WordPress.org

With one week remaining on its Kickstarter campaign, the Micro.blog indie microblogging project has surged past its original $10K funding goal with $66,710 pledged by 2,381 backers. This puts project creator Manton Reece closer to his stretch goal of $80K, which would enable him to develop a Safe Replies feature to preemptively combat abuse on the platform and hire a part-time community manager.

Micro.blog also picked up support from DreamHost this week, pushing the project past the $50K mark. The hosting company pledged $5,000 towards the campaign.

“What ever happened to the vision of the open web as a distributed network of websites that were owned by their creators?” said Jonathan LaCour, SVP of Product and Technology at DreamHost. “We’d like to make it as easy as possible to launch a WordPress-powered microblog on DreamHost that integrates well with Manton’s upcoming Micro.blog service.”

DreamHost (and all other hosting companies) obviously have a vested interest in getting people to see the need to have their own digital presence. However, the biggest obstacle for WordPress customers is making it convenient to join the IndieWeb. DreamHost is planning to take its support of Micro.blog one step further and create an easy way for customers to get started with independent microblogs.

“As a followup to our contribution to Manton’s Kickstarter campaign, we’re planning on working on making a streamlined, pre-configured Indie microblog with WordPress at DreamHost,” LaCour said in the #indieweb channel on IRC yesterday. “I tend to agree that a simplified, pre-packaged WordPress setup would go a long way to driving Indieweb adoption.”

When asked whether the company would be utilizing Micro.blog or some other service, LaCour said it has not been decided yet. He said the idea is that people could create an independent microblog hosted at DreamHost that is compatible with Micro.blog and other indie microblogs.

“Our major focus at the moment is getting people excited about owning their own website (and entire digital identity),” LaCour said.

Micro.blog is Aiming for Incremental Webmention Support

Webmention is a protocol similar to pingback for notifying a URL when a website links to it and also for requesting notifications when another site mentions one of your URLs. It is an important part of facilitating decentralized communication across the web. On January 12, 2017, the Social Web Working Group published a W3C Recommendation of Webmention with the specification contributed by the IndieWeb community.

WordPress doesn’t natively offer Webmention support and the core trac ticket for adding the feature has had little discussion.

During a preliminary discussion on Slack last year, WordPress lead developer Dion Hulse said he thought Webmentions would be a great feature plugin and that there are a few people interested in it. There hasn’t been much movement on this front in core, but a Webmention plugin is available in the directory.

Reece is working on incorporating IndieWeb protocols into Micro.blog but said it will likely launch with incremental support for Webmention.

“It might take a little while to get everything IndieWeb in there, but that’s the eventual goal,” Reece said. “I’m committed to Micropub and microformats and still exploring how best to support Webmention. (It might be partial support with more later.)”

Micro.blog doesn’t currently handle mentions and replies using Webmention but Reece said his eventual goal is to include it.

“The first step to me is getting more people their own microblog so that the infrastructure for cross-site replies is even possible,” Reece said.

Micro.blog Puts the Focus on Indie Microblogging, Instead of Replacing Twitter

Reece also launched a Slack community where the project’s backers can discuss Micro.blog and other microblogging topics. He said he initially had reservations with starting something on Slack but was surprised to see the community has already grown to more than 300 members.

“I didn’t want to distract from any posts that should happen in the open on blogs,” Reece said. “Some discussion just fits better in chat, though. There’s an emerging community of indie microbloggers. Having a place to share tips, tools, and ask questions about Micro.blog just makes sense.”

Many of the project’s backers are eager to create a community of their own and are interested in using Micro.blog as a Twitter replacement. Other services have attempted to provide alternatives to posting directly on Twitter but none have caught on enough to significantly push IndieWeb adoption forward. App.net, one of the most promising ad-free, microblogging networks, went into maintenance mode in 2014 and will be shutting down March 15, 2017.

Reece, who was an early fan of App.net, published a thank you note to the service’s creators for trying something risky and creating a community around their ideas. He believes it’s the right time for another open platform to emerge.

“We don’t need just another Twitter or Facebook clone,” Reece said. “We need a new platform that encourages blogging on the open web.”

Nevertheless, Reece is preparing Micro.blog from the outset to be capable of replacing Twitter’s functionality, which is one of the reasons he is focusing so heavily on ensuring the platform doesn’t get overrun with abuse. Reece wants to avoid the pitfalls that have contributed to some of the more negative aspects of Twitter, but his focus is on encouraging people to blog from their own space.

“Micro.blog is a success if more people blog,” Reece said. “To provide value it doesn’t need to replace Twitter, but it can.”

The project’s mobile app is key to making it convenient for users to read other people’s posts and post directly to their own websites from the same interface. Reece shared another preview of the iPhone and iPad app that will be ready at launch and said he hopes there will be other apps developed by the community.

“Most RSS traditional readers can’t post,” Reece said. “I think this makes for a more complete experience, and because it’s just a blog I can still use other apps and platforms to post.” He plans to give Micro.blog a 280 character limit before truncating the post.

Keeping the timeline fast and making posting convenient will be critical to the platform’s success as an alternative to the dominant social media silos. Polling blogs for new content is not very aggressive in the current prototype but Reece is tuning this to provide a better experience. The platform uses rssCloud and WebSub (formerly PubSubHubbub) to provide a more Twitter-like, real-time experience.

Micro.blog seems to be landing at the right time, as the idea has already resonated with more than 2,300 people willing to back the project. The service hasn’t even launched but the concept behind it is already attracting a supportive community eager to explore better ways of powering microblogging on the web.

“You don’t replace Twitter overnight, or even try to,” Reece said. “But step by step, we’re going to end up with a better web, and I think independent microblogging is part of that.”

WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.1 and earlier are affected by three security issues:

1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.

Thank you to the reporters of these issues for practicing responsible disclosure.

Download WordPress 4.7.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.

Thanks to everyone who contributed to 4.7.2.

Growing up, I bought into society’s notion of what made for a successful and rewarding life. For me, the blueprint for finding fulfillment looked something like this:

Step 1. Get good grades in school.

Step 2. Attend a nice college.

Step 3. Land a secure job with an attractive salary and benefits.

Step 4. Find a nice man that would make a good husband and father…and marry him.

Step 5. Have children.

Step 6. Die peacefully at an old age. (ha!)

I was convinced that if I simply followed this blueprint, I’d find security and acceptance. And with the exception of Step #6 (a step I’m hoping to postpone for some time), I was able to accomplish everything I’d set out to do. My grades in school were outstanding, which set me up to pursue a degree in mechanical engineering at the University of Illinois. After graduating in 2000, I was presented with several job opportunities. Ultimately, I accepted a position at Procter & Gamble as an engineer for Charmin. Within a year of starting that job, I met my future husband. We married in 2004 and had our first child in 2007. Another child followed in 2008. I was right on track with my blueprint!

And then everything fell apart.

A breakdown wasn’t in the plan

In 2008, I suffered my first real breakdown. I spent several weeks doing my best to get through each day, doing what I needed to as an employee, wife, and mom and trying hard not to let other people down. I fought back tears when I needed to, only letting them flow in private. While the kids were sleeping, I’d escape into the world of TV sitcoms. I knew that something wasn’t right.

While I had followed the blueprint for security, success, and happiness, I didn’t feel like I had achieved any of these things. I felt isolated at work. At home, I felt valued only if I were functioning as the perfect wife and mom. At the time, the solution seemed clear—quit my corporate job and focus 100% on my family. This, I was certain, would lead to ultimate happiness. So I took two extended maternity leaves, eventually leaving the corporate world to focus on being a stay-at-home mom.

Who the hell am I?

Being home with kids full-time, no matter how wonderful your kids may be, is by far the most challenging job. While I was grateful that I had the choice to be a stay-at-home-mom, being at home left me feeling alienated. I didn’t really know who I was anymore or how to get back to “myself.”

So I started experimenting with things I simply felt like doing. These things weren’t part of any blueprint, and there was no guarantee of success or happiness. I just followed my heart.

I needed something challenging to occupy my mind, so I dug out my sports card collection with the intent of finally organizing it. Looking through my old cards felt both nostalgic and therapeutic, and my head started spinning with other ideas. Business ideas. My dad had a successful e-bay business that seemed like a bit of fun, so I thought: why not try selling sports cards on e-bay? I didn’t want to sacrifice my personal collection, so over the course of a few months, I purchased nearly a million sports cards on Craigslist. After repackaging them into 1000-count boxes, I sold them for $10/box, doubling my money in a short period of time. I learned a lot about buying and selling on the Internet but more importantly, I felt like I had discovered something that was really “me.” It was challenging in a new and exciting way, and it fit in with my hectic mom schedule.

This venture into the world of online business opened my eyes in a significant way. I started following entrepreneurs such as Gary Vaynerchuk and Chris Brogan, and flew to Houston for a Mom 2.0 Summit. I loved every blog post I read and all the people I was meeting. It was a whole new world filled with risk and uncertainty but grounded in the values of helping people and living a good life. THIS WAS PERFECT FOR ME.

And then came WordPress

In my newfound fascination with all things Internet-related, it wasn’t surprising that I stumbled upon this thing called WordPress. I had always wanted to build a website, and with the popularity of mom bloggers exploding, I naturally gravitated toward this “easy” platform for my blog. I started the ChicagoActons blog as a way to share our family adventures with others. Building the site was something I enjoyed more than I anticipated. It fed my love of problem solving and I felt great satisfaction in seeing something that I built on the Internet. And I could do it in between changing dirty diapers and cuddling with my kids.

After building ChicagoActons and sharing it via social channels, I started to get requests to build sites for others. Some were paid assignments and some were not, but I was falling in love with using this tool and my brain to help others further efforts they were passionate about. I was finding myself again, and I felt happy.

Where were WordCamps all my life?

By 2010, two years into freelance WordPress development, I was ready to expand my horizons and see what others were doing with the platform. I heard about WordCamp Chicago, and bought a ticket to the event that would confirm that the path I was paving was the right one for me.

At WordCamp Chicago 2010, I learned a great deal about developing with WordPress, but even more life changing were the people I met. They were such a diverse group and so different than I was, yet we all shared the same passion: to support one another in our pursuits to help others. And we all used WordPress as the tool to get the job done.

The feeling of acceptance and growth that I experienced at my first WordCamp was the impetus I needed to continue down the path as a WordPress-based business entrepreneur. I wasn’t following a blueprint anymore, but I was finding success and security in ways that mattered to me.

I was happy.

Living my own blueprint

Fast-forward to today. I couldn’t be more thankful for the life journey I’m on. My kids survived having me as a stay-at-home parent, and as a WordPress-based business entrepreneur, I feel challenged every day to be better at helping others build their passion-driven interests. I would not have gotten here had it not been for WordPress and the WordPress community, which emboldened me to abandon a blueprint for happiness that simply wasn’t working for me and instead embrace life on my own terms.

The post Screw the Blueprint. Design Your Own Path to Fulfillment. appeared first on HeroPress.

WordCamp Europe 2017 opened its call for sponsors at the end of 2016. The organizing team is embracing the challenge of delivering value to sponsors with workshops for those purchasing the two highest sponsorship levels:

This year, for the first time, we are introducing a third track during both conference days. The third track will be solely dedicated to sponsors, giving you the possibility to either hold a talk or a workshop. Like the other two tracks, the sponsor track will have a dedicated space (capacity for approx. 200 people), where the audience would have the opportunity to hear more about your business and product. You can decide whether you would like to use your time to talk more about your business, or to showcase.

The sponsors track has since been renamed to sponsors workshops, but the concept of a dedicated track remains the same. According to WCEU Sponsors Team coordinator Noel Tock, WordCamp Central’s transition into a public benefet corporation affords WordCamps more flexibility than previously allowed.

“This means we’d like to experiment with different concepts — seeking a higher return on investment for sponsors whilst at the same time protecting the core experience of the WordCamp itself,” Tock said.

The new sponsors workshops target large companies, but WCEU organizers have also created a new concept for small businesses. Those that made less than one million Euro in 2016 will qualify for an affordable booth in the middle of the event.

“Similar to TechCrunch’s Startup Alley, we want to help highlight smaller companies or ones that have just started out,” Tock said. “Simply seeking out sponsorship funds the fastest way possible would not be fair to attendees. This helps makes the conversations and experiences a lot more diverse and balanced.”

The sponsors workshops will not need to go through an approval process. They are perks belonging to the Super Admin and Admin sponsorship tiers and these top-level sponsors will have different options for how they want to use their slots.

“They can run user workshops, pass on their slot to smaller players (plugin and theme authors) or find other creative session ideas,” Tock said. “The workshops will be clearly labeled and we’ll seek to provide an agenda/schedule on the same timeline as regular speakers.”

The Challenge of Delivering Value to Sponsors Without Stifling the Spirit of WordCamps

WordCamps are traditionally locally-organized, informal events that bring together attendees from all walks of life. Affordability is one of the hallmarks of a WordCamp, and ticket prices normally range from $20-50. The low cost of entry makes the events more inclusive, keeping the camps from becoming relegated only to elites and those who work for large companies. At a WordCamp, one can meet anyone – core developers, educators, CEOs of multi-million dollar companies, new users, developers, bloggers, and e-commerce store owners.

To give you an idea of how uncommonly low WordCamp ticket prices are in comparison to other tech conferences, DrupalCon ranges from $450-600 per person. PHP UK tickets for the conference days are in the neighborhood of $500 and PHP[World] is nearly double that at $900. CSSconf EU tickets are $430. ReactEurope, which is also being held in Paris, released its first round of tickets in the range of $680. WordCamp Europe tickets are €40.00 (approximately $43) because the vast majority of the cost of attendance is subsidized by sponsors.

Now that WordCamp Europe has been running successfully for five years, Tock said it is easier to get sponsors on board. Sponsorship cost per attendee is one of the contributing factors. In 2016 WordCamp Europe sold 2,199 tickets and organizers expect to sell more than 3,000 this year.

“If you compare the perks and size of the audience, you’ll find that WordCamp Europe can be anywhere from 20% to 50% cheaper then comparable WordCamps,” Tock said. “The bang for buck has meant we have a lot of returning sponsors.”

However, as WCEU attendance and the event’s financial requirements have grown, so has the challenge to deliver value to sponsors who are contributing greater sums of money.

