Monthly Archives: April 2019

PluginVulnerabilities.com is Protesting WordPress.org Support Forum Moderators by Publishing Zero-Day Vulnerabilities


A security service called Plugin Vulnerabilities, founded by John Grillot, is taking a vigilante approach to addressing grievances against WordPress.org support forum moderators. The company is protesting the moderators’ actions by publishing zero-day vulnerabilities (those for which no patch has been issued) and then attempting to contact the plugin author via the WordPress.org support forums:

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

In the linked incidents cited above, Grillot claims that moderators have deleted his comments, covered up security issues instead of trying to fix them, and promoted certain security companies for fixing hacked sites, among other complaints.

In response, Plugin Vulnerabilities has published a string of vulnerabilities with full disclosure since initiating the protest in September 2018. These posts detail the exact location of the vulnerabilities in the code, along with a proof of concept. The posts are followed up with an attempt to notify the developer through the WordPress.org support forum.

Grillot said he hopes to return to Plugin Vulnerabilities’ previous policy of responsible disclosure but will not end the protest until WordPress.org support forum moderators comply with the list of what he outlined as “appropriate behavior.”

WordPress’ security leadership is currently going through a transitional period after Aaron Campbell, head of WordPress Ecosystem at GoDaddy, stepped down from his position as head of security in December 2018. Automattic Technical Account Engineer Jake Spurlock is coordinating releases while the next person to wrangle the team is selected. This announcement was made in the #security channel, but Josepha Haden said there are plans for a more public post soon. Campbell did wish to publish the details of why he stepped down but said that he thinks it is important to rotate that role and that “the added influx of fresh energy in that position is really healthy.”

When asked about the Plugin Vulnerabilities’ protest against WordPress.org, Spurlock referenced the Responsible Disclosure guidelines on WordPress’ Hackerone profile. It includes the following recommendation regarding publishing vulnerabilities:

Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.

Spurlock said that since those guidelines are more pertinent to core, dealing with third-party plugins is a trickier scenario. Ideally, the plugin author would be notified first, so they can work with the plugins team to push updates and remove old versions that may contain those vulnerabilities.

“The WordPress open-source project is always looking for responsible disclosure of security vulnerabilities,” Spurlock said. “We have a process for disclosing for plugins and for core. Neither of these processes include posting 0-day exploits.”

Grillot did not respond to our request for comment, but the company’s recent blog posts contend that following responsible disclosure in the past would sometimes lead to vulnerabilities being “covered up,” and even at times cause them to go unfixed.

WordPress.org support forum moderators do not permit people to report vulnerabilities on the support forums or to engage in discussion regarding vulnerabilities that remain unfixed. The preferred avenue for reporting is to email plugins@wordpress.org so the plugins team can work with authors to patch plugins in a timely way.

However, in the wild west world of plugins, which includes more than 55,000 hosted on WordPress.org, there are times when responsible disclosure falls apart and occasionally fails users. Responsible disclosure is not a perfect policy, but overall it tends to work better than the alternative. The Plugin Vulnerabilities service even states that they intend to return to responsible disclosure after the protest, essentially recognizing that this policy is the best way to coexist with others in the plugin ecosystem.

In the meantime, publishing zero-day vulnerabilities exposes sites to potential attacks if the plugin author is not immediately available to write a patch. The only thing WordPress.org can do is remove the plugin temporarily until a fix can be released. This measure protects new users from downloading vulnerable software but does nothing for users who already have the plugin active. If site owners are going to protect themselves by disabling it until there is a fix, they need to know that the plugin is vulnerable.

Plugin Vulnerabilities’ controversial protest, which some might even call unethical, may not be the most inspired catalyst for improving WordPress.org’s approach to security. It is a symptom of a larger issue. WordPress needs strong, visible security leadership and a team with dedicated resources for improving the plugin ecosystem. Plugin authors need a better notification system for advising users of important security updates inside the WordPress admin. Most users are not subscribed to industry blogs and security services – they depend on WordPress to let them know when an update is important. Refining the infrastructure available to plugin developers and creating a more streamlined security flow is critical for repairing the plugin ecosystem’s reputation.

