WordPress.org

Last year WordPress developer Hardeep Asrani and the folks at ThemeIsle released Custom Login Customizer, a plugin that allows users to design their own login pages in the customizer. Since that time core developers have made more progress on the customizer roadmap, allowing for more varied uses outside of a theme-related context.

Last week the ThemeIsle team debuted Advanced CSS Editor, a new plugin in its arsenal that demonstrates another exciting use for the customizer. It makes use of postMessage transport to offer live previews of CSS changes while a user is writing them in the customizer. The plugin also allows users to write CSS for different device screen sizes, including desktop, tablet, and mobile phones. The demo below shows a screen capture of the plugin in action on my test site:

Seeing CSS edits updating in real time, instead of switching back and forth between a file editor and the frontend, was a refreshing experience. Having the ability to quickly write and preview media queries is also a convenient feature.

Although many core contributors are not fond of having a file editor in WordPress, the feature has yet to be removed. Using the Advanced CSS Editor plugin makes you wonder what the core file editor might look like in the customizer, at least for CSS files.

In the past, the customizer’s paint brush admin icon seemed like an ambitious stretch for a feature that, up until recently, felt clunky and slow to render previews. But recent advancements like selective refresh will help to make the customizer provide a true live preview experience.

The Advanced CSS Editor plugin is a good example of how fast previews can be in the customizer and how much of a better experience it offers over similar plugins that require multiple clicks to refresh.

On this day in 2011, Jetpack, the project formerly known as “.org connect” inside Automattic, was released to the public. At the time, the team consisted of five people. Today, there are more than 50 people on various teams within the project, including, support, user experience, growth, and development. It’s also active on more than 1 million sites.

To celebrate the occasion, Jesse Friedman, Experience Advocate at Automattic, shares four unique stories from people who rely on Jetpack for their sites. The stories include a food blogger who uses 20 different modules, a developer who manages a number of sites, a new user who discovers the benefits of Photon, and a convert who prefers Jetpack over clunky alternatives.

Jetpack’s support team is also celebrating its fifth birthday. According to Carolyn Sonnek, Happiness Rocketeer for Jetpack, the support team responded to over 93,000 support messages between email and the forums last year.

In addition to Jetpack’s birthday, the site’s domain has moved from Jetpack.me to Jetpack.com. Automattic purchased the domain in December 2015, from Jetpack Design of Santa Monica, CA. According to domain appraisal service Estibot.com, its estimated value is $51K.

Interview With Jesse Friedman

Friedman describes his journey working on Jetpack and shares what he’s learned since joining the team.

How long have you been on the Jetpack journey and what’s it been like?

I started using Jetpack in the Spring of 2012. I was working as the Director of Web Development at a web development and marketing company. I needed several different tools to round out the WordPress environment I was building to house a 2,000 site multisite that was growing by 50 sites a month.

All of us on the team agreed that Jetpack solved a lot of different needs for us in one convenient plugin. As developers, we loved the out of the box features like Sharing, Publicize, and Monitor, and our clients loved Stats.

In 2014, I left that company and joined up with the BruteProtect team. We worked hard to build a great security plugin that has been implemented on millions of websites. Later in 2014, we were excited to receive the news that we were joining the Jetpack team to continue BruteProtect as a Jetpack feature. Released last year, Jetpack Protect guards our users from malicious and brute force login attempts. It was truly something special to go from being a big fan of Jetpack to being on the team at Automattic.

What are some things you have learned through Jetpack development that have benefited you in other areas?

In the last 18 months, I’ve been doing a lot of work around the experience users have with Jetpack. Everything from individual features, to the connection process, to our website and how we communicate with our users. I’ve learned a lot about Jetpack and our community. The main thing being that, while Jetpack provides a lot of value to professionals and veterans, it is just as, if not more important for new users.

Do you think Jetpack is a key component to WordPress reaching 50% market share?

The WordPress community as a whole is growing so quickly. Hosts provide really simple tools to build a WordPress website with a single click or even no clicks at all. That means that WordPress and Jetpack have to be just as intuitive and work to improve the new user experience.

This is especially important when we consider growing WordPress’ market share. I think everyone who builds something for WordPress, or publishes on WordPress, or organizes WordPress community events, are critical to growing to 50% or beyond.

Any WordPress tool or plugin that can help a user build their website faster while providing maintenance tools like Manage or security tools like Protect is going to play an important role in the growth of market share.

Jetpack specifically, is in a unique position because we can leverage the WordPress.com infrastructure and network to build extremely powerful tools (like a global CDN) in an otherwise simple interface. Not to mention Jetpack’s popularity, it’s one of the most popular plugins across all of WordPress. Which is reinforced for me as I spend more and more time with our users, who are quite happy.

Paid Services in Jetpack Remain at a Minimum

Jetpack has come a long way since its inception but it’s interesting to look back at 2011 and review what some in the WordPress media world had to say about it. Ryan Imel, of WPCandy.com, looked into new opportunities for Automattic as Jetpack provided a direct line into millions of self hosted sites.

Jetpack is now a direct line in to WordPress.org Dashboards for Automattic. When (not if) Automattic releases a new software as a service, a simple update to Jetpack will bring that news in front of a serious number of WordPress.org users. This is a big step for Automattic, since up to now their reach has been mostly within the walls of WordPress.com. Now Jetpack is not only available for anyone to use, but it will come preinstalled with one-click installs of WordPress with a number of hosting providers.

Jetpack’s goal was to provide many of the useful features on WordPress.com to self-hosted users and while it does that, the business portion of the plugin can’t be ignored. Automattic owned services VideoPress and VaultPress are presented to millions of users who may otherwise not have known about them.

Today, Jetpack contains only two modules that require a paid subscription, VideoPress and VaultPress. So while it would be easy to increase Jetpack’s revenue generating capabilities by cramming it with commercial services and paid add-ons, Automattic has not done so.

At the end of the post, Imel asks a question that couldn’t be answered at the time, “In a large sense, what does Jetpack mean to the world of WordPress?” Fast forward five years later, we know that it’s a key component that’s helping WordPress move towards 50% market share.

Jetpack Pride

The five year mark is a great milestone for any plugin and a great time to reflect. In Jetpack’s five year existence, Matt Mullenweg, WordPress co-founder, says what he’s most proud of, “I’m most proud of the fact that people who start using WordPress and Jetpack at the same time are more likely to be using WordPress a month later. It brings us closer to WordPress’ over-arching goal of democratizing publishing, giving users the ability to have the best of both worlds: open source and cloud.” Mullenweg said.

Share Your Jetpack Story

The Jetpack team is looking for feedback on how it’s saved you time, help you build websites faster, helped optimize your sites, etc. You can share your story by publishing it in the comments of this post or by using the #JetpackTurns5 hashtag on Twitter. One of my favorite stories so far is from Cecil Rainon who discovered WordPress through Jetpack and now works for Automattic.

Discovered WordPress through this plugin and I'm now a proud Automattician! https://t.co/r0yCKYzqmI via @jetpack #jetpackturns5

— Cécile (@cecile_rainon) March 9, 2016

We use a number of modules to provide basic functionality such as contact forms, custom CSS, Likes, Protect, and more. In fact, every module except for five are activated on the Tavern. Using one plugin that handles a lot of the functionality we use on a daily basis is easier to maintain than using a number of separate plugins.

Happy birthday, Jetpack and here’s to five more!

Today the Jetpack plugin turns five years old. Who woulda thunk it? It’s one of the most popular plugins in WP history, and sites that include it as part of their WordPress install are more likely to to have engaged and active users — we’ve even seen it reduce churn on major web hosts. While there’s been a lot that’s happened in the Jetpack plugin so far, what’s around the corner has me even more excited. P.S. Check out that new domain.

Today Andrew Ozz, one of the maintainers on WordPress’ core Editor component, announced some major improvements coming to the links modal in the 4.5 release. Currently, when adding a link to text in the visual editor, a modal launches where you can paste in the URL, add link text, and set the target to open in a new window. The modal also expands to let you search for and link to existing content.

