After an accumulation of undisclosed and unpatched vulnerabilities in plugins hosted on WordPress.org, Patchstack has reported 404 plugins to WordPress’ Plugin Review Team.
“This situation creates a significant risk for the WordPress community, and we decided to take action,” Patchstack researcher Darius Sveikauskas said. “Since these developers have been unreachable, we sent the full list of those 404 vulnerabilities to the plugins review team for processing.”
Ordinarily, reporting plugins to WordPress.org is a last resort for challenging cases after Patchstack fails to find a way to contact the vendors. In this case, many of these plugin authors have included zero contact information in their extensions or are not responding to communication attempts. Patchstack has characterized it as a “zombie plugins pandemic” due to the overwhelming number of abandoned plugins affecting more than 1.6 million sites.
The WordPress.org Plugins Team has acted on the report by closing more than 70% of the plugins. In June, the team added six new sponsored volunteers and opened applications for more team members but have struggled with managing a formidable backlog of plugins waiting to be reviews. The backlog is climbing higher and is now over 1,119 plugins with a 71-day wait time.
Adding plugin vulnerability issues, where hundreds have to be closed, only adds to how long developers have to wait to get new plugins reviewed.
As of August 31, 2023, Patchstack reports the following stats associated with these reports to WordPress.org:
404 vulnerabilities
358 plugins affected
289 plugins (71,53%) – Closed
109 plugins (26,98%) – Patched
6 plugins (1,49%) – Not closed / Not patched
Up to 1.6 million active installs affected
Average installs per plugin 4984
Highest install count 100000 (two plugins)
Highest CVSS 9.1
Average CVSS 5.8
“Oldest†plugin – 13 years since the last update
Patchstack is urging developers to add their contact details to their plugins’ readme.txt and/or SECURITY.md files. To streamline security issue management, the company has created the Patchstack mVDP (managed vulnerability disclosure program) project, which is free for developers to join. Patchstack validates the reports that come through, rewards the researchers, and passes them to the vendor to be addressed.
The company is also advocating for a dashboard alert when a plugin or theme is removed due to security reasons, as WordPress does not currently give the user this information. Their researchers will soon be submitting more reports that may result in closed extensions.
“We are preparing more similar lists for the WordPress.org themes repository and repositories focused on premium products,” Sveikauskas said. “We are currently processing about extra 200+ similar vulnerabilities.”
Kevin Ohashi from Review Signal has published his 2023 WordPress and WooCommerce hosting performance benchmarks. This is his 10th round of capturing performance data from hosting companies that opt into the testing. Ohashi’s methodology tests two metrics through a variety of methods: peak performance and consistency.
The benchmarks include a LoadStorm test designed to simulate real users visiting the site, logging in, and browsing (uncached performance). They also test cached performance, SSL, WP queries per second, performance on some computational and database operations, and a WebPageTest that fully loads the homepage and records how long it takes from 12 different locations around the world. As part of the consistency testing, Ohashi also measures uptime using HetrixTools and Uptime Robot for a minimum of three months.
Participants pay a standard, publicly documented fee, based on the price tier of the product being tested, to cover the costs. Ohashi does not accept sponsorships for the tests, and has become one of the most trusted sources for unbiased performance reviews of WordPress hosting plans.
In 2023, Ohashi tested 31 companies across 72 plans and seven pricing tiers, with tests nearly identical to previous years. He made minimal adjustments to the LoadStorm test script to improve performance and make it compatible with newer versions of k6.
The website makes it easy to review results at a glance by using a star system. Hosts that achieve “Top Tier” status receive a full star:
This is awarded to companies who maintain 99.9% uptime throughout the entire testing and show little to no performance degradation during load testing, primarily focused on error rate and consistent response times. Error rates above 0.1% and response times above 1000ms* will keep a company away from achieving Top Tier marks.
The half star indicates “Honorable Mention” status, which is given to companies that came close to Top Tier but fell just short, such as struggling slightly on a load test.
Among budget hosts in the <$25/month category, the majority of hosts (16/21) rang in at the Top Tier level. Those who did not earn Top Tier status were held back by inferior performance on the the LoadStorm test for the most part, even though several still took top scores in other aspects of the testing.