“Asking potential sponsors for a few thousand a couple years back was easy enough,” Tock said. “Now that we’re looking for 50k+ Euros from certain sponsors, we need to up our game with it. This means early communication, well-defined packages, and more creative perks.” This year those perks include 360° booths, 30-second ads between talks, after-party branding, and the new sponsor workshops.

I spoke to several other organizers of comparably large WordCamps and all of them were intrigued by the idea of sponsor workshops and interested to see how the experiment turns out.

“I think on the surface it could be considered a controversial idea, but in reality it’s just giving sponsors a different kind of voice,” WordCamp Miami organizer David Bisset said. “If it’s done in a way that treats all sponsors fairly and is a voluntary track, then in some ways it doesn’t differ from a sponsor area, outside of narrowing the spotlight.”

Bisset said he’s interested to see how successful this approach is but notes that it probably would only work for the largest WordCamps.

“I honestly don’t know which side of the fence this lies on in regards the spirit of WordCamps,” Bisset said. “There have been controversial issues and challenges regarding sponsors and WordCamps in the past. It’s a challenge to give sponsors the most bang for their buck, treat everyone fairly, and be a model WordCamp. The jury is still out.”

WordPress Orlando organizer Lisa Melegari thinks the idea of sponsor workshops may bring some legitimacy to what is known as the “hallway track,” where attendees congregate when not attending a session.

“I think it’s a really interesting concept,” Melegari said. “There’s already the joke out there that there’s a phantom extra track at most WordCamps – the Hallway Track. I think this would take that and actually give some legitimacy to the myth.”

Melegari said WordCamp Orlando organizers have seen a significant shift in sponsor availability and enthusiasm in the past few years, especially after WordCamp US launched. She said their local camp lost several past sponsors to the larger WordCamp US. Other sponsors have decided to just focus on local camps and some have dropped sponsorship altogether.

“I really think we need to give our sponsors more opportunity to benefit their businesses, since their success allows them to continue to support our camps,” Melegari said. “Is it worth an entire extra track? Maybe not. That would put an unfair burden on camps that already have difficulty getting space and could deter sponsors from supporting a camp that cannot offer that accommodation.”

Melegari said she likes the idea of allowing sponsors to have a more prominent demo opportunity as long as it doesn’t overshadow the speakers, who volunteer their time.

“Having been a speaker with a very low attendance at a few talks, it’s disheartening, but understandable that another speaker’s talk is more popular,” she said. “I would be afraid the sponsor track would take away the spotlight on speakers.” From an organizer’s perspective, she is interested to see how sponsor workshops can deliver a better value for sponsorship.

“We really do need to provide a better case for WordCamp sponsorship besides exposure, because many of our recurring sponsors have a smaller and smaller pool of new eyes every camp,” Melegari said. “If we are going to keep growing in camp numbers, we’re going to have to figure out something to keep all the camps financially afloat.”

Alx Block, WordCamp US 2015-16 Organizer, understands the importance of sponsors and volunteers, who covered the bulk of the $516 actual cost per person for the most recent event.

“I think that we’re at an impasse when it comes to adding value for sponsors, especially at the larger camps,” Block said. “On the one hand, each sponsorship is really a scholarship for attendees, allowing each camp to greatly reduce the ticket price so that more people can attend and get value from the camp. On the other hand, there’s limited value for the sponsors in terms of ROI. We’ve never thought of it as a business investment, but it’s certainly time to think about that more.”

Keeping ticket prices low, putting on a quality event, and offering an array of perks for sponsorship is a tremendous balancing act for organizers. WordCamp Europe is one of fastest-growing camps that has experimented with doing this at a larger scale every year.

“When you get into the larger dollar amounts that larger camps ask, it’s a different kind of ballgame, and I think that we need to revisit the value that a business receives as part of their sponsorship,” Block said.

“I think something like sponsor workshops is a really neat idea. I can imagine that it doesn’t come with much overhead in terms of actual planning, and will give the sponsors something solid that they can plan for in terms of being able to pitch their product or service.”

Historically, workshops have been events that are ancillary to the main tracks. WordCamp Europe’s plan to run them alongside speaker sessions is a bold experiment. Sponsors will have a great deal of flexibility with how they can utilize their workshop slots, so it will be interesting to see if they choose to incentivize attendance in some way or opt to pass them along to other speakers as a sponsored talk.

“I think there’s a line between a sponsor ‘track’ and sponsor ‘workshops,’ which WCEU hasn’t clearly defined yet,” Block said. “I’m sure that their intention isn’t to have 1/3 of the talks be by people who paid to be there. From what I understand, the intention is to have the top-tier sponsors (maybe 4-6 of them) present on a smaller stage in a kind of rolling fashion, to supplement the full tracks – meaning, it would be a great place for an attendee to go during a time when neither of the other sessions appeals to them, or they’re interested in learning more about a specific product.”

Block said he has seen this type of sponsor perk at other non-WordPress conferences and has sat in on sessions that piqued his interest.

“But this is the real question in my mind: Can we offer something like this without turning WordCamps into a trade show?” Block said.

“I think now that we’re growing so much with these large camps, it’s the perfect time to ask these questions and figure out exactly what type of event WordCamp is. We grow as the community grows, and WordCamp should always reflect the community’s interest. If there’s interest in giving sponsors a place to talk about their wares, I’m all about it, but I’d always want the community to come first.”

photo credit: winterofdiscontent – cc

In October 2016, Matt Mullenweg called out Wix for using GPL-licensed code from the WordPress mobile app and distributing it in its proprietary app. After identifying a path for Wix to comply with the license, Mullenweg confirmed he would be willing to go to court to protect the GPL.

Wix CEO Avishai Abrahami’s response to the allegations failed to address the issue of licensing, dodging the question with references to other open source contributions. Abrahami seemed to indicate that Wix would open source its mobile app but was not clear whether it would be GPL licensed:

“We always shared and admired your commitment to give back, which is exactly why we have those 224 open source projects, and thousands more bugs/improvements available to the open source community and we will release the app you saw as well,” Abrahami said.

The Wix Twitter account also gave the impression that the entire app would be released under the GPL:

@yairwein We'll release the code on Github, where we also shared our previous projects: https://t.co/FBhp2Kd5wn

— Wix.com (@Wix) October 30, 2016

Publicly communicating these intentions bought the company time to educate its developers on the implications of the GPL and find another path forward for the app.

The app has not been released under the GPL and Wix has discontinued development on the GPL-licensed repositories. On November 1, 2016, Wix changed the license on the react-native-wordpress-editor, the repository that was forked from the WordPress mobile app, to GPLv2. The next day, they began work on react-native-zss-rich-text-editor, a new repository forked from the original MIT-licensed library that the WordPress mobile app code built upon.

It appears that Wix never planned on complying with the GPL, since the company immediately began working on an alternative approach. Wix has since released updates to its mobile apps and presumably has incorporated its own editor component that is based on the original MIT-licensed library.

It is not clear whether Wix completely started over with its fork or if the company’s developers incorporated some of the commits previously made in the WordPress mobile app’s GPL-licensed fork. Wix has not responded to numerous attempts to contact them for an official statement.

Wix Invents Its Own “Enhanced” MIT License for the Forked Library

Here’s where the story takes an odd turn. Instead of distributing the new editor code under a standard open source library, Wix has written its own license, which it is calling the “Enhanced” MIT license (EMIT). It explicitly prohibits relicensing under the GPL and requires the developer to license modifications under the EMIT:

This license is exactly like the MIT License, with one exception – Any distribution of this source code or any modification thereof in source code format, must be done under the Enhanced MIT license and not under any other licenses, such as GPL.

Furthermore, the license prohibits the code being redistributed under any copyleft license:

when the Software is distributed as source code, the licensee is prohibited to change the license of the Software to any “viral” copyleft-type license, such as, inter alia: GPL, LGPL, EPL, MPL, etc.

Wix explained the reason behind the creation of the new license in its introduction, citing what it calls a “bug” in the MIT license. The MIT permits developers to re-license their modifications as GPL. The text of the “Enhanced” MIT license characterizes this practice as bullying:

We believe MIT license has a bug since it allows others to use it against its nature. Our belief is that the MIT license is intended to make source code available to anyone who wants to use it without additional obligations, but we have found cases where someone takes a project licensed under MIT license, adds a few lines of source code to it, and then changes the licensing to a different, more restrictive license which is against the nature and the intent of the MIT license. By doing so, the source code released under the original MIT is no longer a true “free/open” source code, thus undermining the intention of the original creator of the source code.

The concept of this Enhanced MIT license is simple and more robust – you can do what you want with this source code, exactly like any other MIT license, but if you release it again as open source (even if modified), you must release it under this Enhanced MIT license – to be clear, this is not a “viral” license, it only refers to the actual source code released under this license and not to other components interacting with it. If GPL is a viral license, this license can be described as a “robust” one as it prevents licensing changes that are against its nature and it defends its own licensing principles. The essence of the Enhanced MIT license is to prevent bullies from using open source code that is truly free and open under the MIT License and turning it into other viral and more restrictive licenses – such as GPL.

The license has only ever been used in this particular instance and does not appear to have been written by a lawyer or someone who has studied copyright and licensing issues professionally. I contacted the Free Software Foundation’s licensing and compliance team regarding the legitimacy of Wix’s “Enhanced” MIT license. FSF copyright and licensing associate Donald Robertson III said the team is currently reviewing it and may require legal counsel before making a definitive comment. When they have completed the review, they will publish a statement and list the license in the FSF directory of free and non-free software licenses. These are also broken down into copyleft and GPL-compatible classifications.

“As you can see from the GPL-incompatible licenses, there are plenty of free software licenses that are incompatible with the GPL, and many of those licenses would be incompatible with other copyleft licenses on the same basis,” Robertson said. “So it is possible for a license to be free even if it doesn’t work well with the GPL. We’ll have to do some review on this particular license before we can make any comment specific to it.”

Wix has not submitted its EMIT license to the Open Source Initiative, a community-recognized organization that acts as stewards of the Open Source Definition (OSD) and also reviews and approves licenses as OSD-conformant. OSI has not yet responded to my inquiry about the legitimacy of the license, but I spoke with Karl Fogel, an open source specialist who consults with organizations on open source licensing and the implications of using it in business.

“This so-called ‘Enhanced MIT’ license is poorly drafted and internally inconsistent,” Fogel said. “I feel on safe ground in saying that were it ever submitted to the OSI for approval, it would be rejected quickly.”

Fogel also commented on the inherent contradictions in the license’s introduction and permissions.

“An obvious internal inconsistency is that in the Introduction, it says that redistribution in source code format ‘must be done under the Enhanced MIT license and not under any other licenses, such as GPL,'” Fogel said. “But then later, in point (2) of the conditional permissions grant, it says ‘when the Software is distributed as source code, the licensee is prohibited to change the license of the Software to any ‘viral’ copyleft-type license, such as, inter alia: GPL, LGPL, EPL, MPL, etc.’

“So the Introduction is saying that redistribution is not permitted under any other open source license, but then the permissions grant section only bars redistribution under copyleft licenses, leaving open the possibility to distribute under other non-copyleft licenses. Which is it?”

According to OSI, copyleft “refers to licenses that allow derivative works but require them to use the same license as the original work.” In requiring the EMIT to be used for derivative works, the license adopts the viral nature Wix ostensibly wanted to avoid with the GPL. This emasculates the MIT, robbing it of its essential freedoms. For this reason and many others, the EMIT appears to be an illegitimate variant of the MIT.

“A larger issue is that the reasoning in the Introduction about how the standard MIT license supposedly has a ‘bug’ makes no sense,” Fogel said. ” It asserts that redistribution under an open source copyleft license would somehow be more restrictive than not doing source redistribution at all (e.g., as with a standard proprietary license). There is no sensible definition of the word ‘restrictive; in which releasing code under a copyleft license would restrict someone’s use of that code more than not having the code in the first place would restrict them.”

Fogel does not think the EMIT is a valid derivative of the MIT license and is not convinced that it can be considered a license at all.

“It is very clear that a lawyer did not write this license,” Fogel said. “I think Abrahami must have written it himself. I hesitate to even call it a license; it’s not clear what a judge would do with it, except perhaps sell tickets.”

Wix’s EMIT License is a Hostile Reaction to the Call for GPL Compliance

The EMIT license not only takes shots at the GPL but also injects a moral pronouncement against all those who subscribe to the tenets of copyleft licensing. The restrictions in the EMIT effectively “weaponize the license” against other open source projects, as one Reddit user said in acomment on the situation. This encompasses a large portion of the open source community.

Wix may not be able to publicly admit its violation of the GPL, as it has not yet answered for the past infringement of distributing the code in its mobile app. In looking back over the timeline of events, Wix’s public communication that implied it would comply with the GPL was disingenuous, as the team was scrambling behind the scenes to fork the original library and slap a new “anti-copyleft” license on it. The company has no respect for the GPL and, in fact, has communicated its disdain for the license in the language of its new EMIT license.

“I remember reading this exchange when it happened,” Fogel said. “This is not a case of gray areas or ‘the truth lies somewhere in the middle.’ Matt Mullenweg of WordPress is 100% right, and Wix CEO Avishai Abrahami is, quite simply, wrong. Mullenweg was extremely direct about what the problem was and how to fix it. Abrahami’s response was an evasive mishmash of brazen non sequiturs and willful refusal to acknowledge Mullenweg’s point, which was simply that if Wix is going to use WordPress code that is distributed under the GNU General Public License, then Wix has to follow the terms of the GPL like anyone else.

“Abrahami’s poor behavior could only have been intentional,” Fogel said. “I just don’t see any other way to interpret it, given how easy to understand Mullenweg’s letter is, and how clear the issues are here.”

Wix’s illegal use of GPL code in a proprietary app could easily be chalked up to ignorance or an oversight if the company had simply attempted to comply. Instead, they wrote a license that swipes back at copyleft proponents everywhere. The EMIT actually manages to trivialize both the GPL and the MIT in one fell swoop.

“The GPL is not a disease,” said Lawrence Rosen in a document titled The Unreasonable Fear of Infection. “It is designed to satisfy certain philosophical and economic objectives that are widely shared by many members of the open source community.”

In writing its own “Enhanced” MIT license Wix has demonstrated a careless disregard for open source licensing and hostility towards those who use copyleft licenses to guarantee user freedoms.