The TinyMCE link modal in WordPress 4.5 will allow for inline editing. It can actually detect when a user is entering a URL or attempting to search for one. The search uses jQuery UI Autocomplete, making it fast and easy to search through existing content. The gears icon launches the full modal with advanced options to set the target and title attribute.

The links modal improvements are the result of WordPress core contributor Ella Iseulde Van Dorpe’s work on a ticket opened to make this UI similar to the way Google Docs handles links. The experience of linking in the visual editor is now tighter and much more elegant and intuitive. This is one of the many small, yet impactful ways that WordPress is improving with each incremental release.

Gary Pendergast is looking to bring WordPress users a new way of giving feedback on posts that goes beyond simple text-based comments. A core committer and emoji aficionado, Pendergast spearheaded the effort to add emoji support to WordPress and is now working on an emoji reactions feature plugin.

The plugin is being developed to offer reactions that are similar to those available in Slack and Facebook.

“It works much the same way as a Like button, but provides a wider range of reactions so readers can give more nuanced feedback without needing to go to the effort of leaving a comment,” Pendergast said. “This also allows readers to provide the same level of interaction in situations where a ‘Like’ is an inappropriate message to send, as Eric Meyer describes in his post about Inadvertent Algorithmic Cruelty.”

The Reactions plugin is available on WordPress.org as a proof-of-concept with basic features:

• Allows for reactions to posts
• REST API endpoints for storing and retrieving reactions
• An exceedingly ugly emoji selector

The plugin is under active development but those who want to get involved testing it early can log bugs on the project’s GitHub issues queue. Reactions requires the WP REST API plugin. Once both are installed, you’ll see an emoji reactions button beneath the post content.

Clicking on the button will expand a panel of emoji reactions. The emoji picker UI is very basic but Pendergast is still investigating different options for display.

The post on the make/core blog immediately drew heated criticism and opposition. One of the more restrained reactions from @chatmandesign praises the idea for personal blogs but discourages its development beyond a plugin:

I have to agree with what rapidly seems to be becoming the general consensus: Great idea for a plugin – if I ever setup my own personal blog, I might even use it – but I can’t imagine why this would be considered for Core. I would end up having to disable it on nearly every website I build, which are primarily business websites where this sort of goofy element would simply be inappropriate.

Others commented that while it may not be a good candidate for core, having a canonical plugin for handling emoji reactions could be beneficial for the community.

Pendergast responded to critics by reiterating the casual exploratory nature of the project.

“Right now, it isn’t being considered for Core – it’s being explored as a possible feature in the future,” he said. “The idea still has to prove itself in terms of usefulness, usability, and general appeal. In terms of how close this is to landing in Core, it’s about the same as a new ticket being opened on Trac.”

Thanks in large part to mobile devices, emoji are now inescapable staples of modern communication for digitally connected people. Even so, the question of bringing emoji reactions into WordPress core may prove to be a deeply polarizing issue.

In one camp you have emoji fanatics who would go so far as to create a 25,000+ character emoji translation of Alice in Wonderland. On the other side are equally impassioned emoji haters who think the characters are unimaginative and that using emoji perpetuates “linguistic incompetence”.

If the Reactions feature plugin makes it to the core proposal stage, the WordPress community will be in for some interesting debates. If you want to get in on the fun of emoji reactions and lend a hand to the project, you can join the #feature-reactions channel in Slack. Development of the plugin will continue on GitHub and will be periodically pushed to WordPress.org.

Today the WordPress.com VIP team released a plugin for Facebook’s Instant Articles, which will be open to any publisher starting April 12, 2016. Automattic partnered with Facebook and VIP-Featured-Partner agency Dekode to produce a plugin that outputs a compliant feed of posts wrapped in the required markup for Facebook.

Instant Articles for WordPress is now available on GitHub and is also coming soon to the WordPress plugin directory.

Publishers must go through a review process to ensure that their posts are properly formatted and compliant before being allowed to push content via Instant Articles. Once approved, articles will load nearly instantly on mobile devices. According to Facebook, the speed is as much as 10 times faster than the standard mobile web.

“We had heard from a lot of WordPress publishers that they were eager to try out the Instant Articles program — based on the speed and user experience optimized for Facebook’s audience,” VP of Platform Services at Automattic Paul Maiorana said. “It’s still quite early, but we wanted to move quickly to ensure that WordPress and WordPress.com VIP publishers can take advantage of Instant Articles as soon as it opens up to everyone. And we were excited to work with Facebook to help make that happen.”

Facebook is working to create the best news feed on the web. More content delivered instantly means more advertising revenue for the social network. Publishers that make their content available via Instant Articles also have the opportunity to earn advertising revenue. If publishers sell their own ads, they get to keep 100% of the revenue. If they opt to use the Facebook Audience Network, they keep 70%.

Automattic’s open source Instant Articles plugin does not have built-in options for serving ads. According to Maiorana, further customization will be left up to the publishers.

“The new plugin is meant to be a starting point for publishers, from which they can customize design, advertising options, and which articles they choose to syndicate,” Maiorana said.

Instant Articles is not yet available to WordPress.com users, but Maiorana said that it’s something they will explore in the future.

Instant Articles Is Geared Towards News Publishers

You may be wondering if your brand or business should use the new plugin and start pursuing the approval process with Facebook. The current implementation of Instant Articles is not for everyone. A Facebook spokesperson told Contently:

In April, Instant Articles will be open to any publishers that wish to join, but it is primarily designed for news publishers. While other types of publishers will have the option to create Instant Articles, in many cases there are other formats on Facebook that will better serve their needs.

Facebook’s algorithm is likely to prioritize Instant Articles, as faster-loading articles are shared more often.

However, publishing to Instant Articles requires no small amount of technical skill, especially if you’re not already on a platform like WordPress that offers support via a plugin. Even with the help of Automattic’s plugin you still need to make a number of customizations to add branding and advertising while the underlying APIs are still in flux.

Publishers will need to decide how much control of their content they are willing to give up to Facebook in exchange for articles that load instantly. Funneling readers to Instant Articles hosted on Facebook has the potential to undermine direct mobile traffic. Facebook is also notorious for its censorship. What will Automattic’s response be to its partner if Facebook decides to censor WordPress publishers on its network? Maiorana wouldn’t directly answer this question.

“Our goal at WordPress.com VIP is to help publishers have the tools and the freedom to make their own decisions — and to move quickly in experimenting across platforms,” Maiorana said. “This is another new way for them to do that.”

New mobile publishing channels like Instant Articles and Google’s AMP project require developer resources for publishers to get on board. Both of these tech giants are clawing for content distribution. They each have their own unique requirements that publishers will have to meet to in order to have their content found and prioritized. Each publisher will have to decide whether the improved speed, exposure, and/or ad revenue will be enough to make these efforts worthwhile.

WPCampus, a WordPress event geared towards non-profits and higher education, will take place on July 15-16, 2016 in Sarasota, FL at the University of South Florida Sarasota-Manatee campus. The team is looking for speakers and sponsors. Speakers who are accepted will receive free admission and swag.

Organizers are open to stories as they relate to WordPress and education. According to the site, the intended audience will include faculty, students, developers, site designers, devops/sysadmins, content developers, instructional designers, marketing and admissions people, and institutional leaders. The team is most interested in case studies, conceptual discussions, best practices, and works-in-progress.

If you’re interested in speaking at the first WPCampus, speaker submissions close at midnight EST on March 21, 2016. WPCampus is not affiliated or endorsed by the WordPress Foundation and is its own community run entity.

Over the years, we’ve told users that the WordPress plugin directory is the safest place to download and install plugins from. This is due in large part to the dedication of volunteers who act as gatekeepers and review plugins before they’re added to the directory. Plugin updates, however don’t receive the same scrutiny as there’s too many of them.

