At the monthly WordPress user group I run here in Manchester, UK, I normally give a quick round-up of the latest WordPress news. This month I decided to share it with the wider world.
Update: I’ve added the audio-only version of this round-up. You can listen to it here. Just click on the player.
Update 2: There are now subtitles in English for the video. Click the “CC” button on the video player. You can also find a transcript at the bottom of this page.
(Links to places mentioned in the video)
- WordPress SEO Plugin security issue
- Joost’s announcement about the security issue
- Blog post discussing auto updates
- CodeGuard backup awareness survey article on WP Tavern
- WordPress.org plugin repository
- WordPress.org theme repository
- WordPress.org security white paper
- WordPress 4.2 beta 1 release
- The WordPress Foundation
- Delicious Brains tour of the WordPress database
- WordPress version stats
- Blog article discussing the major update to the version stats
Hi, my name is Mike Little. I’ve been running a WordPress Meetup group in my local city, Manchester here in the UK, for about six years. Normally, I present a round-up of recent WordPress news that, I feel, is worth sharing with the group. This month I decided to share it with a larger audience, hence this video. So without further ado, let’s get going.
On the subject of security, a critical SQL injection vulnerability was discovered and fixed in the WordPress SEO plugin by Yoast. If you haven’t got the fixed version 1.7.4 or greater, you should update immediately. This bug was severe enough and the plugin popular enough that Yoast reached out to the WordPress.org plugin team. And they pushed out an automatic update to the sites that had the plugin installed and that had automatic updates enabled. A number of people were pretty upset about this. However, this wasn’t the first time it had happened. In 2014, a major bug in Jetpack prompted the team to automatically update millions of installations of Jetpack.
If people want to, they can disable automatic updates for some or all of the options, that is WordPress minor updates, plugin updates, theme updates and WordPress major updates. But I urge anyone considering doing such a thing to consider it very carefully, and to make sure that you have an alternative strategy in place to be alerted to and handle critical updates. The upset around this automatic update that was pushed out was such that Dion Hulse needed to write a blog post on the make.wordpress.org blog to explain about those security updates, pointing out that when these automatic updates were first released in WordPress 3.7, the capability was always there to push out plugin or theme updates if the security issue was severe enough.
One of the good things to come out of this very public fixing of a security issue is that a number of other plugins actually suffered from the same problem and they have been fixed now that the knowledge has come to light, and that includes bbPress and Gravity Forms. So, as usual, it is important that you keep up to date with all the security fixes, all the bug fixes, with plugins, themes, and WordPress itself. Make sure you keep your sites up to date.
CodeGuard, a service that specialises in automated backups, have published the results of a survey they carried out at the tail end of February. Although it was a small survey, only answered by about 500 WordPress users, it was quite interesting the results that came out. 25% of respondents said that they received very little training in the use of WordPress. 22% hadn’t been trained at all in WordPress backup and had no idea how to do it. 21% had seen the White Screen of Death multiple times and, quote, “it’s horrible” they said. To me, a disappointing 69% of respondents had had a plugin fail after an update, and 24% said it had happened many times.
My take is that everyone should be in control of their own backups or have an understanding of what backup measures have been put in place by their hosting provider, or by the people who set up the site for them. And any backup routine should meet the following minimum criteria.
It should have the ability to do a full backup. So data, uploaded files, WordPress, plugins, and themes.
It should be automated, you should never rely on your own memory to manually run a backup.
And ideally, it should be stored off site. If the server goes down, you need to be able to get at your backup files.
And you should know how to restore from your backup or know someone who can do it for you. Even if you have to pay them.
Backups are important. They should be part of your normal day-to-day site management.
WordPress 4.2 beta one is now available for testing. Some interesting changes are going into this version. The “Press This” bookmarklet feature has been totally redesigned to be more intuitive. And it works on mobiles now. If you don’t know what that is, Press This has been around since, well, since the early days of WordPress, and it’s a bookmarklet. You drag it to the top of your browser. And as you browse around the web, you can use the bookmarklet to create a draft post of the page that you’re looking at.
There’s been a little bit of controversy around this improvement to the press this bookmarklet which I find quite surprising. People have been claiming that it encourages users to breach copyright. I find it surprising because a) the functionality hasn’t changed since the early days of WordPress when this was first introduced. And it’s also always included a link back to the source of the content that you might be blogging about. So I’m going to ignore that controversy. I think it’s more about people who didn’t know this feature existed.
There’s also expanded support in the core for emoji, not something that I have an interest in. In fact, my day-to-day usage of emoji is probably limited to smiley face, sad face and maybe winking face. But I’m sure people will love this.
The plugin installation and update process has been made smoother. You can now do plugin updates in place on the plugins page instead of needing to go to the updates page.
On the more technical side, one aspect of the taxonomy roadmap has been implemented. Terms shared across multiple taxonomies will now be split into separate terms when one of them is updated.
Browsing and switching installed themes has been added to the customizer to make switching faster and more convenient. This means that whilst you’re using the customizer, you can now switch between your themes to see exactly what your changes will look like with a different theme. You no longer need to come out of the customizer in order to switch themes to try a new look on your site.
If you want to test any of these features in this beta, install it on a test or local site, not your live site, and start testing. If you find any issues please do report them to the development team. Any feedback is useful to them and can be a great way to contribute to making WordPress better.
In passing, I noticed that the WordPress Foundation website has been redesigned. For those who don’t know, the WordPress Foundation is the charitable organisation founded by Matt Mullenweg to further the mission of the WordPress open source project. As it says on the site, the point of the foundation is to ensure free access in perpetuity to the software projects it supports. It doesn’t get updated much, but there is some old but informative information on there. Check it out.
Delicious Brains have published an in-depth guide to the WordPress database. It’s quite a useful summary of the WordPress database schema; it includes descriptions of the tables, the columns and the usage of the data and also has a couple of diagrams of the relationships between the tables. I commented with a couple of corrections which they’ve now incorporated. So if you want to find out more details about the WordPress database beyond the information in the Codex, then do check out this article.
On WordPress.org there’s been a security white paper published as part of the about section of that site. It’s an analysis and explanation of the WordPress core software development and its related security processes. It’s a pretty good document that goes into quite some detail about the various aspects of how WordPress is built, the processes around that, and how the major, the 10 major security areas are addressed by WordPress. I noticed that they are looking for translators. So if you do have a second language other than English, please do contribute and help get that paper translated.
Both the WordPress plugin directory and themes directory have launched a new design in the last few weeks. Go check them out. They now much more resemble the experience you get in your WordPress admin screens.
Speaking of WordPress.org, the WordPress version stats have been updated. Although the display of the stats is pretty much the same as it was before, what’s interesting is that the calculations have been updated to ignore old sites that are no longer actually running, or at least those that haven’t pinged WordPress.org in the last few months. It’s much more satisfying to see a full 36% of sites running 4.1. Previously, the out-of-date stats had the figure as low as 10%. More deep delving into the data will be available in the future, or may be available in the future. For example, how many of those running the latest version of WordPress are actually running it on very old versions of PHP? Look out for further changes to this area of the site.
Another change on WordPress.org is that the plugins now show more accurate ratings data. That’s because the rating system has been reset and rebuilt by Samuel Otto Wood. The ratings now correspond exactly with the reviews. Previous ratings that didn’t have an associated review have now been removed, given that we have a big enough body of reviews to count. This has also eliminated leftover counts from known spam ratings. A much better improvement and hopefully giving a much more accurate understanding of popularity of plugins.
That was my round-up of recent WordPress news. I hope you found it useful. You can find links to all the things discussed accompanying this video. Until next time, see you.