There are fewer participants at the $25-50 plan (and other more expensive plans) but the results are similar to the budget hosts, with A2 Hosting, Cloudways, and Stromonic edged out of contention for Top Tier. All three failed to achieve Top Tier for any of the plans tested this year.
In the Enterprise tier ($500+), the majority of participants handled the LoadStorm test without issue. When testing cached performance, Ohashi found that the overall field of participants is getting faster:
Excluding Seravo, every company was 33ms average or below and 43ms p95 or below. Compared to last year where the fastest average was 6.4 ms and p95 was 20ms. There are four companies this year below both of those levels. The performance at the Enterprise tier is mind bogglingly fast and getting even faster which is hard to comprehend when last year’s 6.4ms was beaten by 4 plans this year.
Most of the entrants in the WooCommerce category earned Top Tier status, with the exception of Blallo and Cloudways, both of which stumbled on the LoadStorm test. The hosting plans tested range from $25.95/month – $99/month. The WooCommerce-specific tests collect average response times, total requests, errors, and other metrics across four different profiles:
Profile 1 (20%): Buyer – Homepage, add item to cart, go to cart, checkout (doesn’t submit order)
A more detailed breakdown is available on the WooCommerce benchmarks results page.
It’s important to note that the tests do not clearly identify a winner or top performer. They also don’t take into account other aspects of the WordPress hosting experience, like reviews, support, and features. Ohashi tests the defaults for all of these plans, but if there are more optimization features that can be customized for sites (which are not clearly outlined in the initial setup) then those are also not taken into account. The methodology simply focuses on performance, so it’s just one factor of hosting, albeit a very important one.
“As far as surprising results, I keep thinking ‘Are we nearing the point that we won’t see much improvement?’ and each year the whole field gets faster and faster,” Ohashi said. “Even improving on sub 10ms times between years. For example, in the <$25/month tier, in 2022 there were 3 companies with <50ms average response time on the Static k6 test. This year there are 10. I also saw 100ms+ improvements from the other (slower) side bringing up the whole field a meaningful amount. Everyone is getting faster and faster.”
Why Are Some Managed WordPress Hosting Companies Missing?
There are many leading WordPress managed hosts that are notably absent from Ohashi’s benchmarks, whose inclusion would be helpful for a deeper understanding of market. I asked him about a handful of them and he reported that WP Engine, Dreamhost, and Kinsta declined to participate this year, to name a few. GoDaddy took a year off but may be back next year.
The major reasons for hosts not wanting to participate fall into a few categories, and bad performance is chief among them.
“Some companies perform poorly or poorly relative to price and don’t want to participate anymore,” Ohashi said. “They usually talk about other ‘intangible’ values that you can’t measure. I think good performance should be a default for every hosting company, and good companies shouldn’t be afraid of bad results – if they actually plan on improving their services.
“But some would probably rather spend fortunes on marketing instead of better engineering, and bad results aren’t going to help their marketing. I personally love seeing companies who participate year after year despite mixed results. I respect the companies who consistently earn Top Tier are doing a great job. But there’s something special about companies willing to put themselves out there regardless of the results, because it’s a public and open commitment to improving.”
Ohashi said that occasionally the timing doesn’t work out where a host is going through a major engineering overhaul during the testing and doesn’t want the platform benchmarked when they are about to release a new one. In this case some opt to skip a year.
The costs of the benchmarking can also be prohibitive for some smaller hosting companies. Ohashi raised prices by $250 across all tiers this year (eg. $100->$350, $500->$750) to cover his costs. Although this doesn’t seem like much for a hosting company, they also have to pay for the servers for four months, and have the staff/resources available to work with Ohashi on organizing, executing, and debugging issues. 20i, Krystal Hosting, Nexcess, and Pressable agreed to sponsor upstart companies in the space for 2023.
Another reason some hosts don’t participate is a lack of interest or value. They don’t see how they can use the benchmark results to their advantage.
“Some companies don’t get as much value from the benchmarks as others,” Ohashi said. “Performance across the board has gone way up. It’s harder and harder to stand out.