Source: WP Tavern

WordCamp for Publishers is Coming to Columbus, OH, August 7-9, Call for Speakers Now Open

The third edition of WordCamp for Publishers will be held in Columbus, OH, August 7-9, 2019, at the Vue Columbus. This unique event is a niche-specific WordCamp for professionals working in the publishing industry. Previous locations include Denver and Chicago. In looking for a host city for 2019, organizers had a preference for cities that are “underrepresented media markets” where attendees may not see as many of these types of events. Columbus certainly fits the bill.

The call for speakers and workshop facilitators is now open. Organizers are looking for presentations from all types of professionals across the publishing industry, including writers, journalists, editors, designers, developers, data journalists, project managers, product managers, and program managers. The event will feature three types of sessions:

  • 45 minute presentations (inclusive of Q&A)
  • 90 minute workshops
  • 5 minute lightning talks

Applicants may submit up to three proposals until the deadline on Monday, May 6th at 11:59 EDT.

Last year’s event brought controversial and thought-provoking presentations, such as “Why we ditched AMP, and other UX choices we made for launching membership” and “Reader revenue and the less open web,” an interesting exploration of the implications of paywalls on the open web. All 2018 presentations are available on WordPress.tv, if speaker applicants need any ideas about the types of presentations that are relevant to the event. Last year’s theme was “Taking Back the Open Web,” but organizers have not yet announced a theme for 2019.

The first batch of tickets is already on sale. Previous years have sold out fairly fast, so make sure to follow @wcpublishers on Twitter for all the latest information.


WordCamp Europe Publishes 2019 Speaker Lineup, Contributor Day Registration is Now Open

WordCamp Europe 2019 is 66 days away. The event will be held in Berlin on June 20-22, occupying 13,000m² of the Estrel Congress Center. More than 2,266 tickets have been sold so far, roughly 100 tickets short of what the event sold last year.

All 59 speakers have now been announced and the schedule is published on the website. Organizers added a third track this year to accommodate the various lightning and traditional talks, workshops, and panels.

WordCamp Europe received a record-breaking number of submissions and applicants this year after making a stronger effort to improve representation of the diversity of the WordPress community. Organizers received 453 submissions from 267 applicants, a 20 percent increase over 2018 submissions. Approximately 1% (4 applicants) identified outside of the gender binary, 34% were female, and 65% male. The breakdown for 2019 selected speakers is 43.4% female and 56.6% male.

Contributor Day registration opened today and will close May 31, 2019. The event will take place on June 20, the day before the main conference, in the same venue. Organizers have built a new Contributor Orientation Tool to help new contributors identify one or more of the Make WordPress teams where they can apply their skills. Tickets are free for WCEU attendees but spots are limited. There were only 157 Contributor Day tickets remaining this morning and those places are going quickly.


New GPL-licensed Quirk App Open Sources Cognitive Behavioral Therapy

Quirk is a new GPL-licensed Cognitive Behavioral Therapy (CBT) app for iOS and Android built in React Native/Expo. The app helps users challenge their “automatic thoughts,” a term that refers to thoughts that come to a person spontaneously in response to a trigger, which can often be negative.

Quirk lets users record a quick thought and will automatically narrow down a list of potential ways these thoughts are distorted. The distortions were inspired by the ones popularized in Feeling Good: The New Mood Therapy. The user is then invited to challenge those distortions and write an alternative thought.

Quirk demo

Evan Conrad, a software engineer at Segment, created Quirk as a non-commercial, personal project to make it easy for people to take control of their irrational thoughts using a common CBT technique. Quirk is not a substitute for a trained therapist but rather a tool for people to use on their own. Left unchecked, negative automatic thoughts can become emotional weights and lead to distorted thinking. Quirk is a simple app that helps people experience the world in a less negative way and develop more rational thinking patterns.

“It’s super useful for day-to-day stuff,” Conrad said in response to comments on Hacker News. “Take a thought like ‘I took too many hints in that interview question.’

