress project fell short of its goal to get 500 block themes in the repository by the end of 2022. The world of patterns and the ease of inserting blocks into templates gives users more design flexibility than ever before, so the landscape of themes is slowly changing, but there is no replacement for finding a theme design that just works and enabling it with one click.

    The new Community Themes initiative may offer an easier onramp for theme developers who are still getting into block theming, as well as a supportive community of builders who spur each other on to create themes that are compatible with the latest and greatest features of WordPress.

    The Themes Team’s next hallway hangout discussion will focus on the goals and purpose of this initiative. Contribution opportunities will be available for all skill levels, including designing, coding, testing, and reviewing themes. If you are interested in helping with this project, the team is inviting people to join the next hangout on Tuesday, March 7, 2023, at 10:00 AM EST. RSVP is required to attend online.

  • WordPress Community on Mastodon Launches “Toot the Word” Survey

    Last month’s Twitter outage gave Mastodon a boost, as the company also announced unpopular changes to its API access. People from the WordPress community continue to trickle into the fediverse, with many going so far as to shutter their Twitter accounts. A fledgling community of WordPress users on Mastodon has made the network home and is reporting more quality interactions than they experience on other platforms.

    Daniel Auener, who runs a WordPress agency based in Sweden, curates and maintains a list of WordPress community members’ Mastodon accounts that anyone can follow by downloading a CSV file and importing it into Mastodon. He and the other admins of the five largest WordPress-related Mastodon instances have joined together to create a survey for WordPress users.

    The survey is being organized by the following admins:

    “The goal of this two-minute survey is to help us improve the WordPress-related Mastodon instances and Mastodon as a meeting place for the WordPress Community in general,” Auener said.

    “We want to know your needs and challenges and how you think we – as WordPress-related instances – can strengthen the WordPress community on Mastodon.”

    Respondents will be asked how frequently they use Mastodon and how important it is to their overall WordPress-related social media activity. They will also be asked about the quality of communication with the community and what they would like to see more of on Mastodon. So far the survey has received 112 responses. If you have embraced the fediverse, take two minutes to leave your feedback on the “Toot the Word Survey” before it closes on March 5, 2023.

  • MonetizeMore Acquires Advanced Ads Plugin

    MonetizeMore, an ad revenue optimization company, has acquired the Advanced Ads plugin and will be hiring the team behind the products.

    The plugin’s ad management tools are used by more than 150,000 websites to create, display, and rotate ad units, as well as schedule and target ads based on preset conditions. It integrates with many other popular plugins like BuddyPress, bbPress, Elementor, MailPoet, Paid Memberships Pro, and more. The plugin is distributed on WordPress.org with commercial upgrades and add-ons available.

    Advanced Ads creator Thomas Maier launched the plugin in 2014 after finding that most WordPress ad plugins didn’t support responsive ads, cached websites, or split testing for better performance. Over the past nine years his team has grown to 12 people supporting 40 million impressions.

    Maier said he “never found much joy in fulfilling the executive and administrative roles in such a successful project” and will be returning to working on a team with Advanced Ads’ customers as part of MonetizeMore.

    “I haven’t felt comfortable with a managing (aka ‘boss’) position for a while and wanted to get out of it before losing fun working with my team, product, and customers,” Maier said. “It was more a process than a specific turning point.

    “Luckily, I built relationships with potential buyers long before thinking about selling. This helped me last year to get multiple qualified offers in a short period of time. I also asked people who have sold their WordPress [businesses] for advice, which was often very honest and open.”

    Maier said the administrative burden wasn’t the problem, as his team did most of the daily tasks already. In selling Advanced Ads he was looking to move into a new role by passing the ownership on to a company that he believes to be a “sensible market participant.”

    “My energy was drained by me feeling responsible for everyone, the team, customers, and partners, to be happy,” Maier said. “I couldn’t shut up thinking about that even when everything was running smoothly. After 13 years running my own companies, I am looking forward to stepping away from the driver’s seat.”

    This acquisition allows MonetizeMore to expand its ad optimization tools with Advanced Ads’ features, which allow users to manage and target their ads without coding skills.

    “Their expertise complements our existing programmatic advertising tools and products suite, keeping our publishers at the forefront of the industry,” MonetizeMore CEO and founder Kean Graham said. “As we are set for exponential growth this year and on track to cross the $100M ARR mark this year, we will remain selective in making strategic acquisitions and partnerships with organizations that also empower ad-monetized publishers.”

    Maier said he doesn’t expect any changes with the plugin’s pricing as the result of the acquisition. There are currently no changes planned for active subscriptions, existing product features, or service levels.

  • All In One SEO Patches Multiple Stored XSS Vulnerabilities in Version 4.3.0 

    Wordfence has published the details of two stored XSS vulnerabilities the company responsibly disclosed to the developers of the All In One SEO plugin in January 2023. The vulnerabilities potentially impacted more than 3 million users on versions 4.2.9 and earlier.