“I think some companies may view it as an instant validation and reason for customers to come busting down the doors. But there are a lot of great companies offering great performance. Earning Top Tier status means you’ve got a performant hosting platform. It’s great, and it can help validate some customer needs/desires in the decision making funnel, but it won’t magically generate tons of sales.”
Ohashi said he has put together notes for hosting companies that earned Top Tier status to help them leverage more value this year from a marketing perspective, based on what he has seen some companies do with their results. Creating more value for participating companies is something he is actively working to improve upon.
Although Review Signal had approximately 35,000 people visit in the past year, Ohashi doesn’t think the traffic captures the full value of the benchmarks very well. The people who dig into these metrics are those who have a large impact on where their WordPress clients host their websites.
“The people who care about the benchmarks are seriously into WordPress / hosting / performance,” Ohashi said. “It’s a lot of agencies, developers, large website owners and hosting people. One way I’ve measured impact is by going to the major WordCamps (EU/Asia/US) and talking to people. The number of folks who are aware of the benchmarks there was surprisingly high to me. The people who are interested enough to spend time at WordCamps are the same folks interested in reading the benchmarks. It’s not the largest number of people who read them, but it is the largest impact people who read and value them.”
After an in-depth performance analysis earlier this year revealed that translations can impact server response times, WordPress contributors proposed half a dozen technical solutions for consideration to improve performance for the ~56% of sites that use translations.
Performant Translations, a feature project by the core Performance Team, is now available as a plugin on WordPress.org. It incorporates some of the proposed solutions and speeds up translations by converting .mo files to .php files, allowing them to be parsed faster and stored in OPcache.
It supports multiple file formats (.mo, .php, and .json) and multiple text domains and locales loaded at the same time. Existing .mo files get converted to .php files which are then loaded by WordPress.
A chart included on the plugin’s details page shows a significant page load time reduction when using the plugin, as compared to sites with translations that don’t use the plugin. The plugin brings translations very close to the same page load times as English (non-translated) sites.
“With enough testing and feedback, we hope to eventually merge this plugin into WordPress core,” Performance Team contributor Pascal Birchler said when announcing the plugin on X.
“In the coming weeks and months we will share more testing instructions and continue to improve the plugin. This will be made available via Performance Lab, too.”
Performant Translations is considered to be a beta testing plugin but can be tested and used in production at your own risk. It doesn’t require any changes to settings or configuration after installation. The plugin can be safely removed after testing, because it essentially cleans up after itself. All .php files it generates will be removed by the server once the plugin is deactivated and uninstalled.
A collection of leading WordPress agencies have launched a collaborative project to promote the platform to large-scale organizations. Big Bite, in partnership with 10up, Alley, Human Made, Inpsyde, and XWP, have published a free WordPress for Enterprise guide that includes contributions from Google and WordPress VIP.
The guide highlights many high profile companies and organizations using WordPress, including CNN, Vogue, Google, The Wall Street Journal, Spotify, Harvard University, the White House, Meta, PlayStation, and many more.
Even after 20 years of unprecedented growth and adoption across major brands, the misconception that WordPress is just a blogging platform persists among many who don’t keep up to date with open source software.
“Despite being the number one CMS, many people still associate WordPress solely with bloggers and small businesses, and are surprised to learn that it powers sites for some of the biggest brands on the planet,” Big Bite CEO Iain McPherson said. “By coming together to create this guide, we’re aiming to change that perception and highlight the many advantages it offers to enterprise organizations that have lots of contributors, lots of content, and lots of challenges.â€
The guide offers an easy-to-read overview of how well-suited WordPress is for the enterprise market and the possibilities for creating a customized platform to fit any organization. It includes short chapters on the following topics:
From small blogs to big brandsÂ
Open source advantagesÂ
Platform security
Scalability and internationalization
Solution cost and value
Editorial experience
Performance mattersÂ
Feature extensibility
Headless capabilities
“While smaller brands are able to switch CMS platforms fairly easily, for large-scale enterprises it’s often a major undertaking, so we hope this guide makes the decision process much easier for those exploring open source options,” WordPress VIP Director of Product Marketing Michael Khalili said.