“That thought might lead to ‘I must have failed that interview,’ which leads to ‘I’ll fail all the rest of my interviews,’ which leads to ‘I’ll never get another job,’ which leads to ‘I must be really bad at this, I should just give up.’

“Each step seemed kind of logical at the time, but one thought led to the next and now you feel awful.

“CBT is a countermeasure to this; it stops you at that first point and gives you a bunch of common logical fallacies that help you recognize why your thought is overreaching. You don’t know if you really flunked that interview, besides flunking one is good practice to pass the next one.”

Conrad said these types of thought processes aren’t exactly a mental health issue but are common struggles for many people. Quirk can be a useful tool for anyone looking to recognize and remove their own cognitive biases.

The iOS version of the app currently works better than the Android one, as the author said he doesn’t have an Android phone and finds it difficult to support the app on that platform. However, fixes are being pushed out regularly and many of the issues with crashing are getting resolved.

How the GPL Protects Users in Mental Health Tech

The code for Quirk can be found on GitHub and is open source under the GPL-3.0, which is not a popular choice for licensing mobile apps. I asked Conrad why he opted for the GPL license, as opposed to other popular open source licenses.

“Mental Health tech is a really weird world,” Conrad said. “There’s a lot of folks who want to do the right thing, but end up doing really sketchy stuff.

“For example, a lot of apps collect the thoughts you’re recording for ML (Machine Learning) or NLP (Natural Language Processing). The stated purpose of this is to help better identify suicide, depression, etc. Partially because of the subject matter, many apps aren’t clearly telling their users that this is happening.

“So what ends up happening is a bunch of well intended researchers get access to your most sensitive thoughts. Which is fine, but they frequently aren’t aware of how valuable of a target they’re holding to a nefarious actor. Because it’s not like a database of passwords or credit card numbers, they tend to not think about security.

“But thoughts are super valuable and dangerous for abusers and blackmailers; plus most people would rather give you their password in plaintext than show you their mental health thoughts.

“So if I made Quirk MIT, I would worry that someone would take Quirk and launch their own version for research that tracks and stores user thoughts. Because the license doesn’t follow them, they could do it without telling a user and there would be little way for an average person to /know/ that this is happening.”

Conrad has taken an inspiring, user-centric approach to licensing and privacy that ensures users of his app (and any derivatives) will have access to the code and a better understanding of where their data is being stored. In a recent Twitter thread, he outlined the privacy principles that underpin Quirk’s architecture:

In Quirk, FOSS and privacy isn’t a focus, it’s a given. Outside the tech world, Quirk is not trying to be a FOSS CBT app, it’s trying to be a really good CBT app that happens to be FOSS. It’s not coming out and saying “hey we don’t store your deepest darkest secrets on some server somewhere.” Users don’t care. It’s a given. It doesn’t store things on the device because it’s trying to sell you on privacy, it does it because it’s the correct engineering decision.

Regular people don’t look at the Golden Gate bridge and think about the structural quality of the bolts. They pull out their phones and take a picture. The responsibility of software is to make things frictionless and reduce the stuff someone has to think about before buying in.

Conrad said he would like to see other developers build things using the app and conduct research, as long as they do so ethically. The project’s GitHub repo has a detailed writeup of its design and engineering logic. It includes specific goals the code was built around in order to respect users’ privacy and mental health, such as:

  • Thoughts are more valuable than passwords, treat them that way.
  • Be extremely cautious about making engagement your core metric.
  • But be clear and obvious within the app about what’s going on with the user’s data.

“I really do want to see people use Quirk for research,” he said. “I just want it to follow more ethical practices of consent and data security. Someone should willingly give a researcher their thoughts and as little information should be given about the person as possible. When it’s stored, it should be stored safely and not on a publicly exposed DB for example. But for that to happen, it has to be open.”

Beyond GPL-specific licensing, making the app open source has many other benefits. Quirk has already been translated into six different languages. One of the byproducts of making a useful app open source is that it energizes contributors and speeds up the process of bringing the app to new audiences.

