EDITS.WS

Author: Sarah Gooding

  • Linux Backdoor Malware Targets WordPress Sites with Outdated, Vulnerable Themes and Plugins

    Security researchers at Doctor Web, a security company focused on threat detection and prevention, have discovered a malicious Linux program that targets WordPress sites running outdated and vulnerable plugins and themes.

    The malware targets 32-bit versions of Linux, but it is also capable of running on 64-bit versions. It exploits 30 theme and plugin vulnerabilities to inject malicious JavaScript into websites, redirecting visitors to the attacker’s selected website.

    The report states that Doctor Web’s analysis of the application revealed that “it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage.” During this time, the tool has been updated to target more exploitable vulnerabilities.

    There are two versions of the malware – Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. Version 1 seeks to exploit vulnerabilities in popular plugins like WP GDPR Compliance, Easysmtp, WP Live Chat, and a dozen other free and commercial extensions. A few of these have been known to have frequent vulnerabilities and one was closed due to guideline violations but may still be active on some sites.

    An updated Version 2 has a different server address for distributing the malicious JavaScript and an additional list of exploited vulnerabilities for a few more widely used plugins, including FV Flowplayer Video Player, Brizy Page Builder, WooCommerce, and more.

    Doctor Web’s report also speculates that attackers may have engineered a long game plan that will give them administrative access even after users update to newer (patched) versions of the compromised plugins:

    Both trojan variants have been found to contain unimplemented functionality for hacking the administrator accounts of targeted websites through a brute-force attack—by applying known logins and passwords, using special vocabularies. It is possible that this functionality was present in earlier modifications, or, conversely, that attackers plan to use it for future versions of this malware. If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities.

    Doctor Web published a document with indicators of compromise, detailing hashes, IPs, and domains that the Linux backdoor malware has been using to infect WordPress websites.
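
    A defender-side check for the behaviour described above (JavaScript injected into pages and served from an attacker-controlled host), as an added example that is not part of the original article or of Doctor Web's report. It audits the external scripts a page loads against the site's own allowlist and an IoC domain list; every domain below is a constructed placeholder, and real IoC values would come from Doctor Web's published document.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def host_matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_scripts(page_url, html, allowed_domains, ioc_domains=()):
    """Classify each external script referenced by the page.

    Returns a list of (absolute_url, verdict). verdict is "ioc" when the
    host is on the IoC list, "ok" when it is on the site's allowlist, and
    "unexpected" otherwise (including data: URLs, which have no host).
    """
    allowed = {d.lower() for d in allowed_domains}
    iocs = {d.lower() for d in ioc_domains}
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()

    findings = []
    for src in collector.sources:
        # urljoin resolves relative paths and protocol-relative //host URLs.
        absolute = urljoin(page_url, src)
        host = urlsplit(absolute).hostname or ""
        if host_matches(host, iocs):
            verdict = "ioc"
        elif host_matches(host, allowed):
            verdict = "ok"
        else:
            verdict = "unexpected"
        findings.append((absolute, verdict))
    return findings


# Constructed sample input: a rendered post with two legitimate scripts,
# one script from an unknown host, and one from a placeholder IoC domain.
SAMPLE_PAGE_URL = "https://blog.example/2023/01/hello/"
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//cdn.example.net/lib/app.js"></script>
<script src="https://stats.injected.example/t.js"></script>
<SCRIPT SRC="https://a.ioc-placeholder.example/x.js"></SCRIPT>
</head><body><p>post</p></body></html>
"""
SAMPLE_ALLOWED = {"blog.example", "example.net"}   # assumption: site's own hosts
SAMPLE_IOCS = {"ioc-placeholder.example"}          # placeholder, not a real IoC


def audit_sample():
    """Run the audit over the constructed sample page."""
    return audit_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_ALLOWED, SAMPLE_IOCS)


if __name__ == "__main__":
    for url, verdict in audit_sample():
        print(f"{verdict:10} {url}")
```

    Run it over the HTML your site actually serves to visitors rather than over the files on disk, since the injection shows up in the delivered page.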

  • Icon Block 1.4.0 Adds Height Control, Improves Color Handling to Better Support Global Styles

    Nick Diego, developer advocate at WP Engine, has released version 1.4.0 of his Icon Block plugin. Diego launched it in October 2021, after struggling to find an efficient way to add SVG icons to the block editor. He is aiming for this small but useful plugin to become “the definitive SVG icon and graphic block.” In the past year, it has grown 1300% to more than 7,000 active installs, while staying focused on a tight set of features.

    WordPress contributors have been discussing adding SVG support to core for more than a decade, but have not yet found a clear path forward that properly addresses security concerns. In July 2022, the Performance team began working on a module for SVG uploads but it’s still in progress. In the meantime, since the SVG format has nearly universal support across the web, users have relied on plugins like SVG Support (1M+ installs) or Safe SVG (700k+ installs) to upload SVG files to the media library and use them like any other image file.

    Diego’s plugin is different in that it was made for use with the block and site editors. The Icon Block registers a single block that allows users to add custom SVG icons and graphics. It also enables access to the WordPress icon library, which contains 270+ SVG icons.

    One advantage of the plugin is that users don’t need to install a whole block library if they just need SVG icons. In version 1.2.0, Icon Block added the ability for developers to register their own custom icon libraries.

    The latest release expands width control beyond what is offered in the core Image block to support %, px, em, rem, vh, vw, or whatever units are defined in theme.json. These units are also available in Global Styles, so users can control width based on how the theme author intended. Diego, who said he prefers to use native WordPress components wherever possible, updated width controls using Gutenberg’s HeightControl, which isn’t yet available in core.

    “Luckily, it is built out of components that have been in WordPress since 6.0. I ported the code from the HeightControl over to a custom DimensionControl in the Icon Block and made a few modifications to meet my specific needs,” Diego said.

    Icon height support is a new feature in the latest 1.4.0 release, another feature request from the plugin’s community of users.

    image source: Icon Block 1.4.0 release post

    “One thing to note is that I choose to exclude % from the height unit options,” Diego said in the release post. “Using % can have unexpected results based on the icon’s container height and is quite unintuitive.”

    Version 1.4.0 also improves color support to better support Global Styles. When themes define primary and secondary colors in theme.json, icons set to use these will work seamlessly with style variation switching. This is a beautiful demonstration of how block developers can make their plugins work harmoniously with Global Styles to improve the experience of full-site editing.

    image source: Icon Block 1.4.0 release post

    In future releases, Diego said he plans to work on a way to allow users to insert custom SVG icons from an “uploaded” SVG file, as well as explore ways to integrate with third-party icon libraries. Access to Font Awesome, Bootstrap icons, Ionicons, and other SVG libraries would give users a much wider selection beyond the WordPress icon library when designing their sites.

    Users can submit feature requests via the issues queue in the plugin’s GitHub repository. Since Diego is developing the plugin using native WordPress components as much as possible, users can also expect additional functionality to become available as it is added to WordPress core.

    “There are tons of great icon plugins in the WordPress ecosystem, free and premium,” Diego said. “Most have more features and functionality than the Icon Block. However, what makes this block different is its strong commitment to WordPress’ core design principles.

    “The goal was always to make the block feel like it belonged in WordPress itself. I have strived to use as many core block supports and components as possible. Version 1.4.0 stays true to this effort with much-needed enhancements.”

  • Commercial and Community Categorization Is Live on WordPress.org Theme and Plugin Directories

    One of Matt Mullenweg’s announcements at the 2022 State of the Word was the addition of new taxonomies for the theme and plugin directories that will help users more quickly ascertain the purpose of the extensions they are considering.

    With nearly 60,000 free plugins available and more than 10,000 free themes, it’s not always immediately evident which extensions are officially supported by the community and which have commercial upgrades and support available.

    The new “Community” and “Commercial” designations were created to demystify the selection process and empower users to find plugins and themes that suit their needs. They went live on WordPress.org last week and plugin and theme authors were invited to opt into the categorization. The categories are visible in the sidebar of the listings.

    In the example below, Akismet, Automattic’s commercial spam plugin that is bundled with WordPress, has the new Commercial category applied, indicating it is free but offers additional paid commercial upgrades or support.

    The categories do not yet seem to be as widely applied to themes, but one example is all the default themes fall under the “Community Theme” designation, indicating that they are developed and supported by a community as opposed to being a part of a commercial endeavor.

    There are currently just two categories, but meta contributor Samuel (Otto) Wood said this effort is “the start of a broader categorization of plugins and themes.” He outlined how plugin and theme authors can opt into the new categorization feature:

    To opt in a plugin or theme, email plugins@wordpress.org, or themes@wordpress.org, and simply ask to opt into it. This is a manual process for now. In the future, we will be adding a method for plugins and themes to do it themselves.

    Once your plugin or theme is added, you will get a new feature (on the advanced tab for plugins, or at the bottom of the listing page for themes). For both cases, it’s a simple URL entry.

    For Commercial extensions the URL is a support link. Community extension URLs will be labeled as a contribute link.

    Several participants in the comments of the announcement suggested that commercial-tagged plugins and themes should also have the option to include a “contribute” link since they are open source software. Wood’s response seems to indicate the URL is more about where to direct support.

    “This is a matter of categorization,” he said. “Community plugins are those that are mainly supported by a community of users. Commercial plugins are those primarily supported by a commercial profit-seeking entity.”

    Once these categorizations are more widely adopted, it will be interesting to see if the theme and plugin directories will add the ability to filter search results using these tags. This would allow users to narrow down the results to be in line with their expectations for support.

  • Gutenberg 14.8 Overhauls Site Editor Interface, Adds Style Book

    Gutenberg 14.8 was released today with a major update to the Site Editor’s interface that makes it feel more unified as a design tool.

    In August, Gutenberg designer James Koster shared some mockups for updating the Site Editor to include a “navigable frame” where users can select from a menu of features and styles on the left. This was one answer to what Koster identified as unbalanced feature weighting, a critical design flaw that he said was negatively impacting users’ experience with the editor.

    In October, contributors began moving this idea forward, and now the first iteration of the new “browse mode” is making its debut in Gutenberg 14.8. Automattic-sponsored contributor Ryan Welcher published a video demonstrating the new UI for navigating the Site Editor:

    video credit: Gutenberg 14.8 release post

    Version 14.8 also introduces Style Book, which is now nestled into the Global Styles panel. It offers a way to visualize how global style changes will affect blocks by previewing them (both core and third-party blocks) in a resizable panel. This is especially useful when a theme has many style variations that would otherwise be time intensive to save and then preview with various blocks. It helps users answer the question, “How are these styles going to look with my blocks?” Styles can also be previewed for individual blocks.

    video credit: Gutenberg 14.8 release post

    Users who have been missing the Custom CSS panel from the Customizer will be delighted to know that Gutenberg 14.8 adds custom CSS to the Styles > Custom panel in the Site Editor. This first iteration is shipping as Experimental, so users who want to test it can enable “Global styles custom CSS” under the Gutenberg > Experiments menu in the admin.

    When checking out patterns in the inserter, hovering over a pattern will now reveal its title. The invisibility of pattern titles becomes an issue when patterns are visually similar to one another with slight variations. Having the title be visible helps users sort through and select the best pattern for their needs.

    The Navigation block has several updates that should improve the experience of building and editing menus:

    • Navigation block: Add page list to Link UI transforms in Nav block. (46426)
    • Navigation block: Add location->primary to fallback nav creation for classic menus. (45976)
    • Navigation block: Update fallback nav creation to the most recently created menu. (46286)
    • Navigation block: Add a ‘open list view’ button. (46335)
    • Navigation block: Removes the header from the navigation list view in the experiment. (46070)

    Gutenberg 14.8 includes dozens of enhancements and bug fixes beyond these highlights. Check out the release post for the full changelog.

  • ClassicPress at a Crossroads, Directors Consider Re-Forking WordPress

    ClassicPress is polling its users to determine the next step for the software. The project is a pared back fork of WordPress based on version 4.9 that uses the TinyMCE classic editor as the default option with no block editor. It’s run under a non-profit organization called the ClassicPress Initiative.

    In July 2022, the project appeared to be on the rocks when its directors resigned, saying that the community felt they were now hindering the progress of ClassicPress. The organization was struggling to meet its required financial support but has since rallied and is in a more stable place after moving the donation process to Open Collective.

    In a recent forum post titled “The Future of ClassicPress,” one of the project’s directors, Viktor Nagornyy, presented the community with two paths: re-fork ClassicPress using WordPress 6.0, or continue as-is.

    “Over the past few years, our core team has been working on improving ClassicPress and backporting features from WordPress,” Nagornyy said. “As WordPress continued to evolve, ClassicPress got a bit behind in adding new features as the focus became PHP 8+ compatibility.”

    An exploratory fork of WordPress 6.0 with the block editor removed exists in a GitHub repository called WP-CMS. It is not finished but could potentially become ClassicPress 2.0. This option has the benefit of helping the project catch up to WordPress and improve compatibility with more recent versions of PHP, and open up more plugins and themes for users that require 5.0+ in order to be compatible. The downside is that it will take months to complete with ClassicPress’ limited number of contributors and ClassicPress 1.x would need to be maintained in terms of security for some time.

    The alternative is continuing to maintain the project as it is with no requirement to maintain separate versions. Nagornyy identified the cons of this approach:

    • Our small core team will continue to focus on PHP compatibility
    • Backporting from WP is prioritized, so new ClassicPress features might not happen
    • We won’t be able to catch up with WordPress, functions/features will be missing
    • Plugins/themes compatible with WordPress 5+ would be incompatible with ClassicPress

    The project is now at a crossroads considering the two options, which has forced the community to reexamine the purpose of ClassicPress.

    “So the real question is ClassicPress a Pre-Wordpress 5.0 or just WordPress without Gutenberg?” founding committee member Daniele Scasciafratte said.

    “Considering also that CP is based on a codebase of 5 years ago and the web is moving on, I think that we should move to Re-Fork and find a way to automatize it as much possible and simplify it.”

    ClassicPress core committer Álvaro Franz, who is also the author of the WP-CMS fork based on WP 6.0, said he is unwilling to help with a continuation of the current version.

    “I don’t see the point in working on an outdated version of something that has already been improved by many great developers at WordPress (as stated by @Mte90, there have in fact been A LOT of improvements),” Franz said. “But I can take care of v2, since I already am the author of the mentioned fork, I can help with keeping WP-CMS up with WordPress and then using that as a base for CP v2.”

    WordPress core contributor Joy Reynolds commented on the thread, indicating that ClassicPress has a grim future ahead if it keeps struggling to backport all the improvements made after 4.9. She contends that continuing on the same path leads to a dead end, given the project’s small contributor base:

    The whole point of backporting from WP is because they have thousands of developers, millions of users testing every combination of version and plugin and host to find problems (plus a testing team), a security team, and a performance team. CP has none of that and it’s kind of silly to not take advantage of their efforts. But the more things we ignore or fall behind on, the harder it is to backport anything.

    There are many things that continue to evolve, outside of WP, like PHP, Javascript, CSS, HTML, and various bundled tools (like jQuery and TinyMCE and PHPMailer and Simple Pie and Requests…).

    CP can’t stand still at 4.9. That’s dead. But if you tried to backport all the PHP8 stuff, you’d find it very difficult because of all the formatting changes they made, plus all the bug fixes, plus all the new features. The new fork bypasses the backport problem by taking it all at once and deleting the block stuff that is unwanted.

    I personally think that CP doesn’t have any features of value that WP doesn’t have. It has a bunch of fixes and a few features from WP, but it’s a dead end, especially with the limited roster of people who contribute code.

    In a contrasting comment, ClassicPress founding committee member Tim Kaye distilled why the poll seems to be so divisive.

    “If all that people want is WordPress without Gutenberg, there’s absolutely no need for ClassicPress at all since there’s already a plugin that provides what you’re looking for,” Kaye said. “It’s called Classic Editor.

    “The idea that the question is whether CP should essentially mirror a stripped-down version of WP or not is therefore entirely misconceived. Those who desire that objective should be using that plugin. It’s really that simple.

    “CP (and the work that goes into it) only makes sense if it’s its own CMS with its own decision-making process and its own features.”

    Former ClassicPress contributor @ozfiddler, who likened working on the project to “polishing the brass on a rudderless ship,” suggested ClassicPress identify a destination before choosing between two paths.

    “But then, that’s the problem with CP – it never really knew where it was going, beyond ‘WP-without-Gutenberg,’” @ozfiddler said. “So, it means you get statements like this listed as a con for one of the options: ‘We won’t be able to catch up with WordPress.’

    “When I was contributing to CP I always thought that the ambitions greatly outweighed the available resources. I occasionally suggested a drastic pruning back of the project, but this was always met with widespread disapproval. I still think that if CP is going to survive at all (and I very much doubt it) then you will need to define a narrower subset of users and focus your limited efforts on catering to them.”

    ClassicPress’ poll and the 80 comments in the discussion offer a glimpse into the frustrating reality of maintaining a fork of a fast-moving, large project like WordPress. So far there are 31 votes and Nagornyy plans to close it within the next few days if it doesn’t receive any new votes.

  • Block Protocol Announces New WordPress Plugin Coming in 2023

    Block Protocol, a project that launched earlier this year that aims to build a universal block system, has announced a new WordPress plugin coming in early 2023. It will allow users to embed interactive blocks that are compatible with Gutenberg. Given WordPress’ footprint on the web (43% by W3Techs’ estimate), this plugin is a major milestone on the project’s roadmap for supporting a more interoperable and open web with blocks that can be shared through a standardized protocol.

    The Block Protocol plugin will give users access to the global registry of interoperable blocks. These include interactive blocks for drawing, a GitHub pull request overview, a timer, calculation, and more. Once installed, users will see these blocks available in the inserter. The newest versions of the blocks are always available to users without having to update the plugin. Creators of the Block Protocol are also releasing a few new blocks alongside the plugin, including an OpenAI DALL-E-powered image generation block and a GPT-powered block for generating text.

    This announcement comes just days after Matt Mullenweg’s 2022 State of the Word address, where he was asked about Gutenberg potentially collaborating with the Block Protocol project.

    “Sometimes developers don’t like to work together on the same thing,” Mullenweg said in response to the question. “And so it’s part of why there’s like 200 CMS’s and stuff like that. Sometimes there might be a stylistic or a technical change that when you look at it, you say, ‘I can’t use this thing that exists. I’m going to start something that’s different.’ And I think that’s a little bit what’s happening with Gutenberg and the Block Protocol.”

    Mullenweg confirmed that the projects have been communicating but were not able to get onto the same page.

    “They feel like there’s some things, either choices in Gutenberg or ways we develop things, that just are incompatible with how they see it happening,” he said. “We’ll see where that goes in the future. We’ve tried to make it CMS-agnostic so it can be embedded in anything and re-skinned, like you saw with the Tumblr example, it can be totally different. Everything we’re doing is open, so I would hope that wherever they end up, Gutenberg blocks could maybe be embedded, if there’s a translation layer or something like that.”

    Mullenweg sounded optimistic about the possibility of interoperability between Gutenberg and Block Protocol’s specification where users could copy and paste blocks across applications.

    “Maybe they create something really cool, that’s open source,” he said. “And then we’re like, ‘oh, let’s bring that over to Gutenberg,’ so the innovation can flow both ways, and sometimes that’s only possible if you’re starting something from scratch.”

    Since the Block Protocol project is open source and designed to be an open protocol, Mullenweg said he considers it “like a cousin project,” and hopes that WordPress can integrate more in the future.

    “If not, that’s okay too,” he said. “Maybe this will just be an alternative ecosystem that can experiment with new ideas or maybe things we would say no to, they can try. And then we see how it’s adopted by users.” 

    The initial draft of the Block Protocol spec is being incubated by the team at HASH, an open source data, modeling, and simulation platform. HASH is using the protocol in beta. The current version of the spec will be deprecated as of v0.3, which is anticipated to arrive in February 2023 alongside the WordPress plugin.

    “I obviously can’t speak to what Automattic are officially thinking about the Block Protocol, but we’ve been energized by the community’s continued interest,” HASH CEO David Wilkinson said.

    “Thanks to WordPress’ open architecture we can prove out the Block Protocol first as a plugin, giving users today the ability to access Block Protocol blocks within WordPress, and build blocks themselves that work not only in WordPress, but in HASH and other Block Protocol embedders, as well. In time we think that the value in having a standard way to write blocks which work across apps will become self-evident.”

    Wilkinson said WordPress was the most requested CMS from Block Protocol users, as it is the most widely used, but he also has a personal connection with the software.

    “WordPress is near and dear to my heart,” he said. “I built my first websites with it, have worked with it for more than half my life (!), and have a huge amount of respect for the organization and operation behind it. It’s the obvious platform to start with.”

    The Block Protocol team has received requests for support from users of more than 50 block-based applications, and the project is currently running a poll to help identify the next one on the roadmap.

    Even though the Block Protocol and Gutenberg projects did not find an acceptable way to combine efforts, WordPress users will get the best of both worlds with the new upcoming plugin. At the moment, access to Block Protocol’s Hub of blocks doesn’t offer any functionality that is superior to what is found in core WordPress and other native block plugins. The addition of the OpenAI-powered blocks will help make it more compelling, and the protocol’s ability to work across apps may bring an influx of more interesting blocks in the future.

    The Block Protocol is currently onboarding beta testers for the new WordPress plugin. Those who are interested can sign up for early access.

  • WordPress.com Launches Newsletter Product

    WordPress.com has launched a newsletter product just in time to capture those escaping Gumroad’s price increase and editors displaced by Revue shutting down. Newsletters, which were already booming as a communication tool in recent years, have become more critical than ever, as the uncertainty around Twitter has people scrambling to find reliable ways to stay connected.

    WordPress.com (and Jetpack users) have had the ability to send published posts to email subscribers for years. This isn’t usually marketed as a newsletter (as you can see below) but functions in the same way.

    WordPress.com Newsletter is a new streamlined product for scheduling and publishing newsletters using WordPress. It uses the same underlying infrastructure as subscribing to sites via email, offering users unlimited email subscribers. During setup, newsletter creators can import up to 100 subscribers from other newsletter services by uploading a CSV file.

    A theme designed for newsletters is put in place with additional newsletter-focused block patterns for the Subscribe box. Users can take advantage of the Site Editor to further customize the site’s background, site icon, and accent colors. This type of website showcases the versatility of the block editor, as newsletter creators can quickly design their own unique websites, without editing any code.

    With all the activity in the newsletter product space lately, I had to give myself a tour of WordPress.com’s new product to see how it stacks up to creating campaigns with other dedicated email services. In the first part of the setup process, users will upload a logo, specify a site name and description, and select a color.

    The next section displays pricing options with a plain link at the top for the free plan. Paid plans are ad-free and allow users to send unlimited emails. In the future, the premium plan will allow users to monetize their newsletters in various ways, such as selling subscriptions or collecting donations.

    After selecting a plan and free or paid domain name, users have the opportunity to upload up to 100 emails from other newsletter services. I selected the free plan, so that number may be unlimited with the paid plans. The site setup is fairly quick, as it puts the default theme in place, and users are encouraged to start writing. It’s a simple flow entirely geared towards publishing newsletters. Depending on the readiness of the post, newsletter authors can have their first issue landing in subscribers’ inboxes in minutes.

    The default newsletter site theme doesn’t come with additional style variations but users can easily edit the templates to expand, reduce, or further customize what is shown on the frontend.

    The default theme is very minimalist but looks nice out of the box on both desktop and mobile. The subscribe form is front and center and recent posts, or newsletter “issues,” show up underneath with a featured image.

    If you are familiar with WordPress, using the block editor is likely far easier than any newsletter campaign editor out there, as these tend to be clunky and limited in options. Publishing directly from WordPress.com also eliminates the need to copy the content over into a newsletter service and reformat it for email, a problem that services like Newsletter Glue have set out to solve for self-hosted WordPress sites.

    If you are a subscriber of IndieWeb principles, one of the most important considerations in launching a newsletter is that you own your own data and have the opportunity to practice POSSE (Publish (on your) Own Site, Syndicate Elsewhere). WordPress.com’s new offering makes it effortless to follow this workflow for newsletter publishing.

    One bonus feature, which is lacking with major newsletter service providers, is that subscribers can reply to the email to leave a comment on the published post, furthering the public conversation around each issue of the newsletter.

    Although WordPress.com has experience sending millions of emails at scale, the newsletter product’s pricing and sales copy doesn’t mention anything about deliverability rates. This is a major selling point for people coming from other services which haven’t performed as well on deliverability. There is also no comparison chart showing the limitations of the free account, which may be an important consideration for those who are just testing the waters.

    For those who are not hosting their sites at WordPress.com, there are a myriad of diverse plugins for self-hosted WordPress that can make newsletter publishing a seamless process. It requires knowing which ones to install, set up, and configure. For non-technical publishers, WordPress.com’s newsletter product is the most approachable entry point to WordPress-based newsletter publishing that exists on the market right now. If the company can add the monetization features fast enough, this product has the potential to become a major contender among newsletter services jostling to capture the creator economy.

  • Drupal Gutenberg 2.6 Released with Drupal 10 Compatibility

    Drupal Gutenberg, the Gutenberg module for Drupal that was created by Frontkom, has released version 2.6 with compatibility for Drupal 10. The module offers Drupal users a better authoring experience using blocks, allowing them to quickly build landing pages and save reusable blocks inside the editor without any code required.

    There are more than 3,300 active Drupal installations using Gutenberg, and the module has been receiving regular updates for more than four years. It ships with 60+ blocks as well as access to the Gutenberg Cloud, a cross-platform community library for custom Gutenberg blocks. Since the blocks are JavaScript-only, they work across both Drupal and WordPress sites alike.

    “Installing Gutenberg slashed our content creation time by 80%,” a content creator at Fortum, a Finnish state-owned energy company, reported to the Drupal Gutenberg maintainers. “We are able to create more content in a shorter time, allowing us to be much more agile than we used to.”

    Version 2.6 includes the following fixes and enhancements:

    Drupal Gutenberg has removed support for Drupal 8 in this release. Version 2.6 is fully compatible with Drupal 10, released yesterday. Drupal 10 was previously scheduled for June 2022 but pushed back to December. This release shipped with all the new features of CKEditor 5, which boasts a more modular architecture, but it is a complete rewrite of the previous version with no backwards compatibility.

    CKEditor is the most popular editor among Drupal users and is now the default editor. Drupal users can easily swap out their editor on per content-type basis, and the Gutenberg module can be enabled as an alternative to CKEditor. The module is superior to CKEditor when it comes to design controls and building layouts.

    The maintainers of Drupal Gutenberg hold periodic contributor meetings on a bi-weekly basis, every second Friday at 15-16 CET on Google Meet. They have fully embraced the vision of Gutenberg as a platform where blocks can be used to edit content and design across a variety of applications. If you are a user of the Drupal Gutenberg module, the maintainers are requesting feedback through a 30-second survey.

  • State of the Word 2022: Matt Mullenweg Highlights Gutenberg’s Progress, Announces New Community Tools

    State of the Word (SOTW) watch parties kicked off around the world this afternoon as Matt Mullenweg delivered his annual address to the WordPress community. A small group of people gathered live in New York City to participate while the majority of enthusiasts watched via the livestream. Mullenweg spent an hour reviewing and celebrating the work done across the project in 2022 before taking questions from the audience.

    At last year’s SOTW, Mullenweg spoke about how Gutenberg adoption is growing beyond WordPress and how he believed it could become “bigger than WordPress itself.” In addition to Gutenberg getting rolled out on the bbPress support forums this week to modernize the WordPress support experience, the block editor has found its way into more apps in 2022.

    Mullenweg cited a few examples including Engine Awesome (a Laravel-based SaaS application), the Pew Research Center’s Political Typology Quiz, the web version of Automattic’s Day One app, and the Tumblr post form. He noted that in Tumblr, 99% of the editor is hidden – there’s no sidebar, everything happens inline. Mullenweg said he is hoping Gutenberg can create an “open block standard that can be used anywhere,” where users learn it on one system and it can be applied in other apps.

    For those who had been missing WordCamps, one of the major highlights of 2022 was the return to in-person events. From 2021 to 2022, the number of meetup groups doubled. Only one WordCamp was held in 2021 but that jumped to 22 WordCamps in 2022. Mullenweg highlighted how WordCamps have historically been “the magical ingredient” for onboarding people to contribute and teaching them about WordPress culture.

    For being just one year back into in-person events, WordPress has done well in 2022 with 1,399 release contributors and 652 contributing for the first time. There were 204 people who contributed to all releases in 2022 and 424 who contributed in 2021 and returned in 2022. Some 322 contributors took a break in 2021 and returned in 2022.

    People are also contributing to Openverse, which has indexed more than 22 million images, 1.1 million audio files, and has handled more than 59 million requests in the last 30 days.

    Tools Coming to the Community: New Taxonomies for the Plugin and Theme Directories and Staging “Playground” that Runs WordPress in the Browser

    It wouldn’t be the State of the Word without a few exciting announcements. Mullenweg unveiled a plan to add new taxonomies for the theme and plugin directories that will help users more quickly ascertain the purpose of the extensions they are considering.

    For example, there would be a tag for the type of plugins that a developer might create to solve a problem but may not be intended for wide public use and may not come with dedicated support. Another tag would be designated for “Community” plugins, which Mullenweg said is for software that “belongs to all of us” with the lead developers stewarding it for the next generation. This tag is for plugins that do not have any upsells and invite contributions. Some of these plugins will be canonical plugins, those that are officially supported by core developers and receive attention from the security team. Gutenberg and the importer plugins are a few examples.

    Another tag would be designated for commercial plugins that have some sort of upsell and often include commercial support. Anything with a pro version will fall within this category. Mullenweg said he wants WordPress.org to create an environment where commercial and non-commercial plugins can exist together harmoniously.

    The new taxonomies will be launching in the directories this month and will also eventually make their way into the plugin and theme screens inside the WordPress admin. This will be a major improvement that will give users of all experience levels a better understanding of the extensions they are examining, making it easier to select the right type for their needs.

    Mullenweg also announced WordPress’ official support for the WordPress Sandbox project, which we featured earlier this month. He outlined a plan for what will officially be called “WordPress Playground.” The experimental project uses WebAssembly (WASM) to run WordPress in the browser without a PHP server, making it possible to spin up new playgrounds in just a couple of seconds. This will enable things like a guided, interactive WordPress landing experience where developers can edit code live and see the results right away. It will also make it possible for users to try plugins directly from the directory and may someday be used to allow people to contribute to WordPress core.

    A new website for WordPress Playground is located at https://developer.wordpress.org/playground/ where anyone interested can check out the experimental project for running a WordPress instance entirely in your browser. There’s also a new #meta-playground Slack channel for those who want to join the conversation.

    WordPress turns 20 next year. Mullenweg noted that not many software projects make it that long but WordPress is also growing faster than ever, currently powering 43% of websites according to W3Techs and 32% according to Builtwith. A new website at wp20.wordpress.net will be headquarters for the festivities, including swag, merchandise, and a new Milestones book for the most recent 10 years of WordPress’ history.

    If you didn’t have the chance to catch the State of the Word this afternoon, check out the recording below to hear Mullenweg’s vision for the next phases of WordPress and see demos of all the progress made on block themes and full-site editing in 2022.

  • Performance Lab Plugin to Add New Experimental SQLite Integration Module in Upcoming 1.8.0 Release

    WordPress’ Performance Team contributors have merged a new experimental SQLite integration module that is on track to be included in the upcoming version 1.8.0 of the Performance Lab plugin. (This is the plugin that contains a collection of feature plugins with performance-related modules the team hopes to land in WordPress core.) The new module allows the adventurous to test the new SQLite implementation, with the understanding that the overall user experience will still be rough.

    In a proposal titled Let’s make WordPress officially support SQLite, Yoast-sponsored core contributor Ari Stathopoulos contends that less complex sites (small to medium sites and blogs) don’t necessarily benefit from the requirement of using WordPress’ standard MySQL database:

    On the lower end of the spectrum, there are small and simple sites. These are numerous and consist of all the blogs, company pages, and sites that don’t have thousands of users or thousands of posts, etc. These websites don’t always need the complexities of a MySQL/MariaDB database. The requirement of a dedicated MySQL server increases their hosting cost and the complexity of installation. On lower-end servers, it also decreases performance since the same “box” needs to cater to both a PHP and a MySQL/MariaDB server.

    In an ideal world, users could select their database type during installation. Stathopoulos said this would require WordPress to have a database abstraction layer, which other platforms like Drupal have had for 10+ years.

    “Building a database abstraction layer for WordPress would be a colossal task – though it might be one that, at some point in the future, we may have to undertake to ensure the project’s continued evolution and longevity,” he said.

    As an alternative, Stathopoulos sees SQLite as a “perfect fit” and cited the benefits of using it for smaller websites:

    • It is the most widely used database worldwide
    • It is cross-platform and can run on any device
    • It is included by default on all PHP installations (unless explicitly disabled)
    • WordPress’s minimum requirements would be a simple PHP server, without the need for a separate database server. 
    • SQLite support enables lower hosting costs, decreases energy consumption, and lowers performance costs on lower-end servers.

    This new SQLite integration module is based on the wp-db-sqlite plugin, a SQLite database driver drop-in that is also used by the WordPress Sandbox project, as WASM doesn’t support MySQL. The wp-db-sqlite plugin was based on the original work of Kojima Toshiyasu in his eight-year-old SQLite Integration plugin, which is no longer available for download on WordPress.org. Stathopoulos said these solutions have evolved over the years, have been thoroughly tested, and proven to work seamlessly, although they are not well known among users.

    Matt Mullenweg commented in support of the proposal, so the implementation moving into the Performance Lab plugin may have a decent shot at landing in core someday. Most participants in the discussion on the proposal were supportive of the idea but also discussed a few of the potential drawbacks. These include poorer support for things like multi-author editing and search.

    “MySQL is and should continue to be the default because if you have aspirations to be the next big thing, then MySQL can scale better,” Stathopoulos said. “If on the other hand you just want a blog, a company site with your about page and a contact form to have an online presence, or any type of small site (which is arguably the majority of sites on WordPress) then SQLite is all you’ll ever need and it will perform a lot better.”

    A few participants in the discussion also bristled at the controversial, religious code of ethics SQLite holds for its contributors. Stathopoulos sees it as a non-issue because the project is open source and the technology is widely used.

    “Its popularity speaks volumes regarding what it can do and where it can be used,” he said in response to criticism of the idea of tying WordPress to a project with an objectionable code of ethics.

    If you have used WordPress from the early days, you have witnessed it become more complicated over the years. Discussions around the idea of a “WordPress Lite” have popped up every few years, but the platform’s specific selection of features seems to have been a major factor in WordPress powering 43% of the web (according to W3Techs). NerdPress founder Andrew Wilder suggested that a SQLite implementation might benefit from being branded as “WordPress Lite.”

    “Reading the comments and potential issues above, if this does move forward, perhaps the way to implement this in a way that makes sense to users would be to brand it simultaneously as ‘WordPress Lite,’” Wilder said. “So if a site is using SQLite, there could be features that are simply no longer available (such as multiple authors, or perhaps plugins that have certain database requirements can’t be installed).”

    Those who are interested in testing the new SQLite integration module should be able to test drive it next week. Google-sponsored Performance Team contributor Felix Arntz gave a few notes on testing in yesterday’s team meeting:

    For the SQLite implementation, other than the SQLite DB working correctly by itself, another crucial aspect to test is the user experience on module activation. You’ll get an entirely new database, but we’ve added some logic to make the transition as seamless as possible: On a typical WordPress setup, you should not need to reinstall WordPress yourself when you enable the module, and you shouldn’t even need to log in again.

    Basically the PR has logic to install WordPress automatically in the new database, using the same basic setup data that is present in the regular database.

    Just keep in mind that it is by no means a migration. It’s only the install you’ll get; no content will be migrated.

    The 1.8.0 release of the Performance Lab plugin is expected on Monday, December 19, and is set to include the new module.