Although some onlookers in the open source community disapproved of the two CEO’s handling the disagreement in open letters, there are plenty more who appreciate that the issue is being hammered out in public. Fogel said he hopes the situation “will draw some attention to the fact that the GPL actually means something and can be enforced.”

The Obama Foundation launched its new WordPress-powered website today. The future presidential center, which will be located in Chicago, will manage projects both in the city and other places around the world.

“More than a library or a museum, it will be a living, working center for citizenship,” President Obama said. “That’s why we want to hear from you. Tell us what you want this project to be and tell us what’s on your mind.”

The website integrates the Typeform service for collecting feedback from citizens on their hopes and dreams, as well as the people and organizations that inspire them.

WordPress developers were excited to see that the former President is using the WP REST API introduced in WordPress 4.7.

Oh hai WP REST API pic.twitter.com/EBGDexNwRA

— Daniel Bachhuber (@danielbachhuber) January 20, 2017

The custom theme for the Obama Foundation is built using ZURB’s Foundation as its front-end framework. It integrates the jQuery Cycle Plugin for galleries.

The website was created by Blue State Digital, an agency that got its start on the campaign trail and now focuses on serving causes and brands.

President Obama is the first president to select WordPress for his presidential center website.

BuddyPress 2.8.0 Beta 1 is packed with new features and enhancements and is now available for testing. You can download the BP 2.8.0-beta1 zip or get a copy via our Subversion repository. We’d love to have your feedback and testing help.

BuddyPress 2.8.0 requires PHP 5.3+, and will not be activated on a server with a lower version of PHP. We also remind you that BuddyPress 2.8.0 will require at least WordPress 4.3.

A detailed changelog will be part of our official release notes, but, until then, here’s a list of some of our favorite changes. (Check out this report on Trac for the full list.)

• BP Email: Allow end user to specify which PHPMailer should be used #7286
• Companion Stylesheet – Twentyseventeen #7338
• Minimum PHP version is 5.3 #7325, #7299
• Support List-Unsubscribe header in emails #7390
• Make group search more flexible #7418 and other groups improvements, like #7419, #7399, #7388, #7386, #7375
• Lots of new filters in various parts of the code, like #6667, #5193
• Lots of inline documentation tweaks and other fixes and improvements

BP 2.8.0 is almost ready, but please do not run it in a production environment just yet. Let us know of any issues you find in the support forums and/or development tracker.

Thanks everyone for all your help to date. We are excited to release BuddyPress 2.8.0 in February!

Editor’s note: This guest post is written by Jenny Beaumont, a co-organizer of WordCamp Paris and WordCamp Europe. She’s spent the last two decades building things in and around the web, writes a terrific newsletter, and lives in France.

One of the highlights of my year, and a fitting end to 2016 as my sabbatical drew to a close, was attending the 2nd annual WordCamp US, held December 2-4 in Philadelphia, Pennsylvania.

The trip met my expectations in every way, from the warm-hearted nature of the locals to the super-sized portions at every delicious meal, and from the diversity of attendees to all of the extraordinary conversations I had during that short week I was in town.

“You might have noticed that this year’s programming at WordCamp US had some more of a human side, in addition to just the technical that we’ve had before,” said Matt Mullenweg, co-founder of WordPress and CEO of Automattic, during his much-anticipated State of the Word.

“I think that a lot of our opportunities to grow over the coming year are on the human side, and understanding the humanity of an open source project and working together and creating the code that’s going to touch humanity as well.”

Moving into 2017, ready for new opportunities and with the next edition of WordCamp Europe on the horizon, I find myself thinking about growth past and present, and about what success might look like for all of us in this new year.

Growth and competition for WordPress

“It’s really all about pie,” replied Mullenweg when asked about the future of a WordPress entrepreneur, stating that as long as the pie continues to grow, everyone can get a piece.

He talked about how the new focuses of the WordPress project—the REST API, the Editor and the Customizer—along with an inclusive design-lead approach, should allow WordPress to reach new audiences.

WordPress has seen incredible growth in recent years, now representing over 27% of websites, a full 20% ahead of competing platforms. This translates to 58.5% market share of all monitored content management systems, when looking at the top 10 million sites.

This doesn’t mean that the competition isn’t trying to close the gap. Mullenweg reported that the top proprietary platforms, such as Squarespace and Wix, spent upwards of 320 million in advertising dollars in 2016, often directly targeting search engine queries for WordPress.

“I think that in the past WordPress got by on a lot of sort marketing by happenstance,” he said, admitting the need to look at the marketing of WordPress in new ways, and hopefully pooling the resources of the community to do so.

“I think we have a real opportunity especially as the businesses around WordPress grow larger and larger, to actually coordinate a bit […] there’s no one company in the WordPress ecosystem that’s large enough to match 300 million dollars, and spend on telling people the WordPress story. But no one company needs to be large enough, because we’re a community.”

All in all, he painted a bright picture for the future for the WordPress ecosystem, the community of people who come together around a common purpose and ideal—the WordPress project and its mission to democratize publishing—and in so doing create a new paradigm for work and the web, the byproduct of which is a flourishing economy.

I can’t help but wonder, how big can the pie get? And while we concentrate on growth and competition, how do we measure the success of our mission? How will we know when we’ve democratized publishing? Can or should WordPress achieve this goal alone?

The numbers game for WordCamps

“We must tilt our hat and bow down to Europe, which beat us this year,” Mullenweg capitulated as he wrapped up his report on community growth, expressed in the number of events and event attendance worldwide.

Growth is an indication that we’re doing something right. An increase in the numbers tells us that more people are interested and getting involved. This is what an open source project needs to reach a wider audience, stay competitive and accomplish its mission: people to make it happen.

But should success be measured solely in numbers? Is it healthy to think that there can be winners and losers when it comes to the success of our community as a whole?

In its first three years, WordCamp Europe grew at a slow and predictable rate. Then last year, for some reason, it exploded. We sold our initial batch of 1500 tickets practically overnight, and ended up selling nearly 2200 tickets in total.

What happened? Did WordCamp Europe’s reputation catch up with itself, creating this burgeoning interest? Was Vienna simply an incredibly attractive destination for a lot of people? Or was it the organizing team that did an outstanding job at marketing and outreach?

WordCamp US was in its second year, and we can ask similar questions about why they didn’t see the growth they were expecting. Is the event, with its transition from the long-standing WordCamp San Francisco, still in its infancy, so that slow growth is to be expected? Was going to the same destination two years in a row not as appealing to attendees? Did the team do an adequate job of communicating around the event?

In my mind, both WordCamp Europe and WordCamp US were successful events. Each did a lot of things well, and some other things less well. Attendees I encountered, whether speakers, sponsors, volunteers or the general public, seemed to have a rewarding experience and their expectations met.

Because that’s why we put these events on, right? Not to “get the numbers” or “win”, but to create an enriching experience.

Bigger is not necessarily better

So, how big do we let ourselves get? This has been an ongoing question for us on the WordCamp Europe team since things took on a new dimension in Vienna.

When I asked Paolo Belcastro, WordCamp Europe local team lead in 2016 and global team lead for 2017, what he thought about growth he said, “For me a successful event is when we have one ticket left over. It should be our goal to make sure that everyone who wants to attend, can.”

This is a philosophy that I stand beside. It reflects our focus on attendees and on inclusiveness, so that it doesn’t matter whether we have 1000, 2000 or 3000 people, it only matters that we do our best to accommodate everyone and put on a great event for however many show up.

It does not, however, answer the question.

It’s exciting to run a popular event, and it’s easy to get carried away with that excitement and sense of accomplishment knowing that so many people want to attend, that so many people are being impacted in positive ways. When we focus solely on the numbers, and adopt a “bigger is better” mentality, it’s also easy to lose sight of some important consequences of growth.

Professional level of production

Keep in mind that we didn’t originally plan an event for 2200 people last year, and so we had to improvise, which meant a significant budget increase and a lot of extra work for the organizing team.

It also catapulted us into a new level of production. Putting on a large event is not the same as putting on a smaller one, and once you get up above 2000 attendees, it has a trickle down effect. It means organizing a speakers dinner for upwards of 300 volunteers, and an after party for 1500. These are events in and of themselves. We’re brought to collaborate with professionals in the events world—caterers, vendors, venues—while we’re still volunteers working in our “spare time”, some of us with more experience than others at making this all happen.

Increased cost of WordCamps

While the average ticket price per day has gone down, from $20 to $15.79, the cost of putting on a WordCamp has increased. Mullenweg reported that the cost of WordCamp US was $516 per person, while attendees continue to pay a mere $40 for entry to the two-day event, including lunch both days, free-flowing coffee, access to the contributor day and after party, not to mention the great swag, which included both a t-shirt and an adorable Wapuu plushy this year.

The additional 90% of this cost falls to sponsors. Sponsors are not volunteers running a non-profit, they are businesses. As we ask more and more of them, they understandably are starting to question what they get in return. Our response has typically been, “you’re supporting the community and gaining exposure,” but is that enough and for how long? How much is too much to ask?

Setting expectations for sponsors and attendees

How much is too much to ask of anyone? As we ask more of sponsors they expect more in return. As we grow, try to predict growth and to outdo ourselves every year, the task for organizers becomes more demanding. As we create bigger and better events, attendees expect to find the same elsewhere.

An event with 10,000 attendees would be amazing. We probably couldn’t call it a WordCamp, though. It would be a WordPalooza, and would require a full-time staff and a new approach to programming, sponsorship and organization on the whole. Does an event have to grow into order to be successful? Can maintaining a certain level of participation and quality also be considered a success?

Because it’s also possible that WordCamp US and WordCamp Europe will simply plateau at a certain capacity. The world may not be ready for a WordPalooza.

Competition and success

“One of the reasons why I think WordPress has such a collaborative community, when you see competitors hanging out with each other and getting drinks […] is that it’s a growing pie. So everyone’s slice of that pie can grow alongside. If it were shrinking or a static pie, the only way to grow would be taking some pie from someone else.”

Competition is widely considered good for business. It pushes companies to innovate and guard against complacency. It encourages a focus on customer service and helps protect consumers through competitive pricing. Competition in the marketplace confirms there is a market to be had, that demand is strong for the products or services being offered. It seeks to establish a basis for fairness, while letting companies vie for market share, sales and profit margins.

The friendly, collaborative nature of the WordPress community is born out of the open source philosophy of contribution and sharing. It is, in my mind, our greatest strength. Support within the community is unparalleled. We consistently root for one another, learn from one another, share our triumphs and our difficulties, through mergers, acquisitions, hirings, firings, career changes and even the occasional drama.

How big can WordPress get? Arriving at 100% market share is neither a likely nor a desirable scenario, if you believe in the benefits of competition and fair trade. The pie is not likely to grow exponentially, but rather will turn into something else entirely as the technology, the world and the web evolve, and the project along with them.

Success and expectations

“When we are candid about our shortcoming, it allows us to be better towards going to the future,” Mullenweg said in talking about the WordPress Editor.

This is a sentiment we can apply across the board, to ensure that our philosophy and our mission are reflected in our words and actions as we bring new users to our platform and welcome newcomers to our community.

Healthy competition, whether inside or outside of the community, helps us strive to be the best we can be. Raising the bar can produce some extraordinary results, allowing us to be inspired by one another, taking on ideas that we might find valuable for our audiences, customers, clients. Healthy competition allows us to learn, have fun, grow and share that wealth of knowledge around us.

Unhealthy competition causes us to lose sight of our goals, focusing on numbers instead of the people affected by them. In a community such as ours that prides itself on inclusiveness, we can only succeed or fail together.

In this coming year I’d like to see success shaped through managing expectations and staying true to our purpose. I’d like to see it shaped by people, not numbers, by the humanity of this open source project that brings us together, allows us to create, to innovate, to provide for ourselves and our families.

I’d like to think that a future vision of success could be when growth is neither the goal, nor our limitation, when we’re no longer looking to a growing pie, but rather to a renewable spring or self-sustaining garden. I’d like to think that one day we will be able to say that we’ve succeeded in democratizing publishing, and if and when we do, I doubt that we will have done it alone. And that’s a good thing.

See you in Paris

I have no idea how many people will show up to WordCamp Europe in June, but I do know that it will be another fantastic event. I also know that you can help make it a success by participating. You can apply to speak, to volunteer, to sponsor, and/or buy a ticket. So many ways to be a part of making it happen. So, see you there? Wait, let me rephrase: see you there!

Jetpack is starting 2017 with a major release that is heavy on enhancements and improvements. Version 4.5 includes more than a dozen new shortcodes and widgets, along with revamped support for VideoPress. One of the most intriguing new features announced in this release, however, is the integration with WordAds, WordPress.com’s advertising program.

Jetpack users are required to be on the Premium plan ($9.00/month or $99/year) in order to sign on with WordAds. The feature is then available within the Engagement tab along with settings for adjusting ad placement.

Eligibility for WordAds was previously limited to sites that had thousands of page views per month, but this requirement is lifted for those who have purchased a Premium or Professional Jetpack plan. Unlike Adsense, which pays for clicks, WordAds pays based on the number of impressions combined with many other factors. According to Derek Springer, an Automattic employee who has worked on WordAds for several years, the traffic requirement was given to set earnings expectations and to ensure support resources were adequately available.

How Much Can Publishers Earn through WordAds?

It’s difficult to to gauge how much a publisher can earn using WordAds, and Automattic doesn’t publish any sample earnings. The WordAds network has more than 60 partners bidding for advertising space in realtime, including Google’s AdSense, Google, AdX, Facebook Ads, AOL, Yahoo, and Amazon. WordPress.com’s Daily Post blog likened the network to a stock market with prices rising and falling as available space changes.

When asked about the average return for every 1,000 impressions, Derek Springer said it’s challenging to estimate due to the complex set of factors influencing the revenue publishers can earn. These include location and number of ads, geography of viewer, percentage of viewers with ad blockers, and other factors.

“Generally speaking, a site with majority US views with high-quality content can expect to earn the most, while non-English language, low-quality (copied content, nsfw, spam, purchased traffic) sites can expect to earn very little (if anything),” Springer said. “Our network over the past year or so has gotten pretty good at appropriately rewarding high-quality sites with high-quality traffic (and penalizing the inverse).”