Feedback on the app so far has been mostly positive. One commenter on Hacker News thanked Conrad for open sourcing the app because he wasn’t able to continue in-person CBT due to the cost:

I’ve been through CBT and stopped because of the cost. I feel that an app like this can complement those of us that have had face to face time but stopped for whatever reason.

Quirk is an inspiring example of how open source software can help people with everyday problems. Its carefully considered implementation respects users’ sensitive information and doesn’t encourage an unhealthy attachment to the app.

If you like Quirk and want to contribute, you can find the app on GitHub, including directions for translating it into different languages. Mental health professionals who want to contribute are encouraged to audit the descriptions of the cognitive distortions. Users can report bugs as GitHub issues or directly to the app’s creator via email to Humans @ usequirk.com.


WPGraphQL Project Gains Momentum with Growing Library of Extensions for Popular WordPress Projects

The WPGraphQL project, a plugin that provides an extendable GraphQL schema and API for WordPress sites, has been gaining momentum over the past several months. Creator and maintainer Jason Bahl put the project up on Open Collective last week after people frequently asked how the community can support the project. WPGraphQL already has five backers, an $800 balance, and an estimated annual budget of $2,687.

“Large well-known sites such as qz.com and theplayerstribune.com are in production with JavaScript front-ends that consume data from WordPress via WPGraphQL,” Bahl said. “PostLight Studio maintains a popular ‘Headless WP Starter’ project that initially started as a React + REST API boilerplate, but recently added WPGraphQL support as well.”

One of the most important signs of the project’s growth are the extensions that developers are building on top of it, such as WPGraphQL for Yoast SEO, WPGraphQL for Gutenberg, and WPGraphQL Content Blocks. WPGraphQL for Advanced Custom Fields is getting very close to an initial release and Caldera Forms is also exploring integrations with WPGraphQL.

“The two most-searched things on WPGraphQL.com are ‘Advanced Custom Fields’ and ‘WooCommerce,’” Bahl said. “People are interested in using WPGraphQL with other popular WordPress projects, and WPGraphQL for WooCommerce is a reaction to the folks that are already looking for alternatives to the WooCommerce REST API.”

WPGraphQL for WooCommerce Seeks $15K in Funding

WPGraphQL for WooCommerce is an extension created by Geoffry Taylor that has started to gain some traction. Taylor is a core contributor to the main WPGraphQL plugin. He has just published a Kickstarter to help fund development of the extension and Bahl is consulting with him on implementation details and code reviews.

Taylor began contributing to the WPGraphQL project last year after discovering the repository and finding that it lacked the features he needed.

“I was looking for a solution that would allow me to create React-Apollo JS apps that could be used as WordPress themes,” he said. “And the solution couldn’t rely on a node server, because a large portion of my clients use shared hosting. WPGraphQL was a perfect fit for what I needed, but it lacked the features I needed at the time. This led to me contributing.”

Since then Taylor has also created other libraries and tools that work directly or indirectly with WPGraphQL, such as WPGraphQL Composer, a React-Apollo component library, and Oil-Based Boilerplate, a boilerplate for developing React-powered WordPress themes, plugins, and guten-blocks that use shared components.

Taylor is seeking $15K in funding for development of the WPGraphQL WooCommerce extension, which would enable him to apply 100% of his time to the project.

“The question I think a lot of people have, is what does this extension provide that WPGraphQL and WooCommerce doesn’t already?” Taylor said. “It adds WooCommerce support to the WPGraphQL server. It is being designed to match and increase the functionality of WooCommerce REST to make it as easy as possible to convert your app from the WooCommerce REST API.”

Taylor said the extension is past the initial explorations and is well into development. If a developer follows the instructions in the README they will be able to query products and their variations, coupons, orders, refunds, customer information, and (after the next update), order items from the WPGraphQL endpoint. He said that with the exception of products, none of the data is queryable for any user without shop-manager level capabilities.

“Customer-level functionality is the target goal right now, meaning customers can register/login, update the cart, and checkout,” Taylor said.

Anyone interested can follow the project’s progress on GitHub or get involved on Slack at wp-graphql.slack.com in the #woocommerce channel.


