WordPress.org

Marcus Couch and I were joined by Eric Mann to discuss the news of the week. After the news, we discussed in-depth a few of the core proposals Mann has published on his blog. We covered the following three WordPress core proposals:

• Data Service
• Portability
• Offline Editor

After speaking with Mann, it’s clear he puts a lot of thought into each proposal. I hope you enjoy the show and don’t forget to give us your feedback in the comments.

Stories Discussed:

Breaking: Jetpack Releases Critical Security Update, Immediate Action Required
WordPress 3.8.2: First Security Release Shipped as a Background Update
Recent Update To Wordfence Security Breaks WordPress Mobile Apps
DevPress Sold To Unknown Buyer For $14k
Devin Price is the new owner of DevPress
WordPress.org Profile Redesign is Live

Plugins Picked By Marcus:

Webkite for WordPress – WebKite is a service for getting your data online quickly and easily. Backed by the WebKite API, the WebKite for WordPress plugin delivers the filtering and sorting capabilities of sites like Kayak, Amazon, and Yelp. Users can interact with your content to easily find items that are relevant to their needs, a great way to build rapport and trust with your user base.

Watermark – This plugin allows you to add a watermark on images uploaded to the media library. It applies a watermark on new images as well as images already uploaded.

Forget About Shortcode Buttons – Forget About Shortcode (FASC) Buttons are a visual way to add CSS buttons in the post editor screen and to your themes.

TwentyTwenty – Show before and after pictures in your blog, with an interactive slider that allows users to compare them.

BP Group Documents – BP Group Documents creates a page within each BuddyPress group to upload and any type of file or document. This allows members of BuddyPress groups to upload and store files and documents that are relevant to the group.

WPWeekly Meta:

Next Episode: Friday, April 18th 3 P.M. Eastern – Special Guest: Andrew Nacin

Subscribe To WPWeekly Via Itunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #145:

CoSchedule, the editorial workflow and activity scheduling plugin, has secured $500K in a Series A round of funding. The angel investment was led by Sandin Holdings and Bullinger Enterprises of Fargo, North Dakota. Matching funds were provided by the North Dakota Development Fund. Joe Sandin of Sandin Holdings will join CoSchedule’s Board of Directors, providing strategic guidance and business advice.

When I reviewed the plugin last year, I considered it to be a viable alternative to Edit Flow. CoSchedule will use the money to hire more employees, increase their marketing budget, and increase the speed of development so new features reach users faster.

Moon says the company has experienced rapid growth since launching in September of 2013. Since the launch, the plugin has over 6,000 downloads with users in more than 100 countries and paying customers in 35 countries. I asked Moon, what advice does he have for those looking to obtain a round of funding to take their business or service to the next level? He replied:

I think a lot of developers hesitate to look for funding for their work because the process is overwhelming and unfamiliar to them. I will definitely admit that it is a ton of work, but it can be hugely valuable. Not only can you get the financing you need to move to the next level, but it really forces you to look at your product in a new way and challenge every assumption that you’ve made. Investors ask hard questions, and that can be a really good thing.

Do you use CoSchedule? If so, what do you think of its editorial workflow and how it handles multiple authors?

BuddyPress reached a major milestone today, crossing the two million download mark just a week ahead of the official 2.0 release. The plugin, known as “a social network in a box,” now has more than 500 related community extensions.

Over the past 7 years, BuddyPress has developed a strong international community of users and contributors. Roughly 50% of BuddyPress sites are in English, with the other half comprised of social networks in Spanish, Italian, French, German, Dutch, Swedish, Portugese, Chinese, and many other languages.

The upcoming version 2.0 of the plugin adds a host of new features that help administrators manage their communities more efficiently in the dashboard. It also introduces some remarkable performance improvements that reduce the plugin’s footprint by up to 75% in many places. Help celebrate BuddyPress crossing the two million download mark by testing 2.0-beta2.

If you’ve noticed after upgrading to WordPress 3.8.2 that the Quick Draft dashboard widget no longer functions correctly, you’re not the only one. Unfortunately, one of the security fixes in 3.8.2 caused the widget to break. Auto-drafts created through the widget are not being promoted to draft status. When a title and content is added to the widget, clicking the save draft button gives the appearance that its discarded. It doesn’t show up within the drafts list even though it exist within the database.

The patch attempts to do two things.

• Find all lost Quick Draft auto-drafts and promote them to proper drafts.
• Bring them back in place, with no date changes or other processing.

Andrew Nacin, lead developer for WordPress, explains why every auto-draft created won’t be able to be retrieved.

Unfortunately, each save of Quick Draft by the same user would update the existing auto-draft they previously lost. If they used Quick Draft in succession, or tried again when they couldn’t find their post — both of which are not unlikely — we can only rescue their last edit.

Quick drafts only hold onto a single auto-draft post ID per user and will re-use it as long as it remains an auto-draft. This is due to performance reasons so new auto-drafts are not created each time the dashboard is visited. Once upgraded, you should see the latest draft created through Quick Draft with the date and time of creation kept in tact.

If WordPress 3.8.3 is released, it may be available as soon as this weekend but nothing has been set in stone.

Akismet 3.0 is currently in development and the official release will likely coincide with WordPress 3.9 on April 16th. The upcoming 3.0 release represents a major rewrite of the plugin and the Akismet team is inviting everyone to help test the release candidate. This version will introduce a few new features and will remove much of the legacy code that was included for backwards compatibility with older versions of WordPress.