For years, bloggers have traded stats and earning records, speculating on what influences WordAds’ unpredictable payouts. In 2014, the Human Breed Blog published a collection of data from blogs that made their WordAds earnings publicly available. The data demonstrated inconsistency in earnings for many publishers, including the author’s own blog, where earnings varied wildly from 2014-2015:

My earnings have dropped down to half (From $22.55 in October 2014 to $11.77 in May 2015) despite my page views being higher than 20,000 views per month. The return per 1,000 Ad Impression (CPM) has dropped from $2.25 in October 2014 to $1.17 in May 2015 and the return per 1,000 Page views (CPV) has dropped from $1.39 in October 2014 to $0.51 in May 2015.

The Human Breed Blog 2014-2015 WordAds Earnings

This example is representative of the experience of many WordAds publishers in 2014-2016.

“On my blog SQLwithManoj.com, for the months May, June, and July, the ‘Ad Impressions’ were around ~10k and earnings were in the range of $25 to $48 respectively each month,” said Manoj Pandey, blogger at SQLwithManoj.com. “But in the month of August the ‘Ad Impressions’ were showing ~100k, i.e. ~10 times the previous months, but earnings are still in the same range.”

For many publishers participating in WordAds, there seems to be little correlation between impressions and payouts from month to month. Numerous publishers have reported progressively lower earnings despite having higher traffic numbers than previous months. Clarissa’s Blog, included in the collection of public earnings above, published stats from June 2014 to December 2015 that show a dramatic decrease in the amount paid for impressions.

“You have no way of knowing where the ‘ad impressions’ figure comes from and why it varies from one month to another,” Clarissa said. “You will have to trust WordPress on that. I experimented with placing the maximum amount of ads as opposed to a moderate amount of ads and that had absolutely no impact on the number of ad impressions.”

Things started changing in 2016 for Clarissa who now reports that earnings are increasing. “I have no idea why but the payments seem to have returned to the higher rates,” Clarissa said. “Right now is a good time to do WordAds.”

Others continue to report declines on the WordPress.com forums as recently as this week.

“I used to get $800 for 800K impressions,” said the owner of rebirthonlineworld.com. “A few months ago I got $100 for more than 2 million impressions. Last month, only $90 for 500K impressions. This is a big problem for me.”

WordAds Vastly Overpaid for Low-Quality Traffic During Its First Years

In 2013 WordAds paid out $1 million to publishers on its network. According to Derek Springer, earnings since then have been “pretty flat the past year” due to industry-wide declining ad rates.

“We’ve been slowly clawing our way back from the trough of early 2015, which was a historical low for us,” Springer said. “So more folks were paid out, but rates as a whole were at their lowest point in 2015. We’ve been steadily increasing our rates and paying out less to low-quality content/traffic, so if you’re a high quality site it’s likely your rates haven’t fallen too much.”

Behind the scenes, WordAds was quietly evolving its network to better distinguish sites that would deliver more value to its advertising partners, which accounts for many of the dramatic declines in earnings.

“Pre-WordAds 2.0 our network didn’t have the precision to distinguish between high-quality and low-quality (spam, nsfw, bot views, etc) traffic and we had to make some coarse estimations on how to chop the earnings value up,” Springer said. “The net effect was that we vastly overpaid low-quality traffic for the first handful of years.”

Since WordAds 2.0 the program is gotten better at paying users for high-quality content and traffic. The team has more information on the traffic the network is getting and buyers have more information about the content they are bidding on.

“The net effect is that advertisers refuse to bid on low-quality content and traffic and those sites that were previously earning lots are now getting pennies on the dollar,” Springer said. “I would estimate that after investigation 95% of the time the folks complaining about low payout have something kinda scammy going on, usually copied content or paid traffic (and frequently both).”

“Paid traffic” in this instance refers to users who have paid a service to send bots to a page to refresh constantly in order to artificially inflate pageviews. One recent highly publicized incident of this kind of fraud is a case where Russian hackers stole more than $3 million per day from video advertisers using nonhuman bot traffic. Similar tactics have been used on WordAds, motivated by a misconception that pageviews are equal to ad views.

The Decline of the Advertising Industry

Another factor contributing to lower earnings over the past few years is the general decline of the advertising industry. A 2015 Reuters Institute Digital News survey indicates that nearly half of US internet users have some form of ad blocking software installed. Reuters Institute’s latest predictions forecast a 24% increase in US users with ad blocking in 2017. Advertisers have to fight harder to get the attention of the remaining half of consumers and many companies have decided to allocate those funds elsewhere.

According to the Interactive Advertising Bureau’s latest Internet Advertising Revenue report, search advertising on desktop declined for the first time in 2016, falling 12% to $8.9 billion. However, mobile advertising grew 105% from $3.6 billion to $7.4 billion. Mobile search is having an increasingly strong impact in shaping a site’s traffic.

These factors are outside of WordAds’ control but they weigh heavily on how many impressions publishers will receive. If the vast majority of a site’s visitors are using ad-blockers and the site isn’t easily found via mobile search, it is likely to suffer earning declines on any ad network.

“Ad rates industry wide have fallen over the past few years,” Springer said. “Ad buyers just aren’t paying what they used to and more users are using ad blockers. They heyday of the late aughts/early twenty-teens may never return as ad buyers realized they just aren’t getting the return they were expecting.”

WordAds Needs More Transparency Around Partners and Reporting

It is difficult for publishers to improve their strategies for generating ad revenue when earnings fluctuate wildly without any explanation beyond changes in advertising rates. After reviewing the product’s forums, many are requesting more transparency around why their earnings have dropped despite higher numbers of impressions. They want to know if advertising rates have dropped for the month, if partners have dropped out of the network, or if their content failed to connect with visitors on certain days.

WordAds users have experienced problems with incorrect reporting, record low payouts, and blank banner displays. In the past there have also been considerable delays in publishers receiving their monthly earnings. Springer said improving the reporting process is a top priority for the team this year.

“The flip-side/challenge of working with dozens of networks is that none of them pay us very consistently,” Springer said. “In the past there was no unified collection process on our end, so we would have to wait to collect from each partner and then split it up and send folks earnings out in one batch. However, for the past year and a half or so we’ve been working with a company called IPONWEB to unify our earnings, reporting, and ad buying process (this is what powers WordAds 2.0). We’re at the point where we can begin to provide closer to real-time earnings reporting.”

Automattic is Optimistic about Expanding the
WordAds Program with Jetpack

The number of WordAds sites are up 111% year over year. WordAds currently has a few thousand self-hosted sites running AdControl/Jetpack Ads and Springer said the team is expecting that number to grow considerably now that integration has been added to Jetpack. The AdControl plugin is still available for non-Premium Jetpack users but the standard application and traffic requirements apply. Springer said they plan to phase out the plugin at some point in the future but there are no definite plans yet.

“Tens of thousands of WP.com sites are approved WordAds (meaning they applied and were approved) out of many tens of thousands more total applications,” Springer said. “Additionally, every freemium WordPress.com site is running our ad network, though we naturally keep all the revenue from those sites.”

With a gaggle of new publishers joining WordAds through Jetpack, one might imagine that rates and payouts for existing users would decrease as more advertising space becomes available. However, this isn’t how advertising networks work.

“Generally speaking, advertisers want to display more ads than most publishers are able to provide (known as inventory), so adding more publishers/inventory to a network is a net benefit to advertisers and is what attracts the bigger, higher paying ad buyers,” Springer said. “If we can tell our ad partners ‘We have 10,000,000,000 pageviews available this month across our network,” then that attracts much more lucrative buyers than if a user has to try to attract them on their own. Advertisers also like that they can cut one deal for a million sites as opposed to having to cut them piecemeal and are generally willing to give us better deals. The whole ‘powers 27% of the web’ is a pretty tasty morsel for ad networks.”

Advice for Publishers New to WordAds: Keep Expectations Realistic

Seamless advertising is a major incentive for Jetpack users to sign up for the Premium plan, which also includes backups, one-click restores, security scanning, and 13GB video storage. The prospect of being able to flip the switch to turn on ads and potentially start earning money is very compelling, especially for users who have struggled with other forms of advertising that were not WordPress-compatible.

The general outlook for WordAds is improving, as the product has evolved to reward higher quality content. As advertisers receive a better return on their investments, their confidence in bidding should increase. However, most publishers should expect to see fluctuations on earnings.

WordPress.com’s Daily Post Blog advises new publishers to temper their expectations with the knowledge that they would need “hundreds of thousands of pageviews to generate meaningful earnings.” For most average bloggers, the ad revenue may not buy more than a decent cup of coffee.

Mortiz Linder, an owner of traveluxblog.com, published his earnings and described his experience as “rather average.”

“It’s a nice idea to gain something without effort, to get at least something back for all the work we put into traveluxblog each day,” Moritz said.

In this episode of WordPress Weekly, Marcus Couch recaps his trip to Affiliate Summit 2017 held in Las Vegas, Nevada last weekend. Based on the vendors that were on the expo floor, mobile is the e-commerce platform of the future. We discuss the news of the week and share how you can get involved in the WordPress Marketing Group. We end the show with Marcus’ plugin picks of the week.

Stories Discussed:

Aaron D. Campbell Replaces Nikolay Bachiyski as WordPress’ Security Czar
Postmatic Basic Rebrands as Replyable, Moves Two-Way Email Commenting to SaaS Product
SiteGround Auto-Issues Let’s Encrypt Certificates for New Domains

Plugins Picked By Marcus:

Background Image Cropper adds cropping to background images for parity with header images. This feature is starting out as a plugin to gauge user interest and to determine if it improves the user experience of background images.

Woo Product Remover allows you to remove all WooCommerce products from your site. It removes products, their metadata, relationships, as well as product variations and their related meta data from the database.

WP Tasks After Install completes a series of tasks most commonly performed after WordPress is installed. These tasks include, removing the default Hello World post, setting permalinks to %postname%, activating Akismet, and more. The plugin will automatically deactivate itself when the tasks are completed.

WPWeekly Meta:

Next Episode: Wednesday, January 25th 3:00 P.M. Eastern

Subscribe To WPWeekly Via Itunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #260:

To me, as well as many others, WordPress is more than a technical choice, it’s a lifestyle choice. I didn’t see it as such right away. Looking at the last 4 years of my life, I can fully appreciate its impact.

Aspiring to a life full of adventures and whimsy; I never really fit the mold. American TV series and movies that taught me my dreams could be achieved if I worked hard enough. Armed with that knowledge (and without a fancy diploma to my name), I worked bank, police, IT, supply chain jobs until I discovered the joy of making websites.

My newfound passion (and many sleepless nights of work) helped me become a webdesigner. At the time, Joomla!, Spip and Typo 3 were the big names out there (in France). After achieving the role of Artistic Director as a freelancer; it took me a few years to open my own web agency. That moment changed my thinking: it was no longer ME but WE. And when a client asked us to use WordPress, we got to experience the CMS and its community.

Focusing on WordPress

Our team quickly realized that WordPress could do much more than “just blogs”. In France, the CMS kept having a reputation as a blog only platform. Complex websites were not made in WordPress. Our agency decided to convince clients otherwise. To achieve our mission and hone our skills, we decided to get closer to the WordPress community. I naively offered my help in evangelization efforts to the Paris WordCamp organizers. Except that there was one clear hurdle in our path: we had never contributed anything to the community before! This meant that we were relatively unknown. Needless to say that the feedback we received wasn’t what we expected.

Contributions: It’s About Helping Others

Contributing meant one thing: bring something to the WordPress ecosystem to help improve it. The WordCamp association’s president asked us to answer questions on the French forum as a token of our goodwill, to show our commitment.

I started to answer questions right away but felt like an imposter. All the questions on the forum seemed so technical. I didn’t know how to contribute since I wasn’t a developer. It wasn’t like I was going to create a theme or plugin anytime soon. I kept obsessing over ways I could provide value to the community. I thought about my skills but couldn’t come up with something that would make a real difference.

Sure I could speak English, but translating documents was not something I felt comfortable doing.

So I turned to the previous WordCamp Paris conference and took a closer look at the participants. There, I found my first clue: a marketing expert! I reached out to him to see if I could interview him. As Marketing Director of a press group, he had lead a big WordPress project for his company. Interviewing him brought me two things: an article for our blog discussing what could be done with WordPress and a solid understanding of how the inner workings of the French WordPress community. He gave me an idea of the path one would take to end up giving a conference at the WordCamp. I didn’t realize it at the time, but by picking a name on a conference program, I would meet one of the key players in my WordPress story: Benjamin.

Meanwhile, I continued to write articles about projects made with WordPress, sometimes ours, sometimes the competition’s. Good WordPress knows no bounds so it was necessary for me to showcase all the amazing websites made with this CMS. It’s also how I discovered my main competitors (before meeting them in the flesh later at various events).

A white paper detailing the success of WordPress as a CMS got my name out. This allowed me to gain the courage to pitch my first conference. Providing feedback on projects allowed me to find my place in the WordPress community. Focusing on my experience and helping others didn’t require developer skills. My contribution was in writing and not in coding.

My First WordPress Conference As A Speaker

My first conference topic was on how to create a multilingual, multi-site project with WordPress in 3 months. Needless to say that I was nervous. I mean, speaking in front of 300 people is not something I had done while working at a bank, or in the police force or in any other job really. Adventure: here I come!

The WordPress community was very kind to me and my first conference experience was a memorable one.

During this conference, I wanted to highlight the plugins we used for this project. I mentioned a French startup that had launched a premium plugin as its first product. I found their approach interesting, so I thought I would give them a little visibility. Showcasing good WordPress websites, themes and plugins was already a habit of mine by then. The French team were happy to be mentioned and happened to be present at the event. They came to talk to me after my conference. Turns out, we had a lot to talk about. The company’s name: WP Media. They would open a new chapter of my WordPress story.

During the closing night, I also met a lot of people. Some of them, just like Benjamin were going to have a big impact on my life. Many became great friends as well as mentors like Jenny Beaumont.

Once I got started, there was no stopping me! I continued to speak at events (WordCamp Lyon, WP Tech Nantes), attended meetups, continued writing articles to highlight WordPress projects.

The following year, I joined the organizing team of WordCamp Paris.

Meanwhile, I go to my first WordCamp Europe which was a major new turn.

WordCamp Europe 2014 Changed My Life

Going to the WordCamp Europe changed my life. It’s an experience I highly recommend. If you can, go to the next WordCamp Europe!