WordSesh Returns May 22, 2019, Speaker Application Deadline is April 19

The next edition of WordSesh is scheduled for Wednesday, May 22, 2019, from 10am-8pm EDT (UTC-4) – just a little over one month away. For the past six years, the virtual conference for WordPress professionals has consistently delivered high quality sessions from industry experts. Last year’s event inspired viewing parties across the globe in Belgium, Nigeria, India, and the USA. The event has been so successful that its organizers also created a WooCommerce-focused edition called WooSesh, which was held last year as an alternative to WooConf.

Speaker applications are still open but will close soon on Friday, April 19. Organizers expect applicants to submit original talks that do not already exist online. The process is somewhat competitive, as only 10 speakers will be selected for the event. Those with approved applications will receive two coaching and review sessions for their talks and a $250 stipend. WordSesh organizers plan to notify applicants of their status by Monday, April 29, and will announce the accepted speakers May 1. Applicants may submit two different presentation topics and are also encouraged to record a two-minute video pitch to sell their ideas.

All WordSesh presentations will be recorded and available online after the live event. Previous years’ sessions and interviews can be viewed on the WordSesh Youtube channel. For more information on applying to speak, check out the event’s website.


WooCommerce 3.6 RC2 Removes Marketplace Suggestions from Product Listing, Adds Setting to Turn them Off

WooCommerce 3.6 RC2 was released today with changes to the planned Marketplace Suggestions feature after core developers received overwhelmingly negative feedback on its implementation. This RC removes the ads from the product listings, which was one of the most controversial placements for them. It also adds a new setting to turn Marketplace Suggestions off entirely.

  • Fix: Remove Product Listing suggestions. #23211
  • Fix: Add setting to turn off Marketplace Suggestions #23218
  • Fix: Add icon to Product Metabox Suggestions #23230
  • Fix: Add link to manage Suggestions #23229
  • Fix: Update text explaining opt-out and details of usage tracking. #23216

For many WooCommerce developers, 3.6 RC1 was the first time they discovered the marketplace suggestions. Some even felt blindsided by the original implementation.

“Last week, the release candidate was running on my staging server, and out of nowhere, I noticed these ads being inserted inline with the rest of the WC admin list tables,” Tobin Fekkes said. “What a shock that was! I thought I’d developed a bad case of malware or something. What nasty plugin was corrupting my core, default products table, order table, etc?! Oh, just core WooCommerce.

“I have never once gone looking to add a plugin to my site by starting at the ‘Products’ tab. Because it doesn’t belong there. If I want to install an extension or plugin, I will go to the (aptly named) ‘Extensions’ tab or ‘Plugins’ tab.

“It is rather telling that we as longtime developers who attend every Dev chat, bookmark and check this Dev blog daily, and test all your betas and release candidates STILL had no idea about this blatant abuse of trust.”

Todd Wilkens, Head of WooCommerce, addressed the issue of marketplace suggestions seeming to come out of nowhere in a comment on our recent post:

We are committed to working with our community, including the plugin review team, and responding to feedback. Just as a reminder, the Marketplace Suggestions feature was developed in the open in a long-running feature branch/PR which was merged to master a month ago. It was mentioned in the Beta 1 Release notes, and was testable during Beta1 and prior on master.

It is often only when the release candidate comes out that we get certain kinds of feedback. It’s an important stage in the development cycle when we want and expect input. With the 3.6 RC1 live, we received specific feedback that we could take into consideration and act on. Thanks to the developers, end users, and the plugin review team for all their help.

WooCommerce 3.6 RC2 doesn’t make any changes to the frequency with which users will need to dismiss the ads. Some have commented that it is more like “snoozing” the ads, since they require dismissal every day for five days, only to return every month thereafter.

“We continue to be in contact with the plugin review team to ensure the suggestions are in accordance with the guidelines,” Wilkens said. “There is a live conversation on the definition of suggestion/advert dismissibility. We will participate in that conversation and honor the outcomes.”