Akismet 3.0 has a more straightforward configuration page that funnels users to the correct action:

One critical item that seems to be missing here is direction on where to find your API key if you already have one. Though it may be obvious to some that you need to log into Akismet, go to Account Overview, and click “reveal key,” this process is not as intuitive as it might seem. Hopefully something can be added to help make this clear. The team has confirmed that this is on their list.

Akismet 3.0 inclues a new feature that allows you to define how strict it is in discarding spam. It also adds the ability to easily disconnect your account.

The service has zapped more than 130 billion spam comments and track backs to date. Millions of WordPress users depend on Akismet every day to help keep their blogs clear of spam. If you can spare a few minutes to help test the 3.0 release candidate, the Akismet team promises some exclusive swag for those who submit the most helpful bug reports and feedback. Even better than that is the opportunity to help improve Akismet for WordPress users across the globe. Check out the announcement post for more details and the latest download link.

For the past four years, BuddyPress developer Brajesh Singh has maintained a popular tutorial for allowing BuddyPress activity as a wire. This was the default behavior for activity during the early 1.x era of BuddyPress, which allowed users to “write on each other’s walls” without having to use @mentions.

Singh’s updated tutorial shows you how to set up wire/wall functionality without having to edit any theme code, as was required in previous tutorials. He’s packaged it up and put it into a convenient plugin that emulates a user wall/wire by performing the following:

• Shows the activity post form on other user’s profile
• Filters the text that says “What’s new {username}” to say “Write something to {displayed_user_name}”
• Removes the BuddyPress function that handles the post update action and hooks a custom function that allows saving the activity posted from user profiles as a mention.

The result is very similar to the wall/wire feature originally included in BuddyPress:

Posts on user wires/walls will show up in the activity stream as having originated on a user’s wall, differentiating it from regular activity @mentions.

Inevitably, BuddyPress developers will have clients asking them to make their social networks more like Facebook. Some users are more comfortable using the wire/wall style of interaction, as it is the default behavior on Facebook and mirrors the way activity worked in the early days of BuddyPress. This plugin will restore that feature to BuddyPress so that users don’t have to bother with @mentions.

BuddyPress Activity as a Wire is compatible with BuddyPress 1.9.2+ but will require a minor update to take advantage of the activity performance improvements in 2.0. Download it for free from BuddyDEV.

We’ve been hard at work on version 3.0 of the Akismet plugin for WordPress. It’s a major rewrite of the plugin code that includes a new configuration page, improved signup and activation, and some new features. We’ve shed most of the legacy code that was maintained for backwards compatibility with ancient versions of WordPress, and redesigned the code so we can bring you new features in coming months.

Since it’s a major change from previous versions, we could use your help testing the new plugin before its final release. If you’re comfortable manually installing a plugin in WordPress, you can download akismet.3.0.0-RC1.zip or use the 3.0.0-RC1 tag in the Subversion repository.

Try it out and tell us what you think – we have some exclusive Akismet swag for those who send bug reports and the most helpful feedback. Bug reports and detailed feedback is best sent via our contact form. You can leave general public feedback in comments below or on Twitter.

If you’re not sure how to install the plugin manually, or you’re not willing to run pre-release code on your site, we recommend waiting for the final release, which we expect to coincide with next week’s launch of WordPress 3.9.

In the aftermath of the Heartbleed bug and a week filled with critical security updates, it’s time for some good news. The wildly popular and hopelessly addictive 2048 game can now be embedded in WordPress.

The 2048 WordPress plugin is based on the open source game created by Gabriele Cirulli. The game has been cloned many times into mobile apps as well as bewildering variations that feature the likes of Doge and Flappy Bird.

Embedding 2048 in WordPress is as easy as adding the [2048] shortcode to any page or post. The objective of the game is to achieve the 2048 tile by using your arrow keys to merge tiles of the same number.

If you want to help your website visitors waste hours of their lives, install the 2048 plugin from the WordPress Plugin Directory and embed it on your site. By now many of your friends and colleagues have already beaten the game and will undoubtedly provide you with strategic tips. However, the desire to win is likely to consume your every waking moment. Don’t say I didn’t warn you.

Jetpack released version 2.9.3 today. This is a critical security update that fixes a potentially serious threat that has been present in Jetpack since version 1.9, released in October 2012. George Stephanis explained the vulnerability in the release announcement:

During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access.

At this time, the Jetpack team has no evidence that the vulnerability has been exploited on any sites running the plugin. However, now that it has been disclosed publicly, every WordPress site administrator that is using Jetpack is strongly encouraged to prioritize this update and take immediate action for all sites that you manage.

To give you an idea of the severity of this bug, Stephanis said sites that continue running old versions of the plugin may soon be disconnected from the Jetpack service for their own security. Here’s what they’re doing to mitigate the threat:

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

Sites that can receive automatic background updates may already have the updated version of Jetpack. All others will be prompted to update manually.

The Jetpack team has prepared point releases for all 11 previous versions that are vulnerable to this threat. They will be reaching out to admins of sites that are still running the old versions to make them aware of the critical update. Sites that do not update will not be allowed to reconnect to the Jetpack service.

If you operate a WordPress site running Jetpack or have client sites using the plugin, you will need to take action immediately, especially if your site’s functionality depends heavily on the Jetpack service.

photo credit: onkel_wart (thomas lieser) – cc

One of the best things about BuddyPress is that it gives you the ability to bring together people who share a common goal or interest. Sometimes this requires getting people together at the same time for a meeting or rendezvous. With just the bare basics you could try to mention specific members in the activity stream or send private messages to schedule a meeting, but now there’s a more efficient way to do this with built-in privacy controls.