The organizers managed to pack so many international speakers that my head was spinning. Speakers were coming from all over the world. The quality of the talks (and speakers) along with the breadth of subjects covered open so many possibilities. You could end up changing your approach to WordPress or finding a new method of working with your peers.

I attended a conference by Noel Tock named Beyond the code where he explained how he managed his life working in remote while traveling at the same time. He also gave insights as to how to monitor your time and how to optimize it.

Realizing that such a life was possible; that you could achieve this time of freedom by reclaiming your time was a massive discovery.

The second eye-opening conference for me was Simon’s lecture on Running an open source. He explained that that undertaking Open Source also meant contributing and collaborating with a community, including your competitors. Simon showed us for 30 minutes that working with competitors was not only beneficial for us agencies, but also for the customer, and for the WordPress community as a whole.

Professional WordPress

Becoming a strong voice in the professionalisation of WordPress in France and encouraging web agencies to contribute and to exchange more had become priority subjects.

I have launched a WP Next association for professionals

• To ensure the promotion of WordPress, mainly with professionals, managers of information system, internet director, new media, … and more generally all IT decision makers.
• To enhance the skills of WordPress professionals with decision-makers,
• Promote French know-how around the WordPress CMS, associated technologies and services

I also launched with Deborah Donnier a documentary project Think WP to make known WordPress and its community.

A new turn

With these activities I gradually moved away from the creation of websites. Having so many opportunities tied to WordPress available to me, I decided to take a new turn. During the Wordcamps across Europe, I took great pleasure in exchanging with WP Media. We had kept contact since our first meeting. My profile and experience seemed to like a great fit for a new role in the WP Media adventure. I took a leap and became COO of the startup about a year ago. I manage my agency in parallel.

I now work 100% remotely and so does a great portion of my agency. As for WP Media, everyone works remotely. Being a remote worker frees me from constraints that are inherent when you live in the Paris region (it’s a city and province in France). Time spent on commuting is used for other activities.

My experience as a remote worker lets me have greater foresight which in turn allows me to carry out so many activities.

Today, I can proudly say that I attended the US WordCamp last year and am helping organize this year’s WordCamp Europe with Jenny and Benjamin.I feel like I belong in a global community that thrives thanks to its members and their desire to improve WordPress.

WordPress helped me along the path to a life full of adventures and long lasting friendships. It offers so many opportunities to forge beautiful projects, stories and more.

I hope that my story will inspire someone else to get started and find the courage to persevere on the way to a life full of adventures (with or without WordPress). Give yourself time and open yourself to other points of view to help build the life you aspire to.

Thank you for reading my story and see you at WordCamp Europe 2017!

The post Living A Better Life Thanks To WordPress appeared first on HeroPress.

On a site I’m working on that runs BuddyPress, I created a new group and wanted to add nearly 400 registered users to it. Unfortunately, adding users to BuddyPress groups in bulk is not a core feature. I searched Google for a solution and while the BuddyPress Members Import plugin is recommended in many of the support threads, the feature alone is not worth spending $49.

Continuing my search, I discovered a code snippet published by Alexander on the WPMU DEV forums that works perfectly. To use it, copy the code and add it to a custom WordPress plugin or paste it to your theme’s functions.php file. I added the code to the top of my theme’s functions.php file.

Code Snippet at the Top of my Theme’s Functions.php File

The JavaScript portion of the snippet adds a new item to the Bulk Actions drown-down menu named Add to BP Group.

Add to BP Group Bulk Action Menu Item

Select the users you want to add to a group and select Add to BP Group. A prompt appears asking for the Buddy Group ID you want to assign the users to.

BuddyPress Group ID Prompt

To locate the Group ID, click on the Groups admin menu and click on the group’s name. The URL will look something like this admin.php?page=bp-groups&gid=357&action=edit and the ID is the number that appears after gid=. After entering the ID number, click the Ok button. All of the users you selected will be assigned to that group.

In the comments of the code snippet on GitHub, Strand-C said he wasn’t able to move 165 users at a time and had to move 50 instead. I tested this theory by moving nearly 400 registered users at the same time to a new BuddyPress group and didn’t encounter any issues. Keep in mind that the site I’m working on is relatively new, is running WordPress 4.7, and has very little traffic which could explain why I didn’t have a problem.

Being able to manage BuddyPress groups in bulk should be a core feature. There is at least one open ticket on BuddyPress trac to add Bulk Edit options to Groups. Until these features make their way into BuddyPress, the code snippet above is a free work-around that makes adding users to groups in bulk a lot more convenient.

SiteGround is now auto-issuing Let’s Encrypt certificates for every domain hosted on its shared servers. The company has also begun issuing and installing certificates on new accounts automatically after customers register domains or direct new domains to SiteGround’s servers. This also includes add-on domains added in cPanel. The certificates are also auto-renewed as long as the domains are pointed to the host’s servers.

“Since the launch of Let’s Encrypt our customers have installed nearly 40,000 such certificates,” said Hristo Pandjarov, WordPress specialist at SiteGround. “This is less than 10% of the 500,000 domains we host. Together with the paid certificates we may say that 15% of the domains we host were using the HTTPS protocol before we started the auto-issuing procedure.”

SiteGround is a sponsor of Let’s Encrypt and one of the first to auto-issue certificates to self-hosted WordPress customers. Let’s Encrypt passed 20 million active certificates in 2016 and the pressure is on for more sites to adopt SSL in 2017 with Google marking insecure sites in Chrome and using HTTPS as a ranking signal.

“What prompted this decision is that we truly believe HTTPS is the future standard for web protocol and we also believe it is the better protocol,” Pandjarov said. “This is a good enough motivation for us to take the step of installing it automatically. We have decided to automate the SSL issuance and setup almost right after the appearance of the Let’s Encrypt initiative. Matt Mullenweg’s statement at WordCamp US that issuing SSL certificates will be a very important factor in evaluating a web host, was one more validation that this planned automation was a decision in the right direction.”

According to Pandjarov, the vast majority of SiteGround’s customers are running WordPress. Respondents to the company’s 2016 client survey indicated that more than two thirds of them use WordPress, which Pandjarov said is a 10% increase in the popularity of WordPress among SiteGround users.

Next Step for SiteGround: Pre-Configuring WordPress Installs to Use SSL with One Click

Auto-issuing certificates does not guarantee that SiteGround customers will jump through the hoops to configure their sites to use the certificates. Installing a certificate on an existing WordPress site is not as straightforward as a simple click in most cases. SiteGround is working on fully automating this process for its WordPress customers.

“If we really want to get closer to 100% HTTPS usage, we need to do more than just automatically issue the certificate,” Pandjarov said. “Our next step is to provide a way to pre-configure an active WordPress site, hosted on our servers, to work with the already issued SSL with one click. Additionally, our auto-installer is being updated to install all new WordPress sites as https-ready.”

SiteGround doesn’t yet have an ETA for one-click SSL configuration but Pandjarov said the announcement will be coming soon.

Postmatic is rebranding its WordPress.org Postmatic Basic plugin as Replyable and pushing the two-way email commenting feature into a new SaaS product. After discovering that many users simply want email commenting, without additional post delivery and newsletter features, Postmatic launched Replyable to offer this starting at $3/month.

“Replyable was born out of user feedback,” founder Jason Lemieux said. “Postmatic does more than most sites need and the price is squarely mid-market. From the beginning we’ve heard from users that they already use another newsletter service and just want Postmatic to handle comment subscriptions – but that alone isn’t worth $20 to too many people. With Replyable we can offer it for $3.”

Lemieux and his team have now transitioned Postmatic to be purely a Saas product without a presence in the WordPress.org directory.

“Postmatic will continue to grow as a complete engagement system and, if anything, become even more complex and go further up market,” Lemieux said. “Sites which use Postmatic tend to dive in deeply. It is meant to function as a package. Grow a list, deliver to it, get them talking about your ideas, monetize the results.”

The Replyable plugin on WordPress.org now simply covers comment subscriptions with all other features available in the commercial products.

Ripping an existing feature out of a free plugin and making it paid is fairly unusual and can have a negative impact on how users perceive the plugin. However, Postmatic has a plan to allow legacy users to continue using the features they had before by switching to Postmatic Labs. It’s an inconvenient change but is required for those who don’t want to upgrade to a commercial plan.

Although WordPress.org says Postmatic has approximately 1,000 active installs, Lemieux estimates there are 8,000 users including those using the commercial plugin or the Labs plugin. He would not share any specific revenue figures but said he learned some important pricing lessons in leading the bootstrapped startup for the past two years.

“We aren’t a runaway WordPress success story but we’re alive and loving our jobs,” Lemieux said. “About six months ago it became apparent that we needed to get out of the mid market. We had a huge group of people saying, ‘I just want email commenting and will totally pay you 5 bucks a month for it,’ and another group saying, ‘We pay $6,000 a month sending Mailchimp RSS campaigns but yours are better for only $1500. Why so cheap?’ That’s been a frustrating reality and a big lesson in knowing your audience and pricing appropriately.”

Next on Postmatic’s Roadmap: Epoch 2

In July 2015, Postmatic introduced Epoch as a Disqus alternative, offering 100% realtime commenting for WordPress. The plugin submits comments via AJAX so that they appear instantly without refreshing the page. Lemieux and the team have been working on the second version for nearly a year.

“Epoch 2 is a huge step forward,” Lemieux said. “We built it on top of the REST API and Angular. It’s fast and incredibly light. Commenting isn’t sexy – I don’t think it will ever be, but comments are great for SEO, community, and for building brands and authority. Comments aren’t going away. In fact, they are vitally important to keeping the web as a place for discourse, conversation, and the sharing of ideas. We need to continue to make them a better experience. Epoch isn’t groundbreaking in its functionality but it does the job of making sure sites of any size can still run native WordPress comments.”

Postmatic continues to innovate with native comments, an aspect of WordPress that doesn’t have as many commercial players as something like forms or e-commerce. Lemieux attributes this underserved area to the poor reputation of previous non-native solutions.

“I think it is because of the rise and fall of third party commenting system,” Lemieux said. “Early in WordPress history services like Disqus and Livefyre grabbed huge parts of the comment traffic on WordPress sites by offering more features, better speed, and improved moderation tools (with the hidden cost of selling your users down the river). It was certainly a siren song. But most all of them stagnated, violated user trust, or just plain didn’t work well. And commenting got a bad name. Naturally came the trend in disabling comments and, well, now here we are and people are trying to have conversations 140 characters at a time.”

Lemieux said the innovation he sees happening outside WordPress makes him believe that comments can overcome their past reputation.

“Things are getting better – and hopefully more folks will begin to innovate,” Lemieux said. “Lucky for us other blogging and publishing platforms are innovating and coming up with interesting ideas all the time. Some of them, like inline commenting from Medium, do make their way back over to WordPress. That makes me optimistic.”

Aaron D. Campbell, WordPress Core Contributor at GoDaddy, is replacing Nikolay Bachiyski as WordPress’ Security Czar or WordPress Core Security Team Lead. The role was created in 2015 to provide more structure and focus around incident responses.

“The responsibilities of the position include, organizing the security team and making sure all security concerns and reports get triaged and ultimately fixed, coordinating the security side of releases, and being a point of contact for any security related things that need one,” Campbell said.

Matt Mullenweg, co-creator of the WordPress project, thanked Bachiyski for being the first to accept the role and putting the foundation in place for future team leads, “This is also a good time to thank the dozens of volunteers who participate in the security group, and the researchers and reporters who bring issues to our attention,” he said.

Campbell says he plans to finish what Bachiyski started by getting WordPress.org onto HackerOne. “Nikolay did a lot of work around expanding our team as well as getting the foundation laid for moving over to HackerOne,” he said.

“We aren’t quite ready to make the move completely, but I hope to phase out the security@ E-Mail address in favor of HackerOne in the near future.”

In late 2016, GoDaddy hired Campbell to contribute to WordPress core full-time. The company continues to back his involvement in WordPress, “The role is completely voluntary,” Campbell said. “GoDaddy has truly been extremely hands off while funding me to do all this, and I’m grateful to have that continue.”

If you think you’ve discovered a security vulnerability with the self-hosted version of WordPress, you’re encouraged to responsibly disclose it to the security team by emailing security @ wordpress.org and include as much detail as possible.

Yesterday Automattic released a new free plugin the makes it easy for Lightroom users to export their photos to WordPress. Lightroom is an Adobe product for managing and editing photos, and the plugin works with the software on MacOS and Windows. It is compatible with both WordPress.com and Jetpack-powered sites.

The Lightroom plugin requires a WordPress.com account to install. Users can then select photos in Lightroom and export them to a WordPress site with all the standard settings available, such as image resizing, watermarking, output sharpening, and more. The plugin automatically exports titles and captions. A large number of photos can take awhile to export, but once the upload is finished users can find their images in the WordPress media library.

When asked for tips on suggested upload size and compression, Automattic representative John Godley said, “WordPress.com can handle pretty much anything you throw at it! I personally go for a high quality and large size so it looks good on a HiDPI screen, and then let WordPress resize as necessary to fit the viewers device.”

It’s not yet clear how the release of Automattic’s free plugin will affect the commercial products that exist for a similar purpose. FloLight, WPLR Sync, and other solutions will need to offer more features with a quicker setup if they want to compete with the new free Lightroom plugin.

Those who want to use the plugin must already have a Lightroom license (standalone or subscription). Although this is a relatively small subset of overall WordPress users, it saves a great deal of time for photobloggers and those who process a large number of photos with Lightroom before posting online. For most, this plugin simplifies what was previously a tedious, multi-step process of manually uploading the photos after working with them in Lightroom.

For those who failed to “learn JavaScript deeply” last year, 2017 offers a clean slate for restarting your JavaScript learning goals. Wes Bos, a developer and educator known for his high quality video tutorials, recently launched a free 30-day vanilla JS coding challenge course that provides structure for developing a new habit of daily learning.

JavaScript30 walks users through building 30 things in 30 days with no frameworks, no compilers, no libraries, and no boilerplate. The course is suitable for beginner to intermediate developers and designers who want to get a solid grasp of JavaScript fundamentals. It purposely steers clear of abstractions like frameworks to help students gain a better understanding of browser APIs while working in the DOM without a library.

Bos designed the course to help students gain competence through building things, the advice he gives to anyone wanting to improve their JavaScript skills.

