  Ipstenu (Mika E.) Permalink
    Tags: swfupload

    Secure SWFUpload 

    Do you use SWFUpload? Have you been getting a lot of emails from us telling you it’s not secure? We have a solution. Or rather, WordPress has one.


    The WordPress security team has officially forked the long-abandoned SWFUpload project and is strongly encouraging all web developers who use SWFUpload to update.

    We strongly suggest you do not use SWFUpload. But if you must, use this fork.

    Read More at Make/Core

    George Stephanis Permalink

      Well, hopefully plugins wouldn’t be using their own versions of it anyways, just using the core version instead.

      Wait. I assumed people would do things the right way. Nevermind.

  Ipstenu (Mika E.) Permalink

    Font Awesome is permitted in the Plugin Repository 

    This took longer than we would have liked to say, but there were communication issues on multiple fronts.

    You can use the Font Awesome font files and CSS in your code, per the current Font Awesome License:

    As far as crediting is concerned, we feel attribution is always good. You should always put that in your source code, but your readme is optional. Credit links must be opt-in if they show on the front facing part of your site (this includes the login page), but that’s nothing new.

    So with that said, we’re going through the plugins that had been closed for Font Awesome usage and opening them. If we missed yours, please email us at plugins at wordpress.org, with a link to the plugin (like http://wordpress.org/extend/plugins/font-awesome/ which is open) and we’ll check right away.

  Andrew Nacin Permalink  

    Plugins SVN Repository DNS Change Today 

    In a short while (next 30 minutes or so), plugins.svn.wordpress.org will undergo a DNS change as part of a datacenter migration. The TTLs are low, so this should only take a few minutes.

    Nothing will go down, but the SVN repository will become temporarily read-only. If you try to commit code during this time, you’ll receive a maintenance message pointing you here. Plugin pages and downloads will not be affected.

    Also, the associated Trac at plugins.trac.wordpress.org will be taken offline (for up to an hour) while it is migrated and re-synced.

    Sam Permalink

      ok good luck andrew ^-^

    Andrew Nacin Permalink

      Plugins SVN is online again. If your commits are not working, flush your DNS cache. Here’s the proper IP address for plugins.svn.wordpress.org:

      $ dig plugins.svn.wordpress.org +short

      Trac remains down while it re-syncs.

    Andrew Nacin Permalink

      Everything is back online.

    jquindlen Permalink

      If you don’t know how to flush your DNS on Windows, open up cmd and type:
      ipconfig /flushdns

    JAkzam Permalink

      Hey could someone maybe help me out… I’m a long time WP Developer, but just released our first public Plugin that has been accepted and approved for the WP directory and the SVN.

      I received the email to wait about an hour (it’s been many) and login with this account information.

      But I think I may have screwed up, as I think I have a previous registration on the SVN Repository using this same username. When I log in to the already created account, it says I am not involved in any projects, but the link to the SVN Repository shows my files…

      So what do ya think…should I just be a little more patient?

      p.s. Sorry if this isn’t a good place to ask this question. But I’m a quick learner.

      Ipstenu (Mika Epstein) Permalink

        Email plugins AT wordpress.org if you need help with this. Also re-read the email we sent, especially the part where it says to use the WordPress.org login ID and password to get into SVN. ;)

  Ipstenu (Mika E.) Permalink  

    Plugins to embed audio/video or use HTML, please read 

    If you have a plugin with the sole purpose of embedding video into WP posts, or one that makes HTML5 work in WP, you need to know that there is HTML5 support for Audio and Video coming in WordPress 3.6, so please test ASAP.

    Read Audio/Video Support in Core

  Samuel Wood (Otto) Permalink
    Tags: author, google, markup, schema   

    Be the Author… 

    So, I’ve had this working for a while, but not a lot of people noticed, so I figured I’d spell it out explicitly.

    WordPress.org plugin pages have special magic Google markup. This is what allows many of the Google tricks we do for plugin pages to work. If you’ve ever searched for one of our plugins on Google, you may have noticed that it says it’s “free” as well as showed the rating as stars and such. This is all using Google’s Rich Snippets functionality with markup from the schema.org specifications.

    One of the magic tricks we do is to point to your WordPress.org Profiles page as the “author” of the plugin. It’s your plugin, after all, and you deserve the credit. But promoting the authorship is only half the picture, it helps if Google also knows who you are as an author. Then they can do something clever too:


    This is a sample entry for one of my plugins from the Rich Snippets Testing tool. The photo and authorship info may not show up on every search result that gets my plugin up on Google’s search results, but it certainly doesn’t hurt. But to get this information to be capable of showing, Google needs to connect your profile and user information on WordPress.org with a profile and user information from Google+. To do this, there’s two steps:

    Step 1: Edit your WordPress.org profile to include a link to your Google+ account. You can do this yourself, and you can see how I did it on my Profiles page. I included this link in my “About Me” section: https://plus.google.com/100201852715113506716?rel=author

    Note that the ?rel=author bit is important, that’s what tells Google that you are the author here and links your G+ account to this page.

    Step 2: Tell Google that you contribute to WordPress.org. To do this, go to your Google+ Profile. In the “Links” section you will find a “Contributor To” area. You need to add two links to this area:

    • The first link will be a link to your own profile page, on http://profiles.wordpress.org. This completes the connection and tells Google that you and the profile are the same person. Because your plugin page automatically links to your profile with the author information, making this connection creates an indirect authorship connection to all your plugins.
    • The second link you need to make is a link to http://wordpress.org itself. This is because Google wants there to be an explicit connection on the same domain name (not a subdomain), and so this link is required. And hey, you’re contributing to WordPress.org every time you update your plugin or theme, so well done there! :)

    After doing both these steps, you can try your plugin’s URL in the Rich Snippets tool yourself, and voila, you’ll see the magic. Note that you may not see it in the actual Google search results for weeks, and it may never appear. Google shows snippets like these on terms of their own choosing. All you’re doing here is to give them the data that lets their engine do the magic, if it can.
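    The two steps above, turned into a check you can run against saved page HTML. This is an added example, not code from WordPress.org; the plugin page and profile pages it parses are constructed inline, and the Google+ profile ID in them is a placeholder. It lists rel="author" links in source order (the Rich Snippets tool, as the comments on this post report, only examines the first one) and then looks on the linked profile for the plus.google.com link carrying ?rel=author.

```python
"""Added example (not WordPress.org's own code): walk the authorship chain the
post describes.  A plugin page links its contributors' profiles with
rel="author"; a profile's "About Me" links a Google+ profile with ?rel=author
in the URL.  The HTML documents below are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class LinkCollector(HTMLParser):
    """Collect every <a>/<link> href in document order, noting rel="author"."""

    def __init__(self):
        super().__init__()
        self.links = []  # (href, is_rel_author)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        rel_tokens = (a.get("rel") or "").lower().split()
        self.links.append((href, "author" in rel_tokens))


def collect_links(html):
    p = LinkCollector()
    p.feed(html)
    p.close()
    return p.links


def rel_author_links(html):
    """All rel="author" hrefs on a page, in source order."""
    return [href for href, is_author in collect_links(html) if is_author]


def first_rel_author_link(html):
    """The only link the Rich Snippets tool examined, per the thread: the first."""
    links = rel_author_links(html)
    return links[0] if links else None


def is_gplus_author_url(url):
    """Step 1 of the post: a plus.google.com profile URL carrying ?rel=author."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or u.netloc != "plus.google.com":
        return False
    return parse_qs(u.query).get("rel") == ["author"]


def gplus_author_links(profile_html):
    """Google+ links on a profile page that carry the ?rel=author marker."""
    return [href for href, _ in collect_links(profile_html) if is_gplus_author_url(href)]


def authorship_chain(plugin_html, profile_pages):
    """Return (profile_url, gplus_url) for the first rel="author" link, or None
    when the chain is broken.  profile_pages maps profile URL -> its HTML."""
    profile = first_rel_author_link(plugin_html)
    if profile is None or profile not in profile_pages:
        return None
    gplus = gplus_author_links(profile_pages[profile])
    return (profile, gplus[0]) if gplus else None


# Constructed sample: a plugin page with two contributors (sidebar order), where
# only the second contributor's profile links a Google+ account (placeholder ID).
PLUGIN_PAGE = """<html><body><div class="sidebar"><h3>Authors</h3>
<a rel="author" href="http://profiles.wordpress.org/alice/">alice</a>
<a rel="author" href="http://profiles.wordpress.org/bob/">bob</a>
</div></body></html>"""
PROFILES = {
    "http://profiles.wordpress.org/alice/": "<p>About me: I write plugins.</p>",
    "http://profiles.wordpress.org/bob/": (
        '<p>About me: <a href="https://plus.google.com/000000000000000000000'
        '?rel=author">Google+</a></p>'),
}

if __name__ == "__main__":
    print(rel_author_links(PLUGIN_PAGE))
    # Alice is listed first but has no Google+ link, so the chain resolves to None.
    print(authorship_chain(PLUGIN_PAGE, PROFILES))
```

    Running it on the constructed pages reproduces the situation in the comments: the first contributor wins even when a later contributor is the one with the Google+ link, so the chain resolves only once the contributor order (or, after Otto's later change, the single rel=author) points at a profile that carries the ?rel=author link.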

    Gabriel Reguly Permalink

      Wonderful Otto! Thanks for sharing this.

    Charleston Software Associates Permalink

      Coolness! Thanks for the step-by-step guide, Otto. Works great!

    myatu Permalink

      I didn’t even know you could use HTML in the “About Me” section. Learn something new everyday! :)

    Peter Permalink

      +1 for Otto!

    Chuck Reynolds Permalink

      never had my about section filled out. html ftw. thx – good setup.

    realloc Permalink

      +1 Excellent!!

    Syed Balkhi Permalink

      Sweet. I just added authorship on my profile :)

    Crunchify Permalink

      Great Tips. I’ve just updated my profiles..

    Andrey "Rarst" Savchenko Permalink

      Had you considered implementing `link rel="author" url="[g+ profile]"` in plugin pages header? It will simplify setup and won’t need that “indirect” connection through profile page.

      Samuel Wood (Otto) Permalink

        That would require us to set up a special field somewhere for a G+ account, and if we add that social network, then why not add others too, and yadda-yadda..

        This was a freebie, basically. I didn’t have to make any code changes to do it. We’ve had rel=author in there pointing to profiles forever, and the schema.org markup has been there for at least a year or more.

        I just noticed that I seemed to have been the only one to have done this already when I was looking through some search results today, so I felt like a post to show people how was in order. I did fiddle with the markup a bit today for other reasons, but not for this post.

    Marcel Brinkkemper Permalink

      This is great stuff. +1 for @rarst suggestion

    Jon Brown Permalink

      This is fantastic Otto, Thanks for the detailed write up. Would have taken way longer than I have patience to figure it all out on my own.

    takien Permalink

      Done, thank you :)

    toddhalfpenny Permalink

      Absolutely brilliant… lovely work… thanks.

    Eric Amundson Permalink

      Thanks for the write-up, Otto.

      Looks like the WP.org plugin repo alphabetizes plugin contributors, correct?

      In trying to connect my profile, I found that the Rich Snippet Testing Tool, I get an error saying:

      “Note: The testing tool currently only checks the first rel=author link listed on a webpage for a link to a Google+ profile”

      Issue is that a former contributor has a name that starts earlier in the alphabet, so it’s always finding his author link first, but since he’s not linking to Google +, his avatar isn’t showing in results.

      Any ideas on how to force Google to see the profile of the correct user?

      Samuel Wood (Otto) Permalink

        I don’t think it is sorted, actually. I think it shows up in the order in the Contributors line in the readme.txt file. But if you have an example I can see, I can track the code down.

        Aaron D. Campbell Permalink

          Google “WordPress Twitter Widget” and you’ll see Sara’s pretty face, and she’s the last contrib in the list. However, check the Rich Snippet Tool and it shows me. I’m the first contrib in the list. I’d prefer it to show Range, but that one’s in the middle.

          I’m not certain this is the pattern, but that seems to be what’s happening now. I’ll try to tweak the contrib list on a few plugins and see what happens.

          Samuel Wood (Otto) Permalink

            The readme.txt for that plugin has the people in the same order as the author listing on the sidebar does:


            I have no idea how/why Google shows faces or chooses between them. The rich snippets tool says first one wins, but this is neither the first nor the last time that Google has given me false or contradictory information.

            Aaron D. Campbell Permalink

              Yeah, the rich snippets tool says the first wins (and displays the first person), but actual Google searches seem to be showing the last. Since you’re right about the order of contribs matching the readme, I’m going to try reordering some to see what happens.

            Aaron D. Campbell Permalink

              I gave it a little over 24 hours after the change, and as best as I can tell, Google just likes Sara better. She seems to be listed no matter the order. It may still be cached, but either way it’s still really cool.


            Samuel Wood (Otto) Permalink

              24 hours isn’t enough time. Those things likely won’t alter for weeks or more. I know WordPress.org is well-indexed by Google, but seriously, their snippets logic is confounding sometimes. Best to just set it the way you want and let it do its own thing. You can’t force it.

              Mine didn’t start showing up until I changed my G+ pic to be a “recognizable headshot”. Guess they don’t like my scuba avatar. It’s a shame too, I like the blue one.

            Samuel Wood (Otto) Permalink

              After screwing around with this for a while, and reading up on the topic, Google seems to get very, very confused with multiple rel=authors. So I just now changed it to only have one rel=author on the plugin page, and that will be the first person listed.

              Hopefully, this should eliminate the ambiguity and cause more predictable results.

    Brad Dalton Permalink

      Been using this link on my profile for a while already but didn’t add the ?rel=author to the end of the Google url which does make a difference.

    Mert Yazicioglu Permalink

      Before doing this, my plugin WordPress Move was the second result in Google when you searched for “wordpress move”. Now, however, it’s on the third page.

      Not sure if it’s a coincidence.

  Ipstenu (Mika E.) Permalink
    Tags: api

    Google Maps JavaScript v2 API To Be Removed 

    If you’re using the Google Maps JavaScript API v2 (and 78 of you are), your plugins will break on May 19th. This means we’ll not be accepting any plugins that use the old code (and probably will close your plugins that do if you don’t fix ‘em).

    From Google, Google Maps JavaScript v2 (Deprecated)

    The Google Maps JavaScript API Version 2 has been officially deprecated as of May 19, 2010. The V2 API will continue to work until May 19, 2013. We encourage you to migrate your code to version 3 of the Maps JavaScript API.

    The Google Maps API lets you embed Google Maps in your own web pages with JavaScript. The API provides a number of utilities for manipulating maps (just like on the http://maps.google.com web page) and adding content to the map through a variety of services, allowing you to create robust maps applications on your website.

    The Maps API is a free service, available for any web site that is free to consumers. Please see the terms of use for more information.

    To use the Maps API on an intranet or in a non-publicly accessible application, please check out Google Maps API for Business.

    So please update your plugins.

    (Props to Kailey Lampert for this post)
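    A scanner for the v2 markers a reviewer can look for before the shutdown date, as an added example (not a WordPress.org tool). It keys on the v2 loader URL (maps.google.com/maps?file=api&v=2...) and the global constructor names v2 defined (GMap2, GLatLng and friends), and treats the maps/api/js loader and the google.maps namespace as v3. The two source samples are constructed.

```python
"""Added example (not a wordpress.org tool): flag plugin sources still using the
Google Maps JavaScript API v2 so they can be migrated to v3 before the
shutdown date in the post.  Detection is by the v2 loader URL
(maps.google.com/maps?file=api&v=2...) and the v2 globals it defined
(GMap2, GLatLng, ...).  The two source samples below are constructed."""
import os
import re

# v2 was loaded from maps.google.com/maps?file=api&v=2&key=...; v3 from .../maps/api/js
V2_LOADER = re.compile(r"maps\.google\.com/maps\?[^'\"\s>]*\bfile=api\b", re.I)
V2_GLOBALS = re.compile(r"\b(GMap2|GLatLng|GMarker|GEvent|GBrowserIsCompatible|"
                        r"GUnload|GIcon|GInfoWindow|GDownloadUrl)\b")
V3_LOADER = re.compile(r"maps\.google(?:apis)?\.com/maps/api/js", re.I)
V3_NAMESPACE = re.compile(r"\bgoogle\.maps\.")


def scan_source(name, text):
    """Return (file, line number, reason) for every v2 indicator in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if V2_LOADER.search(line):
            findings.append((name, lineno, "v2 loader URL"))
        for m in V2_GLOBALS.finditer(line):
            findings.append((name, lineno, "v2 global " + m.group(1)))
    return findings


def uses_v2(text):
    return bool(V2_LOADER.search(text) or V2_GLOBALS.search(text))


def uses_v3(text):
    return bool(V3_LOADER.search(text) or V3_NAMESPACE.search(text))


def scan_files(files):
    """files: {path: source text}.  Returns {path: findings} for files needing migration."""
    report = {}
    for path, text in files.items():
        found = scan_source(path, text)
        if found:
            report[path] = found
    return report


def scan_plugin_dir(root, exts=(".php", ".js", ".html")):
    """Walk an unpacked plugin checkout and scan its PHP/JS/HTML files."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(exts):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files)


# Constructed samples: a v2-era embed and its v3 equivalent (API key is a placeholder).
V2_SAMPLE = """<script src="http://maps.google.com/maps?file=api&amp;v=2&amp;key=PLACEHOLDER"></script>
<script>
if (GBrowserIsCompatible()) {
  var map = new GMap2(document.getElementById("map"));
  map.setCenter(new GLatLng(37.7749, -122.4194), 13);
}
</script>"""
V3_SAMPLE = """<script src="https://maps.googleapis.com/maps/api/js?sensor=false"></script>
<script>
var map = new google.maps.Map(document.getElementById("map"), {
  center: new google.maps.LatLng(37.7749, -122.4194), zoom: 13 });
</script>"""

if __name__ == "__main__":
    report = scan_files({"old-map.php": V2_SAMPLE, "new-map.php": V3_SAMPLE})
    for path, findings in report.items():
        for _, lineno, reason in findings:
            print(f"{path}:{lineno}: {reason}")
```

    Point `scan_plugin_dir()` at an SVN checkout to get a per-file, per-line list of what still has to move to v3. A file that matches both v2 and v3 patterns is usually mid-migration and worth a closer look rather than a pass.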

  Jon Cave Permalink

    Review an intentionally vulnerable plugin 

    Imagine that another plugin author has asked you to look at a plugin that is currently in development to check for security flaws and help them fix any that are present. Would you know what to look for and how to fix the problems? Well, a fun challenge has arrived that will test, and hopefully improve, your knowledge in this crucial area of plugin development. I have developed a small, bug ridden plugin that requires a rigorous security review and suggestions for fixes.

    The code is available from https://gist.github.com/joncave/5348689.

    This is an incomplete plugin that aims to log any failed login attempts. Unfortunately, it actually harms the security of a site rather than enhancing it. All of the interesting parts are in vulnerable.php, so you should focus your review there. Please remember not to run this plugin on any server that is accessible to the internet!

    If you spot a vulnerability whilst reviewing the code then make a note of the problem, where it’s located and what the problem is. Then come up with a patch that would solve the problem. It might also be beneficial to create a request that would demonstrate the vulnerability which can then be used to test your fix. I hope that this process will help you understand more about vulnerabilities, what sorts of things to look for when reviewing your own code, how to go about coding securely, and how to fix any problems in your own plugins if a flaw is found.

    If you would like individual feedback on your findings and solutions, and to provide me with some information on which bugs people found and fixed, you can submit them via this survey. Please refrain from posting any spoilers in the comments for now.

    In a week or so I will write another post detailing each of the vulnerabilities present in the code and how to fix them.

    Bonus challenge: with access to a subscriber level account can you find any ways of extracting the data from an option named secret_option?

  Ipstenu (Mika E.) Permalink
    Tags: twitter   

    Do You Write Twitter Plugins? 

    Version 1.0 of their API is going away very soon, so if you happen to be using that, your plugin will break.

    You should keep up with Twitter’s Calendar and update your plugins to the latest versions of the API as soon as possible to prevent angry users and broken plugins.
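    Moving to API 1.1 also means every request must be signed with OAuth 1.0a using an application's consumer key/secret and an access token, which is why plugins now ask users to register their own Twitter application. The signing routine below is an added example, not code from any plugin mentioned on this page; the consumer key, secret and token values are placeholders, and the user_timeline request is a constructed sample.

```python
"""Added example (not taken from any plugin on this page): sign a Twitter API
1.1 request with OAuth 1.0a HMAC-SHA1, which 1.1 requires on every call (the
"create your own Twitter Application" step).  Keys and tokens below are
made-up placeholders; a real plugin gets them from the app registration or a
3-legged OAuth flow."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlparse


def pct(value):
    """RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="~")


def base_url(url):
    """scheme://host/path with lowercase scheme and host, no query or fragment."""
    u = urlparse(url)
    netloc = (u.hostname or "").lower()
    port = u.port
    default = (u.scheme == "http" and port == 80) or (u.scheme == "https" and port == 443)
    if port and not default:
        netloc = f"{netloc}:{port}"
    return f"{u.scheme.lower()}://{netloc}{u.path}"


def signature_base_string(method, url, params):
    """params: every (name, value) pair, decoded, from query string, form body
    and the oauth_* header fields, except oauth_signature itself."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)  # encode, then sort by key and value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url(url)), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Signing key is consumer_secret&token_secret (each percent-encoded)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def authorization_header(method, url, request_params, consumer_key, consumer_secret,
                         token, token_secret, nonce=None, timestamp=None):
    """Build the Authorization: OAuth header for one request.  request_params
    are the decoded query/form parameters of that request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),   # unique per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, list(oauth.items()) + list(request_params), consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


# Constructed example request: the 1.1 user_timeline endpoint a feed widget would call.
TIMELINE_URL = "https://api.twitter.com/1.1/statuses/user_timeline.json"
TIMELINE_PARAMS = [("screen_name", "wordpress"), ("count", "5")]

if __name__ == "__main__":
    print(authorization_header("GET", TIMELINE_URL, TIMELINE_PARAMS,
                               "CONSUMER_KEY", "CONSUMER_SECRET",
                               "ACCESS_TOKEN", "ACCESS_SECRET"))
```

    The nonce has to be unique per request and the timestamp close to Twitter's clock, or the call is rejected. Both secrets go into the signing key, so they must stay server-side: that is why a widget built purely on client-side JavaScript cannot be ported to 1.1 without a server component.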

    Ben Lobaugh Permalink

      Thanks for the updates Ipstenu! Blasting out to my followers and the WordPress Seattle community!

    whiletrue Permalink

      Hi all, we released today a quick update for the “Really Simple Twitter Feed Widget”, requiring users to create their own Twitter Application. It’s online and working with full 1.1 API support. Our two other Twitter based plugins will be updated soon.

      We’re also working on a simpler way to authenticate users, providing a custom Twitter Application and the 3-legged authorization method. What are you doing about it?

    Workshopshed Permalink

      I abandoned development on my twitter badge plugin because of these changes, it used client side javascript and hence can’t be made to work without significant changes. I’m currently using Twitter’s own widget but I’m not entirely happy with it. The Really Simple Twitter Feed Widget, seems like it should work for me.

    Aaron D. Campbell Permalink

      Just under the wire, but I did get the release out! The new Twitter Widget Pro (2.5.0+) uses the new API – http://wordpress.org/extend/plugins/twitter-widget-pro/

    JumboClicks Permalink

      Don’t you love chasing API changes .. if its not twitter its amazon .. oh its just working perfectly now and it almost looks nice too… wait api change .. OH JUST COME ON .. heh

  Jen Mylo Permalink
    Tags: stats   

    Plugin/Plugin Team Stats 

    We don’t track our progress as a project very well. We have relatively few stats that we look at over time to see how we’re growing/changing, and those we do have are largely cobbled together with various combinations of manual labor and scripting. One of the things I want to do this year is get us going in the direction of collecting stats on our work and participation levels, and to make as much of it as possible an automated process. I recognize that this stuff is non-trivial. That said, I can’t create an overall wishlist for Otto to shoot down until we figure out what stats would be good to have.

    What stats would be useful/helpful/just plain cool to know around your team? This is brainstorming… don’t think about APIs or if/how it could be collected, just throw out ideas in the comments of what information you think it would great to start seeing, say on a monthly basis. List any and all ideas, including stats you are already collecting. I’ll collate all the teams’ ideas and see what the Meta team says we can do.

    @coffee2code: As team rep, can you try to rally your group to make suggestions over the coming week? Thanks!

    Jane Wells Permalink

      I’ll start off by listing stats similar to the ones suggested for themes:

      • Number of plugins in the directory (total, updated within past year, within past x months, etc)
      • Number of plugin developers in directory, high/low/average number of plugins per developer
      • Number of active plugin reviewers, high/low/average number of themes reviewed per person
      • High/low/average frequency of plugin updates/commits
      • Length of time from plugin submission to approval
      • Number of plugins per month accepted as is, rejected flat out, or given instruction on what to do to get accepted
      • Number of plugins closed at author request, and high/low/average amount of time since those plugins were last updated
      • Number of plugins closed for spam
      • Number of plugins closed for security issue
      • Number of plugins closed for breaking a directory rule

      Ipstenu (Mika Epstein) Permalink

        Length of time from plugin submission to approval is averaging just around 48 hours, for a complete, fully working plugin with a readme and no guideline violations (which is what ‘directory rules’ are). Once we get into people whom we push back, it’s as much up to their ability to reply to emails within 7 days as our ability to sort through the email ;) (holidays and weekends and ZOMG! busy! change that, but we’re pretty good).

        We’d need a way better way to track why a plugin was closed for the last four. Right now we have to document manually.

        Jane Wells Permalink

          “This is brainstorming… don’t think about APIs or if/how it could be collected, just throw out ideas in the comments of what information you think it would great to start seeing”

          In other words, don’t worry about how it could or couldn’t be done, that’s a different conversation.

    Marcus Permalink

      Number of plugins “compatible” with latest version(s) of WP

      Ipstenu (Mika Epstein) Permalink

        Marcus – the problem there is we don’t test them after submission, so it’s up to the developer to remember to update their readmes. And the lack of an update doesn’t mean the plugin isn’t compatible. That distinction’s way too wibbly-wobbly to rely on.

        Jane Wells Permalink

          I think Marcus’s suggestion is a good one. At the very least, gathering the stats on which ones say they’re compatible to which version will be useful.

        Marcus Permalink

          True, but that’s why I used quotes when saying “compatible” :D

          Agreed it’s not perfect, in my case for example I do have some plugins that aren’t marked as compatible for the latest version (haven’t had time to update readmes), yet they are.

          I think it’d still be nice to know because it is still somewhat of an indicator of what plugins are getting updated for latest WP updates.

          I’d say another bit of data that could be use is the Works/Doesn’t work, but then this info isn’t that reliable either I’ve found.

    Charleston Software Associates Permalink

      Plugin aging report = number of plugins in these groups: updated 0-30 days ago, 30-90 days, 90-180, 180-365, 1y+. Provides a general “age” of the plugin repository at several strata.

      Is the plan to publish this for the general public somewhere near the plugins home page? Some of these metrics would be nice to know for site developers & plugin authors.

      Jane Wells Permalink

        There’s no plan yet, since none of these stats are being collected yet. Eventually I’d like to be able to post nice monthly stats reports on the wordpress.org blog, and team-specific stats could also live in the team site and the public sections of wordpress.org. First we need to decide what information is worth having, then figure out how/if we can gather it, THEN decide where it gets published.

    Pippin (mordauk) Permalink

      Number of abandoned plugins (ones without updates for 2 years).
      Number of plugins with over xxx downloads.

      TCR Permalink

        Agree with these. Would be useful to have a filter on the plugin searches to exclude plugins that haven’t been updated for 2 years, etc.

    circlecube Permalink

      What about plugin ratings? Across all the teams plugins it could average the ratings or show the best rated plugin. Most reviews.

      Number of updates would be useful too (and/or frequency of updates), then you know if the plugin is tried and true or just went from 1.0 to 3.0.

    rielf Permalink

      Where can I denounce a SCAM plugin?

      “Google adsense plugin” is a scam….

      1: Its donation system doesn’t respect the Google AdSense terms and conditions, and any Google AdSense account can be banned.

      2: I insert my PUB correctly and all the ads are from the plugin’s programmers.

      3: I set up the donation system at 0% and they are stealing my ad space without paying me.

      And I want to say that this plugin is the worst AdSense plugin I have ever seen; its configuration is simply ridiculous and you can only put the ads in the post….

      Scott Reilly Permalink

        You should email plugins@wordpress.org to report abuse or spams/scams by plugins. Please include a direct link to the plugin’s page in the Plugin Directory so we know precisely which plugin you’re referring to.

    Mark Permalink

      Plugins that are already outdated or haven’t been used in years can clearly be seen. Moreover, before updating the version, make sure it is compatible, and last but not least, don’t keep plugins that appear to be spam/abuse for too long; report them at your earliest!

    zoranc Permalink

      Polling systems on the main plugin page (+ API so it can be included in the plugin settings pages). This way users would be able to vote on features and overall plugin direction.

    David Lingren Permalink

      How about more information on the Support topics, e.g., average response time, time to resolve, number of unresolved topics? As a plugin author, one of my most frustrating tasks is looking back over all the topics and trying to find the items marked “Not Resolved”. I keep tripping over the “Not a support issue” topics.

  Jen Mylo Permalink

    Team Rep Results 

    9 people voted. Results: Scott Reilly as first lead, Pippin Williamson as second lead. New team rep terms start with the new year, so I’ll get in touch with you guys to make sure everyone is on the same page re expectations. Congratulations, and thanks for your willingness to serve!