Rendez Vous is a new plugin that makes it possible for community members to schedule appointments with one another. Developed by @imath, a prolific plugin author and BuddyPress core contributor, Rendez Vous provides a simple table for each user to mark his availability for a proposed rendezvous.

A Quick Tour of the Rendez Vous Plugin

The plugin fits naturally into the user menu and utilizes BuddyPress notifications for updates.

Any member of the site can create a new rendezvous, set possible times for meeting and select members to add to the meeting. The panel for creating a new event launches in a modal window and allows you to set three possible times to choose from:

The “Who” tab lets you search for members, if you have a large network, and click on those you want to invite.

The user profile menu displays all published rendezvous to which a user has been invited:

The person who schedules a rendezvous will receive notifications related to member responses:

As member replies roll in, the table will fill up with availability from those who have responded. Here’s an example of a public rendezvous:

The way the table appears will depend on your theme. The plugin simply adapts to the active theme, so you may find that you need to do a little CSS work to make it look exactly how you want. In the next update @imath plans to include a filter to allow a theme to easily override the plugin’s CSS files with its own.

The Rendez-Vous plugin is a simple, flexible tool that can help to facilitate both online and offline meetings and events. Because the plugin uses fairly generic wording, you can schedule any kind of meeting. It would be suitable for any of the following examples:

• A group Skype chat
• A meeting for site moderators
• A family reunion
• A doggy play date
• A documentation sprint
• A teacher/student conference
• A tutoring session

You might event use it to determine the best time for maintenance on a small community site. The possibilities are endless for bringing people together efficiently. The scheduling panel allows you to select from public or private for more control over who can view and join the rendezvous.

Rendez Vous is available for free from the WordPress Plugin Directory. You can also find and contribute to the project on Github. The plugin is compatible with WordPress 3.9-RC1 and BuddyPress 2.0-beta2. It should also work on installations that are running WordPress 3.8.3 and BuddyPress 1.9.2.

For a live tour of the the plugin in action, check out @imath’s video:

With the release of WordPress 3.8.2, some users are reporting on the WordPress.org support forum that the update disabled XML-RPC causing mobile apps to break. Many of those who are reporting the issue have one thing in common: they’re using the Wordfence Security plugin. With over 1.5 million downloads, Wordfence Security is a popular plugin used to secure WordPress sites.

A recent update to Wordfence disables XML-RPC in WordPress to prevent sites from being used as drones in a pingback Denial of Service attack. Due to the timing of WordPress 3.8.2 as well as the update to Wordfence, users think 3.8.2 is the culprit. Andrew Nacin, lead developer for WordPress, replied to the support thread explaining why the fix is improper and has no tangible benefit to users:

The changelog says “Disable XML-RPC in WordPress to prevent your site from being used as a drone in a DDoS attack.” The problem is this “attack” affects pingbacks. But the fix actually disables everything in XML-RPC except pingbacks, thus breaking mobile apps and anything else relying on XML-RPC, but allowing pingbacks through.

If you want to disable pingbacks, then disable pingbacks. Don’t do this. Or don’t do anything, as these attacks are not particularly effective and more recent versions of WordPress and Akismet both pass along better information when verifying pingbacks; and Akismet additionally detects abuse.

Wordfence responded, saying they’ve filed a bug and will be investigating a fix. Until then, if you’re using Wordfence, browse to the plugin’s options page and look for Other Options. Uncheck the box to Disable XML-RPC for DDoS protection.

Upgrade WordPress and Akismet To The Latest Versions

Network Solutions recently sent out a security bulletin to customers using WordPress informing them about the Denial of Service attacks that can result from pingbacks. Network Solutions advised customers to install the Disable XML-RPC plugin. While it disables the XML-RPC API, it does not disable trackbacks and pingbacks.

The best course of action is to update to WordPress 3.8.2 if you haven’t already done so. Also upgrade Akismet to the latest version. Both software updates address the Denial of Service attack associated with pingbacks without having to disable XML-RPC entirely.

The guest blog on Automattic’s hiring process for the Harvard Business Review ended up being pretty popular and thanks to Michelle Weber and Dan McGinn it’s been expanded into a longer version that’s now on shelves in the actual magazine! Very excited about this. If you are in an airport and see it on the stands (as above) definitely pick it up, it’s a great issue.

Back in March, Fred Meyer, shared his thoughts on why the core of WordPress needs a writing style guide. The post generated a healthy conversation, including this comment by Matt Mullenweg:

WP has always been optionated software with a lot of personality. Every year or two people try to neuter it, remove a bt of its soul, and sometimes it gets through. There are always convincing reasons, like this post, but it’s sad nonetheless. If anyone is going to stop using the software over these we probably didn’t create something very compelling in the first place. You could also create a “dry” localization of the software and see if it gets much traction.

After the conversation subsided, Meyer created a survey to determine the thoughts and opinions of users. The results are now available with a total of 69 respondents completing the survey. While the small sample size makes it hard to conclude anything, there are two things that came to light based on the results.

The first is that WordPress could improve the text so it’s spoken with a clear, well-defined voice. Second, irreverent and goofy humor is rarely a user’s preferred way to receive WordPress messages. Instead, users appear to prefer content that is as clear as possible in its technical details.

Meyer’s Next Course Of Action

I asked Meyer what his next course of action is now that he’s had a chance to analyze the results. He said he “plans to move forward with advocating for a tone review, with the intent of seeing if it can be added to the to-do list for WordPress 4.0″. I asked if anything about the results surprised him:

One thing that surprised me about the survey was how dry people’s favored content was–e.g., “Powered by WordPress” instead of even “Proudly Powered by WordPress.” I really think there’s a danger (again, as Matt said) that a content review, particularly one done by committee, could squeeze the color out of WordPress, in favor of writing that is really safe and technical and that no one can possibly take issue with.