“So, you’ve done a few courses and read a few books but still don’t feel great about your relationship with JavaScript,” Bos said. “How do you get better? Build things. Lots of things. Build 1,000 things. Keep it up and don’t stop.” The course is packed full of quick, interesting, and practical projects.

JavaScript30 includes access to 30 videos, 30 days of starter files, and completed HTML, CSS, and JS Solutions for each day. The videos are accessible and ESL-friendly with closed captions provided.

Bos said he spent more than 300 hours creating the videos as a thank-you to those who have supported his paid courses.

“I see a huge need for these videos and I really think it will help many…become comfortable creating with JavaScript,” he said.

Bos is also the author of the free Learn Redux course, which includes 2.5 hours of videos that help students get started with React.js, Redux, and React Router. Some of his other popular courses include React for Beginners, Learn Redux, and ES6 for Everyone.

In this episode, Marcus Couch and I recap the news that made headlines during the second half of 2016. I explain why there wasn’t a show last week and we close out the episode with our predictions for 2017. We’ll be back to our regular show format on Wednesday, January 18th.

WPWeekly Meta:

Next Episode: Wednesday, January 18th 3:00 P.M. Eastern

Subscribe To WPWeekly Via Itunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #259:

The second edition of Karl Fogel‘s “Producing Open Source Software: How to Run a Successful Free Software Project” is now available for download. Fogel, a partner at Open Tech Strategies and OSS contributor since 1997, was a founding developer in the Subversion project. He has worked for more than a decade as an open source specialist, helping businesses and organizations evaluate, launch, and manage open source projects.

Producing Open Source Software version 2 was released for free this week under the Attribution-ShareAlike 4.0 International license. The first edition was published in 2005 but the landscape of OSS has changed drastically over the past 12 years. In 2013, Fogel successfully raised $15,376 towards his $10,000 Kickstarter goal to fund the revision.

The book includes topics like ‘Free’ Versus ‘Open Source,’ choosing a license, version control, social and political infrastructure, the economics of open source, culture, and communication. It was written for managers and software developers but can also be informative for newcomers to open source projects.

Fogel originally planned on finishing the second edition by the end of 2013 but experienced delays due to starting his company. Some chapters also took longer to revise than he anticipated.

“In retrospect, if I had understood what the pressures of a young and growing company would be, I would not have started the 2nd edition when I did,” Fogel said. “It has been a lesson.” Fortunately, for the 314 Kickstarter backers who might have been waiting on his work for four years, progress was immediately available in the public repository for the book. Fogel didn’t keep any private version of the book elsewhere.

“While there are substantial changes throughout the book, the most expanded chapter is probably Chapter 5, ‘Participating as a Business, Non-Profit, or Government Agency,'” Fogel said. “That chapter’s title used to be just ‘Money,’ so that gives you some idea of what the new material is.”

He also found the third chapter on technical infrastructure to be more time consuming than the others due to all of the changes in the past decade. It took roughly four and a half months to revise it to include modern development tools.

One of the central focuses of the book is the value of collaboration and the direct benefits it provides to an open source software project.

“Competence at cooperation itself is one of the most highly valued skills in free software,” Fogel wrote in the preface. “Good free software is a worthy goal in itself… But beyond that I also hope to convey something of the sheer pleasure to be had from working with a motivated team of open source developers, and from interacting with users in the wonderfully direct way that open source encourages. Participating in a successful free software project is a deep pleasure, and ultimately that’s what keeps the whole system going.”

Editor’s Note: This is a guest post by Jack Lenox. Jack is a developer at Automattic and hails from the United Kingdom.

For just over a year now, I have been working on the WordPress.com VIP team at Automattic. I had been working at Automattic for the two years prior to this – and had been developing sites with PHP and WordPress for almost ten years prior to that. So you might imagine that I had a pretty good handle on developing stuff with WordPress.

And you would be wrong. Getting started with the VIP team was an eye-opening and occasionally terrifying learning experience, occasionally resulting in me thinking: “please excuse me for a moment while I go and fix some horrible vulnerability in all of my WordPress sites.”

Recently, I have cautiously found myself feeling slightly more comfortable with my position on the team. For some time, I have been wanting to document the most interesting and impactful things that I have learned in the past year.

As some readers may know, a significant part of a developer’s job on the VIP team is reviewing code. Thus, with us being at the start a new year, I have hereby compiled some of the most interesting best practices I have discovered as a list of New Year’s Resolutions:

1. Use strict comparison operators

One of the many quirks of PHP is that it enjoys juggling. In particular, it enjoys juggling types. This means that without explicit instruction, PHP doesn’t see a difference between a string of “string”, an integer of 0, and a boolean value of true.

So for example this:

$var = 0;
if ( $var == 'safe_string' ) {
    return true;
}

Will return true. I know, what?! The easy solution here is to simply use strict comparison operators.

So that’s === instead of ==, and !== instead of !=. This pops up in a few other places too. By default the in_array() function has its strict parameter set to false.

So:

in_array( 0, ['safe_value', 'another string'] );

Will return true. To fix this, simply pass a third parameter of true.

While we’re here, there’s one other form of comparison we should be aware of, and that’s hash_equals(). This provides a string comparison that prevents timing attacks.

While a relatively uncommon form of attack on the web, it’s worth being aware of a timing attack. What is it? Well, when PHP compares two strings, it compares them one character at a time.

So in the case of something like this:

$submitted_password = $_POST['password']; // For argument's sake, let's say it's "pa45word"
$password = "pa55word";

if ( $submitted password === $password ) {
    go_forth();
}

PHP’s thought process in human terms is: Is the first character of each string p? Yes it is. Is the second character of each string a? Yes it is. And so on.

It will do this until it realizes that the third characters differ and at that point it will bail. Thus, with sophisticated timing software, a password can gradually be worked out by calculating how long the process is taking. If the process takes slightly longer with one character than it does with every other character, an attacker will know that they have worked out the first character.

Automated processes can keep doing this until the entire password is worked out. hash_equals() will compare two values, but will not bail early if it detects a difference.

In conclusion, if you’re comparing sensitive values, use hash_equals()!

2. Use Yoda condition checks, you must

The WordPress PHP Coding Standards suggest that you should: “always put the variable on the right side and put constants, literals or function calls on the left side.” Initially, this might just sound like a bit of pedantry, but it actually has a very practical application.

Consider how catastrophic the following typo could be:

if ( $session_authorized = true ) {
    unleash_the_secrets();
}

Oh dear, instead of checking that $session_authorized is true, I am instead assigning the value of true to that variable.

Now the secrets are being unleashed to whoever wants them. This could easily be missed when checking the code for bugs, even by a reviewer.

Now imagine if the first line was expressed as:

if ( true = $session_authorized ) {

Well, it doesn’t. We can’t assign a variable to the static boolean value of true.

Hopefully it won’t take us too long to work out why our code is still broken, but the secrets remain safe. So we’re good!

3. ABE. A Always, B Be, E Escaping. Always Be Escaping. ALWAYS Be Escaping.

Not having a firm grasp of the concepts of validation, sanitization and escaping can make you a very dangerous developer indeed.

To the extent that libraries like React escape all output by default and to bypass this functionality, you have to use the attribute: dangerouslySetInnerHTML

Validation is checking that what your code is being passed is even vaguely what it’s expecting. So for instance, if we’re expecting an integer, we can use something like: $zipcode = intval( $_POST['my-zipcode'] )

The intval() function returns its input as an integer and defaults to zero if the input was a non-numeric value. So while this won’t prevent our code from being passed zipcodes that aren’t valid, it does protect our code from being passed anything that isn’t a number.

Naturally, we could go a step further to see if the zipcode actually appears to be valid. For example, 1111111111111 is not a valid zip code, but intval() doesn’t know that.

Fortunately, beyond integers, WordPress has a bunch of handy helper functions for almost every data type including my favourite: is_email().

Sanitization is cleaning input to make sure that it’s safe in the context where we want to use it. This prevents one of the most common forms of security vulnerability, an SQL injection attack.

We also sanitize to fix practical things, like checking for invalid UTF-8 characters. WordPress has a class of sanitize_*() helper functions; here’s an example of how one looks in the wild:

$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );

Therefore no matter what garbage we might have been passed in $_POST['title'], it won’t cause any real problems.

Escaping is similar to sanitization, but instead it is cleaning what we’re sending out, rather than what we’re taking in. A major reason for doing this is to prevent another of the most common forms of security vulnerability, a Cross-site Scripting (or XSS) attack.

We want to clean our output to ensure we aren’t accidentally echoing out something very dangerous that we didn’t realize we were inadvertently storing in our database (or perhaps fetched from an API).

WordPress has a bunch of very useful helper functions here. Some common examples of these in the wild are:

<h4><?php echo esc_html( $title ); ?></h4>

<img alt="" src="<?php echo esc_url( $great_user_picture_url ); ?>" />

<ul class="<?php echo esc_attr( $stored_class ); ?>">

There is also wp_kses() which can be used on everything that is expected to contain HTML, and will filter out elements that are not explicitly allowed.

As a general rule, the the_*() and get_the_*() theme functions are already escaped. However, the get_bloginfo() function, for example, is not escaped.

For further information here, I highly recommend checking out the VIP team’s documentation on Validating, Sanitizing, and Escaping.

4. Stop trusting everything

Don’t trust user input. Don’t trust what’s in your database. Don’t trust any variables.

Treat every variable with contempt.

This way, even if, for example, someone sneaks some dodgy XSS code into your database, it’ll still get escaped on output and your site will be better protected.

5. Avoid inserting HTML directly into the document (when using JavaScript)

Doing something like this is dangerous because the data that we’re using could include many more DOM elements that dramatically alter the anticipated behavior of this code, and make it vulnerable to XSS attacks:

jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
}).done( function( data ) {
    var link = '<a href="' + data.url + '">' + data.title + '</a>';

jQuery( '#my-div' ).html( link );
});

Instead, we should programmatically create DOM nodes and append them to the DOM. So the above instead becomes this:

jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
}).done( function( data ) {
    var a = jQuery( '<a />' );
    a.attr( 'href', data.url );
    a.text( data.title );

jQuery( '#my-div' ).append( a );
});

This is how a library like React does things behind the scenes. You can read more about this in a wonderful post about preventing XSS attacks in JavaScript by my colleague, Nick Daugherty.

6. Review code

Have you ever reviewed a plugin before using it? I know, who’s got time for that right? I’ll tell you who: you.

I have come to realize that reviewing code is possibly one of the best exercises for improving as a developer. Even if you’re quite new to programming or development, and you still feel pretty green, you really should give it a go.

A great way to start is to review the next plugin you decide to use on your website. Before activating it, pop it open in your text editor of choice, and just spend some time scanning through it to understand what it does.

A method I like to use here is to interpret each line of the code in simple English. You can even say it loud if you like – assuming you’re not sitting in a café or co-working space where people might become worried about you.

You might be surprised at how often you find bugs and quirks in the code, or that the code isn’t conforming to the best practices outlined above. And if you discover issues, why not create a patch? Or if the plugin is on GitHub, create a pull request.

You can also review your own code. A great method for doing this is to never deploy code straight into production. Instead, leave it on the day you finish it, and review it line by line in the morning. This method is easiest to adopt if you’re using something like GitHub where you can create a pull request with the changes, then review the pull request yourself the next day before merging it.

In this vein, I highly recommend watching my colleague, Ryan Markel’s, fantastic talk on this topic from WordCamp US 2016.

7. Upgrade your tools (or at least use PHP_CodeSniffer)

There are lots of tools that help make web development easier, but if you’re doing a lot of WordPress development, the most valuable is probably PHPCodeSniffer. It reads your code and automatically reviews it for bugs and coding standards inconsistencies while you type.

It’s kind of like a spell checker, but for code. No matter how good your English is, you still use spell check right? So why wouldn’t you spell check your code?

Here’s a bonus for you: the WordPress VIP Coding Standards are available by default with the WordPress Coding Standards for PHPCodeSniffer. So with that, it’ll check if you’re following most of the above resolutions.

As you might imagine, using PHP_CodeSniffer also really helps highlight potential problems when you’re reviewing plugins and other people’s code.

8. Be curious

Far too often, I’m guilty of searching to try to find out what a particular WordPress function does, or scanning Stack Overflow to see if someone’s having the same problem as me.

I have historically had a bad habit of seeing much of what WordPress does as magic, and avoiding getting too deep in the inner workings. But actually, it can be very beneficial to find out answers for yourself, instead of trying to find others who have already done the work.

In essence, WordPress is quite simple. The code largely consists of functions taking arguments, and doing things with those arguments, and passing the results onto other functions taking arguments, and so on.

It doesn’t take much to start unpicking something, and working out exactly what’s happening behind the scenes. So next time you’re struggling with a function, try going straight to looking at what the function actually does.

Personally I find the WordPress GitHub repo that mirrors the core SVN repo to be a very useful way of doing this.

The WordPress strapline is that “code is poetry”, and for its flaws I find that on the most part, the WordPress codebase is very readable, if nothing else!

I’ll conclude by taking this opportunity to wish you a very happy and prosperous new year!

Note: Some of the above has been gleefully plagiarized from WordPress.com VIP’s Code Review documentation. It’s an Aladdin’s cave of useful advice, and I highly recommend working your way through it as and when you can.

Daily blogger and plugin author Tom McFarlin has found a new maintainer for five of his WordPress.org plugins. Within two days of putting the plugins up for adoption, McFarlin announced that Philip Arthur Moore will be taking over Category Sticky Post, Comment Tweets, Single Post Message, Tag Sticky Post, and Tipsy Social Icons. Moore, who is currently working as CTO at Professional Themes, has inherited roughly 10,000 users overnight in the transfer of maintainership.

WordPress.org plugin adoption stories are few and far between. The most common scenario for an orphaned plugin is to languish in the directory until it disappears from search results (with the exception of exact matches) after two years of no updates. In McFarlin’s case, he was looking to tie up some loose ends before shifting Pressware’s focus to launching Blogging Plugins, a marketplace for extensions that streamline WordPress for regular bloggers.

“Last year, I had a few false starts when trying to launch what was originally called Pressware Plugins,” McFarlin said. “Fast-forward a few months and we’re going to focus on something called Blogging Plugins. We already have two free plugins available, though there’s an entire set of plugins, marketplace, and more coming.”

Moore’s adoption of the plugins, which includes the first plugin McFarlin ever wrote, allows Pressware to move forward with its 2017 objectives. McFarlin said he selected Moore based on the quality of his open source projects and reputation in the WordPress community.