    One vulnerability, which received a 6.4 (Medium) CVSS score, Wordfence attributes to insufficient input sanitization and output escaping. Researchers found that this “makes it possible for authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

    The second vulnerability was given a 4.4 (Medium) CVSS score and requires an authenticated attacker to have Administrator-level privileges. Wordfence outlined how attackers might exploit these vulnerabilities:

    Unfortunately, vulnerable versions of this plugin fail to escape submitted site titles, meta descriptions and other elements during post and page creation, and when changing plugin settings. This made it possible for users with access to the post editor, such as contributors, to insert malicious JavaScript into those fields, which would execute in the browser of any authenticated user, such as a site’s administrator, editing such a post or page.

    This is a likely scenario to occur as posts written by contributors have to be reviewed and moderated prior to publication.

    All In One SEO has patched both vulnerabilities in version 4.3.0, but so far only 25.5% of the plugin’s 3+ million user base has updated to the latest version, leaving approximately 3/4 of the plugin’s users still vulnerable.

    The plugin’s changelog for version 4.3.0 includes a brief, vague note on the security fix included: “Updated: Additional security hardening.” There have been two more releases of the plugin since the vulnerabilities were patched in 4.3.0.

  • WordPress 6.2 Openverse Integration Updated to Upload Inserted Images

    WordPress 6.2’s Openverse integration is getting some last minute changes after contributors expressed concerns about it hotlinking images by default. The new feature allows users to quickly insert free, openly-licensed media into their content. It also allows users to upload external images through a button in the block toolbar, but this creates an extra step in the process and is easy to miss in the UI.

    Several contributors cited GDPR and privacy concerns in the ticket that called for uploading the images by default. They also noted that hotlinked images can pose problems for users who want to further manipulate the images by cropping, rotating, and filtering, and for developers managing site migrations. Some went as far as to say the feature belongs in a canonical plugin, which would likely have had a less rushed implementation and better testing prior to landing in core.

    “I am deeply uncomfortable with any integration of Openverse into core,” WordPress contributor Peter Shaw said. “Philosophically WordPress is a personal publishing platform so it should be avoiding external APIs and dependencies. The only external calls it should make (by default) is to check for updates.

    “No issue with the service itself though (I like it) but it should be a canonical plugin that site owners consciously install. Either way images must be on the local server though.”

    As the hotlinking drew more attention, WordPress contributors chimed in on the ticket to call for the feature not to be shipped in its current implementation.

    “This cannot ship this way, or it will get unknowing users sued,” Yoast founder Joost de Valk said. “Next to that it has negative performance implications, as you can’t do srcset or loading attributes on images loaded from remote. Sideload really should be the default, and in fact IMHO, only way.”

    Gutenberg contributor Nik Tsekouras jumped in with a quick PR that changes the implementation to upload the Openverse images when they are inserted, wherever possible.

    “We definitely want to upload to the site library for this flow and should treat this as a bug,” Gutenberg Lead Architect Matias Ventura said. “There’s work going on in parallel to upload by default on other actions (like pasting) that are not as straightforward or general enough (hence the need for something like #46014) but this one should be straightforward.”

    Tsekouras’ PR ensures that any images inserted from Openverse are uploaded. If they cannot be uploaded to the media library due to CORS issues, WordPress inserts the Image block with the external URL and a warning about legal compliance and privacy issues. Here’s an example of a successful upload:

    video credit: James Koster in PR #48501

    WordPress 6.2 Beta 4 was delayed this morning until March 1, due to an unrelated regression introduced in 6.2. Tsekouras cherry-picked the Openverse PR to the wp/6.2 branch to get it included in the next release, so the next beta should ship with the updated implementation.

  • Gutenberg 15.2 Introduces Revisions for Template Editing

    Gutenberg 15.2 is now available with support for revisions when editing templates and template parts. The Site Editor can be an intimidating place if you’re new to making changes there. A few clicks can make a drastic impact and some users won’t know how to return to where they started. Surfacing the revisions panel gives users a safety net.

    The revisions panel works the same as the content editor, so it doesn’t yet provide a visual presentation of a user’s additions, deletions, and changes. Users can restore previous versions of the template if they are able to read the block markup.

    Gutenberg 15.2 also brings improvements to navigating the Site Editor. It’s now much easier to drill down to the exact template you want to edit in just a few clicks in the Site Editor sidebar, globally save edits across navigation, template, and template parts, and more easily return to the dashboard. These changes are best illustrated in the GIF published in the release post:

    image source: Gutenberg 15.2 Release Post

    Other highlights in this release include the following:

    • New: CSS aspect-ratio controls to the Post Featured Image block
    • New in the Button block: support for border color, style, and width
    • Accessibility improvements: improved labeling, optimizing the tab and arrow key navigation, and ensuring proper hierarchy of headings
    • New in Post Excerpt block: a UI for controlling excerpt length
    • Latest Comments block: Add typography support

    Check out the full list of changes and bug fixes in the 15.2 release post. This version of Gutenberg will not be included in the upcoming WordPress 6.2 release. If you can’t wait until 6.3, you can get these features now by installing the Gutenberg plugin.