The survey seems to reinforce Mullenweg’s opinion that this issue isn’t something that will make or break people’s decision to use WordPress. At the same time, the survey showed users would appreciate textual content that is better suited to them, content that is more helpful and contains a more consistent tone.

Time To Decide Which Voice We Want WordPress To Have

Meyer said that the community will need to decide the tone of the language used in WordPress. Focusing on colorful language that is consistent, helpful and inviting to English speakers outside of North America.

If you’d like to follow along with the project and contribute to the cause, follow Meyer on WPShout.com. He’ll be using the site to inform those interested of the progress. You can also get in touch with him directly via email, fred@pressupinc.com.

Automattic announced its acquisition of Longreads today. Since 2009, the Longreads service has helped people find and share the best fiction and nonfiction longform content on the web, curated by its team of editors and the #longreads hashtag.

Longreads defines longform content as anything over 1,500 words, the type of articles that are most often read by people who are away from the distractions of their desks. Though individual attention spans seem to be dwindling in the digital age, the proliferation of mobile devices and apps dedicated to reading has sparked a renaissance of the written word. Longreads became a key player in the resurgence of longform reading by helping people to discover the best content.

The editorial team at Longreads joins online publishing titan WordPress.com under the Automattic umbrella. Historically, WordPress.com has been a strong supporter of longform writing and offers several themes dedicated to longform posts. WordPress.com has also often featured longform reads among its recommendations.

Mark Armstrong, founder of Longreads, describes how he sees Automattic as the right partner to help them go deeper in their mission to promote longform storytelling:

We also quickly realized that Longreads’ goals and Automattic’s goals were complementary: For us it is to serve readers the best storytelling in the world, and for Automattic it’s to power a world where publishers and writers have the freedom and independence to own and control their own space on the Internet, and to then produce their best work using those tools.

Armstrong said that they will continue to run the service in the same way they always have and will keep the Longreads Membership active.

The Rebirth of Longform Storytelling

If the success of the New York Time’s Snowfall is any indication, “immersive storytelling” is on the upswing and longform content is well-positioned to be reinvented in the digital age. There’s no reason why WordPress publishers shouldn’t be at the helm.

The popularity of longform content is growing. Automattic’s Raanan Bar-Cohen, in his announcement of the acquisition, said that “Use of the #longreads hashtag on Twitter has grown more than 130% over the last two years, and more publishers than ever are committing resources to in-depth storytelling as part of their daily mix of stories.”

Complex topics and ideas often require longform articles in order to fully convey their depth. Longreads has found a successful way to tap into a segment of the public that values longform reading enough to pay for daily recommendations. Automattic’s acqusition of Longreads is a signal that longform content is not dead but rather has the chance to be reborn in the digital era. That’s good news for WordPress publishers and even better news for readers.

Brad Stone at BusinessWeek reports Automattic has acquired the great service Longreads, which you can also read about on our blog. See also: Techmeme.

If you’re interested in WordPress project stats, WP Central has a collection of interactive visualizations for everything from download stats to version usage to internationalization. The site, created by WordPress contributor Marko Heijnen, has been in development for several months and is gradually adding more data.

The homepage of the site features stats for the latest release, with data for the total downloads, last seven days, downloads per day and per hour.

Version usage is particularly interesting, with clickable segments that display the percentage of WordPress installations operating on various versions of WP, PHP and MySQL.

The site uses Bootstrap for the theme and Heijnen said that all of the data is pulled from the WordPress.org API, with the download history stored locally. He’s looking into the possibility of collecting and displaying old data, along with the new stats.

Heijnen created the site with the hope of providing a historical reference that is easy to visualize. “I would love for it to become a place that shows the history of WordPress, i.e. how many downloads we had per release and the progress,” he said. “I hope that people will be able to get more insight about how WordPress has grown over the years.”

WP Central‘s graphs make it easy to visualize trends in WordPress downloads and version usage. Given that WordPress is a major part of millions of people’s lives on the web, it’s important to have helpful sites like WP Central that will track WordPress’ growth over time and make this data available to everyone. To find out about new data and visualizations added, follow WP Central on Twitter.

The dates for WordCamp NYC were announced today. The event will be held August 2-3, 2014 at the New York Marriott at the Brooklyn Bridge in downtown Brooklyn.

Tickets will go on sale within the next few weeks. Traditionally, WordCamp NYC has sold out every year. In 2009, 2010, and 2012 the event brought together roughly 800 WordPress fans. However, maximum capacity for the Brooklyn venue is 650.

I spoke with Steve Bruner, one of 10 organizers for the event, who said that finding a suitable venue has been a challenge. “We’ve been searching for a venue that would hold 800+ people AND be affordable in one of the most expensive cities in the world,” he said. “When we finally decided that 800 wasn’t going to happen, we were able to finalize on the Brooklyn Marriott, which is a really awesome venue.”

Bruner said the unique aspects of WordCamp NYC are not unlike the city itself. A large number of attendees, a world-class speaker lineup and a high percentage of international attendees makes this WordCamp an exciting and diverse event. Also, if you haven’t visited New York in the summertime, you’re in for a sizzling hot treat. Follow @WordCampNYC on Twitter for all the latest updates. Given the reduced number of tickets this year, you’ll want to be notified as soon as they go on sale.

photo credit: Will Montague – cc

WordPress 3.8.2 was released today with several important security fixes that warrant an immediate update. If you have background updates turned on, you should get the 3.8.2 security release within 12 hours. Of course, you can always update immediately via Dashboard > Update in the admin.