Sucuri Security representative Denis Sinegubko, published an in-depth post that explains how an update to the Custom Content Type Manager plugin, which is active on more than 10k sites, turned into a security nightmare for some users. Custom Content Type Manager enables users to create custom fields for dropdowns, images, and more.

According to Sinegubko, a user by the name of Wooranker was added as a maintainer on February 5th. Wooranker is also listed as a contributor to the Postie plugin but according to its author, Wooranker does not and will not have access to change the source code. On February 19th, Wooranker pushed out an update that included the CCTM_Communicator.php file and inserted new code into the plugin’s index.php file.

On March 1st, MartinCDS created a thread in the plugin’s support forums and reported the following:

I recently updated a few of my sites and since then my site was hacked. According to my log files the code was injected via custom-content-type-manager/auto-update.php. I navigated there and there is a form input. Please fix this in the next update. I don’t see a reason for an automatic update anyways- this is a known vulnerability by hackers.

Other users also reported that their sites had been hacked due to the auto-update.php file. This file allowed the attacker to upload a c.php file into the plugin directory. The c.php file was used to create a more sophisticated attack shell named wp-options.php in the site’s root directory. The c.php file was deleted once wp-options.php was created, making it harder to detect.

Custom Content Type Manager is Fixed

Samuel ‘Otto’ Wood, who helps maintain WordPress.org, left a comment on the article acknowledging that the plugin has been fixed on the directory:

The plugin has been updated to 0.9.8.9, which is a copy of 0.9.8.6 (the last good version). This will remove the malicious code from the plugin, but not any code that was added to sites in the meantime. Please follow through with the Mitigation steps given by Denis in the post.

To learn how the attack works, insight into who Wooranker may be, and to see a list of mitigation steps, I encourage you to read the post.

A Concerning Reminder

I feel bad for those who updated their plugins from a trusted source only to make their sites vulnerable to attack. Unfortunately, there is no way to prevent situations like these from occurring unless every line of code for each update is scrutinized by a security professional, but that doesn’t scale.

This doesn’t detract the trust I have for the WordPress plugin directory but users need to realize that what happened with Custom Content Type Manager can happen to other plugins as well. Your best defense is to use security scanning software of your choice that keeps track of file changes and to make routine backups.

An interview I did with the Irish Times when I was in Dublin is now live.

Magnus is a beautiful new photoblogging theme that landed in the WordPress Theme Directory last week. It was created by Hugo Baeta, whose work you may have seen in the WordPress.com design handbook and last year’s subtle refinements to the default admin color scheme. Magnus is Baeta’s first theme to be approved for the official directory.

The theme puts the spotlight on your photographs with full-width featured images for posts. If the homepage is set to display posts, the most recent post’s title and featured image will show at the top of the page.

Baeta applied a unique pulse effect to the full-width images using CSS3 keyframes animation with the scale property. The resulting effect almost makes it appear as though you are traveling through the image. The theme also includes several other subtle, tasteful CSS animations for menus, toggling, and page transitions.

If the homepage is set to display posts, they will tile uniformly under the most recent one with titles and featured images.

Baeta’s careful attention to typography is evident in the highly readable single post design. Magnus uses a combination of Google fonts – Karla for paragraph text and Montserrat for headers.

The theme includes one widgetized area, a sidebar that can be toggled into view from the right side of the screen. The sidebar slides smoothly into view and is semi-transparent, which makes for a less jarring experience than other similar sidebar implementations.

Left, right, and centered overhanging pull quotes can be easily created by aligning blockquotes to either side or the center.

One thing I appreciate about this theme is that it makes almost all of the design decisions and allows very few design-related customizer options. You can change the header image and the header text color, but that’s it. The design is all about showcasing your images.

If you need your content to make a big impact, Magnus is solid option that doesn’t require configuring a long list of options. You can download it for free from WordPress.org or via your admin themes browser.

In our first episode in more than a month, Marcus Couch and I discuss the latest WordPress news, including a preview of WordPress 4.5. I share my experience taking a month off away from WordPress and the lessons learned in doing so. This show is a little rough around the edges but we’ll be back to our normal selves starting next week.

Stories Discussed:

WordPress 4.5 Beta 1 Released
WordPress 4.5 to Introduce Native Support for a Theme Logo
Poetica Acquired by Condé Nast, Open Source WordPress Plugin Will Be Discontinued
Stripe Payment Gateway for WooCommerce Is Now Available for Free
Automattic Adds AMP Support to WordPress.com, Releases Plugin for Self-Hosted Sites

Plugins Picked By Marcus:

Migrate Ninja Forms to Gravity Forms is a plugin that does exactly what it’s name implies. It migrates content from Ninja Forms to Gravity Forms.

AMP Analytics extends Google’s AMP to allow you to add analytics to your Accelerated Mobile Pages.

PageLines Platform 5 is a complete drag-and-drop editing system. It works with any standard WordPress theme.

WPWeekly Meta:

Next Episode: Wednesday, March 9th 9:30 P.M. Eastern

Subscribe To WPWeekly Via Itunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #224:

There’s a lot of great WordPress content published in the community but not all of it is featured on the Tavern. This post is part of a new series where I share an assortment of items related to WordPress that caught my eye but didn’t make it into a full post.

Automattic Stands with Apple

In light of the recent court order issued against Apple in the San Bernardino case, Automattic has taken a stand with Apple by joining other influential technology companies in filing an amicus brief in support of Apple’s legal challenge.

The court order requires Apple to write code that acts as a backdoor and weakens security on iPhones. Automattic’s transparency blog explains why they’re siding with Apple:

Like Apple, we respect the rule of law, and honor the valid government orders we receive to furnish data in connection with criminal investigations. But deliberately weakening information security, as Apple has been asked to do here, is a step too far that makes everyone less safe.

Undermining security measures – even in situations where there appear to be good intentions – will inevitably have unintended consequences for regular people.

We stand with Apple in both condemning terrorism and defending the privacy and security of our users. If Automattic was faced with a government order like the one issued in San Bernadino, we, like Apple, would do everything within the law to challenge it. That’s why we’re joining with a sizable group of leading tech companies today to support Apple in this case.

If you’d like to learn more about why the court order is a terrible idea, check out the full legal brief submitted by Automattic to the United States District Court.

The Ethics of Sharing GPL Code

Tom McFarlin shares his thoughts on working with clients, educating people, and sharing GPL code from client projects. If you’re a consultant, how do you convince clients to give you permission to release code they pay for and you write to the public under the GPL?

After reading the post, check out this comment left by Darrinb.

Gravity Forms Becomes 2nd Gold Partner

Around this time last year, Scott Kingsley Clark launched a new sponsorship program called Friends of Pods. The funding is used to decrease private development of Pods and focus more on Pods core, related plugins, and integrations. Gravity Forms, the popular form creation plugin created by Rocketgenius is the second gold partner in the program.

In addition to the partnership news, the Pods Gravity Forms add-on is now available on the WordPress plugin directory.

ActiveDen is No More

ActiveDen, a site where people could sell Flash assets and was the first site in the Envato Marketplace has officially closed its doors. The company shut it down in order to focus on things that have more impact.

To learn more about the history of ActiveDen, I encourage you to watch this 45 minute video featuring Collis Ta’eed where he talks about the first six months of Envato.

SIDEKICK Partners With ThemeForest

SIDEKICK announced it is in a trial partnership with 19 ThemeForest authors. The partnership enables customers to view interactive tutorials from within the WordPress dashboard. According to the announcement, the test aims to alleviate some support pain for authors.

Calypso’s Contributor Code of Conduct

Codes of Conduct are not limited to events. Many open source projects have implemented them as a way to provide a base line of expectations from those who participate in the project. WordPress core contributor, Ryan Boren, shared a link to Calypso’s Code of Conduct on Github which explains the expectations project maintainers have of contributors.

