EDITS.WS

Author: Sarah Gooding

  • WordPress Plans Ambitious Admin UI Revamp with Design System, Galvanizing Broad Support from the Developer Community

    WordPress’ admin is on deck for a long-awaited makeover after Gutenberg lead architect Matías Ventura published plans for a revamped admin design as part of the Phase 3: Collaboration road map.

    “As WordPress turns twenty years old, the overall aim of this work is to improve upon this experience at a foundational design level, giving plugins and users more control over the navigation while ensuring each WordPress experience is recognizable, intuitive, accessible, and delightful,” Ventura said.

    His post is a follow-up to some earlier admin concepts he published a year ago, which evolve the admin towards more fluid browsing and editing flows. This is similar to the block editor design that positions the admin frame as a shell that wraps around a canvas that contains the content in a zoomed state. Instead of users clicking back to access navigation tools, the tools remain present but outside of the canvas view.

    Although contributors have not yet officially produced any designs for the project, Ventura shared a light version of an admin concept.

    One aspect of the proposed plans that has energized the developer community is the prospect of the admin getting rebuilt with an extensible design system.

    “This effort is also an opportunity to formalize the design primitives and interaction paradigms that are part of the UI component system begun in wordpress/components,” Ventura said.

    “A crucial aspect is to ensure WordPress itself is built with the same pieces and APIs that plugin authors can use. Aside from color themes, our set of primitive components also need to work in dense environments like the editor, as well as environments that need more breathing room and focus like admin sections. Density, clarity, usability, and accessibility are paramount.”

    image credit: Matias Ventura – Admin Design

    The admin design concepts have renewed developers’ excitement about the future of WordPress, but they are also hoping this revamp will solve several long-standing problems with the interface.

    One recurring theme in the feedback was the need to find a way to curb the pollution of top-level menus and the out-of-control admin notices, which plugin developers hijack in the absence of a standard notification system.

    “It’s really about aligning APIs, ensuring we have semantic descriptions of capabilities, and offering the right levels of controls for both plugins and users,” Ventura said.

    “I know it’s a fairly limited example, but there’s a nice balance in the ability to pin or unpin plugin sidebars on the editor, from the perspective that plugins can be opinionated, and users can still interact with those opinions.”

    Another challenge that concerns developers is ensuring the new design adequately accommodates WordPress sites with large numbers of posts, pages, categories, menus, comments, and other things that can easily overwhelm a UI that was intended to be simplified.

    “As part of leveraging the components across the admin interface, we need to address functional gaps (like table and list views, bulk editing operations, etc) and assist plugin needs for anything that might not be already addressed that should be addressed,” Ventura said. “Ultimately, the design library needs to be showcased in the wordpress.org website as a clear resource for people building upon WordPress.”

    Developers who participated in the comments were optimistic about the project and reacted positively to the concepts Ventura shared.

    “I often say, white space is where the magic happens,” WordPress designer and developer Brian Gardner said.

    “The light admin concept is breathtaking and gets me even more excited than I am now about the future of WordPress.”

    Several developers commented on how eagerly they are awaiting an update to a modern UI that reduces the number of page refreshes.

    “Wow! It’s gonna be amazing!” WPMarmite founder Alex Borto said. “A complete admin fluid browsing experience is much needed. I dream of navigating through the admin area without any page loads!”

    For years, WordPress developers have been expected to try to match WordPress’ dated admin UI on their settings pages, and the Yoast SEO plugin drew criticism when it released version 20.0 with a new modern interface. Many users are not keen on plugins building their own UI in the admin, as it can make things more confusing. Having a standard set of UI components would make things easier for developers who are extending WordPress.

    “This gives me great optimism about securing the next 20 years of WordPress’s success,” WordPress developer Mike McAlister said. “The fact that you can do anything with WordPress is incredible, it’s probably our biggest strength.

    “But without standardized design patterns for the admin, we’ve seen that devolve into a UI/UX headache with plugin and theme developers baking their own experiences inside WordPress. Reining this in and creating a unified experience for everyone to buy into will not only make it easier on product creators, it will also be a huge win for users.”

    Ventura said this document is just an outline of the admin design project and that it will be followed up with more in-depth design explorations further down the road.

  • All-In-One Security Plugin Patches Sensitive Data Exposure Vulnerability in Version 5.2.0

    All-In-One Security (AIOS), a plugin active on more than a million WordPress sites, was found to be logging plaintext passwords from login attempts in the database and has patched the security issue in version 5.2.0.

    In a post titled “Cleartext passwords written to aiowps_audit_log” published to the plugin’s support forum two weeks and five days ago, @c0ntr07 reported the issue:

    I was absolutely shocked that a security plugin is making such a basic security 101 error (not to mention being out of compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, ….)

    How can I stop the logging of clear text passwords?

    How can this be fixed so we don’t fail the upcoming security review and audit by our third-party compliance auditors?

    A support representative from AIOS confirmed that it was a known bug in the last release and offered a development copy of a zip file with a fix. It took more than two weeks for the patch to be published.

    In version 5.2.0, released on July 10, 2023, AIOS included the following security updates in the plugin’s changelog:

    • SECURITY: Remove authentication data from the stacktrace before saving to the database
    • SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.

    Users are advised to update to version 5.2.0+ immediately in order to secure their sites. At the time of publishing, almost no users have updated to 5.2.0+, leaving hundreds of thousands of users who are running 5.1.9 still vulnerable.

    “So far the developer haven’t even told the users to change all passwords,” Patchstack CEO Oliver Sild said in response to the issue on Twitter. “Due to the scale, we will 100% see hackers harvest the credentials from the logs of compromised sites that run (or has run) this plugin.

    “We have also sent out vulnerability alert to all Patchstack users. Hopefully the Updraft team will do the same and will tell their security plugin users to clean those logs ASAP and ask all the site users to change the passwords where ever they used the same combinations.”
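    The changelog entry above describes removing authentication data from a stack trace before it is saved. As an added illustration that is not AIOS's own patch, the following scrubs credential arguments from a PHP backtrace before it is written to a log table; the function and key names it watches for are assumptions drawn from WordPress's login path.

```php
<?php
// Added example, not AIOS code: strip credentials out of a PHP backtrace
// before it is persisted to an audit-log table. The function and key names
// below are assumptions chosen to cover WordPress's login path.

// Functions whose positional arguments carry a password (assumed list).
const CREDENTIAL_FUNCTIONS = ['wp_authenticate', 'wp_signon', 'wp_check_password', 'wp_set_password'];
// Array keys whose values are credentials, e.g. in wp_signon()'s $credentials array or $_POST.
const CREDENTIAL_KEYS = ['user_password', 'pwd', 'password', 'user_pass', 'pass1', 'pass2'];

/** Recursively replace credential values inside an argument list. */
function redact_credentials($value) {
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = (is_string($key) && in_array(strtolower($key), CREDENTIAL_KEYS, true))
                ? '[REDACTED]'
                : redact_credentials($item);
        }
        return $value;
    }
    if (is_object($value)) {
        // Objects such as WP_User may carry hashes or tokens; keep only the class name.
        return '[object ' . get_class($value) . ']';
    }
    return $value;
}

/** Return a copy of a debug_backtrace() result that is safe to store. */
function sanitize_backtrace(array $trace): array {
    foreach ($trace as $i => $frame) {
        if (!isset($frame['args']) || !is_array($frame['args'])) {
            continue;
        }
        if (isset($frame['function']) && in_array($frame['function'], CREDENTIAL_FUNCTIONS, true)) {
            // Every positional argument of a credential function is dropped,
            // so a password passed as a bare string cannot slip through.
            $trace[$i]['args'] = array_fill(0, count($frame['args']), '[REDACTED]');
        } else {
            $trace[$i]['args'] = redact_credentials($frame['args']);
        }
    }
    return $trace;
}

// Constructed sample: the shape debug_backtrace() yields during a failed login.
$trace = [
    ['function' => 'wp_check_password', 'args' => ['hunter2', '$P$BfakehashXXXXXXXX', 7]],
    ['function' => 'wp_authenticate',   'args' => ['alice', 'hunter2']],
    ['function' => 'wp_signon',         'args' => [['user_login' => 'alice', 'user_password' => 'hunter2', 'remember' => false], '']],
    ['function' => 'do_action',         'args' => ['wp_login_failed', 'alice']],
];

$safe = sanitize_backtrace($trace);
$serialized = json_encode($safe);

// The stored record must contain neither the password nor the stored hash.
assert(strpos($serialized, 'hunter2') === false);
assert(strpos($serialized, '$P$B') === false);
// Non-secret context (which hook fired, which account was tried) is preserved.
assert(strpos($serialized, 'wp_login_failed') !== false);
echo $serialized, PHP_EOL;
```

    The simpler alternative is to capture the trace with debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) so that no argument values are recorded at all; the sanitizer above is for cases where some arguments are wanted for diagnosis.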

  • WordPress Selects Inaugural Cohort to Launch Experimental Mentorship Program

    WordPress’ Community Team kicked off its experimental mentorship program this week, announcing that the inaugural cohort has been assigned to a group of mentors who will guide them forward on project contribution across various teams.

    “Our mentors offer 1:1 support to each contributor in our cohort,” Automattic-sponsored Community Team contributor Hari Shanker R said. “These mentors check-in with mentees each week to offer them support and guidance on the program and to answer any questions that they may have.”

    Mentees graduate from the program after completing self-directed courses, participating in “learn-up” sessions, selecting a contributor team, and making an initial contribution to the team. Optionally, mentors may guide their mentees through a three-month contribution plan. The goal is to create new ongoing contributors through the program.

    A group of 13 mentees have been selected from 50 applications and will participate across eight teams, including Core, Training, Community, Documentation, Photos, Test, Polyglots, and Support.

    “While our group is not in a position to assign mentors to everyone, the activities and tasks of our cohort will be shared in the newly-formed #contributor-mentorship channel of the Make/WordPress Slack, where interested folks can join most of our contributing sessions and onboarding sessions which will also be shared widely with our community.”

    Other open source projects, such as Drupal, have supported mentoring programs that have been used to successfully engage new contributors at events, inspire more collaboration, and foster a learning environment.

    Earlier this year the Linux Foundation published a report from a recent study on Mentorship in Open Source. It surveyed more than 100 mentees from the LFX Mentorship graduating class of 2020 and 2021, and 99% reported the program was beneficial. Nearly half of the graduates (47%) said it helped them get a job.

    The report explores the additional benefits of mentorship programs beyond increasing contribution to the open source project itself. Quality mentorship programs can have an economic and career impact on mentees, as well as increase diversity across the project and help new contributors get more connected to the community.

    WordPress’ Community team has already invested time from 22 facilitators and 13 mentors in getting the program launched. The structure offers a somewhat more formal experience similar to a short internship, but it’s still in the early stages and may change based on feedback from participants.

    “This program is an experiment—our hope is to learn as much as possible from the same to improve mentorship in the WordPress project and to support and empower more contributors,” Shanker said.

  • State of Digital Publishing to Host WordPress Publishers Performance Summit, July 27, 2023

    The State of Digital Publishing, a startup market research publisher focused on digital media, is hosting an online event called WordPress Publishers Performance Summit (WPPS) on July 27, starting at 2PM EST. The organization’s mission is to help publishers develop sustainable business models through education, guides, online courses, and other resources. They have partnered with Multidots, a WordPress development agency and WordPress.com VIP Gold Partner, who is sponsoring the event.

    WPPS will feature 10 panelists speaking on best practices for managing and optimizing the performance of WordPress publishing sites. Panelists have been selected from high performance teams at The Boston Globe, Forbes, Multidots, WordPress.com VIP, Parse.ly, and other publishers.

    The schedule includes four 40-minute sessions over the span of four hours:

    • How to do less: evaluate your website’s performance and metrics
    • Reasons why your Core Web Vitals are not passing
    • Successfully securing and scaling WordPress
    • Improving publishing workflow – the threats and opportunities ahead

    These sessions will be aimed at editorial and content strategists, SEO specialists, ad tech and integration professionals, and others working in the publishing industry.

    WPPS is free and attendees can register on the event’s website. Unlike many other virtual events, the organizers do not plan to record the sessions so those who are interested will need to watch them live. Participants will have the opportunity to ask questions and have them answered by the panel. Those who are unable to attend live can sign up on the website to receive an ebook with the panelists’ recommended WordPress best practices that were shared at the event.

  • WordPress 6.3 Makes the “Edit Site” Link Open the Current Template

    WordPress 6.3 will make site editing several clicks faster for users who are moving from the frontend to edit the corresponding template. When you click the “Edit Site” link in the admin bar from a category page, for example, you currently get dumped out into the Site Editor on the home page. From here it’s several clicks more to get to the template you intended to edit. The upcoming release changes it so that the “Edit Site” link is aware of the current template.

    WordPress developer Brian Coords pointed out the fix on Twitter today. It’s a delightful bit of good news for anyone who works regularly with the Site Editor and becomes annoyed by how long it takes to click through to the applicable template. WordPress is now more context aware, delivering site editors to the correct template directly from the admin bar.

    The update applies to posts, pages, archives, 404 templates, front page, and anywhere the user happens to be on the frontend. Check out the Gutenberg issue and the related WordPress Trac ticket for more technical details on how contributors arrived at this implementation.

    This small fix is important because it removes the requirement for the user to have to know the name of the template they intend to edit. It’s now as easy as clicking directly from the frontend. The more WordPress can reduce friction and the need to have special knowledge in order to edit templates, the more accessible it becomes as a design tool for someone who is just starting out and has no framework for the idea of underlying templates.

    WordPress 6.3 is on track to be released with this fix on August 8, 2023. Beta 4 landed today with 40+ (Editor) and 60+ (Trac) updates since Beta 3, and RC 1 is expected next week.

  • MalCare, Blogvault, and WPRemote Plugins Patch Vulnerabilities Allowing Site Takeover Through Stolen API Credentials

    Snicco, a WordPress security services provider, has published an advisory on a vulnerability in the MalCare plugin, which is active on more than 300,000 sites.

    “MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites,” WordPress security researcher Calvin Alkan said.

    “Requests are authenticated by comparing a shared secret stored as plaintext in the WordPress database to the one provided by MalCare’s remote application.

    “This can allow attackers to completely take over the site because they can impersonate MalCare’s remote application and perform any implemented action.”

    These potential malicious actions include creating rogue admin users, uploading arbitrary files to the site, and installing and removing plugins.

    Exploitation requires a pre-condition to be met: a SQL injection vulnerability in a plugin, theme, or WordPress core, a database compromised at the hosting level, or some other vulnerability that allows the attacker to read or update WordPress options.

    “MalCare has received the full details of this vulnerability three months before this public release, and despite us offering (free) help, they subtly dismissed it because ‘supposedly’ this is the industry standard for API authentication,” Alkan said.

    “Furthermore, concerns were raised, because the vulnerability requires a pre-condition that on its own, would be a vulnerability.”

    Two days after Snicco published the security advisory with the proof of concept, MalCare pushed a patch in version 5.16 on July 8, 2023, along with a notice on the plugin’s blog:

    In the rare situation where a site has a pre-existing, high-severity SQL injection vulnerability, an attacker might be able to read the MalCare key. To address such issues, we are further strengthening our authentication systems.

    Authentication is a critical system and any improvements must be done in a careful manner. We have reviewed various plugins and best practices in our ecosystem to come up with our solution.

    In light of the current public discourse, we are expediting the update of our plugin. We will initiate a rollout by EOD.

    MalCare reports that its users have seen no evidence of the vulnerability being exploited.

    Snicco noted that the same vulnerability also exists in WPRemote (20k installs) and Blogvault (100k installs) plugins, as they share the same code. Users of either of these plugins or the MalCare plugin should update to the latest versions as soon as possible now that the vulnerability advisory and proof of concept have been published.
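    The advisory above turns on a shared secret that sits in the options table in plaintext and is compared directly to the value a request carries. As an added example that is not code from MalCare, Blogvault or WPRemote, the following shows that weak pattern beside a hardened variant that stores only a salted hash of the secret; the option names are assumptions, and get_option()/update_option() are stubbed so the file runs outside WordPress.

```php
<?php
// Added example, not code from MalCare, Blogvault or WPRemote: the weak
// shared-secret check the advisory describes, beside a hardened variant.
// Option names are assumptions; WordPress option functions are stubbed here.

if (!function_exists('get_option')) {
    $GLOBALS['demo_options'] = [];
    function get_option(string $name, $default = false) {
        return $GLOBALS['demo_options'][$name] ?? $default;
    }
    function update_option(string $name, $value): bool {
        $GLOBALS['demo_options'][$name] = $value;
        return true;
    }
}

// Weak: the secret itself is stored in plaintext in the options table, so any
// read access to the database (an SQL injection elsewhere, a leaked dump, a
// hosting-level compromise) hands over a working credential. The string
// comparison is also not constant-time.
function verify_remote_request_weak(string $provided): bool {
    $stored = get_option('demo_api_secret');
    return $stored === $provided;
}

// Hardened: store only a salted, slow hash of the secret; the remote service
// keeps the secret. A database read now yields a verifier that cannot be
// replayed as the credential, and password_verify() compares in constant time.
function provision_remote_secret_hash(string $secret): void {
    update_option('demo_api_secret_hash', password_hash($secret, PASSWORD_DEFAULT));
}

function verify_remote_request_hardened(string $provided): bool {
    $hash = get_option('demo_api_secret_hash');
    return is_string($hash) && password_verify($provided, $hash);
}

// Constructed demo values standing in for a real provisioning step.
$secret = bin2hex(random_bytes(32));
update_option('demo_api_secret', $secret);
provision_remote_secret_hash($secret);

// Both designs accept the genuine secret ...
assert(verify_remote_request_weak($secret));
assert(verify_remote_request_hardened($secret));
// ... and the hardened one rejects a wrong value.
assert(!verify_remote_request_hardened('not-the-secret'));

// What a database read leaks under each design:
echo "weak design leaks:     " . get_option('demo_api_secret') . PHP_EOL;
echo "hardened design leaks: " . get_option('demo_api_secret_hash') . PHP_EOL;
// The leaked hash cannot itself be presented as the credential.
assert(!verify_remote_request_hardened(get_option('demo_api_secret_hash')));
```

    Hashing only protects against an attacker who can read options; when the pre-condition also allows writing them, the stored hash can simply be replaced, so the verifier should live outside the database (for example as a constant in wp-config.php).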

  • WordPress to Host 6.3 Live Product Demo on Thursday, July 20

    WordPress 6.3 is scheduled to be released one month from today on August 8, 2023. The live product demo date and time has now been set for Thursday, July 20, at 16:00 UTC. Participants can join live via this Zoom link.

    Automattic-sponsored Gutenberg contributors Anne McCarthy and Rich Tabor will be hosting the event, moderated by Nathan Wrigley. They will highlight upcoming changes and take questions from participants during a Q&A session at the end.

    WordPress 6.3 is set to introduce an exciting array of new features – the Command Palette, content editing and distraction-free mode in the Site Editor, pattern creation, and much more. There have also been significant changes to pattern management UI as late as Beta 3. The live product demo is a good opportunity to get up to speed with a guided tour of everything new that will be landing in 6.3.

    The event will be recorded and those who cannot attend live can catch it later when it is published on WordPress.tv.

  • WordPress Unveils Plans for Real-Time Collaboration with Major Improvements to Revisions and the Media Library

    In a series of four posts, Gutenberg lead architect Matías Ventura has outlined the project’s phase 3 plans for Real-Time Collaboration, Workflows, Revisions, and the Media Library. WordPress 6.3 is set to be the final major release of Phase 2, which focused on Customization.

    Phase 3 will shift focus from the editors and move into other parts of the admin in an effort to bring seamless collaboration to WordPress.

    “The primary aim of real-time collaboration is to build functionality into the block editors so that concurrent collaboration, shared edits, and online presence of peers are possible,” Ventura said. “Supporting these workflows is not just about concurrency, though, but also about lifting restrictions that have been present in WordPress for a long time, such as locking a post when two people try to edit at the same time.”

    The technical challenges here are in making this available to all WordPress users, even those on the most economical hosting environments. Ventura shared a quick preview of what that might look like, along with the scope of the tasks that would be part of this effort.

    In the Workflows document, Ventura details collaborative features that will be part of this phase, including allowing users to add comments, suggest edits, and tag other users for peer review. These enhancements would apply to both content creation and design changes on block themes.

    There are some interesting projects listed within the scope of this section, including a publishing checklist, sharing draft links with permission controls, and exploring hook points for version control systems to take over internal revision systems if desired.

    image credit: Workflows – Matías Ventura

    Users can expect that Revisions will also be getting some major improvements as part of the Collaboration phase of the project.

    “As part of improving the overall experience, we should also go beyond document level history and explore how the interface could let users browse through single block changes and offer the ability to restore them individually rather than requiring full post restores,” Ventura said. “For global styles, we should evolve the revisions panel to allow comparing two revisions side by side. For synced patterns, we could allow browsing edit history with side by side and overlay comparison tools.”

    Long-awaited improvements to WordPress’ Media Library are also considered part of this phase.

    “The main goals are to expand the media management capabilities, unify the block edit and single media interfaces, and improve upon the major media flows,” Ventura said. He highlighted a few major areas that may get some enhancements, such as categorization and tagging, better handling of attached media, and design improvements to the library view.

    Other Media Library projects may include a revamp of the image editing interface, which remains somewhat unintuitive at this time. Ventura proposes these tools, such as cropping and thumbnail browsing, be updated to align more with the current block editor tools.

    Contributors may also be exploring contribution to the commons from WordPress, along with improvements to attribution.

    “As we look into expanding the presence and touch points of Openverse, it’d be interesting to see how contributions to the commons could work directly from a user’s WordPress install,” Ventura said. “Another area to look at is improving handling and presentation of other media types (audio, video, files) and their connection with blocks and the block APIs. We should resurface work on a native Playlist block, ideally powered by the Interactivity API.”

    Reactions to the outlined vision and scope for the Collaboration phase have so far been positive, as users and contributors are eager to see a strong focus come to some of the other parts of WordPress that have not had much attention for years. The newer real-time collaboration features, which will take WordPress beyond the days of locking posts while another person is editing, have the potential to speed up content creation and editing for groups working on the same website.

    “Very much looking forward to this phase. I think it will really enable larger teams to work on posts much easier,” WordPress developer Rich Holman commented. “I’ve mentioned this before but the ability to continue working on a published draft without the front-end updating seems important especially with more editors working on something, especially if doing more experimental edits.”

    For more details on the features being considered for this phase, check out the Phase 3 overview post, along with Ventura’s more recent write-ups on how contributors will improve and expand WordPress’ collaboration architecture with updates to Real-Time Collaboration, Workflows, Revisions, and the Media Library.

  • Hey: An Elegantly Simple WordPress Block Theme for Blogging

    Hey is a block theme designed by Automattic for users on WordPress.com and also released for free in the WordPress.org Themes Directory. It’s the kind of simple theme that enables you to quickly get started writing online, without having to configure a bunch of design elements. The homepage features a profile image (Site Logo), site title, and recent posts with dates.

    Single posts display with the feature image at the top of the post, although this template can easily be edited if this is an undesirable feature. Previous and Next post navigation appears under the post. Users can add menu items to display at the top, but clicking the site logo brings the visitor back home in the absence of a navigation menu.

    The Hey theme comes in two different styles – the default and a serif variation. Colors can be adjusted to create a more vibrant palette for the site design.

    One major drawback to this theme, which may not be immediately evident by looking at the demo, is that if users want to display more than the three most recent posts, they will need to add the pagination block inside the query loop block. It will also need to be styled to match the theme better. The query loop can be edited to show more posts on the homepage.

    Although Hey is a simple personal blog theme, it also comes packaged with templates for WooCommerce compatibility. This is likely for the benefit of WordPress.com users who may want to quickly fire up a store. Self-hosted users who want to sell products with WooCommerce will be able to easily display things like the mini-cart, customer account block, product archive, product search results, and more.

    Overall, Hey is an elegantly simple block theme with a clean design and plentiful white space. It’s suitable for the person who wants an almost blank slate to get started, or just a theme that enables writing without any distraction for the reader. Check out the live demo on WordPress.com and download Hey from WordPress.org.

  • WordPress 6.3 to Drop Support for PHP 5

    WordPress is officially dropping support for PHP 5 in the upcoming 6.3 release, which is expected on August 8. WordPress’ minimum supported version has sat at PHP 5.6.20 since 2019, but will be updated to 7.0.0 in the next release. The recommended PHP version will stay the same at 7.4+.

    “The minimum supported version was last adjusted in WordPress 5.2 in 2019, and since then usage of PHP 5.6 has dropped to 3.9% of monitored WordPress installations as of July 2023,” WordPress core developer John Blackbourn said.

    “There’s no concrete usage percentage that a PHP version must fall below before support in WordPress is dropped, but historically the project maintainers have used 5% as the baseline. Now that usage of PHP 5.6 is well below that at 3.9% and dropping by around 0.1% every few weeks, plans to increase the minimum supported PHP version can move forward.”

    Blackbourn also emphasized that WordPress’ support for PHP 8.0, 8.1, and 8.2 is “very good” and contributors may soon act on a proposal for the criteria that would enable them to remove the “beta” support label on new PHP versions. Nearly 26% of WordPress users are already running sites on PHP 8.0+.

    Prior to this minimum required version boost, some hosts had even taken matters into their own hands in urging users to get on newer versions of PHP. Dreamhost charges additional fees for sites that require extended support for PHP 7.4 and older. IONOS and Strato have similar policies.

    The decision to bump the minimum supported version is happening after a lengthy seven-month-long discussion, which surprisingly drew little resistance. Although sites that remain on PHP 5.6 cannot upgrade beyond WordPress 6.2, they will still receive security updates, as the project currently backports them to versions 4.1+. The bump to 7.0.0 for the minimum supported version will have many benefits for the WordPress ecosystem of themes and plugins, will significantly reduce memory usage for upgraded websites, and will provide better security and improvements to core tooling.

    “There are no plans to bump the minimum supported PHP version on a schedule,” Blackbourn said. “The core team will continue to monitor usage of PHP versions and work with the hosting team to encourage users and hosting companies to upgrade their versions of PHP as swiftly as possible. The 5% usage baseline will continue to be used for the foreseeable future.”