The guide is a useful resource for large organizations examining WordPress as a platform or for small agencies looking to pitch WordPress to larger clients. It’s free and does not require you to enter your email address or other contact information to download it.
WordPress.com is now selling a 100-year plan, one of the longest available in the industry, for a one-time payment of $38,000. It includes managed WordPress hosting (whatever that looks like in 100 years), multiple backups across geographically distributed data centers, submission to the Internet Archive if the site is public, 24/7 dedicated support, and a domain that doesn’t need to be renewed by the customer for a century.
ICANN, the Internet Corporation for Assigned Names and Numbers, limits domain registration to a maximum of 10 years. Auto-renewing after this time requires the customer to renew on time and keep their payment method updated. A 100-year plan removes these uncertainties but still hinges on the registrar staying in business into the next century.
Customers who buy into the plan will need to have superior confidence in WordPress.com, coupled with the belief that domain names will still be important to the fundamental architecture of the web decades from now.
Automattic CEO Matt Mullenweg commented on the difficulties in pricing the 100-year plan during his presentation at WordCamp US 2023, while simultaneously discouraging WordPress product owners from offering lifetime licenses. The distinction here is that the 100-year plan has a finite length of time, even if its future support seems unfathomable at the moment.
“It also got me thinking about lifetime licenses, which I think we should stop doing in the WordPress world,” Mullenweg said.
“If you’ve ever worked with an accountant or an acquirer they don’t like when you have those because it’s essentially an open ended commitment, including often with support. How do you recognize that revenue? Offer a 20 year plan or something. I think when you’re saying ‘lifetime,’ it sort of cheapens the word. If we’re really thinking long-term, what promises we’re making to our customers, I think we should re-examine those practices.”
Mullenweg also said he was inspired by the Long Now Foundation, a non-profit established to foster long term thinking. The organization’s first project is the “Clock of the Long Now,” a mechanical monument designed to keep accurate time for the next 10,000 years:
It is still being assembled deep inside a mountain in west Texas. The Clock provides a rare invitation to think and engineer at the timescale of civilization. It offers an enduring symbol of our personal connection to the distant future.
WordPress.com is building something parallel to this in the digital world, enabling people to create their own virtual, lasting monuments and preserve their homes on the web.
Embedded in the new offering is also a poignant reminder that WordPress.com is a domain registrar, as the company recently made a bid to capture Google Domain customers ahead of their domains being sold off to Squarespace. Even if the new 100-year hosting plan is too expensive for 99.9% of prospective customers, it gives the impression that the company is capable of hosting entrusted domains for the long term.
Nobody, not even WordPress.com, knows what that will look like in 50 years, but it’s an ambitious, thought-provoking offering. What resources will a URL (Uniform Resource Locator) point to 50 years from now? Or will URLs be discarded into the scrap pile of obsolete building blocks as soon as there’s a better, more efficient way to identify web addresses? What does longevity look like in the digital world?
WordCamp US concluded this weekend after gathering nearly 2,000 attendees in National Harbor, Maryland, for the Community Summit, Contributor Day, and main conference days. For the majority of people in the WordPress world who were unable to attend, the recordings of the presentations from project leadership will give you an idea of what to expect in the near future and beyond. These videos were published right away and are embedded below.
WordPress Executive Director Josepha Haden Chomposy spoke on “The Future of WordPress,” with an emphasis on how the project can continue to thrive, build resilience, and outlast its current contributors. She encouraged the community to be proactive about expanding their learning and connections. She also reaffirmed the importance of the project’s mission to democratize publishing and the impact that can have in the world.
WordPress co-creator Matt Mullenweg capped off the event with a presentation titled “What’s Next for Gutenberg,” followed by a Q&A. He highlighted a few features coming in 6.4, including font management, an image lightbox, and the new Twenty Twenty Four default theme.
As WordPress is moving into the Collaboration phase of the Gutenberg project, which will enable multiple authors to edit simultaneously, Mullenweg highlighted the importance of redesigning the admin. This will be the first major redesign since MP6 and is also aimed at improving workflows for administrators.