Andrew Nacin outlined the important security fixes in this release. In summary, they are:

• Fixes a weakness that could let an attacker force their way into your site by forging authentication cookies
• A fix to prevent a user with the Contributor role from improperly publishing posts.
• Update to pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
• Fixes a low-impact SQL injection by trusted users
• Prevents possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.

These security concerns were discreetly disclosed to the WordPress security team, but now that they are public knowledge, it’s very important to get your sites updated to the latest version.

First WordPress Security Release Shipped as a Background Update

In the course of providing the 3.8.2 security update, a 3.7.2 release was also pushed out, which includes the same fixes for sites still running on 3.7.1.

We’ve now entered a new era of WordPress security updates wherein sites that are on older versions may have automatic updates enabled. Passing on those same security updates, wherever possible, only makes sense.

I asked Nacin how far back the team plans to provide security releases for sites running older versions of WordPress. “We don’t want sites to remain on older versions,” he said. “But it’s obviously tough to pass up the opportunity to keep them secure.”

There is no hard and fast rule set for how far back security updates will go, but Nacin says that they will continue to do what they can. “This was the first security release shipped as a background update, so it’s new to us, too,” he said. “But I would expect we’ll do whatever we can to keep sites secure.”

So far the automatic updates seem to be going quite well:

In the 15 minutes after WordPress 3.8.2 dropped, 230,000 WordPress installs were automatically updated. https://t.co/8pCvBD2Tl8

— Andrew Nacin (@nacin) April 8, 2014

We’ve served about 800,000 updates over the last hour. All sites have been receiving instructions to update; they check every 12 hours.

— Andrew Nacin (@nacin) April 8, 2014

More numbers: 1.2 million WordPress sites have automatically updated over the last 97 minutes. https://t.co/Cc76GKcTID

— Andrew Nacin (@nacin) April 8, 2014

T plus two hours: 1,446,176 updates. At this point I’ve moved beyond “nervous wreck” to “shipping champagne.” Eventually this won’t be news.

— Andrew Nacin (@nacin) April 8, 2014

The first release candidate for 3.9 was also sent out on the heels of the 3.8.2 security update. You can expect to see the official 3.9 release next week on April 16th.

The second (and hopefully final) beta for BuddyPress 2.0 is now available (zip). Since Beta 1, we’ve made a few dozen fixes and improvements. Notable changes from the first beta:

• Fixed a potential out-of-memory fatal error in certain activity stream views. #2768
• Fixed broken SQL query format on certain activity stream views. #5503
• Improvements to profile visibility settings appearance #5352
• Fixed a bug where blog comments were not synced to the activity stream when the comment author != blog author #5507
• Better logic to avoid duplicates and invalid results during the activity heartbeat ping #5505
• Miscellaneous localization improvements

Plugin authors, theme authors, and site administrators with access to dev environments: please get out there and test! We need your continued feedback to make our scheduled release of April 16.

Questions? Comments? Visit our support forums or our development tracker.

As teased earlier, the first release candidate for WordPress 3.9 is now available for testing!

We hope to ship WordPress 3.9 next week, but we need your help to get there. If you haven’t tested 3.9 yet, there’s no time like the present. (Please, not on a production site, unless you’re adventurous.)

To test WordPress 3.9 RC1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If you’d like to learn more about what’s new in WordPress 3.9, visit the work-in-progress About screen in your dashboard ( → About in the toolbar) and check out the Beta 1 post.

Think you’ve found a bug? Please post to the Alpha/Beta area in the support forums. If any known issues come up, you’ll be able to find them here.

If you’re a plugin author, there are two important changes in particular to be aware of:

• TinyMCE received a major update, to version 4.0. Any editor plugins written for TinyMCE 3.x might require some updates. (If things broke, we’d like to hear about them so we can make adjustments.) For more, see TinyMCE’s migration guide and API documentation, and the notes on the core development blog.
• WordPress 3.9 now uses the MySQLi Improved extension for sites running PHP 5.5. Any plugins that made direct calls to mysql_* functions will experience some problems on these sites. For more information, see the notes on the core development blog.

Be sure to follow along the core development blog, where we will be continuing to post notes for developers for 3.9. (For example, read this if you are using Masonry in your theme.) And please, please update your plugin’s Tested up to version in the readme to 3.9 before April 16.

Release candidate
This haiku’s the easy one
3.9 is near

Roots is a WordPress starter theme that incorporates the HTML5 Boilerplate, Bootstrap, and Grunt. It’s also known for creating cleaner HTML, cleaner script output, and its unique theme wrapper method for handling template markup.

Up until now, you’d have to use the Roots theme in order to take advantage of any of its features. Ben Word, Roots’ creator, has now made some of the theme’s features available for use within any WordPress theme via a new plugin called Soil.

Soil offers you the benefits of three distinctive Roots features:

• WordPress Markup Cleanup
• Relative URLs
• Nice Search – (/search/query/)

The “Clean-Up” feature enables the following:

• wp_head() clean up
• Remove WP version from RSS feeds
• Clean up attributes
• Clean up tags
• Clean up body_class()
• Wrap embedded media as suggested by Readability
• Use figure and figcaption tags for WP captions
• Remove unnecessary dashboard widgets
• Remove unnecessary self-closing tags

How to Use Soil with Your WordPress Theme:

photo credit: JerseyRed – cc

Step 1. Install and activate the Soil plugin.
Download Soil from Github and unpack/rename folders as necessary. Add to your plugins folder.