“For those of you who aren’t familiar with Philip’s side projects, you may be familiar with Subtitles,” McFarlin said. “It’s a plugin that falls right in line with my personal ethos of how things should work with WordPress: You activate it, it’s ready to go, and it feels native within the application.”

Why would I adopt @tommcfarlin's work? Because I owe him. He's ethical, an amazing man, and a stellar coder: https://t.co/WM66Xu1vm1

— Philip Arthur Moore (@philip_arthur) January 6, 2017

The adopt-me tag is used on WordPress.org to indicate plugins where the author is looking for a new maintainer. With just two pages of listings, it’s not yet widely used. Most developers find it easier to fork an open source plugin and WordPress.org has recently made it easier than ever for authors to close a plugin by simply emailing the plugin team.

However, not all orphaned plugins are ready for end of life measures. Circumstances change in plugin authors’ lives, but the strength of the user base is one of the primary indicators of a project that could thrive in new hands. The built-in user base is also one of the main advantages of adopting a plugin as opposed to forking it.

Developer and ZDNet columnist David Gewirtz discovered the full weight of adopting a plugin’s users when he took on 10 plugins from the adopt-me section of the directory. Gewirtz, who inherited approximately 50,000 users, said the experience helped him reconnect with real users.

“The value I’ve gained as a columnist, advisor, and educator that has come from interacting with users from so many nations with so many different skill sets and missions has been off the charts,” Gewirtz said. “I thought I’d keep my programming chops up, and I’ve certainly done that. But I never expected I’d gain a much broader perspective that I’d be able to apply to all of the areas of my professional life and meet so many cool people.”

Adoption is arguably the healthiest outcome for any orphaned project – not just for the sake of reducing plugin abandonment but also for continuing support for users. Many of them blindly depend on plugins with no understanding of how they work.

Once a plugin is downloaded and installed on users’ sites, it gains a life of its own. Adoption strengthens a project’s history by proving it can weather storms that might otherwise cause the plugin to become obsolete and wipe out the user base.

I’m taking it easy this week, nothing too crazy — just sharing good meals and wine with friends. Which is probably a good example of my goals for the year: putting family and loved ones first, slowing down (to go further), and deliciousness. (Single Thread Farms blew me away.)

2016 was a year of incredible contrasts: it was the saddest and most challenged I’ve ever been with the passing of my father, and while that overshadowed everything there were also bright moments of coming closer to family, deepening friendships, and growing professionally with incredible progress from both WordPress and Automattic. That momentum on the professional side is carrying through and right now I’m the most optimistic I can recall, and thrilled to wake up and get to work every day with the people I do.

I talked about trying to spend longer stretches of time in fewer places, and that definitely happened. I flew 162k fewer miles than the year before, and visited 35 fewer cities. My blogging decreased a lot too — from 252 posts in 2015 to 76 posts in 2016, but the posts I did write were at least 50% longer. I made it to 9 more of the Top 50 restaurants and stand currently at 50% of the list. I finished 22 books, including a lot more fiction including my first few graphic novels like Ex Machina, Y: The Last Man, and Watchmen. I watched 35 movies, 9 of which were from the Marvel universe on a single flight from Cape Town to Dubai.

Last year I said, “it’s exciting to make the most of the opportunity that the volatility, love, loss, glory, failure, inspirations, and setbacks that 2016 will bring.” I didn’t know how right I would be, and wish I hadn’t been.

This year doesn’t start with new plans, but rather three intentions continued from a few months ago. I revealed one yesterday, and promised I would expand today on the others, so here they are:

1. Symmetry — Balance in all things, including my body which is stronger on my right side and much tighter on my left side. We also need symmetry in WordPress between the .org and .com products which differ too much.
2. Stillness — In echoes of Pico Iyer, so much of my life in my 20s was about movement, and “going places to be moved.” In my 30s I’m looking inward. As Saint Augustine said in Book X, chapter 8 of Confessions: “Men go forth to wonder at the heights of mountains, the huge waves of the sea, the broad flow of the rivers, the vast compass of the ocean, the courses of the stars, and they pass by themselves without wondering.”
3. Yellow Arrows — The idea that there are clear indications of where to go next at every fork in the road, and if not you should paint them. I wrote more on this  yesterday.

Previously: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, and 32.

WordPress 4.7.1 is available for download and fixes eight security issues that affect WordPress 4.7 and below. The PHPMailer library was updated to patch a remote code execution (RCE) vulnerability. WordFence reported the vulnerability last month as critical and that it affects WordPress core.

However, in the announcement post for 4.7.1, Aaron Campbell, WordPress’ new Security Czar says that, “No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.” Dawid Golunski and Paul Buonopane are credited with responsibly disclosing the vulnerability.

WordPress 4.7.1 also fixes an issue where the REST API exposed user data for all users who authored a post of a public post type. This release limits this ability to only post types which have specified that they should be shown within the API. Brian Krogsgard and Chris Jean are credited with responsibly disclosing the vulnerability.

In addition to patching eight security issues, this release fixes 62 bugs. To see a full list of changes, visit the release notes page or you can view them on Trac. Sites should update automatically but if you’d like to update sooner, visit your site’s Dashboard, select Updates, and click the Update Now button.

After taking heat for the proliferation of “fake news” and misinformation on its platform during the US presidential election, Facebook is aiming to strengthen its ties with the news industry.

“We care a great deal about making sure that a healthy news ecosystem and journalism can thrive,” Facebook director of product Fidji Simo said in the announcement today.

The new Facebook Journalism Project will focus on creating news products with feedback from publishers, providing training and tools for journalists, and promoting news literacy for the public.

In 2015 Facebook launched Instant Articles to deliver publishers’ content instantly in exchange for advertising revenue. The platform will be expanding the feature to combine multiple Instant Articles in one post, starting January 12, 2017.

image credit: Facebook

“We’ve heard from editors that they want to be able to present packages of stories to their most engaged readers on Facebook,” Simo said. “We’re starting to work with several partners on how best to do this. We’re going to start testing this using Instant Articles, so that readers can start to see multiple stories at a time from their favorite news organizations.” Facebook is currently testing this feature with BILD, BuzzFeed, El Pais, Fox News, Hindustan Times, The Sun, The Washington Post, and other publishers.

In April 2016, Automattic partnered with Facebook and VIP-Featured-Partner agency Dekode to develop Instant Articles for WP, a plugin that outputs a compliant feed of posts wrapped in the required markup for Facebook. The plugin passed 10K active installs at the end of 2016, but its star rating continues to plummet due to numerous errors with updates and a lack of support. Only 1 of 42 support threads has been marked resolved in the last two months. Publishers who depend on the plugin may need to have a developer on staff to handle issues with the plugin or select another solution.

Facebook is also planning to collaborate with publishers on subscription business models for their content. Participation in this feature will require the publisher to make its content available through Instant Articles.

“Many of our partners have placed a renewed emphasis on growing their subscription funnel, and we’ve already begun exploring ways we can support these efforts,” Simo said. “This month our engineering team in collaboration with the engineering team of the German news organization BILD will launch a test to explore offering free trials to engaged readers, right from within Instant Articles.” Simo also said they are working on other monetization options for publishing partners, including advertising breaks in regular videos.

This story involves me as a blogger, the Prime Minister, me again as a web developer, an Islamic cult attempting a coup d’état, and me again as a solopreneur. Oh, and WordPress. And ISIS.

WordPress: My First Encounter

In the beginning of 2006, everyone in Turkey was talking about blogs. It was the hot new thing on the web. Forums were “out” and blogs were “in”. Anyways, I was getting ready for the ÖSS and studying to get into a university but I was psyched enough to register a blog on WordPress.com, on January 2006. (I moved the blog into a free hosting space the next month, and opened up beyn.org in July 2006.) I was in Kocaeli, the city right next to İstanbul.

After the registration, I realized that I had nothing to write about. So I wrote about the day I had. The next day, I did the same thing. And the next day. And the next seven and a half years. Of course, I skipped four or five days. But that kind of dedication earned me a reputation and an award for “Best Personal Blogger of 2008”.

But I didn’t just write about my days. After getting accepted into Ankara University in September 2006, I began to read and think about politics, as nearly all young Turks do in university. Eventually, I started writing about politics as well. Because you know what they say: If you want to learn something, write about it.

Oh, I learned it pretty well, and I learned it the (somewhat) hard way.

Facing Jail Time with a Blog Post

2010 was probably my darkest year in my entire life. (2016 is the next candidate.) I was 22 years old, blogging daily, learning about web design and WordPress (more on that later), and keeping up with what’s going on with the country. Things were crazy back then: A very big prosecution was going on called the Ergenekon Case about military people allegedly planning a coup (Hint: This is not the coup I mentioned in the intro! These guys were all acquitted later.) and a big campaign for a constitutional referandum was more than enough to keep the whole country busy.

In December 2010, Recep Tayyip Erdoğan, the Prime Minister of the time (and the President since 2014) sued me for one of my blog posts. It was about one of the slogans he used in his referandum rallies (“The terrorists and the opposition parties are soul mates!”) and me using the same sentence against him. Like, the exact same sentence. He didn’t like the way that the slogan was used against him, so he reported me and the state brought charges against me. I was 22 and I was being sued by the most powerful man in the country, because I used his words against him.

When the Prime Minister sues you, you go to jail. There were little to no instances of winning a case against the government, especially when they were the one suing you. Thankfully, I was one of the few instances: I won the case in my third trial, February 14, 2012. (“Lovely” day, isn’t it?)

There were one downside though: With the fear of the government suing me, I stopped writing about politics in 2011 and 2012, and even a few months after I won. And to this day, even though that fear is long gone, and even though I’m writing about politics again on Beyn, I still can’t write regularly like I did back then.

Anyways. Moving on with the “web development” phase of my life.

Learning to Develop WordPress, and Teaching It at the Same Time

When I started Beyn, I immediately loved WordPress. I had some experience on HTML and CSS on Dreamweaver (never was a FrontPage guy), and I happily retired DW because I won’t be able to work on it while I was learning WordPress.

I don’t remember trying to learn something with such passion. I loved the idea of plugins and themes extending the core. Beyn became my playground for new tricks, my laboratory for new experiments about WordPress. I installed plugins, edited themes, learned what’s right and what’s wrong with what I did… I probably crashed the website more than a hundred times!

By 2012, I’d already started making websites for other people and getting paid. I had developed a few plugins, made a couple of themes from scratch. While still learning what awesome things I’m able to do with WordPress, I applied for a small writing gig at Wptuts+, which was later renamed Tuts+ Code. Because you know what they say: If you want to learn something, write about it.

That “small writing gig” was in fact my biggest source of education. I wasn’t a WordPress expert, but that gig was the ultimate reason to learn more and more about WordPress. I remember constantly feeling that “I’ve finished telling about everything I know about WordPress, so now I have to learn more!” and doing research on things to write about.

I was aware that I don’t have any chance to write a sloppy tutorial, so I nagged my editors (first Japh Thomson, then Tom McFarlin) about my writing style, my choice of topics and of course, my English. They said my English was very good, and my topics are relevant and suitable for publishing on Tuts+. In almost exactly four years (from April 2012 to March 2016), I wrote 134 posts and I’m very proud of (almost) all my work there.

While it was sad to leave Tuts+, I had a project in my mind that I put off so long: Optimocha.

WordPress Speed Optimization with Terrorists, Bombs and Death

That title came out grimmer than I expected. Heh. Anyways.

2015 was the year when I first thought about a speed optimization service for WordPress-based websites. Then I thought that I would better use my energy on the upcoming general elections in June. I worked for an NGO called “Vote and Beyond” to ensure transparency in observering of ballot count in the elections.

2015 was also the year with a whole lot of terrorist attacks. PKK, a terrorist organization pretending to defend Kurds’ rights (while giving a bad name for all Kurds countrywide) and ISIS (you know them) were the most active terrorist organizations in 2015. They killed more than 250 people and injured more than 1000 in a series of shootings and bombings throughout the year.

Worst year ever, right? Not even close. Let me quickly summarize the hell we’ve been through:

1. ISIS killed 116 people in 5 different attacks.
2. PKK killed 176 people in 15 different attacks.
3. TAK, PKK’s even uglier cousin, killed 43 people in 4 different attacks.
4. FETO killed 248 people across the country in their coup d’état attempt on July 15.

583 people killed in terrorist attacks in 2016. So, just a few more than all those lovely celebrities.

What’s that FETO sticking out among the others, attempting a coup? That’s FEthullahist Terrorist Organization: The organization of Fethullah Gülen, an Islamic cult leader comfortably residing in Pennsylvania, plotting to take over the government for (I kid you not) over 40 years. Even I had made peace with the President because of the much needed “purges” to scrape his crypto-disciples in the government organizations. FETO is one of the enemies that can let you make peace with the ones against your values.

(By the way: While celebrating that we got rid off that horror show of 2016, ISIS killed 39 more people with an AK-47 in a New Year party on January 1, in the middle of the night.)

Still waiting for the part where I founded Optimocha, right? Sorry it took a bit long.

April 2016 was the month I registered my company by paying for the usual fees to register a sole proprietorship, accountant fees, rent for an office (because by law, you can’t register a company without an office), some paperwork. All my funds vanished, leaving me with nothing to spend on marketing.

PayPal halted operations in Turkey on June, because of conflicts with the government. 2CheckOut followed. I was going to use 2CO, so I was left with no payment gateway provider. Along with the terrorist attacks, I decided to spend Ramadan (the holy month for Muslims, passed on June 2016) sleeping, lying and moping around with depression.

At the beginning of July, I was ready to work again, amped up for success! Except the coup attempt happened. Bombs and sonic booms in my city. Back to depression.

By October, I was almost ready to go live with the website. I didn’t. I forced myself to finish it in November, before Black Friday. I did! People responded to my emails, said they’ll publish my deal on their blogs. People who saw the deal also responded and purchased my services. Yay.

Conclusion

Blogging is hard. Blogging with the most powerful man in your country trying to lock you up is the hardest.

Solopreneurship is hard. Solopreneurship with several, highly active terrorist organizations killing people next to you is the hardest.

Yet, and I’m sure this is going to sound cheesy, I have hope. This is the price we have to pay in order to get rid of the scum in the world. Turkey isn’t the worst country in the world suffering from terror–we’re just a country stuck between Europe, Russia, the Middle East and Africa. (Talk about a rock and a hard place…) We will survive this, and this too will pass.