Open source contribution is onboarding flow 4 the future of work in a software eaten world. It has codes of conduct. https://t.co/isXa7S1WTh

— Ryan Boren (@rboren) March 3, 2016

Coen Jacobs on Bundling Libraries in WordPress

Coen Jacobs explains why bundling libraries is not overhead but a best practice. It’s another post in a series from Jacobs on the issue of handling dependencies in WordPress.

WordImpress and Media Temple Partnership

The WordImpress team announced on its site that it has partnered with Media Temple as WordPress Community Consultants. In exchange for information about customer needs, Media Temple is enabling the team to sponsor, attend, and speak at more WordCamps this year.

Happy Birthday Wapuu!

In what is a traditional part of this series, I end each issue featuring a Wapuu design. For those who don’t know, Wapuu is the unofficial mascot of the WordPress project.

In honor of Wapuu’s recent birthday which is February 19th, I present Birthday Wapuu. I hope you’ll join me in wishing Wapuu a happy birthday!

That’s it for issue three. If you recently discovered a cool resource or post related to WordPress, please share it with us in the comments.

Version 3.1.8 of the Akismet plugin for WordPress is now available.

This update improves compatibility with plugins that rewrite admin URLs. It also reduces the amount of space Akismet uses in the database and reduces the size of the Akismet API requests. A fix is also included for a bug that could have caused comment moderation emails to be sent for some comments that were caught as spam.

To upgrade, visit the Updates page of your WordPress dashboard and follow the instructions. If you need to download the plugin zip file directly, links to all versions are available in the WordPress plugins directory.

In September of 2015, Joshua Strebel, founder of Pagely, announced that Alex King would be one of the speakers at Pressnomics 4, an annual conference devoted to the business aspects of WordPress. Unfortunately, days after the announcement, King passed away from colon cancer.

Due to health reasons, King would not have been able to attend the event in person. Instead, Strebel flew to King’s house and recorded a 40 minute bedside interview. In the interview, which is edited beautifully, the duo discuss King’s career, lessons learned managing Crowd Favorite, and if Automattic is the empire, who fills the role of Darth Vader.

Jeff Matson who writes and maintains documentation for Rocketgenius and who’s attending the event, describes the crowd’s reaction after watching the interview, “Insightful and full of emotion, where a standing ovation was not only warranted, but mandatory. The crowd’s reaction truly showed how loved and respected Alex King was.”

As I watched the interview, it was difficult not to cry. King passed away 10 days after it was recorded and even then, he had a sense of humor. King is survived by his wife Heather and his daughter Caitlin.

This week the Roots development team released wp-password-bcrypt, a plugin that uses bcrypt instead of MD5 password hashing. MD5’s known and exploited weaknesses have rendered it “cryptographically broken and unsuitable for further use,” according to the CMU Software Engineering Institute.

In a post announcing the plugin, Scott Walkinshaw explained why WordPress’ default MD5 hashing function + salting is insecure:

MD5 is considered “broken” due to its collision vulnerability, but it’s broken more fundamentally for passwords: it’s too cheap and fast to calculate a hash.

bcrypt, on the other hand, is much slower than MD5, making it more expensive to calculate. This stronger method of password hashing is built into PHP 5.5, but WordPress maintains 5.2.4 as its minimum required version. This precludes WordPress from using the newer password_hash function.

Walkinshaw cites a four year old ticket which proposes a way for WordPress to allow plugin developers to more easily change from the salted MD5 method of hashing to the more secure bcrypt. James McKay left a sobering comment on that ticket, advocating that WordPress core move to make bcrypt the default for environments that support it:

bcrypt needs to be made the default, out of the box option on all systems that support it. The idea that WordPress admins should have to go hunting for a plugin or tweak configuration options to do this scares me, simply because most of them won’t unless (a) they are well versed in web security, (b) they know that WordPress uses a weak alternative by default, and (c) they consider it to be an issue worth worrying about.

People often underestimate the seriousness of MD5 and the SHA-* algorithms being “less secure.” They aren’t just less secure: thanks to developments in password cracking in the past few years using GPU- and FPGA- based software, they are totally useless. Programs such as oclHashCat even have an option specifically to crack passwords in WordPress databases — and the rate at which they can do so is terrifying. If you’re not making a strong password hashing algorithm the default, out of the box option, you’re exposing your users to unacceptable and unnecessary risk.

Unfortunately, action on the ticket has been held up due to a UX issue. Discussion on the ticket continues, but contributors have not yet settled on a path for improvement.

“So what is holding up the switch?” Walkinshaw said. “Bureaucracy and the unwillingness to make it happen. The consensus of the ticket is that it’s actually a UX problem. At this point, there is no technical reason why this can’t be done.”

In the meantime, if you want to implement secure bcrypt hashed passwords, you can use the wp-password-bcrypt plugin from the Roots team. It will protect against database compromises. If your WP database fell into the wrong hands, attackers would have a much more difficult time attempting to brute force a bcrypted password versus a MD5-based password.

The plugin re-hashes user passwords with bcrypt when users log in. If a user never logs in, the password remains hashed with MD5. It can also be uninstalled without negative consequences. There are no settings – it simply works in the background.

“We’ve purposely tried to keep the plugin as simple as possible so there are no surprises,” Walkinshaw said. “Obviously we recommend people test out the plugin first, and hopefully put it on a staging site first.”

The plugin can be installed by automatically autoloading it with Composer or by manually copying wp-password-bcrypt.php into your mu-plugins folder. It will also soon be added to Roots’ Bedrock project boilerplate to provide a more secure default.

The inaugural WordCamp Belfast and WordCamp Dublin are now in the early stages of planning. Members of the WordPress Northern Ireland meetup group are collaborating with the Dublin meetup to organize an event in Belfast in September 2016 and one in Dublin in April 2017. The dates have not yet been set in stone but organizers are looking at venues and are gathering all the details and costs to begin work on a budget.

“Ever since first setting up the WordPress Meetup group in January 2014, a WordCamp was always something that we wanted to see – when the time was right,” organizer Mark Smallman said. “Having had the meetup group running successfully for two years, and having been in communication with the Dublin group, we decided the time was right to explore the possibility of running a WordCamp.”

John Walsh, co-organizer of the Dublin WordPress Meetup Group, has applied to be the lead organizer of WordCamp Dublin 2017.

“The goal is to combine our resources and work together to achieve the common goal of bringing WordCamp to Dublin and to Belfast on an annual basis,” Walsh said. “Separately, we have a certain capability but by working together we can accomplish a lot more.”

Since neither of the two groups has previously hosted or planned a WordCamp, Smallman said that it’s a steep learning curve for all of them.

“It helps to have as many and as varied a range of skills as possible on-board to help us get to the summit,” Smallman said. “We hope that once we have #WCBelfast in full swing, some of the same organizing team members can either offer assistance to WordCamp Dublin or take on roles directly within their organizing team. This should help both WordCamps in terms of planning for the future.”

Smallman said that if both WordCamps are a success, the teams will look at the possibility of alternating between Belfast and Dublin in future years.

“Having a team that is spread over the two areas will also help to widen the net of possible speakers, sponsors and attendees for both WordCamps, hopefully helping to make both a success,” he said. “And who knows, possibly both will become regular events on the WordCamp calendar.”

The Wapuu of the North: Growing the Community Spirit in Belfast

Smallman and the organizing team hope the two WordCamps will help to validate and grow the unique WordPress communities on both sides of the border.

“Belfast and Northern Ireland have a wide range of very skilled people in the I.T. sector,” he said. “But up until recently it was lacking when it comes to community spirit within the sector. Slowly, we have seen groups within the area grow and now we have thriving Blogging and PHP groups as well as many others.”

As an expression of community spirit, the Belfast organizing team has already created a wapuu mascot for the event.

“The Wapuu of the North was generously created by Peter of 1440 Design in Belfast,” Smallman said. “Peter works along side Sam Nelson who is on our organizing team. Sam also created our #WCBelfast badge.