As this implementation of marketplace suggestions still is not satisfactory to many WooCommerce users and developers, a plugin for turning them off has already been submitted and approved in the WordPress plugin directory. WooCommerce Without Marketplace Suggestions removes the suggestions permanently without users having to continually dismiss them.


GoDaddy Acquires ThemeBeans, CoBlocks, Block Gallery, and Block Unit Tests

GoDaddy has acquired CoBlocks, ThemeBeans, Block Gallery and Block Unit Tests, one of the leading Gutenberg product lines in the WordPress ecosystem. Founder Rich Tabor is joining GoDaddy as Senior Product Manager of WordPress Experience and will lead a team dedicated to understanding users’ needs and expanding the company’s Gutenberg-related products. Tabor’s fellow CoBlocks founders Jeffrey Carandang and Alex Denning will not be joining GoDaddy.

All the commercial themes in the ThemeBeans catalog are now available for free on GitHub. Current customers will continue to receive theme support and remote updates until April 8, 2020.

According to Aaron Campbell, GoDaddy’s head of WordPress Ecosystem & Community, CoBlocks will continue to be freely available on WordPress.org. It currently has more than 3,000 active installations and averages a 4.7-star rating.

“Nothing will change with the plugin except that it will be added to the GoDaddy account on .org,” Campbell said. “It’s possible it might be renamed or rebranded in the future, but that’s unknown either way at this point. And yes, it will still be on the WordPress.org directory for everyone not just GoDaddy customers (and we plan to add more to it as we develop new blocks).”

Campbell could not yet share a roadmap for the plugin, as Tabor just started and will be heavily involved in determining the plugin’s future at GoDaddy. Tabor will also be leading a development team that is bringing on more React talent to assist with Gutenberg tasks.

“Hiring React devs that are capable with Gutenberg is a newer thing that we’re really not totally sure whether it’ll be difficult or not or even how it’ll look,” Campbell said. “Do you hire WordPress people? React people? Only those that do both? Do you hire both and pair them up to learn from each other? It’s a thing we’re learning in this new post-Gutenberg world.”

Tabor said he was surprised that his products had attracted GoDaddy’s interest but also found it to be validating of his own efforts and the potential of the block editor.

“Throughout my time building themes, and then blocks, I’ve learned the real value of getting eyes on a project: Not only do you get the community rallying behind your ideas, such as the Block Manager recently added in Gutenberg 5.3, but you receive a TON of feedback and inspiration,” Tabor said. “Building on that feedback, consistently delivering clever ideas, and executing on the marketing front with inspiring videos, has landed us in a very opportune position.”

GoDaddy has acquired a handful of WordPress companies and services during the past few years (ManageWP, Sucuri, WP Curve), but Tabor’s products are the first Gutenberg-related acquisition for the company.

“I think it means that the WordPress ecosystem is important, that it’s maturing, and probably most of all – that it’s moving and changing,” Tabor said. “And I think all of those are good.

“Gutenberg has changed a lot in WordPress. It’s not just a new editor or new interface, it’s a whole new system that brings with it a whole new group of challenges. Companies like GoDaddy recognizing this and supporting innovation is a healthy sign of growth and maturity.”

GoDaddy’s resources will enable CoBlocks, ThemeBeans, and Block Gallery to move faster and add features that were previously out of reach for Tabor’s small team.

“We’ll go from just two developers, to a team of incredibly bright engineers,” Tabor said. “And I won’t be spending time figuring out all the intricacies of monetizing a premium plugin in today’s ever-changing WordPress ecosystem. Instead, I can focus on leading the team’s efforts on bringing a better page building experience to WordPress.”

He will also have access to insights and data that will enable his team to make more informed decisions about the tools and blocks they build.

“This view into how entrepreneurs and business owners are using WordPress is something I could never have achieved at a meaningful scale, and I know it will help me move more confidently in the future landscape of Gutenberg,” Tabor said.


Pipdig Under Investigation, Company is Refusing Customers’ Refund Requests

In the wake of last week’s Pipdig scandal, the WordPress blogger and developer communities have been working together to help the company’s customers move to new themes and ensure the safety of their websites. Pipdig has been reported to various UK and internet authorities and is currently under investigation.