  • WordPress 6.2 Openverse Integration Hotlinks Images, Contributors Propose Uploading to Media Library as a Better Default

    WordPress 6.2 is set to introduce an integration with Openverse that allows users to quickly insert free, openly-licensed media into their content. It was not readily apparent when the feature made its debut in version 15.1 of the Gutenberg plugin that the inserted images are hotlinked.

    WP Engine developer Phil Johnston brought up this issue in the #core-editor channel on WordPress Slack today. WordPress core contributor Paul Biron confirmed images are hotlinked when first inserted but can be added to the site’s Media Library using the “Upload” tool, which is located in the Image block toolbar after Openverse inserts the image.

    Hotlinking is generally considered a bad practice, as it uses another site’s bandwidth to display the asset. Hotlinked images can easily get renamed or removed from the source site, which can negatively impact the sites that are displaying them.

    WordPress core contributor Jeremy Herve opened a ticket yesterday with concerns about the hotlinking and suggested it would be better to upload the images by default.

    “I would suggest uploading the image to one’s site once picked and inserted,” Herve said. “This way it would remain available on the site, whatever may happen to the service or the original image. Of course, the image attribution should remain in the caption.”

    Johnston also suggested hotlinking the images might be a privacy concern if it allows the host to gather data about the device loading the image.

    WordPress may end up changing the default behavior for Openverse inserts, but in the meantime, users should be aware of how this feature works and where to find the Upload tool.

  • Prison Journalism Project Launches Prison Newspaper Project on WordPress

    The Prison Journalism Project (PJP), a non-profit organization founded in April 2020, trains incarcerated writers to be journalists and publishes their stories with the goal of empowering them to be a vital voice in criminal justice reform. Over the past three years, the project has published over 1,700 pieces of work from more than 600 incarcerated and incarceration-impacted writers representing 180 prisons across 35 states and three countries.

    The project is bringing important issues to light, such as diminishing access to programs that further rehabilitation due to COVID-19 and the failure of drug treatment in prisons, with first-hand accounts from incarcerated individuals that expose the inadequacy of state and federal prisons to meet the needs of those in their care. These stories and more are featured on the organization’s website, which is powered by WordPress and Newspack, a project from Automattic that provides a publishing platform for small and medium-sized news organizations. Newspack includes professionally designed themes and a set of pre-configured plugins, like Newspack Newsletters and WooCommerce Subscriptions, that help drive audience and revenue.

    This week the PJP launched the Prison Newspaper Project, which aims to connect prison publications with a broader general audience, including educators and researchers. At its peak, U.S. prisons running their own newsrooms published 250 prison papers in 1959. The prison press has declined significantly since then, despite massive improvements in the available technology for telling their stories. As of February 2023, the PJP counts 24 operational, prisoner-run news publications across 12 states.

    The new Prison Newspaper Project has indexed these publications into a prison newspaper directory. It also has a new category section on the site called “From Prison Newspapers,” where the organization highlights and amplifies the work of incarcerated writers across various publications. Their work is republished to PJP’s wider audience, offering a window into the incarcerated population and the conditions where they are living.

    While most of the prison newspapers in the PJP’s directory run on legacy systems or are only available via print-versions with digital archives, a few have online publications. San Quentin News is one that runs on WordPress, publishing beautiful stories of the humanity and artistry of those behind bars. One story features San Quentin artist Idalio Villagran, who “takes prison-constrained creativity and resourcefulness to another level, crafting beautiful roses of various colors from state-issued bread and Kool-Aid.”

    Another post features the work of San Quentin artist Edgar Zarate Martinez, who is keeping his Mexican cultural heritage alive through his paintings that reflect his yearning for his family.

    PJP was founded by Yukari Iwatani Kane and Shaheen Pasha at Penn State University in 2019, after teaching journalism at San Quentin State Prison and Hampshire County Jail in Massachusetts.

    Most of the other indexed prison publications don’t have an online presence, so the Prison Newspaper Project is vital for connecting them and bringing more exposure to prison journalism. Getting these publications online isn’t part of the current scope of the project, but there is a big opportunity here to modernize these newsrooms with WordPress and help them find a global audience.

    The Prison Newspaper Project is committed to regularly updating the list of active publications in the directory. People can submit newspapers or magazines not yet listed by emailing editorial@prisonjournalismproject.org.

    “As this section grows, we hope to offer you more resources on the history of this remarkable part of the fourth estate,” Prison Newspaper Project Editor Kate McQueen said.