“We chatted and bounced a few ideas around for a theme for the WordCamp,” he said. “Game of Thrones was a very obvious choice, and one that none of us could think of a better fit. Northern Ireland has no fewer than a dozen filming locations for the show. We all thought that we could not choose anyone better than the Wapuu of the North to deliver the message that the White Walkers (developers) were on their way!”

Smallman said the team is excited about the venue they’ve selected for hosting Northern Ireland’s very first WordCamp.

“With all being well, we really are planning something very special for our first WordCamp,” he said. “We cannot wait to get moving onto the next stage.”

BuddyPress 2.5.0 “Medici” was released today, named for Medici on 57th, a Chicago restaurant famous among BP contributors for its “Garbage Pizza.” The new BP Email API is the highlight of the release. It allows users to edit BuddyPress emails in the admin and change their appearance in the customizer.

The placeholder text in curly braces, which is replaced with data in the emails, is called a “token.” All available email tokens are listed in the codex. Since BP emails are simply a custom post type, plugin developers can easily hook into BuddyPress’ email system and create new emails that will be triggered by a specified action.

This release also introduces long-awaited support for emoji, which can now be used in activity updates, messages, and group descriptions.

Other highlights of BuddyPress 2.5 include:

• Post Type Comments Tracking – Custom post types show in the activity stream and now, with the BuddyPress “Site Tracking” component enabled, replies to CPT-generated activity items will be synchronized with comments on the corresponding post.
• Twenty Twelve Companion Stylesheet – BuddyPress now has basic styles that will make it fit in seamlessly when activated with the Twenty Twelve theme.
• Autolink Settings for Profile Fields – BuddyPress profile fields can be autolinked to a search of the members directory using the field value as a search term. This release offers as new setting to enable or disable the autolinking on a per-field basis.

34 volunteer contributors worked together to close 95 tickets for the 2.5 milestone. For a full list of all the improvements and fixes, check out the official 2.5.0 changelog.

The team behind the TGM Plugin Activation Library (TGMPA) is working to propose it as a feature plugin for WordPress. Last July contributors on the project opened the discussion on a post calling for feature plugins, and the upcoming 3.0 version is being developed with this path in mind.

Developers use TGMPA to manage dependencies between plugins and themes, as an alternative to bundling a heap of plugin-type functionality into one extension. It walks users through the process of installing plugin dependencies that are required or recommended by the developer. The library is used by 6% of WordPress.org themes as well as a large number of commercial products hosted on CodeCanyon and Themeforest.

TGMPA will require a substantial rewrite in order to make it ready for consideration as a feature plugin. It also needs to be multisite compatible, address a number of usability issues, and be trimmed of extra features to become leaner and more core friendly.

The team behind the project has a survey open to solicit opinions from the community regarding the implementation of these changes. A few sample considerations from the survey include:

• What method should the plugin use to supply dependency information to multisite independently of whether a theme or plugin is active?
• How should the plugin deal with themes and plugins which haven’t yet upgraded to the newer version of TGMPA?
• Should the plugin support plugin download sources other than wordpress.org?

“To me it feels like we need more core team support for it to be properly considered for feature plugin status, so some lobbying behind the scenes is in order,” TGMPA lead developer Juliette Reinders Folmer told the Tavern. “The survey is also part of this as that will give us hard data to use in the discussions.”

The Future of TGMPA Is a More Modular Architecture

Folmer said that regardless of whether TGMPA is approved to become a feature plugin, future development will continue with core in mind.

“Development for v3 will be a lot more modular,” Folmer said. “TGMPA currently is effectively one file with four classes. That makes it easy to include it in themes and plugins (one file), but not as easy to maintain. As v3 will contain some big changes, this seems like a good point in time to change the structure of TGMPA as well.”

With a more modular approach in place, Folmer said that the team plans to split the package into a number of different repositories for development purposes. She has tentatively identified features that would be offered in the core module, and everything else would be supported via add-on modules, i.e.:

• support for bundled plugins
• support for non-wp.org download urls
• support for recommended plugins

TGMPA would also introduce two wrappers – each would function as a layer that will load all the available modules:

• one for continued support for including TGMPA in plugins and themes
• one for TGMPA as a feature plugin

“So no matter what will be decided concerning whether TGMPA will be allowed to become a feature plugin, support for the features of TGMPA as is (but better) will be continued,” Folmer said.

“With the modular development, it won’t be as easy anymore to download ‘TGMPA’ from GitHub, as you’d need to download all the different modules (or use composer / use git submodules),” she said. “I envision the Custom TGMPA Generator to be the way forward for downloading TGMPA as a complete package in that respect.”

Can TGMPA Gain Enough Support from Core Developers to Become a Feature Plugin?

Folmer said that the WordPress core developers she has spoken with are divided on whether on whether its current approach makes it a good candidate for a feature plugin.

During preliminary discussions on GitHub, WordPress core committer Gary Pendergast expressed reservations about requiring too much user interaction during the process.

“The primary goal of plugin dependencies should be that it’s invisible to the user,” Pendergast said. “If there’s ever a point where the user is asked to make a decision, then it’s not ready for core.

“I’ve had a quick read through the TGMPA code,” he said. “I think it’s solving the problem it needed to solve (providing a drop-in library for themes and plugins), but I think we’d need to tie it much more tightly into core for it to be a feature plugin.”

Folmer hopes to address user experience concerns with refinements to the plugin based on feedback from the survey, which will be open until the end of March.

“So far, most responses have been from developers using TGMPA,” she said. “Even though the survey is quite technical, we would very much also like to hear from more end-users.”

With the recent confusion over WordPress.org’s previously unwritten rule banning framework plugins from the official directory, the challenge of managing inter-plugin dependencies is under the spotlight again. The TGM Plugin Activation library isn’t the only possible solution to this problem, but it does have a motivated contributor base that is willing to take up the challenge of solving this problem via a feature plugin. If you want to be part of shaping the roadmap for version 3, make sure to fill out the survey before April 1.

Today the WordPress plugin review team issued a reminder for what they said is a long-standing, unwritten rule: frameworks are not allowed in the official directory. In a post tiled “Please do not submit frameworks,” Mika Epstein outlined the reason behind the rule:

At this time, we are not accepting frameworks as we don’t feel frameworks, boilerplates, and libraries are appropriate for the Plugins Directory. We require that plugins be useful in and of themselves (even if only being a portal to an external service). And while there are many benefits to frameworks and libraries, without plugin dependency support in core or the directory, it becomes another level of hassle for users.

Until WordPress core adopts a way to support plugin dependencies, the plugin review team recommends that frameworks and libraries be packaged with each plugin in a way that doesn’t conflict with other plugins/frameworks/libraries.

The issue was most recently addressed with the CMB2 plugin, which Epstein said was mistakenly approved months ago. CMB2 is essentially a library that makes it easy for developers to build metaboxes, custom fields, and forms. It is exactly the kind of plugin that the previously unwritten rule is meant to block from being available in the official directory. Epstein further clarified the reasons why:

The issue is as follows: Having a framework as a plugin is a poor experience for the user. Not the developer. The user. The user understands “I have an add-on for WooCommerce, I probably need Woo.” They do not always understand “I have plugin Slider Joe. Why do I need Advanced Custom Fields?” In addition, by having a library as a plugin, the onus of version compatibility is now on the person least likely to understand it: the user.

The plugin repository is not, currently, a library or framework repository. It’s not meant like the NPM package manager, or even Composer as a way to define what a plugin ‘needs’ in the same ways for a developer to build a project. The plugin repository is, plain and simple, meant for plugins that users will find useful. Plugins that add functionality to WordPress in a directly inter-actable way.

The confusion lies in the fact that this particular rule has been applied inconsistently for years and has many notable exceptions, including Redux Framework, CMB2, and arguably plugins like Piklist, Titan Framework, Kirki, Options Framework, and many more. These are the types of plugins that don’t really do anything out of the box but are meant for developers to use for building things.