Mullenweg announced that WordPress has launched a new LMS (Learning Management System) working group. He commented on the benefits and drawbacks of having multiple plugins in the ecosystem that do the same thing. Although the competition can encourage more innovation, it can also lock users into one solution if they aren’t built to be interoperable.
Representatives from Tutor LMS, Learndash, LifterLMS, and Sensei met to discuss using common data models so users can easily switch between solutions. They are working in a new #LMS slack channel to establish industry standards that will preserve user freedom and choice through practical interoperability changes to their products.
Mullenweg also said he would like to see more plugins, such as those handling SEO or site builders, to agree on some data models so that products can operate in a more standardized and performant way, serving users better in the long term.
Check out the presentation below, along with the Q&A that followed. There were more than 80 questions submitted, and those that were missed during Q&A will have answers published to in a future post on WordPress.org.
Gutenberg 16.5 was released this week with the biggest changes landing in the Command Palette. Users now have access to more block-related commands for block transforms and block actions, including the following:
all transforms to the block has defined (e.g. to cover, to gallery, to columns, to file, to group, to media and text, for an image block)
“Together, these new commands not only enrich the command palette’s functionality but also improve the distraction-free mode by offering immediate access to basic functions,” Automattic-sponsored Gutenberg contributor Siobhan Bamber said in the release post.
Improving the discovery of these new commands may prove challenging. Contributors are exploring displaying the contextual actions as suggestions immediately after opening the command palette, to scale with the increasing index of available commands.
“Since the aim of this PR is to add so many commands, let’s not surface any suggestions yet,” Automattic-sponsored designer James Koster said. “We can explore that in a follow-up with a thought-out design which considers how to scale the display of so many commands, if necessary.”
The Command Palette design was also updated in this latest round of version 16.5. Users with a keen eye may notice a new search icon aligned to the right, a reduced width, darker icon color, and more subtle changes.
Gutenberg 16.5 adds more block supports to the Details block, Post Content block, and File block to make them more customizable with controls for colors, block spacing, and padding.
This update includes many more small enhancements and bug fixes, including improvements to the writing flow, build tooling, fluid typography, existing Command Palette commands, Snackbar component, and Global Styles. Check out the 16.5 release post for the full changelog.
WordCamp US 2023 kicked off Wednesday with the Community Summit and the Contributor Day on Thursday. The main conference days begin this morning and will be broadcast via high-definition livestreams throughout the event.
In-person attendees will have live captions on the screen in the Woodrow Wilson and Cherry Blossom tracks. The captions are also available on personal devices with livestreaming captions. Organizers have set up Woodrow Wilson StreamText and Cherry Blossom StreamText, which are also available to those watching remotely.
Livestream viewers can watch for free with no tickets required. Check the schedule for specific times. Presentations you are interested in can be starred and emailed to yourself or printed for easy access.
This year Post Status is celebrating a decade of serving WordPress professionals with its member-supported community. The site was founded by Brian Krogsgard in 2013, and now runs an active Slack community with 2,083 members, a weekly newsletter with 4,300 subscribers, and a job board.
As a testament to the community’s continued growth, Post Status announced it has added WordPress veterans Joost de Valk and Marieke van de Rakt as equity partners who have invested cash in the business. They will also be taking on active roles in leading the Post Status community – de Valk as CTO and van de Rakt as an advisor and editorial contributor.
“Post Status has created the most important networking possibilities for us in the past and helped us grow our WordPress businesses,” van de Rakt said. “It seems only fit to contribute and to take on an active role in the Post Status community at this point.”
Post Status CEO Cory Miller said the organization will be moving forward with “the same vision and values – supporting the business of WordPress, with an emphasis on agency owners.” Co-owner Lindsey Miller will be taking on a new role as CMO.
Although maintaining the professional community remains their first priority, Post Status will be expanding with two new initiatives this year that will benefit both partners and members. The team has soft launched the new poststatus.com, featuring a new Partner Directory that showcases WordPress businesses.
“I believe a healthy growing business ecosystem inside of WordPress is absolutely key to WP continued growth and success,” Cory Miller said.