Pipdig’s hosting provider has proactively disabled malicious code in certain files while the company conducts its own investigation.

Meanwhile, Pipdig has been denying customers’ refund requests, in accordance with its “no refund” policy. Customers have received responses from the company claiming that the recent accusations were either “false, twisted, or sensationalized.”

Customers who have purchased Pipdig products within the last 180 days may still be able to receive a refund through other channels. The Twitter thread below suggests lodging a payment dispute with PayPal or your bank or credit card provider, by referencing consumer protection laws and providing evidence of Pipdig’s false and misleading conduct.

Help for Affected Pipdig Customers Switching to New Themes

If you work in WordPress every day, you may not realize how much of a challenge it is for some users to switch themes. WordPress developers and bloggers are stepping up to provide resources to help those who want to transition to a new theme.

“I understand that bloggers using Pipdig themes for WordPress might want to switch away, but don’t have the time, money, or skills to do so right away,” Mark Jaquith said. “So here’s P3 Neutraliser — a plugin that will prevent the P3 plugin from updating or ‘phoning home.’” The plugin is available on GitHub with step-by-step instructions for downloading and installing it. It is intended as a stopgap measure for users to activate while they are in the process of transitioning to a new theme.

Former Pipdig customers are struggling to find new themes, as a large number of them fall into the fashion blogger demographic. This is a niche with specific requirements for design and functionality. Many are also confused about the findings in the reports and don’t know how to act on this information.

Searching WordPress.org for fashion-inspired themes does not turn up many relevant results. Former Pipdig customers hunting for new themes will need a more curated list of recommendations. WordPress developer Tia Wood published a post with a list of both free and commercial alternative themes that may be helpful to those still looking. Freelance designer Rachel Sulek has a Twitter thread with options that are comparable to Pipdig’s theme designs.

Source: WP Tavern

Gutenberg Team Publishes RFC Document on Widget-Block Interfaces

The Gutenberg team has published a Blocks in Widget Areas RFC (request for comments) document, detailing a technical approach that brings blocks to the wp-admin/widgets.php screen and the Customizer. This is one of the goals on the roadmap Matt Mullenweg outlined in his 9 Projects for 2019 post.

Based on the requirements outlined in the beginning of the document, it looks like the Gutenberg team is working to make the transition from widgets to blocks as seamless as possible:

  • Editing blocks in wp-admin/widgets.php and the wp-admin/customize.php should use the same block editor that wp-admin/post-new.php uses.
  • The block editor should read and update blocks in widget-editing areas via the REST API.
  • Upgrading WordPress must not affect the appearance of the user’s site, or any of their existing widgets.
  • Existing Core and third-party widgets must remain functional in the new block-based interface.
  • Backwards compatibility must be maintained. That is, themes and plugins that use public widget APIs must remain functional.
  • During a transition period, it should be possible to disable the block-based interface and return to the classic widget-editing interface.

The requirements for backwards compatibility are a tall order but will make it much easier for users to trust WordPress during this transition. Content will not be forced into the new interface and users will retain the option to use the classic widget-editing screen if they prefer. The team has not yet announced a date for when widgets will be officially deprecated.

Gutenberg version 5.4 was released last week with vertical alignment support for the columns block, a playsInline option in the video block, and a number of other minor enhancements. It also contains nearly two dozen bug fixes that will be rolled into the next beta of WordPress 5.2.

Gutenberg phase 2 technical lead Riad Benguella also confirmed in comments on the release post that the long-awaited section/container block is coming in the next release of the plugin. This will be an important milestone on the journey to full site editing with the block interface.

Source: WP Tavern

Jetpack 7.2.1 Removes Promotions for Paid Upgrades from the Plugin Search Screen

Earlier this month, Jetpack 7.1 added suggestions to the plugin search screen, a controversial change that has sparked debate this week. When users search for a plugin that matches a term for an existing Jetpack feature, the plugin now inserts an artificial, dismissible search result into the first plugin card slot, identifying the corresponding Jetpack feature.