According to Epstein, a few of these plugins have been “grandfathered in” due to oversights in the plugin review process, but the rule stands for new submissions.

“CMB2 and Redux Framework are grandfathered in,” she said. “We don’t let any more in, since a lot of plugins include them inside AS plugins. It’s a mess. Also CMB2 shouldn’t have been approved, which is a different mess altogether. Frameworks are not supposed to be in the repo at this time. Period.”

Another commenter on the most recent post, who recently had his Advanced Term Fields plugin approved, asked, “Are you saying the best way to handle this scenario is to include the parent framework in each child plugin, as opposed to alerting the user that ‘This plugin requires XXX plugin in order to function properly?'”

Epstein confirmed that this is in fact what the team is suggesting:

Currently, yes. That would have been the best way. Since your plugin is approved, though, it’s unfair of us to yank the rug out from under you. While you don’t have a great many users, we recognize when the gaff is us.

The plugin review team has a difficult job and is working with limited volunteer resources. However, the inconsistent application of unwritten rules has led to what appears to be an arbitrary set of guidelines. One thing that would make life easier for both reviewers and plugin developers is if WordPress core adopted a way to manage inter-plugin dependencies. The TGM Plugin Activation team is working on a proposal for a feature plugin, which we’ll examine in depth in an upcoming post.

Poetica announced today that its team and technology have been acquired by Condé Nast. The technology provided realtime “Google-docs style collaboration” in the WordPress post editor as well as a non-WordPress editor available via the public Poetica.com service. As of June 1, 2016, the service will be shut down.

The Poetica team will continue to develop the technology as part of Copilot, Condé Nast’s proprietary publishing platform.

According to CTO and co-founder Blaine Cook, development on the open source plugin will be discontinued, as the plugin is dependent on the Poetica service. Those who have been using the plugin will have no choice but to find an alternative.

WordPress isn’t well-equipped for content collaboration. In fact, thanks to its fancy post locking feature, WordPress is streamlined to enable the opposite of a collaborative editorial workflow. It’s designed for one user to work on a post while locking all other users out.

Additionally, after a post is published, no further collaboration can be made, as the only way to make edits is to push changes immediately to the live copy.

Poetica was one of the few tools that provided a way for editorial teams to write together, allowing multiple WordPress users to view and edit content at the same time. The plugin tracked changes and allowed users to make suggested edits that could be accepted or rejected.

Although Poetica provided a much-needed collaboration tool for WordPress, its founders said they were unable to create a profitable business model around the software:

Up until now, though, we’ve been a small five-person team. We’ve tackled the dual problems of creating a humane, intuitive, and collaborative way to interact with text, on any device and any content platform; and the parallel challenge of creating a viable business model. Unfortunately, these goals were often at odds with each-other, competing for our limited time and attention.

After Poetica.com is shut down, it will destroy any drafts and user data from the site, as Condé Nast has only acquired the software and not the user data. Users will soon be notified via email about how to download a full archive of their drafts ahead of the June 1st shutdown.

In June 2015 Deque, an accessibility consultancy, open sourced aXe, its accessibility rules engine for automated web UI testing. aXe is a compact JavaScript library (~100 KB) that executes automated accessibility tests inside your testing framework or browser. Deque outlined a number of advantages that the aXe library has over previous approaches to automated testing of HTML-based user interfaces:

• It works on all modern browsers
• It supports in-memory fixtures, static fixtures, integration tests and iframes of infinite depth
• It has zero false positives (bugs notwithstanding)
• It is open source
• It is actively supported by a major accessibility vendor
• It is designed to work with whatever tools, frameworks, libraries and environments you have today
• It is designed to be integrated into your existing functional/acceptance automated tests
• It automatically determines which rules to run based on the evaluation context
• It is highly configurable

aXe integrates with Karma, QUnit, Jasmine, Mocha, PhantomJS, and many others – basically any testing framework that supports JavaScript execution.

aXe Extension Adds Accessibility Testing to Chrome Developer Tools

If you’re not using automated testing tools in your projects, the Chrome developer tools extension is the easiest gateway to performing accessibility tests directly in the browser as you’re viewing or building a website or application.

aXe is available as a free extension from the Chrome web store. (Alternatively, it’s also available as an add-on for Firefox.) Once you click “Add to Chrome,” aXe will be available under its own tab in Chrome DevTools panel. It automatically ferrets out accessibility defects and offers details for each violation.

The creators of aXe were invited to contribute the open source library to the W3C WAI Evaluation and Repair Tools Working Group, as the group works to develop a normative set of rules for evaluating WCAG 2.0 conformance.

If you’re working on improving WordPress’ accessibility, the aXe extension can even help perform some of the tests recommended by the Accessibility team. You can log issues by creating a ticket on WordPress Trac or testing patches for existing tickets.

In 2014 the Accessibility team discussed adding automated accessibility testing to WordPress, with Quail.js as one of the frontrunners. The team is just now adding accessibility code standards to the WordPress core handbook. The next step would be firming up a list of requirements for an automated testing tool. aXe might be a new possibility to consider, as it is open source and focused on helping websites meet WCAG 2.0 requirements.

Deque’s mission with aXe is to bring equality to the digital world. They are working to make automated accessibility testing more mainstream with professional web developers. If accessibility is a priority for your work, aXe is a lightweight library you may want to consider for automated testing on own projects.

Last week WooCommerce announced on Twitter that its Stripe payment gateway is now a free product. Prior to this decision, it was priced at $79 for a single license, $99 for up to five sites, and $199 for up to 25 sites.

Exciting product announcement from @stripe (which is also now free for WooCommerce, woo!) https://t.co/kQet52WMbn pic.twitter.com/PzCRoyrgWG

— WooCommerce (@WooCommerce) February 25, 2016

The news coincides with the debut of Stripe’s new Atlas product, which allows foreign companies to incorporate as a U.S. company in Delaware, set up a U.S. bank account, and accept payments with Stripe. Atlas was created to help entrepreneurs start global businesses no matter where they are located in the world.

Automattic had a similar aim of lowering the barrier to entry for WooCommerce when it made the Stripe payment gateway available for free.

“Receiving payments is integral to running an online store,” WooCommerce Product Team Lead Matty Cohen said. “Publishing the WooCommerce Stripe integration for free is one way we are helping merchants to get their stores set up quicker, and to easily receive credit card payments through their stores.

“One of our focuses is to lower the barrier to entry and to assist WooCommerce stores in becoming successful,” Cohen said. “We are excited to be partners in making payment processing globally available for WooCommerce merchants.”

Over the past two years, Stripe has been working to expand its services beyond the handful of countries it initially supported in the US and Europe. Although Stripe is increasingly popular, it cannot yet be considered a global option for accepting payments. It’s currently in private beta for businesses in Brazil, Mexico, Portugal, Singapore, and Switzerland.

Products like Atlas, in combination with the free gateway available from WooCommerce, should serve to bring Stripe availability to more locations around the world. WooCommerce representatives would not comment on whether Automattic is planning on offering more payment gateweys for free.

This week Mandrill announced that it will be discontinuing its free tier for transactional emails. As of March 16th, new Mandrill users will create their accounts through MailChimp and existing users will be required to merge their accounts with a MailChimp account where they will be charged $20+/mo for transactional emails. The deadline for merging accounts is April 27th.

MailChimp is choosing to focus on delivering “personalized transactional” emails that require more design. For those who want to continue delivering utility type emails, the company recommends Amazon SES:

Transactional emails, like password reminders and the myriad email notifications you get after making changes to online accounts, are dead simple. Utilitarian providers like Amazon SES excel at this. Their innovation is mostly focused on increasing efficiency and reducing costs.

Many WordPress developers depend on Mandrill for sending wp_mail() emails in order to ensure delivery and take this load off the server. After MailChimp’s announcement, many are scrambling to find an alternative.