“We want to get a little more organized, professional as an industry, and that means cooperating, communicating, working together, with Post Status being that collective brand, showcasing the agencies, software and professionals of WordPress better.
“The next step is our directory. We want to say, here’s our professional industry for those looking at WordPress for their web projects.”
In addition to ramping up editorial commentary and analysis on industry trends, with the depth of the expertise of new partners de Valk and van de Rakt, Post Status is in the early stages of planning an annual summit. It will be similar to WordPress’ contributor summit but for businesses and individuals who are making their way in the marketplace.
“The second step is to gather together, talk business and what are we seeing, what are the issues, challenges, and opportunities as an industry,” Miller said. “That naturally gives us focus and initiatives to cooperate on together.
“Most industries have this already.
“Doctors, lawyers, big businesses have these kinds of venues and platforms for conversations about the state of their industry. We need that for WordPress and Post Status is taking next steps to do so.”
These two initiatives are next on the organization’s roadmap, and with the new partnership they now have the resources to execute on them.
“Showcase the collective, that’s our directory,” Miller said. “And gather us together to have the key conversations we need about where we’re going as an industry and community. That’s our summit.”
Sponsors are what keeps the lights on at Post Status, and the organization has historically been focused on driving individual membership for WordPress professionals but is shifting its focus on businesses as members now.
“We want every WP pro in Post Status, this is their home, their trade association,” Miller said. “Those who work at WP companies or with WP as part of their gig, we always want to welcome them in to PS.”
Post Status is one of the few WordPress organizations that has been operating for longer than a decade. Now that the Pressnomics event has been retired for four years, the WordPress community is sorely in need of an event where the business-focused community can connect and and help each other grow WordPress success in the wider industry. Post Status is the organization best-suited to step into this role. To stay on top of the organization’s efforts and plans and to support the business community, join as a member and/or subscribe to the weekly newsletter.
WordPress 6.4 will be shipping with a new default theme, expected in early November. The theme’s project leaders unveiled the designs and concept for Twenty Twenty-Four in an announcement on WordPress.org today.
For those who have complained that past default themes have been too niche or too narrowly focused in design, this theme will take the reverse approach. Contributors are attempting to build the ultimate multi-purpose theme that can be used for nearly any kind of website, highlighting the unmatched flexibility of building with blocks.
“The idea behind Twenty Twenty-Four is to make a default theme that can be used on any type of site, with any topic,” core contributorJessica Lyschik said. “Because of that, and contrary to past years, it has no single topic. Instead, three use cases were explored: one more tailored for entrepreneurs and small businesses, one tailored for photographers and artists and one specifically tailored for writers and bloggers.”
Last year’s default theme, Twenty Twenty-Three, was a stripped-back and minimal version of Twenty Twenty-Two, with a strong focus on community-submitted style variations. Like its predecessor, Twenty Twenty-Four will put the spotlight on some of the latest WordPress design features.
“Twenty Twenty-Four will be a block theme fully compatible with all the site editor tooling and it will surface new design tools like the details block or vertical text,” Lyschik said. “Another key intent for the theme is to properly present whole page patterns and template variations so that users don’t need to assemble whole pages themselves, thus easing up their site building process.”
Whole page patterns are a critical feature that all of the best block themes provide, as most people feel daunted when starting from a blank slate. If a whole page pattern is already pre-inserted on a new website install, users are light years ahead in their site building efforts.
Twenty Twenty-Four features the Cardo font for headings and a sans-serif system font for paragraph text. Cardo is an Old Style serif typeface designed by David J. Perry in 2002 for “classicists, biblical scholars, medievalists, and linguists.†It grounds the design with a bit of sophistication but should be easy to swap out with the typography management features coming in 6.4.
The initial previews of the theme don’t stray far from many of the traditional website designs you might see browsing businesses or portfolios. It leans more towards providing an invisible framework for the user’s own creations, instead of pushing a single, opinionated design. This design lets the Site Editor and design controls shine as tools that can unlock human creativity on the screen. So far it has received positive feedback on the WordPress.org announcement. Check out the post for more images/video, and information on how contribute to Twenty Twenty-Four’s development.