Step 2: Add Soil theme support to your theme’s functions.php file.

add_theme_support('soil-clean-up');
add_theme_support('soil-relative-urls');
add_theme_support('soil-nice-search');

If the full Roots theme is not for you but you appreciate some of its features for cleaner markup and URLs, then the Soil plugin is an easy way to port those over to your theme. For more in-depth information on root relative URLs and the clean up changes it makes, check out the Roots 101 guide.

Hookr.io is a brand new project created by Christopher Sanford in the alpha stage of development. It’s an index of all the available WordPress Hooks and API calls stretching back to WordPress 1.5. The site is a result of a pet project he’s been working on for about a year. It started out as a plugin he installed to index his local WordPress projects. Sanford explains why he created the site:

Most reference sites contain only subsets of hooks (if any), and unless the plugin/theme is premium, they usually contain little to no documentation regarding their API. I was tired of the ineffective “find in project” searches within my IDE. So, one day after questioning my productivity and lack of resources for what I needed to do, I started writing the initial parser/indexer as just a locally installed plugin.

The front page features a slider allowing you to switch between versions of WordPress. When one is selected, the site displays how many of the following are in that version.

• Hooks (Action/Filter)
• Actions
• Filters
• Classes
• Constants
• Functions
• Shortcodes

While the total amount of each are correctly displayed, Sandford has limited the results to 250 until it can be determined the site will perform well under load. If the benchmarks are successful, he’ll make the entire index available.

WordPress Hook and API Index

WPSeek performs a similar role as a WordPress search engine for developers. Sanford says the metadata he has indexed sets it apart from other  search engines:

I’m storing all the information related to each “object.” For instance, what file and line(s) the function is defined in/on, what are the function parameters, what other objects exist within its source code (hooks, classes, constants etc), the original source, or snippet, both with/without syntax highlighting, documentation blocks, etc.  All of this has been generated directly from the source code, not screen-scraped. By having this metadata at my disposal, it makes adding features, or overhauling the layouts extremely simple.

Indexed Metadata

He wants users to see the holistic view of a given topic. For example, showing all classes existing in the admin area related to FTP as shown in the following screenshot. This view helps developers to see the interconnected parts that make up WordPress.

Holistic View Of Classes

While Hookr.io isn’t easy to use on a mobile device, Sanford says he has, “Already provisioned bootstrap. It’s just a matter of time and necessity to fully implement.” The interface uses a combination of colors and numbers to display relationships between data. The UI is what works for Sanford but he realizes it may not be optimal. The goal was to have a simple and clean layout but he’s looking for UI/UX advice.

If developers are going to use Hookr.io, the content has to be accurate. According to Sanford, “90% of the development time was consumed with ensuring the accuracy of the parser.” He admits it’s not perfect but is accurate enough to develop against. Since WordPress is updated far less frequently than plugins and themes, the content is updated in an ad-hoc fashion. If the site becomes a useful tool for developers, he plans on automating the manual processes for near real-time updates.

Your Feedback and Ideas Are Needed

Based on the feedback and whether or not developers find the site useful will determine whether Sanford devotes more time to the project. He already has a lot of ideas in mind to make it a true resource for WordPress developers, regardless of skill level. One of the features Hookr.io supports but is not available to the public is the inclusion of plugin and theme data. The content has been indexed but it’s about three million records. A lot of benchmarking and fine-tuning will take place before the data is added to the search engine.

Sanford is looking for feedback on all facets of the site. Whether it’s design, implementation, or accuracy of data, please share it in the comments. He’ll be watching the conversation closely and will answer any questions you have.

WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately.

This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and fixed by Jon Cave of the WordPress security team.

It also contains a fix to prevent a user with the Contributor role from improperly publishing posts. Reported by edik.

This release also fixes nine bugs and contains three other security hardening changes:

• Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
• Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw.
• Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files. Reported by Szymon Gruszecki.

We appreciated responsible disclosure of these security issues directly to our security team. For more information on all of the changes, see the release notes or consult the list of changes.

Download WordPress 3.8.2 or venture over to Dashboard → Updates and simply click “Update Now.”

Sites that support automatic background updates will be updated to WordPress 3.8.2 within 12 hours. If you are still on WordPress 3.7.1, you will be updated to 3.7.2, which contains the same security fixes as 3.8.2. We don’t support older versions, so please update to 3.8.2 for the latest and greatest.

Already testing WordPress 3.9? The first release candidate is now available (zip) and it contains these security fixes. Look for a full announcement later today; we expect to release 3.9 next week.

I wanted to share unique perspective for why the web matters in an app world with a guest post from Stratechery writer Ben Thompson:

This week Twitter was abuzz with the most recent report from Flurry that showed people spending most of their time on mobile using apps, not the browser:

Many were quick to once again declare “The Web is Dead,” but I’m not sure that conclusion makes sense, at least for writing.

First off, Flurry’s numbers don’t account for webviews within mobile apps. On my site, Stratechery, 37% of my iOS traffic comes from webviews (Android doesn’t break out the difference), which on Flurry’s chart would fall mostly in the Twitter slice. More mass market sites likely take up some percentage of Facebook time, as well.

That said, it’s striking how little written content appears on Flurry’s chart; the only category that is primarily about written content is news, and even that includes video. And yet, pageviews on WordPress.com and Jetpack are up 27% year-over-year, new sites ranging from small blogs like Stratechery to huge sites like FiveThirtyEight continue to launch and grow, and multiple startups (and competitors!) continue to find writing something worth investing in.

So is the web dead or not?