Amazon SES allows users to send 62,000 messages per month to any recipient, as long as you call it from an Amazon EC2 instance. If you already have one set up, this is one of the best options.

Human Made created an open source plugin that makes it easy to change to Amazon SES. Setting it up is as simple as adding a few constants to your wp-config.php file and then verifying your sending domain for SES.

Of course, Amazon SES isn’t the only option. Remkus de Vries wrote a post on transactional email alternatives to Mandrill, which includes MailGun (10,000 emails free every month), SendGrid (up to 12,000 emails free per month), SendIn Blue (up to 9,000 emails/month, 300 emails/day free), and several others. Many of these email services also have corresponding plugins available in the WordPress Plugin Directory.

After leading the do_action( ‘wordpress-charity-hackathon’ ); event in 2014 and 2015 in Cape Town, South Africa, Hugh Lashbrooke is bringing the event to Texas with the help of Austin local David Cole. The Austin WordPress Meetup Group will be hosting the hackathon on April 8th, which will coincide with WooConf.

Participants will spend the day building new WordPress-powered websites for 10 local non-profit organizations. At the end of the day, the following charities will have a new (or revamped) online presence with free hosting:

• North Austin Community Media (aka KXPE-LP)
• The Blood Center of Central Texas
• Refugee Services of Texas
• PelotonU
• Circle of Health International
• Black Fret
• AIDS Services of Austin
• Texas PACE Authority
• Day With Daddy
• Austin Kids First

“What we’re looking for are 5-6 people to sign up for each build team and with 10 build teams that means we’re looking for 50-60 people to get involved and help to give back to the non-profits in the Austin area,” Lashbrooke said. “It’s important to note that the build teams are not just developers – we’re looking for project managers, social media managers, designers and content creators as well as developers.”

The hackathon will be held at the tail end of WooConf and Lashbrooke said he hopes to attract a few WooConf attendees.

“We’re going to make a more direct push to get WooConf attendees to be a part of the event, but right now the sign-up form is open to absolutely anyone,” he said.

As part of the WordPress Community team’s new initiative to standardize certain specialized full day events, the do_action charity hackathon is now fully backed by the WordPress Foundation.

“The Foundation will be on hand to offer support (logistically and financially) where necessary, just like with regular meetup events,” Lashbrooke said. “I will also be putting together documentation on how we organize this kind of event, which will be published on WordPress.org so that other communities can replicate the event type in their area.”

When looking for non-profits to include, Lashbrooke said they don’t only look for organizations without websites. They also look for those that need their online presence improved or otherwise entirely rebuilt.

“That may mean their website works fine, but it doesn’t really cater to their needs (accepting donations, selling goods, encouraging volunteers, etc.), so then on the day we can refresh things for them and make it all work in the way that they need it to,” he said.

Last year the Cape Town participants helped create websites for the Academy for Adults with Autism, Care Career Connection, the South African Psoriasis Association, and several others.

“It really does feel great – the non-profit representatives are there on the day as well, and seeing their reaction to the results of the hard work from their teams is always hugely satisfying,” Lashbrooke said. “Ultimately, what we’re doing is empowering non-profits to get on with the work that they do best without their online presence being a hinderance to their work.”

If you live in Austin or will be attending WooConf and want to be part of the hackathon, you can sign up via the volunteer form.

In February 2015, the WordPress Theme Directory launched a new design. Konstantin Obenland worked with Samuel “Otto” Wood and the WordPress meta team to update the design and move the directory off of bbPress. Today Obenland announced that the Plugin Directory will be getting a similar treatment.

Version 3 of the Plugin Directory will focus heavily on improving the search interface, including prioritizing translated plugins for international users. Another major goal of the redesign is to streamline the plugin submission and review process. The new directory will be powered by WordPress, instead of bbPress, which will make it easier for plugin developers and reviewers to manage plugins, tags/categories, and committers.

According to the project overview, plugins will be saved in a custom post type, offering reviewers a more efficient workflow that makes use of post statuses with capability controlled permissions. This will also make it possible to run automated checks on plugins, which should reduce the number of inconsistencies in the review process.

The meta team plans to hit milestones every two weeks in order to ship version 3 by June 26, 2016. Obenland is aiming for getting a minimal viable product off the ground by March 1st, which would includes the plugin CPT, readme.txt parsing, and a basic display on the frontend. A full overview of the project and the tickets that will need to be addressed is available on the make.wordpress.org/meta P2. New contributors are welcome to jump in on Meta Trac and in the #meta Slack channel.

In October 2014, Jetpack 3.2 introduced a new site logo feature for theme developers. As Jetpack is widely used, it provided a way for theme developers to easily build in logo support, thereby increasing data portability across themes.

After discussion in yesterday’s core development meeting, WordPress 4.5 is now set to introduce theme support for a site logo using code that was ported over from Jetpack’s implementation. Themes will be able to declare support via: add_theme_support( 'site-logo', size ), which will add the site logo upload to the customizer.

According to release lead Mike Schroder, WordPress 4.5 will ship with a new version of Twenty Sixteen that will support a site logo as an example implementation for theme developers.

Adding a Site Logo was Not Intuitive for Users During Testing

In the corresponding ticket, a few WordPress contributors were concerned about users experiencing confusion between the “Site Icon” and “Site Logo” features. Tammie Lister conducted two users tests, which she posted on the make.wordpress.org/flow blog.

The first user landed on Appearance > Header and said, “I’m not really sure if this is the logo where I should be adding this.” She goes back to the admin, returns again to the header setting, and then finally lands on the customizer. She mistakenly added a site icon thinking it was the logo. Eventually, she found the correct setting and added the logo.

The second tester first landed on the Tools menu and then navigated to Appearance, got lost in the theme browser, and then landed on Customize. She thought she was on the wrong screen and went back. She navigated to Settings, Users, and several other screens in the process of trying to find the right place to upload the logo. Eventually she found it with the explicit instructions included in the testing round for those who are having trouble.

Both test users struggled to find this feature. Based on these tests, it does not appear that adding a site logo is very intuitive for users who are not working in WordPress every day. Watching the test users struggle through the admin in search of this setting is rather painful.

“Discoverability of the feature isn’t great,” Lister reported when summarizing the results of her testing. “Perhaps this is ok as a theme feature. Perhaps we need to ensure publicity of this feature and documentation. Once people find it and use it the actual process makes sense.”

Two Jetpack support personnel joined the conversation to report that the site logo feature has been well tested while used in the plugin and that they receive very few questions about it.

“I can’t recall a single case where a user was confused about how to use the Site Logo, nor a single instance where a user confused it with the Site Icon,” Kathryn Presner said.

Several contributors involved in the conversation commented that the feature seemed rushed. Given that nearly every modern website has a logo, this feature is one that is likely to be widely used with theme support. Theme authors will be the ones to add support for a site logo and field questions about how to use it. Based on the user tests, however, a brand new WordPress user with a vanilla site running Twenty Sixteen may be in for a bit of a hunt when trying to upload a logo.

Schroder pulled the trigger yesterday to include the feature in the upcoming release and it is now available in the first beta released last night. If you want to help test, the easiest way is to use the WordPress Beta Tester plugin and select “bleeding edge nightlies.”

Today WordPress.com announced support for Accelerated Mobile Pages (AMP), Google’s open source project to improve the experience of the mobile web for publishers. When visitors arrive to a WordPress.com site via a mobile search, posts will load faster than ever before.

Each post is dynamically generated according to the AMP spec, with /amp/ added to the end of the URL for the mobile version. They’re also cached in Google’s cloud infrastructure to reduce loading time. The performance gains are staggering. In early tests, Pinterest’s engineering team found that “AMP pages load four times faster and use eight times less data than traditional mobile-optimized pages.”