Turkey may be viewed as “yet another Middle Eastern country”, but it was founded almost a hundred years ago with the heritage of the Ottoman Empire, but also with a Western, secular mindset. Even today, you can’t find a sensible person talking trash about Mustafa Kemal Atatürk, who declined the Ottoman monarchy to set the foundation of a democratic republic in a time of dictatorships across Europe and Asia. Emphasis on the words “even today”, because the principles of his vision of the Republic of Turkey is in danger, a very large portion of the country has the confidence and equipment to defend those principles.

Again: We will survive this, and this too will pass. You have my word.

The post Blogging, Solopreneurship, & Terrorism appeared first on HeroPress.

WordPress 4.7 has been downloaded over 10 million times since its release on December 6, 2016 and we are pleased to announce the immediate availability of WordPress 4.7.1. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7 and earlier are affected by eight security issues:

1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to Dawid Golunski and Paul Buonopane.
2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
4. Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
5. Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
6. Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
8. Weak cryptographic security for multisite activation key. Reported by Jack.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.1.

Thanks to everyone who contributed to 4.7.1: Aaron D. Campbell, Aaron Jorbin, Adam Silverstein, Andrea Fercia, Andrew Ozz, bonger, Boone Gorges, Chandra Patel, Christian Chung, David Herrera, David Shanske, Dion Hulse, Dominik Schilling (ocean90), DreamOn11, Edwin Cromley, Ella van Dorpe, Gary Pendergast, Hristo Pandjarov, James Nylen, Jeff Bowen, Jeremy Felt, Jeremy Pry, Joe Hoyle, Joe McGill, John Blackbourn, Keanan Koppenhaver, Konstantin Obenland, laurelfulford, Marin Atanasov, mattyrob, monikarao, Nate Reist, Nick Halsey, Nikhil Chavan, nullvariable, Payton Swick, Peter Wilson, Presskopp, Rachel Baker, Ryan McCue, Sanket Parmar, Sebastian Pisula, sfpt, shazahm1, Stanimir Stoyanov, Steven Word, szaqal21, timph, voldemortensen, vortfu, and Weston Ruter.

My friend Kamal Ravikant has a new book out, Rebirth, which I highly recommend. I had the good fortune to read it a few months ago and the story of the Camino de Santiago touched and inspired me.

Because of the impact of the book, I ended up adopting a few New Year’s intentions long before January 1st — things to ruminate on and keep in mind as the year wound down. The outlook of the world seemed uncertain, and I’m learning to navigate the world without my father.

Yellow Arrows

The Camino de Santiago is a pilgrimage path in Spain that people have walked since the 9th century AD. The 500 mile path winds through mountains, fields, and sometimes cities, and many pilgrims take a month or more on it. In some ways it is similar to the Kumano Kodo walk I did with Dan and Craig last year.

There are places where the path isn’t exactly clear, either because the trail isn’t strong, there’s been growth, or you might be in a crowded urban area like a city. Over the years pilgrims and people who live on the trail have marked it with yellow arrows pointing the way. If someone gets lost or confused, it’s an opportunity for an additional sign to bring them back on track.

When you know the path, is it clear where someone else walking it should go next? It’s an interesting concept that applies across life. In your relationships, does your friend, loved one, or partner know what to expect, and where you’re headed together? Even in WordPress I feel like there are too many places where we bring someone to a fork in the road and there is no clear indication which way they should take.

Give some thought to the yellow arrows in your life, and I’ll write more about the other two things I’ve been thinking about tomorrow. Also don’t forget to pick up a copy of Kamal’s book. I loved it and I think it will be one I’m recommending to many friends.

(Image from Camino Travel Center.)

Year In WP is a new site by Jesper van Engelen that creates a personalized review of a user’s contributions to WordPress in 2016. Entering the WordPress.org username of a plugin or theme author or a WordPress core contributor into the field generates a list of statistics that includes:

• Profile information
• Number of times their plugins and themes were downloaded
• Most downloaded plugins and themes
• Average number of downloads per week
• Plugin and theme review rating average
• Percentage of five-star ratings
• A selection of five-star reviews
• Number of commits, changes, and comments to WordPress core
• Number of WordPress releases contributed to

Engelen got the idea to create the site in 2014 after Spotify launched its ‘Year in Music‘ that highlighted trends based on what 50 million users listened too.

“I’d been active in the WordPress plugin market for about four years at that point, and I figured it would be really cool to get some year-over-year insight into your WordPress plugins,” Engelen said.

“Having become a partner at Admin Columns (a freemium WordPress plugin) in 2014, I found out that I really liked analyzing statistics of downloads, sales and other data, and that, properly grouped and reported, they could have a pretty big influence on decision-making from a business perspective.”

Engelen started the site by experimenting with fetching data from WordPress.org through its API that would show the change in the number of downloads to a user’s plugins.

“That is basically what lead to the ‘Your most popular plugins’ overview page,” Engelen said. “Spending some free hours each week on working on the project, more and more ideas of data to include popped up.”

The site displays a lot of data, but it doesn’t include everything. Engelen would like to eventually display sections for contributions to WordPress translations, plugins, themes, core, design, etc.

The Technical Details

The data displayed on Year in WordPress is gathered using the WordPress.org API, subversion, and web scraping. Engelen would have used the WordPress REST API but it was not available at the time, “Fetching the reviews and support topics yielded quite a bit of annoyance, as they’re done by scraping,” he said.

He uses a Python framework to fetch relevant data in parallel. The data is stored in an SQL database, which is accessed by a front-end tool. The front-end of the site features a design that was reused from AdminColumns.com.

“jQuery, combined with Chart.js and Fullpage.js power the interactive portion of Year in WordPress. I’ve also written some simple sentiment analysis code for filtering out the most popular reviews to show for each plugin/theme developer,” Engelen said.

Fun Facts about Year in WordPress

Engelen provided the Tavern with these fun facts related to Year in WordPress:

• There’s a Year in Review for about 100,000 users on WordPress.org — or all users who have contributed to a plugin or theme, created a review or a support ticket, or contributed to WordPress core.
• The full database takes about 500MB of space.
• There were 364,763,308 plugin/theme downloads in 2015, and 434,865,745 in 2016. That’s 19.2% growth!
• 2016 was the first year where the number of new core Trac tickets shrunk (4,044 in 2014; 4,392 in 2015; 4,028 in 2016)
• 73% of all plugins received zero reviews in 2016

Year in WordPress 2017 Is Not Guaranteed

Engelen is not making any promises for continued development in 2017 as it’s contingent on his free time. However, the main thing he would like to change is to include a wider spectrum of data.

“When I pitched the idea of Year in WordPress to a core committer and showed the beta version, he said ‘there’s so much more than core itself’ and that stuck with me,” he said.

“The perfect ‘Year in WordPress’ would feature cool statistics about all types of contributions people make to WordPress — whether it’s creating plugins and themes, writing code for core, translating or testing. Furthermore, I’m really looking forward to making use of all of the REST API’s that I can use this time around.”

WordPress core doesn’t make it easy to edit text strings, but a little plugin called Say What? has been quietly gaining a solid user base by providing this functionality. It allows users to edit text strings without editing WordPress core or plugin code. Lee Willis released Say What in 2013, but the plugin had a significant jump in users in 2016, doubling the number of active installs from 5,000 to 10,000 sites.

Willis, who is the author of 22 plugins hosted on WordPress.org and many more commercial extensions, created Say What while working as a Drupal developer.

“One of our must-install Drupal modules was called String Overrides, which inspired Say What?” he said. “At the agency I was working at we used it regularly on virtually every site build to override plugin, theme, and core strings in a ‘non-hacky’ way. Given that, I knew that the problem was there to be solved on WordPress, and that something that worked well would be useful to people.”

Say What adds a new screen for editing text under Tools > Text changes for configuring string replacements. Users enter the current string, text domain, and replacement text.

This plugin is a good option for those who are not comfortable sifting through PHP files and adding a filter to change the text. If you just have a handful of strings to replace, it’s more convenient than using a translation tool like POEDIT to edit the language files. All of the text changes are listed together in the Say What admin panel, so they can be easily changed at any time without editing any files.

Willis said users don’t often experience conflicts with themes and plugins, as there is so little frontend functionality included in the plugin.

“The main areas of support tend to be around locating particular strings, or issues where broken custom code is breaking the filters that Say What uses,” Willis said. After speaking with friends at a WordCamp in March 2015, he decided to create a commercial version to address this issue and a number of other feature requests.

“The free version was out for about two years before I launched the Pro version,” Willis said. “The only issue people tended to have with the free version was around finding the information they needed for the ‘original string,’ so I decided to build out the String Discovery feature as the first feature of the Pro version. This lets users search for the string using autocomplete functionality, making it much easier to set up replacements without delving through theme or plugin code.”

Say What increased in popularity in 2016 and has maintained a 4.6-star rating on WordPress.org. It is becoming more frequently recommended by support teams of other plugins when customers ask about how to change text strings.

“It’s great to know that it’s being used to help people build more future-proof sites without resorting to hacking plugin or core code just to change strings,” Willis said. “Even for people familiar with plugin and theme code, the String Discovery feature makes it a lot easier and quicker to set up replacements. It’s had a few new features over the last year, including support for multi-line, and single/plural style replacements.”

Willis said his Pro version proved to be fairly popular during 2016 and became one of his highest selling plugins. He recently added support for multilingual sites, the most often requested feature, allowing users to set up different replacements for different languages.

Willis does not have an extensive roadmap for the plugin, as he prefers to keep it uncomplicated and free of clutter. “I’m a big believer in plugins that do one thing, and do it well,” he said.

Say What is another successful instance of a developer solving one of his own problems and striking upon a successful commercial product. Willis said he didn’t fully anticipate how popular the plugin would become.

“As with most of my plugins it was also built to solve a problem that I personally was having at the time,” he said. “That said, I’m always (pleasantly) surprised when something does get popular.”

After testing Say What I found that Willis’ implementation is the simplest way for non-technical users to make a few simple string changes without the risk of breaking their websites. He is also very responsive on the support forums. The success of the Pro version is a good indication that Willis will be able to continue support and maintenance on the free plugin for the foreseeable future.

This opinion piece was contributed by guest author Peter Suhm. Peter is a web developer from the Land of the Danes. He is the creator of WP Pusher and a huge travel addict, bringing his work along with him as he goes.
 

---

Laravel Forge is a server and application provisioning tool that was originally built to serve the Laravel PHP crowd. Recently, it has been made available to WordPress developers too, with the introduction of 1-click installs of WordPress on Digital Ocean, Linode and AWS cloud servers. In this post, I’ll give you a brief introduction to Laravel Forge and show you how you can use it to manage all of your WordPress installations in the cloud.

Laravel Forge is good news for WordPress developers

Because so many WordPress developers are used to managed hosting, the thought of running their own servers seem quite intimidating. That’s a shame with so many great cloud server companies offering virtual servers for very low costs. Unless your traffic is very heavy, a small ($5 to $10 per month) server can run quite a few WordPress websites. Laravel Forge takes care of provisioning your servers and can even setup your database and install WordPress for you. This makes cloud hosting much more available to WordPress developers at a low cost (Laravel Forge is $15 per month for unlimited servers), compared to many of the existing options.

Here are a few reasons why I think Laravel Forge is great for WordPress hosting:

• Your servers are configured in a secure way by default, with SSH authentication, firewalls, automatic security updates and free SSL certificates from Let’s Encrypt
• Your servers are going to be really fast with PHP 7
• You can run a lot of WordPress installs on 1 single server *
• You can scale your servers if you need more horse power *

* Goes for the cloud in general

Creating a new server

Here is how the “Create Server” screen looks in Forge:

If you use Digital Ocean, Forge can also create your servers. If you use another provider like Linode or AWS, Forge can only do the provisioning part.

For Digital Ocean servers, here are the options you can configure:

• Which credentials to use, if you are managing multiple Digital Ocean accounts
• The server name
• The server size
• The server region
• The PHP version
• The default database name

You can then choose to:

• Configure the server as a load balancer (if you have really heavy traffic and is running WordPress across multiple servers)
• Install MariaDB instead of MySQL, which is a drop-in, faster replacement
• Enable weekly backups on Digital Ocean

When Laravel Forge is done with the provisioning, your server is ready to go.

Setting up a database

Once your server has been created, setting up a database for your WordPress installation is very easy. You can create the user at the same time you’re creating the database, or you can create the user afterwards.

Installing WordPress

Before you install WordPress, you need to create a new “site” on your server. You can just stick with the defaults:

For the “Root Domain”, you need to add the domain name of the site you are setting up. Remember that you need to add a DNS record for your domain that points to the IP address of your newly created server. If you are just testing, you can always add a record in your computer’s hosts file with a test domain that points to your server. Something like this:

# /etc/hosts

# Replace xx.xx.xx.xx with your server's IP address
xx.xx.xx.xx wordpress-forge.test

Once you click the “Add Site” button, you will see a spinning wheel while Forge is setting up your site’s nginx configuration.

When the installation is done, you need to click the “Manage” icon next to your site in order to install WordPress. The first screen you will be presented with gives you the option to install an “App” on your site. Click the “WordPress” button, select your database and user from the previous step and relax while Laravel Forge completes the installation. Fun fact: Laravel Forge is actually using WP-CLI to install WordPress on your server.

When the installation has completed, visit your site in a browser and you’ll be met with something familiar:

Setting up a free SSL certificate

Finally, you should set up SSL for your WordPress site. It’s more secure and Google likes it!

Head over on the “SSL” tab and click the “LetsEncrypt (Beta)” button. Click the “Obtain Certificate” button and wait while Forge creates and installs the certificate. Once the certificate is installed, click the “Activate” icon and voila! Your site is now all set up and secured with SSL.

That’s how easy it is to setup WordPress on a cloud server with Laravel Forge. I hope to see a lot of more products and tools like this that can help us building better, faster, and more secure WordPress websites. In fact, Laravel Forge was the original inspiration for my own product WP Pusher. I wanted to create a similar experience, but for WordPress plugins and themes instead.

Note on backups and security

Please note that even though Laravel Forge makes for a great starting point, ultimately you are the one in charge of the security of your servers. You should always try to educate yourself about security and have a backup strategy for your data.