EDITS.WS

Tag: News

  • WordPress 6.2.2 Restores Shortcode Support in Block Templates, Fixes Security Issue

    WordPress 6.2.2 was released early this morning as a rapid follow-up to 6.2.1, which introduced a bug that broke shortcode support in block templates. Version 6.2.1 was also an important security release, but due to the catastrophic breakage for those using shortcodes in block templates, some users were implementing insecure workarounds or simply downgrading to 6.2 to keep critical functionality working on their websites.

    WordPress contributors worked quickly over the weekend to ensure that users can now update to 6.2.2 with their shortcodes intact. The release post identified the removal of shortcode support in the previous release as “a regression” and a bug. This is an important recognition, as shortcodes are still a tool that users frequently rely on to insert functionality from plugins that haven’t made it available as a block, as well as a necessity for things that won’t work without inline shortcodes.

    Version 6.2.2 is also a security release, as core contributor Jonathan Desrosiers said that the issue patched in 6.2.1 “needed further hardening” in this update.

    Users are advised to update immediately and automatic updates are rolling out. Many reported having turned automatic background updates off for core after 6.2.1 broke their websites. Users who did so will need to manually update as soon as possible.

  • WordPress 6.3 Development Kicks Off to Conclude Gutenberg Phase 2

    The WordPress 6.3 development cycle has begun and work is already underway on an ambitious list of features that will debut in the upcoming major release. It will cap off Phase 2 of the Gutenberg project, with an emphasis on polishing customization features and making them easier to use.

    WordPress 6.3 Editor Triage co-lead Anne McCarthy published a roadmap to 6.3 this week, which summarizes what users can expect:

    This release aims to make it easier for users to edit pages, manage navigation, and adjust styles all directly in the Site Editor. It also seeks to provide detailed, relevant information when exploring different parts of the site, such as showing the number of posts per page when viewing relevant blog templates.

    In addition to polishing and wrapping up phase 2, McCarthy’s post outlines the new features that are coming. Here are a few of the highlights:

    This is a tentative glimpse at some of the user-facing features that may be coming in WordPress 6.3, but the roadmap includes many more items, screenshots, and quick demos.

    “As always, what’s shared here is being actively pursued, but doesn’t necessarily mean each will make it into the final release of WordPress 6.3,” McCarthy said.

    Gutenberg Lead Architect Matías Ventura will be leading WordPress 6.3. Beta 1 is expected in a little more than a month on June 27, 2023, with RC 1 on July 18, and the general release scheduled for August 8.

  • WCEU 2023 Publishes Schedule, Reaffirms Commitment to Diversity

    WordCamp Europe 2023 takes place in Athens on June 8-10, just under three weeks from now. More than 2,700 tickets have been purchased and 527 remain, along with 49 micro-sponsor tickets.

    Speaker announcements have concluded and the official schedule was published today. WCEU will be running three tracks of presentations and two tracks for workshops. Organizers have also announced a Wellness Track that will feature different activities throughout the day, including a Yoga class, a Tai Chi class, and a group hike.

    “The Wellness Track is an important addition to WordCamp Europe because we need to find a balance and be more focused on taking care of our minds and bodies, taking care of the whole community and in turn the one world we have to live in,” organizer Ohia Thompson said.

    “This means seeing our interconnectedness and moving forward with a focus on wellbeing, diversity, and sustainability. The Wellness Track this year is just the beginning of a more intentional future for everyone connected to WordPress.”

    Last year the team hosting the event in Porto was called out for a lack of diversity on the organizing team, which performs critical tasks like selecting speakers and managing a speaker support program. In what appears to be an echo back to that controversy, a public interaction on Twitter earlier this month caused community members to question the organizing team.

    WCEU was once again forced to reaffirm its commitment to diversity after Sjoerd Blom, one of the Global organizers, accused StellarWP’s Director of Community Engagement, Michelle Frechette, of “being prejudiced” when she questioned the lack of diversity in the first few rounds of speaker announcements.

    Blom has since publicly apologized for his response to the criticism this week, reiterating that diversity matters to the team, but only after WCEU received overwhelmingly negative feedback regarding the incident.

    WordCamp Europe has not yet published anything to mitigate the effects of this public altercation but damage control measures are likely in the works, as Blom indicated a more official response will be coming from the team.

  • WordPress Is Developing a Command Center for Quick Search and Navigation Inside the Admin

    WordPress may soon be getting a Command Center, which would function as a quick search component for navigating to other areas of the admin, and would also be capable of running commands. The feature was introduced in Gutenberg 15.6 under the Experimental flag and currently has limited use in the Site Editor context while navigating and editing templates.

    The Command Center project is intended to be expanded to the whole of wp-admin in an extensible way so plugin developers can register their own commands. This would also allow for AI-powered extensions to expedite design, content, and layout creation.

    “One aspect worth highlighting is the proposed API to interact with the command center,” Gutenberg engineer Riad Benguella said in a post requesting feedback on the project. “The command center has been developed as an independent @wordpress/commands package. It offers APIs to render and register commands dynamically. These extension points allow plugins to inject any commands of their liking and opens the door for interactions with LLMs.”

    Benguella shared a video of the prototype navigating between templates and template parts in the Site Editor:

    Feedback so far has been generally positive, but contributors on the project will need to provide real examples of the Command Center’s benefits before some will see the feature as more than a fancy shortcut for power users.

    “Neat, but I’m unclear what practical problem this actually solves?” WordPress developer Jon Brown said.

    “Currently there is a clear easy to find and use drop down at the top center of the editor. Are people really having problems using that? This seems to complicate things where users have to know the names of the items to type them in. Does the average user know to type in ‘post meta’ to edit that?

    “There are a couple of plugins that have done this admin wide, which again, while neat, seem better aimed at power users that already know what they’re looking for.”

    Benguella responded that the Command Center is being developed as “a complementary UI tailored specifically for average and power users,” and that users would not be required to remember technical terms in order to use it.

    Other participants in the conversation asked that contributors consider not releasing the Command Center in WordPress until it can serve contexts beyond just the Site Editor.

    “Initially we’ve added the command center to both post and site editors but I expect that we’ll be adding to all WP-Admin once we’ve proved its behavior and APIs,” Benguella responded. The API is currently still in the experimental stage in Gutenberg and it’s not yet known if expansion to wp-admin would be added before or after the Command Center lands in the next version of WordPress.

    “Love the concept, hate that it’s limited to the Editor,” WordPress developer Dovid Levine said.

    “This would ideally be implemented holistically – either as part of a push to modernize the long-neglected dashboard or API efforts to interact with GB data outside of the Editor. We’ve seen how slow developer adoption is when done the other way (GB first/only) – and worse, how painful it is for the early adopters/advocates if/when considerations beyond the Editor are finally taken into account.”

    The first milestone, powering quick search for content and templates in the editor, is outlined on GitHub where contributors can track the progress. The Command Center will also be tested in the future as part of the FSE Outreach Program. Benguella is requesting feedback on the feature and its API on the post published to the core dev blog, specifically regarding the user experience and whether the APIs detailed in the post are capable enough to address third-party use cases.

  • WordPress 6.2.1 Update Breaks Shortcode Support in Block Templates

    WordPress 6.2.1 was released yesterday and rolled out to sites with automatic background updates enabled. The update included five important security fixes. Ordinarily, a maintenance and security release can be trusted not to break a website, but many users are struggling after 6.2.1 removed shortcode support from block templates.

    A support forum thread tracking the broken shortcodes issue shows that this change affects how plugins display things like breadcrumbs, newsletter signup forms, WPForms, Metaslider, bbPress content, and more. The problem is limited to shortcodes placed in block theme templates; sites running classic (non-FSE) themes are not affected.

    “It’s absolutely insane to me that shortcodes have been removed by design!” @camknight said in the support forum discussion. “Every single one of our agency’s FSE sites uses the shortcode block in templates for everything: filters, search, ACF & plugin integrations. This is chaos!!”

    Another user, @asjl, reports having this update break hundreds of pages.

    “I’ve got the same problem on over 600 pages which use five or six different templates with shortcodes in each template on one site and similar things on several others,” @asjl said.

    “I’m looking forward to editing each of those pages to get the shortcode back in place. Or backtracking to 6.2 and turning off updates.”

    It’s not clear why shortcode blocks that are in block theme template parts still work, but this is one workaround that has been suggested to users. In a trac ticket for the issue others have suggested adding a PHP file for a plugin called “Shortcode Fix” to the plugins folder, but this workaround reintroduces the security issue.
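    The vulnerability 6.2.1 patched, and the warning above about the “Shortcode Fix” workaround, both come down to ordering: if shortcode expansion runs over the fully rendered template output, it also runs over text contributed by untrusted users, such as comment bodies rendered into that template, and HTML escaping does nothing to stop it because `[` and `]` are not HTML-special characters. The following PHP is an added illustration of that bug class and its straightforward hardening; it is not WordPress core’s code. When WordPress is loaded it uses the real `add_shortcode()`, `do_shortcode()` and `esc_html()`; otherwise it defines minimal stand-ins (supporting only `[tag]`-style shortcodes) so the file runs with plain `php`. The `admin_email` shortcode, the template fragment and the comment text are constructed for the demonstration.

```php
<?php
// Added example: the bug class behind "block themes parsing shortcodes in user generated data".
// Not WordPress core code. The stand-ins below exist only so the file runs without WordPress.

if ( ! function_exists( 'add_shortcode' ) ) {
	$GLOBALS['demo_shortcode_tags'] = array();

	function add_shortcode( $tag, $callback ) {
		$GLOBALS['demo_shortcode_tags'][ $tag ] = $callback;
	}

	// Minimal stand-in: expands registered [tag] occurrences and leaves unknown tags untouched.
	function do_shortcode( $content ) {
		return preg_replace_callback(
			'/\[([a-z0-9_-]+)\]/',
			function ( $m ) {
				if ( ! isset( $GLOBALS['demo_shortcode_tags'][ $m[1] ] ) ) {
					return $m[0];
				}
				return (string) call_user_func( $GLOBALS['demo_shortcode_tags'][ $m[1] ], array(), '', $m[1] );
			},
			$content
		);
	}

	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

// Shortcodes a site might have registered. Shortcodes carry no capability check of their own:
// whoever gets "[admin_email]" into a string that do_shortcode() later processes gets its output.
add_shortcode( 'copyright_year', function () {
	return gmdate( 'Y' );
} );
add_shortcode( 'admin_email', function () {
	return 'admin@example.invalid'; // constructed stand-in for a value only editors should expose
} );

// Constructed inputs: the footer is template-author content; the comment is attacker-controlled.
$template_footer = '<footer>&copy; [copyright_year]</footer>';
$comment_text    = 'Nice post! [admin_email]';

// Vulnerable ordering: assemble the whole page, user content included, then expand shortcodes
// over all of it. esc_html() does not help, because "[" and "]" are not HTML-special.
// A workaround that re-applies do_shortcode() to the entire template output has this shape.
function render_vulnerable( $template_footer, $comment_text ) {
	$html = '<li class="comment">' . esc_html( $comment_text ) . '</li>' . $template_footer;
	return do_shortcode( $html );
}

// Hardened ordering: expand shortcodes only in fragments the template author wrote, and only
// before untrusted text is concatenated in. The commenter's "[admin_email]" stays literal text.
function render_hardened( $template_footer, $comment_text ) {
	$footer = do_shortcode( $template_footer );
	return '<li class="comment">' . esc_html( $comment_text ) . '</li>' . $footer;
}

echo "vulnerable: " . render_vulnerable( $template_footer, $comment_text ) . "\n";
echo "hardened:   " . render_hardened( $template_footer, $comment_text ) . "\n";
```

    Run it with `php` on the command line: the vulnerable rendering expands the commenter’s shortcode inside the comment markup, while the hardened rendering keeps it as literal text and still expands the template author’s own shortcode. Any fix that restores shortcodes in block templates has to preserve that separation, which is why simply running shortcode processing over the whole template output again reintroduces the problem.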

    Other users are being forced to revert to previous insecure versions of WordPress in order to keep critical functionality on their sites working. WordPress developer Oliver Campion commented on the Trac ticket with more details about how sites are currently using shortcodes in templates:

    This update has been nothing short of a disaster. I cannot understand how there was no warning of such a destructive, automatic roll out!

    We have managed to rollback affected sites to v6.2 and block automatic core updates until there is a suitable solution, which we hope is imminent due to the reported security issues!

    Shortcode Blocks, in our opinion, are absolutely essential to the design process when using Block Themes.

    We use them to inject classic menus that can have dynamic menu items (such as sign out), dynamic header content, specialized loops and footer content that’s as simple as showing the current year in the copyright statement to showing a contact form or other such dynamic content. And that’s just what I can think of from the top of my head.

    An unfortunate consequence of this update is that it has destroyed many users’ confidence in WordPress’ automatic updates. This kind of breaking change should never happen in a release that auto installs overnight.

    Even if it’s absolutely necessary to avoid a zero-day vulnerability on WordPress sites, discontinued shortcode support in block templates should have been accompanied by more information to help affected users find a solution.

    The only communication users received about this was a short, inadequate note on the vulnerability in the 6.2.1 release post “Block themes parsing shortcodes in user generated data.”

    Fixing all of these shortcode uses on websites that heavily rely on them would already have been a challenge for many, even with advance notice. Shipping this breaking change in an automatic update, without a proper explanation of how it impacts users, only served to twist the knife.

    During today’s core dev meeting, WordPress 6.2.1 co-release lead Jb Audras said this issue may prompt a quick 6.2.2 release but the details are not yet available.

    “As you may know, one security fix led to an important issue with shortcodes used in templates,” Audras said. “The issue is currently actively discussed in the Security Editor team, and some hypotheses have been made to sort this out in a quick follow-up release.

    “No schedule available for now – it will depend on the follow-up patch currently discussed by the Editor team.”

    In the meantime, those who cannot employ a workaround and are looking to roll back to 6.2 can use the WP Downgrade plugin as a temporary fix, with the knowledge that this leaves the site exposed to the five vulnerabilities fixed in 6.2.1 until a permanent solution can be put in place.

  • WordPress 6.2.1 Released with Fixes for 5 Security Vulnerabilities

    WordPress 6.2.1 was released today. Those with automatic background updates enabled should see a notice in their email, as updates rolled out earlier today.

    This is a maintenance and security release that includes important fixes for five security vulnerabilities outlined by core contributor and release co-lead Jb Audras:

    • Block themes parsing shortcodes in user generated data
    • A CSRF issue updating attachment thumbnails
    • A flaw allowing XSS via open embed auto discovery
    • Bypassing of KSES sanitization in block attributes for low privileged users
    • A path traversal issue via translation files

    The patches were backported to WordPress 4.1. Now that these vulnerabilities are public, it’s recommended that users update immediately.

    WordPress 6.2.1 also includes 20 core bug fixes and 10 fixes for the block editor, all detailed with ticket numbers in the release candidate post.

  • New Proposal Looks to Retire Older WordPress Default Themes

    WordPress is approaching its 20th anniversary, and for the majority of those years, contributors have cranked out a new default theme. Even though the structure and supported features of default themes have drastically changed over the years, contributors are still actively maintaining all 13 of the “Twenty” themes.

    A new proposal on WordPress.org recommends winding down active maintenance on older themes and implementing a new system of requirements for retiring them.

    “The level of effort to support 13 themes is not insignificant, especially in the times of the rapidly evolving block editor,” Bluehost-sponsored core contributor Jonathan Desrosiers said. “The burden of maintaining these themes has historically fallen on the Core team to ensure they continue to receive any needed updates.” These tasks include things like ensuring compatibility with newer PHP versions, fixing bugs, updates and deprecations of dependencies, security updates, and much more.

    “Because there are so many, it’s not uncommon for it to take several months before older default themes properly support newer features added in WordPress Core,” Desrosiers said. “Additionally, themes created prior to the existence of certain APIs are often unable to fully take advantage of these new features (global styles, block patterns, etc.).”

    Desrosiers contends that reducing the support burden on contributors will allow them to focus on ensuring the most modern block-based themes deliver the best experience.

    “It also helps clear the path for work on new block theme-focused experiments and initiatives (such as the Community Themes Initiative) attempting to refine the role that themes will have in the block editor era,” he said.

    Themes released through the WordPress.org account via the Community Themes Initiative, like the recent Stacks slide deck theme, will also be officially supported, adding to the load. These themes, however, have the benefit of working with the Site Editor and all the latest features WordPress offers. With limited volunteer resources, supporting older default themes doesn’t have as much upside as spending those efforts on the more modern themes.

    WordPress bundles the three most recent default themes in the latest download. This proposal seeks to retire older themes after a minimum of five years of support and when usage falls to less than 1% of all WordPress sites as determined by WordPress.org data. Using these criteria, the default themes Twenty Ten through Twenty Sixteen would be retired and only receive security updates. Desrosiers suggests a yearly assessment of usage data to determine which themes would be retired.

    The three most recent WordPress default themes would be actively maintained and contributors would continue maintaining the following themes with bug fixes, compatibility updates, and security fixes:

    • Twenty Seventeen
    • Twenty Nineteen
    • Twenty Twenty

    In addition to reducing the number of actively supported themes from 13 to 6, the proposal has other benefits, but it also has the drawback of affecting an estimated 730,000 users who will no longer receive bug fixes or compatibility updates for their themes.

    General reception to the proposal has been positive, as those using very old themes are usually looking for as few changes to their website as possible. With security updates still available to retired themes, these users would not be forced to update to a newer theme.

    The proposal was developed based on feedback and recommendations from a group of contributors. It is now awaiting feedback from the larger community. Unless the proposal needs to be significantly modified, contributors will soon move on to the practical tasks associated with retiring themes.

  • Hostinger Is Coming to WordCamp Europe

    It feels like we just got back from the festivities of WordCamp Asia 2023 in Thailand, and now WordCamp Europe 2023 is already upon us! It will take place in Athens, Greece, from 8 to 10 June.

    If you’re new to WordPress, WordCamps are offline conferences with various activities related to this open-source website publishing software. Attendees participate in presentations, workshops, networking events, booth exhibitions, contributing sessions, and more.

    This year marks the second European flagship WordCamp since the pandemic. The first was in Porto, Portugal, last year, and over 2,500 WordPress enthusiasts came by, making it the biggest WordCamp to date.

    Hostinger Is Contributing to WordCamp Europe

    Just like last year, Hostinger is proud to take part in WordCamp Europe 2023 as a Super Admin sponsor.

    WordCamps are invaluable: they allow us to engage with the WordPress community, learn more about the platform, and represent our clients. After all, 71% of websites hosted with us are based on WordPress.

    Hostinger team at the booth in WordCamp Europe 2022

    Only by understanding the users better can we improve the customer experience and provide solutions that matter. For example, we’ve prioritized the inclusion of LiteSpeed Object Cache in our hosting plans because our clients kept asking for it and stressing its importance.

    At WordCamp Europe 2023, connecting with our users and other WordPress enthusiasts remains our top priority – we’ll seek candid feedback about our products and answer any questions.

    a Hostinger team member having a conversation with customers at the booth during WordCamp Europe 2022

    We also want to identify how we could further contribute to developing the WordPress ecosystem.

    Hostinger is already involved in the Five for the Future initiative, where individuals and companies contribute resources to support WordPress’ growth. So far, Hostinger has been sponsoring contributors across nine teams, including Core, Community, and Documentation.

    What’s awesome is that every WordCamp has a Contributors’ Day. It allows the attending contributors across various teams to work together. We’re excited to finally meet the people we collaborate with virtually! We’re very keen to brainstorm and learn from one another.

    Hostinger team members contributing to WordPress at WordCamp Europe 2022's Contributors Day

    Why You Should Come to WordCamp Europe

    WordCamps are events that bring together local WordPress communities. Usually, they are held for around one to two days.

    But WordCamp Europe is a flagship WordCamp – a big gathering that spans three days and covers a broad geographical area. This larger scale means there are more activities you can join and more opportunities to socialize with fellow WordPress enthusiasts. Currently, there are three flagship WordCamps – Europe, Asia, and the US.

    Arnas Stuopelis, Hostinger's CEO, joining Contributors Day in WordCamp Europe 2022

    In general, flagship WordCamps are the best places to learn more about WordPress technology and community. They’re where you can better understand the platform’s ins and outs, including current trends, use cases, and how to make the most of WordPress.

    Hostinger's CMO, Daugirdas Jankus, having a conversation with Jonathan Wold

    WordCamps are also perfect for connecting with people you share interests with. Despite what some may believe, you don’t have to have solid coding knowledge to get the best out of WordCamps. Everyone’s welcome – hobbyists, casual enthusiasts, and those whose work revolves around website development, digital publication, and marketing.

    Love photography? You can meet fellow moment-hunters who contribute photos to the WordPress Photo Directory. Excited to learn more about themes? You can chat with theme creators or find ways to contribute to WordPress theme development yourself. If you want to expand your business network, you can also meet other tech professionals and agencies here.

    WordPress's co-founder, Matt Mullenweg, delivering a talk on stage in WordCamp Europe 2022 together with WordPress's Executive Director, Josepha Haden Chomphosy

    Consequently, WordCamps feature sessions on all aspects of WordPress. For example, WordCamp Europe 2022 included the Accessibility for Dyslexia talk by Maja Benke and the Growing in WordPress Through Partnerships session by Jonathan Wold.

    Usually, the sessions are held at three different tracks simultaneously. You might want to attend talks booked at the same time – you’ll have to choose!

    Just remember to take a break and take advantage of other WordCamp experiences, like meeting new people and jumping into spontaneous discussions. They make WordCamps unique, so enjoy them while you can!

    Where You Can Find Us

    Coming to WordCamp Europe 2023? We’re excited to meet you and talk about all things WordPress and beyond.

    Check out the map below to find our violet booth! We’ll be situated right next to the Atrium, beside Jetpack. See you there!

    map of Hostinger's booth location in WordCamp Europe 2023

    The post Hostinger Is Coming to WordCamp Europe appeared first on Hostinger Blog.

  • ACF Plugin’s Reflected XSS Vulnerability Attracts Exploit Attempts Within 24 Hours of Public Announcement

    On May 5, Patchstack published a security advisory about a high severity reflected cross-site scripting (XSS) vulnerability in ACF (Advanced Custom Fields), potentially affecting more than 4.5 million users. WP Engine patched the vulnerability on May 4, but the Akamai Security Intelligence Group (SIG) is reporting that attackers began attempting to exploit it within 24 hours of Patchstack’s publication.

    “Once exploit vector details are publicly released, scanning and exploitation attempts rapidly increase,” Akamai Principal Security Researcher Ryan Barnett said. “It is common for security researchers, hobbyists, and companies searching for their risk profile to examine new vulnerabilities upon release. However, the volume is increasing, and the amount of time between release and said growth is drastically decreasing. The Akamai SIG analyzed XSS attack data and identified attacks starting within 24 hours of the exploit PoC being made public.

    “What is particularly interesting about this is the query itself: The threat actor copied and used the Patchstack sample code from the write-up.

    Patchstack’s security advisory includes a breakdown of the vulnerability, sample payload, and details of the patch.

    Although the vulnerability, assigned CVE-2023-30777, was promptly patched, and WP Engine alerted its users the same day, site owners have been slow to update to the latest, patched version of the plugin (6.1.6). Only 31.5% of the plugin’s user base are running version 6.1+, leaving a significant portion still vulnerable unless they are protected by additional security measures like virtual patches.

    “Exploitation of this leads to a reflected XSS attack in which a threat actor can inject malicious scripts, redirects, ads, and other forms of URL manipulation into a victim site,” Barnett said. “This would, in turn, push those illegitimate scripts to visitors of that affected site. This manipulation is essentially blind to the site owner, making these threats even more dangerous.”

    Barnett noted that attackers using the sample code from Patchstack indicates these are not sophisticated attempts, but the comprehensive security advisory makes vulnerable sites easy to target.

    “This highlights that the response time for attackers is rapidly decreasing, increasing the need for vigorous and prompt patch management,” Barnett said.
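    Reflected XSS of the kind described here is a request parameter echoed back into the page without escaping; in wp-admin the victim is an authenticated user who is made to open a crafted link, and the injected script then runs with that user’s privileges. Patchstack’s advisory holds the actual ACF details, and the code below is not ACF’s: it is an added illustration of the bug class and its fix, using a hypothetical `admin_body_class` callback, a hypothetical `demo_view` request parameter and hypothetical output sinks. The stand-ins for `esc_attr()` and `sanitize_html_class()` are defined only when WordPress is not loaded, so the file runs with plain `php`; the payload is constructed.

```php
<?php
// Added example: a request parameter reflected into an HTML attribute, vulnerable and hardened.
// Not ACF's code; the callback, the "demo_view" parameter and the sinks are hypothetical.

if ( ! function_exists( 'esc_attr' ) ) {
	// Stand-in for WordPress esc_attr(): HTML-escape for use inside a double-quoted attribute.
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'sanitize_html_class' ) ) {
	// Stand-in for WordPress sanitize_html_class(): keep only [A-Za-z0-9_-], else use the fallback.
	function sanitize_html_class( $class, $fallback = '' ) {
		$sanitized = preg_replace( '/%[a-fA-F0-9]{2}/', '', (string) $class );
		$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
		return ( '' === $sanitized && '' !== $fallback ) ? $fallback : $sanitized;
	}
}

// Vulnerable admin_body_class callback: the raw query-string value becomes part of the class list.
function demo_admin_body_class_vulnerable( $classes, array $query ) {
	$view = isset( $query['demo_view'] ) ? $query['demo_view'] : 'default';
	return $classes . ' demo-view-' . $view;
}

// Hardened callback: a class token is validated as a class token, not merely escaped. An
// allow-list of known views would be stricter still; sanitize_html_class() is the generic floor.
function demo_admin_body_class_hardened( $classes, array $query ) {
	$view = isset( $query['demo_view'] ) ? sanitize_html_class( $query['demo_view'], 'default' ) : 'default';
	return $classes . ' demo-view-' . $view;
}

// Two hypothetical sinks for the filtered string. The first trusts it; the second escapes at
// output, the other half of the defence, which catches any callback that forgot to sanitize.
function demo_body_tag_trusting( $classes ) {
	return '<body class="wp-admin ' . $classes . '">';
}
function demo_body_tag_escaped( $classes ) {
	return '<body class="wp-admin ' . esc_attr( $classes ) . '">';
}

// Inside WordPress, the hardened callback would be attached like this (real hook, hypothetical callback).
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'admin_body_class', function ( $classes ) {
		return demo_admin_body_class_hardened( $classes, $_GET );
	} );
}

// Constructed payload: closes the attribute and the tag, then injects an element with a handler.
$query = array( 'demo_view' => '"><img src=x onerror=alert(1)>' );

echo "vulnerable callback, trusting sink:\n  " . demo_body_tag_trusting( demo_admin_body_class_vulnerable( '', $query ) ) . "\n";
echo "vulnerable callback, escaping sink:\n  " . demo_body_tag_escaped( demo_admin_body_class_vulnerable( '', $query ) ) . "\n";
echo "hardened callback, trusting sink:\n  " . demo_body_tag_trusting( demo_admin_body_class_hardened( '', $query ) ) . "\n";
```

    Only the first combination produces markup in which the payload escapes the attribute; escaping at the sink neutralises the quote and angle brackets, and sanitizing in the callback reduces the value to a harmless class token before it ever reaches the sink. Either layer alone stops this payload, which is why both are worth having: the sink cannot know which filter callbacks forgot to validate, and the callback cannot know how the string will be embedded.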

  • Themeum Acquires Kirki Customizer Framework Plugin

    Themeum, a WordPress theme and plugin company founded in 2013, has acquired the Kirki Customizer Framework plugin from its former developer, David Vongries. In April 2023, Vongries announced he was sunsetting the product and discontinuing development. He put the plugin up for sale for $30K and sold it for just under the asking price.

    “I met the Themeum team at WordCamp Europe in 2019 and have fond memories of our encounter,” Vongries said. “They reached out to me immediately after the blog post was published on the Tavern, where I expressed my search for a new home for Kirki.

    “Themeum is a major player in the WordPress world and I truly believe they’ll be a fantastic fit for Kirki. They have the resources to take the plugin to the next level and give it the attention it deserves.”

    Rayhan Arif, Assistant Vice President of Business Development at Themeum, is expecting the Kirki plugin to come under the profile of Themeum on WordPress.org shortly. Themeum is the company behind Tutor LMS, Qubely – Advanced Gutenberg Blocks, and nearly a dozen other smaller plugins.

    “Since 2012, we have been deeply involved in creating a similar product on another platform,” Arif said. “Our past experiences have equipped us with the necessary skills and knowledge that we believe will greatly enhance the value of this plugin. With this improvement, developers will find it easier to add customization options to their WordPress themes. In a sense, this feels like a homecoming product for us.”

    Vongries reported that support on the plugin was “basically zero,” despite there being more than 600,000 active installs. This makes sense as it is a framework geared towards developers. The majority of the plugin’s users have installed the free version from WordPress.org.

    “There are only a handful of Kirki PRO customers,” Vongries said, although some had grown unhappy with Kirki’s lack of development before the acquisition.

    Themeum does not have any block-based theme products at this time, so this Customizer-dependent plugin fits in with the company’s catalog.

    “Our initial focus will be on enhancing the plugin, after which we will undoubtedly proceed with integrating it into our themes,” Arif said.

    “We are considering making certain adjustments to our pricing or business model, all with the intention of benefiting both existing and future customers. For example, we might substantially decrease the price.”

    Existing users may be concerned about the product changing hands, but Arif said it’s unlikely they will experience significant changes.

    “The acquisition is unlikely to bring about any negative implications for users,” he said. “The only perceptible change will be that product maintenance will now be handled by a professional team, well-versed in technology and carrying a wealth of experience.”