What makes AMP pages load so quickly? Google has a strict set of optimizations that are employed to improve mobile loading:

• Allow only asynchronous scripts
• Size all resources statically
• Don’t let extension mechanisms block rendering
• Keep all third-party JavaScript out of the critical path
• All CSS must be inline and size-bound
• Font triggering must be efficient
• Minimize style recalculations
• Only run GPU-accelerated animations
• Prioritize resource loading
• Load pages in an instant

To see just how fast AMP is, check out the Google search demo at g.co/amp.

Automattic also released a plugin that allows self-hosted WordPress users to take advantage of the mobile performance improvements offered by AMP. The plugin has been tested since October and is currently active on 8,000 installs. For most users, it’s as easy as installing the plugin and activating it. The default styles are fairly generic but developers can refer to the documentation on GitHub to further customize AMP styles.

The Jetpack team is working on getting its publishing-related modules ready for AMP compatibility. In order to take advantage of AMP performance increases, users have to compromise on JS-powered features like Sharing Buttons and Likes.

“It’s definitely something on our roadmap, and we’re working on the details and timeline at the moment,” Jetpack team lead Sam Hotchkiss told the Tavern.

According to NiemanLab’s survey of newsrooms, publishers that are not running on WordPress are struggling to get on board with AMP, due to the fact that it requires developer resources to implement. This is especially difficult for those that impose JavaScript-based paywalls, as AMP heavily restricts JavaScript.

AMP allows for paywalls, subscription content, and ads, but for many publishers these will have to be rebuilt to be distributed according to the AMP specifications. At this time, AMP does not support “interstitials,” the pop-up ads that obscure content and annoy readers.

Publishers can opt not to support AMP, but the kicker is that Google may show preference to results that are configured to deliver AMP-powerd posts, simply by virtue of the fact that it already factors page speed into results. The AMP demo shows a carousel of AMP-powered posts under Top Stories, but it’s not yet clear whether this will be the actual implementation.

AMP is a Big Win for the Open Web

Google is firing back at Facebook’s Instant Articles with the official launch of AMP today. Facebook’s attempt to speed up mobile viewing is platform-specific and only available within its app. AMP, on the other hand, works anywhere online and is controlled and customized by the publisher.

In October 2015, WordPress.com was one of the first publishers to partner with Google on this initiative to speed up the mobile web. Paul Maiorana, VP of Platform Services at Automattic, announced the company’s involvement in the project on the VIP blog:

We believe that open source is one of the most powerful ideas of our generation. We strongly and actively support a free, open internet. We’re very happy to support an open source initiative like AMP, which brings publishers and technology companies together to make a better mobile experience for everyone.

The mobile web is currently a zombie wasteland of bloated, sluggish pages – many sites are unbearable to browse and users quickly abandon slow-loading pages. The AMP project helps publishers deliver a leaner version of posts. It makes mobile browsing faster for everyone, not just those using a few select apps. As such, it is a victory for the open web.

For more background on the project with comments from WordPress.com’s Paul Maiorana, check out video below:

Ben Casnocha is an interesting and innovative character in his own right, and it’s worth reading his essay slash short book on the years he spent as the right hand man of Reid Hoffman.

One of the challenges of organizing a WordCamp is coming up with general swag for the event that will delight attendees, as opposed to filling swag bags with cheap plastic junk. Organizers are also tasked with arranging a gift for speakers. WordCamp Miami, which will be entering its ninth year running in 2017, is well known for creating fun collectibles for attendees and speakers. Last year the team gave “WordPress developer” cards as speaker gifts.

This year organizers created a deck of Wapuu Uno cards, dubbed “Wapuuno,” as a gift for speakers. Each card features a different wapuu, most of which were designed for past WordCamps in various locations around the world. Organizer David Bisset created the deck based on open source Wapuus that are publicly available.

I asked Bisset what he would recommend to other WordCamp organizers who are stumped about what to get speakers. “I don’t think speaker gifts need to be anything meaningful,” he said. “Miami does these out of fun, but organizers shouldn’t be pressured to do these things. If they are stumped, sometimes a gift is simply a nice coffee or trinket.”

The Wapuuno cards are now available on GitHub for anyone to download and print. Bisset joked that WordCamp Miami organizers are looking into creating Candy Land style Wapuu cards in 2017 but is hoping that other WordCamp organizers will beat them to it.

WooCommerce is currently the most popular way to add a store to WordPress. Its usage is on the rise and seems to be growing in tandem with global WordPress usage. Wappalyzer estimates a 31% marketshare in the e-commerce category and BuiltWith has WooCommerce at roughly 29% among other shopping cart technologies. Either way you slice it, WooCommerce accounts for a big piece of the pie.

Store managers are attracted to WooCommerce because of its ease of use and its ecosystem that offers hundreds of free and commercial extensions. The reason many stores are still built on Magento, an open source shopping cart with a more complicated store management interface, is because it was built to handle massive stores with thousands of products and complex searches. WooCommerce is rapidly becoming a more viable option for these types of stores, with continual performance improvements and the new open source ElasticPress WooCommerce extension from 10up.

In 2014 the engineering team at 10up created ElasticPress to improve WordPress search, allow for complex search filters, and allow for cross-blog search within multisite (a feature missing from existing ElasticSearch plugins at the time).

Taylor Lovett, 10up’s Director of Web Engineering, said he was surprised by the amount of feedback they received on the project.

“The plugin grew from just search to improving WordPress performance by routing slow queries through Elasticsearch,” Lovett said. “As such, we continued to iterate on the project, supporting as many WP_Query parameters as possible and making things as developer friendly as possible.”

During that time Lovett was traveling to WordCamps around the world talking about the power of ElasticPress. He met other developers who asked what it would take to support WooCommerce queries.

“ElasticPress has a very powerful API that allows it to route almost all WordPress functionality through Elasticsearch instead of MySQL,” Lovett said. “However, in order to make the plugin really work for WooCommerce, we needed a ‘connector’ of sorts. The connector mostly enables Elasticsearch integration in the admin, adds support for indexing ALL post statuses and public post types, and passes appropriate GET parameters to WP_Query in ElasticPress proper formats. ElasticPress tries to support all of WP_Query functionality but there are some holes that the connector needed to fill.

“I knew that WooCommerce sites could suffer from performance problems given the complex product/order queries that they run,” he said. “As such, we built ElasticPress WooCommerce to solve those problems.”

After testing the plugin locally on a store with about 10,000 products and 20,000 orders, 10up found that “ElasticPress WooCommerce can easily turn database queries that take 3-4 seconds into Elasticsearch queries that take 30 milliseconds.” According to Lovett, the tests included about 20 WooCommerce extensions and the database queries were timed using the Debug Bar, Debug Bar Extender, and Debug Bar ElasticPress.

ElasticPress WooCommerce provides roughly a 100% data retrieval performance improvement when it comes to filtering products on both the frontend and in the admin. This helps stores render pages faster to capture potential customers while they’re in the buying mood.

Using ElasticPress WooCommerce for Performance Increases with Other Extensions

ElasticPress WooCommerce requires ElasticPress 1.8+ and PHP 5.2.4+. Once those are in place, it is relatively plug-and-play. Lovett said that the only caveat is that it is not guaranteed to support the hundreds of WooCommerce extensions completely. If an extension uses WP_Query in a way that’s compatible with ElasticPress then it should automatically take advantage of the performance increases.

“We try to support as much extension functionality as we can but there is just too much to tackle,” he said. “The way those extensions use WP_Query varies. We can’t predict how every extension interacts with WP_Query and don’t have time to test every single one.

“Some extensions have no bearing on ElasticPress WooCommerce,” Lovett said. “For example, a different payment gateway. Extensions that involve showing/filtering products and orders should test their extensions with the plugin and refer to the ElasticPress documentation to make sure they are only using supported WP_Query parameters.”

10up is looking for more developers to test and collaborate on the project, which is hosted on both GitHub and WordPress.org. The company plans to improve the plugin based on experience with enterprise WooCommerce customers. If you are looking to scale WooCommerce or are currently managing a sluggish store, ElasticPress WooCommerce is one option that you may want to test.