I don’t think so, for a few reasons:

• The total amount of time spent on a computing device (especially mobile), has and continues to grow significantly. This means that many of the activities on our phones, app or not, are additive to what we previously used a computer for. This makes sense: what makes mobile such a big deal is that instead of a computer being a destination device, it’s now a companion that goes with us everywhere. This is how you square the fact that apps seem to dominate usage even as writing on the web continues to grow. When the entire pie is huge and getting bigger, the total size of any particular slice grows as well, even if it becomes relatively thinner.
• Although apps take up a huge percentage of total time, a significant percentage of app time is dominated by just two categories: games (32%) and social networks and messaging (28%). In fact, the more interesting juxtaposition raised by Flurry’s numbers is not apps versus web, but games and social versus everything else.YouTube and other entertainment apps form a solid percentage of what is left (8%), but the remainder is a mishmash of utilities, productivity, the aforementioned news, and, of course the web, which could be anything and everything.
• The single most exciting development when it comes to writing on the web is the democratization of publishing. It it now trivial to start a blog, whether on WordPress.com or another provider, and that has led to an explosion of content. As I wrote on Stratechery in FiveThirtyEight and the End of Average:
  

  Most of what I read is the best there is to read on any given subject. The trash is few and far between, and the average equally rare. This, of course, is made possible by the Internet. No longer are my reading choices constrained by time and especially place.

  Why should I pick up the Wisconsin State Journal – or the Taipei Times – when I can read Nate Silver, Ezra Klein, Bill Simmons, and the myriad other links served up by Twitter? I, and everyone else interested in news, politics, or sports, can read the best with less effort – and cost – than it ever took to read the merely average just a few short years ago.

  While there is still a lot of work to be done on discovery (I mostly use Twitter, but admit the learning curve is steep), I already find the idea of being constrained to any one channel for reading to be laughably old-fashioned. And yet, that’s exactly what an app is: a single channel for one publisher’s content. Contrast this to the web, where any given piece is available instantly by simply clicking a link.

There is no question that apps are here to stay, and are a superior interaction model for some uses. But the web is like water: it fills in all the gaps between things like gaming and social with exactly what any one particular user wants. And while we all might have a use for Facebook – simply because everyone is there – we all have different things that interest us when it comes to reading.

That’s why very few of us devote all of our reading time to a single general interest newspaper these days, and that’s why we at WordPress.com have no intention of pushing anyone to any one particular platform or app. Instead our focus is on enabling and empowering individuals to create new content that is at home in the mobile browser, the WordPress.com app, Facebook or Twitter webviews, or any other channel that makes sense for the reader. Let the water flow to exactly where it’s needed! That’s the power of the web, and now that a computer is with us in so many more places, we need that flexibility more than ever.

You can read more of Ben Thompson’s writing on his excellent WordPress-powered blog Stratechery, one of my favorite sources for the “why” behind the news.

See also: John Gruber on Rethinking What We Mean by ‘Mobile Web.’

Varying Vagrant Vagrants is likely the most popular Vagrant configuration for setting up a WordPress development environment. VVV makes it easy to create new WordPress installations for developing themes and plugins as well as contributing to core.

One of the most time-consuming aspects of testing and reviewing WordPress themes is setting up a test site with all the necessary development tools. WordPress Theme Review VVV is a vagrant setup created by Aubrey Portwood. It completely automates the process of setting up your development site and tools for theme review.

How to Set Up WordPress Theme Review VVV

This tutorial makes use of an existing VVV setup. If you haven’t yet installed it, check out the VVV project page on github and follow those instructions to get up and running.

Step 1: Switch to your VVV installation’s www directory.

cd www

Step 2: Clone the WordPress Theme Review VVV project to a wordpress-themereview folder.

git clone git://github.com/aubreypwd/wordpress-themereview-vvv.git wordpress-themereview

Step 3: Re-provision your VVV.

vagrant provision

Step 4: Visit your new theme review development site.

http://themereview.wordpress.dev

Login Credentials:
user: admin
password: password

Here’s what the WordPress Theme Review VVV script does:

• Creates a /vagrant-local/www/wordpress-themereview/htdocs folder with a fresh WordPress install
• Creates a data base wordpress_themereview database.
• Installs and activates the Developer and Theme-Check plugins
• Imports the Theme Unit Test data

You are now ready to start testing WordPress themes. When you want to start over, simply delete the htdocs folder in the wordpress-themereview directory.

The ability to create test environments in a flash makes theme testing less of a chore. Using this VVV setup takes a fraction of the amount of time it would normally require to get a theme development environment set up with all the plugins and test data required. If you’re a WordPress theme developer or part of the Theme Review Team, give the WordPress Theme Review VVV setup a try to see if it can make your workflow more efficient.

Disqus announced it is testing out a new advertising technique in the form of sponsored comments. According to the post, the experiment has been going on for at least a month and based on the results, is expanding it across the service. The sponsored comments are clearly marked as such and can contain any type of media to get the point across. Here is what the comments look like minimized and expanded.

Disqus Sponsored Comments

Disqus says the sponsored comments are based on a feature launched earlier this year called Featured Comments which gives publishers a chance to highlight the best comments within a conversation. This is a great feature for publishers as long as the featured content is not an ad. Sponsored ads are not set in stone and the service is still working on the overall experience concentrating on the quality, positioning, and feedback of the ads. Disqus says sites that have ads disabled will not see the sponsored comments.

Using A Third-Party Service Takes You Out Of The Drivers Seat

Back in March, we discussed what the future looks like for comments within WordPress. More and more sites are opting to use a third-party service to power their comments instead of using the native solution built into WordPress. It’s easy to see why when you consider the large amount of plugins it would take to duplicate the functionality third-party services offer such as featured comments and comment voting. But the downside to using a third-party as a publisher is that you’re attached to their leash.

photo credit: Suki♥! – cc

In 2012, Disqus turned on a new feature called Discovery. Many viewed the feature as a form of advertising but the point is that it was enabled automatically for each site it rolled out on. By using a service to power your comments, you could wake up one day to see an entirely new commenting form or a host of new features that ruin the experience on your site.

I Declare Comments An Ad-Free Zone!

The reaction to the new feature within the comments of the announcement is lukewarm at best with more questions than answers. I commend Disqus for at least being upfront with their users and explaining that it’s an experiment. By communicating the experiment upfront, it should prevent a flurry of angry users demanding to know why advertising is showing up on their site without their explicit approval.

The comment section of a website is where the magic of community happens. It’s where the reader gets a chance to voice their thoughts and opinions and interact with the author. In the case of WPTavern, it’s been a rewarding experience over the years with a lot of interaction in the comments.

There are many areas on a site to place advertising and the comments shouldn’t be one those. Unless they are brought up by a commenter within the conversation, advertising cheapens the interactive experience. They also make the site look amateurish just like most other forms of advertising do.

I don’t care how relevant the ad is, I wouldn’t want any part of it showing up in the discussion. If not executed correctly, one sponsored comment gives the appearance that a spam comment got through the filter. Comments are an important part of the experience on many WordPress sites and they’re generally filled with more information about the topic being discussed. I doubt a sponsored comment would be able to add anything meaningful to a conversation.

Do you use Disqus? If so, what do you think about this new feature? Is it something you support or will you have no part of it on your site?

The WordPress theme club known as DevPress has been sold to an unknown buyer for $14k. Launched in 2010, DevPress began as a WordPress collaboration project between Ptah Dunbar, Tung Do (aka Small Potato), Patrick Daly, and Justin Tadlock. Over the past four years, the company has experienced ups and downs. For example, in 2011, the company launched a theme and plugin review service that didn’t last long and was eventually phased out. In late 2011, Tung Do became the sole owner of DevPress.

Do cites financial and health issues as the primary reasons for selling the site.

For the past four years, through thick and thin, I did not want to sell this site. WordPress theme development is one of the few things I love, but I’ve not have had time to run this site properly and my wife has been sick for the past few months. I’ve already taken a loan 2 months ago, but her medical bills are stacking up. Obviously, I love my wife more so I’ve decided to sell.

This Isn’t The First WordPress Site Do Has Sold

Selling websites is not unfamiliar territory for Do. In 2008, he sold his popular site WPDesigner.com for $65k. Unfortunately, the result of that sale was a front page filled with webhosting affiliate links.

While the new owner of DevPress has yet to be named, Do says the new owner is someone he would trust to take over the site, “He is someone I would trust because he is competent in WordPress, is involved in giving back to the community, and has a more consistent track record than I do.” Do also said it will make sense when we find out who the new owner is. “When the deal is finished and you know who it is, it’ll make sense.”

Lessons Learned From Four Years Of Experience

I asked Do what lessons did he learn and what advice can he share from his four years working for DevPress. He said:

Innovation/bold-ideas doesn’t pay if you don’t succeed and patent it so focus on progress, consistency, and improving things most people find useful. Let others innovate and learn from their mistakes without having to pay the price yourself.

It’s unclear whether this is his last attempt to have a successful, sustainable, commercial theme business. After exchanging a few emails, I get the sense that he is changing his career path to go outside of WordPress. It’s unfortunate because I think he is one of the most talented designers within the WordPress community. I hope that he finds happiness and stability wherever his path leads him.

Who do you think the new owner of DevPress is? Let us know by leaving your best guess in the comments.

photo credit: Your petite tune – cc license

Last.fm never really caught on as a music service, but its scrobbling capabilities are still widely used. Its subscription streaming radio service will be retired at the end of this month in favor of on demand integration with Spotify and a new YouTube-powered radio player. Last.fm’s scrobbling service will also continue to live on.

P2 Jams is a new WordPress plugin that makes use of Last.fm scrobbling to allow project and team members to share the music they are listening to simply by linking up a Last.fm username.

From my tests with the plugin, it seems that it only displays music that a user is currently listening to and does not keep a backlog of tracks. The widget aggregates the “now playing” tunes from all users on a P2 blog who have entered a Last.fm username into their profiles.

Users can get more information about each tune by clicking on the link for the track. This takes you to Last.fm’s entry for that particular song, which provides album and historical information as well as a link to Spotify.

As the plugin didn’t have many instructions, here’s a quick walkthrough of how to use it. P2 Jams is available on github from WordPress developer Scott Basgaard. When installing a plugin from github, I usually download it, unpack it and then rename the plugin’s folder to remove “master” from the name.

Once installed, there are no settings to configure. Each member of the site will now have the option to enter a Last.fm username on the profile edit screen located at wp-admin/profile.php. Drop the P2 Jams “Who’s Jammin’?” widget in to the sidebar of the theme to display the tracks that team members are currently enjoying.

P2 Jams is entirely dependent on having a Last.fm username. If you don’t have one, you’ll need to sign up for a free account. In the unlikely event that you still listen to music on the Last.fm website, your username will automatically send your current tracks to the widget on the site.

If you’re using Spotify as your music service, you’ll need to enable scrobbling to Last.fm. This is done via Spotify’s Edit >> Preferences menu.

P2 Jams is a creative way for team members to connect and discover new artists. If your team loves music, this unique plugin can help foster a sense of community and add a little fun to your P2 collaboration.