The Jetpack team said users have a hard time knowing what features are available, with 45 modules packaged into the plugin. The idea behind the proof of concept for the suggestions was to improve the discoverability of Jetpack’s existing features. Many in the developer community became outraged after it was discovered that Jetpack was also advertising paid upgrades in this space as well.

The fact that it was rolled out with promotions for paid upgrades made it seem to many onlookers that the discoverability problem was just a pretext for injecting advertising. The WordPress Plugin Team also said it may or may not be a violation of the plugin directory guidelines but that the team was still “arguing about the semantics internally.”

Version 7.2.1 was released today, removing all feature suggestions that previously advertised upgrades.

“We made a mistake, and we’re moving to correct it immediately,” Jetpack team representative Jesse Friedman said. “Our intention with these feature hints is to help you discover helpful features of Jetpack that you already have, right when you need them most. Today we’re correcting an error in judgement that resulted in the hints suggesting Jetpack features that actually required an upgrade.”

Characterizing the mistake as “an error in judgment” is an admission that rolling out feature suggestions with paid upgrades was a conscious decision. One month later, the Jetpack team decided it was a poor choice. This appears to have been driven by the community’s reaction, but Jetpack did not elaborate on how or why they reached the decision to revert the promotions for paid upgrades.

Jetpack 7.2.1 Updates Design for “Hints,” Plans to Adopt WordPress Core Solution in the Future

The 7.2.1 maintenance release also changes the design for the feature suggestions, which they are now referring to as “Feature Hints.”

“We’re reducing confusion around feature hints by simplifying the design and changing some text; this way it’s clear that feature hints are from Jetpack and are easily dismissible,” Friedman said.

After updating to the latest release, you can see the revised design on the plugin search screen with new text: “This suggestion was made by Jetpack, the security and performance plugin already installed on your site.” Jetpack will disable the hints once administrators have dismissed three hints.

“Going forward we want to help create a feature hints solution that works for all WordPress users and plugin developers,” Friedman said. “We are excited to work with suggestions like this one, by Joost de Valk, and see how we might be able to find a solution in WordPress core to help users discover plugin features, and prevent this very common issue. Once a core solution is available, we plan to adopt it for Jetpack.”

Developers who still do not want to see any sort of feature hint when searching for plugins can use the jetpackcom_remove_search_hints filter to turn it off. Users can also install the Hide Jetpack Promotions plugin as an alternative.

Source: WP Tavern

WooCommerce 3.6 to Add Marketplace Suggestions, Despite Overwhelmingly Negative Feedback from Developer Community

In one of the most unpopular changes in the history of the WooCommerce open source project, version 3.6 will introduce “Marketplace Suggestions.” The update adds suggestions to the products admin screen, which vary based on whether it’s an empty state or within the list of products.

“They are contextual mentions of official extensions that may be relevant to a customer,” Todd Wilkens, Head of WooCommerce, said. “This currently includes all extensions on the official WooCommerce marketplace, which is open for submissions and lists extensions written by Automattic as well as by trusted partners and third-party developers.”

The suggestions are on by default for users who can install and activate plugins. They are dismissible, but the frequency with which they will be shown is one of the most contentious aspects of WooCommerce’s proposed implementation:

  • We’ll only show 1 on the Products screen, and 5 on the Product – empty state, Orders – empty state or Edit Product metabox.
  • Each suggestion is dismissible; we are not providing an option to dismiss all suggestions (other than if you choose to hide them).
  • We’re only showing 1 suggestion at a time; if a customer dismisses this, they won’t see another one for 24 hours.
  • If suggestions are dismissed more than five times, no further suggestions are shown in that location (i.e. Products Listing) for a month.

WooCommerce is providing a filter to turn off the suggestions, and this will likely soon be available as a plugin from the community. It is not something that is easy for non-technical store owners to implement.

add_filter( 'woocommerce_allow_marketplace_suggestions', '__return_false' );

“If the above removal-by-script option proves to be difficult to implement – for example, for those who are not comfortable adding custom code – we will explore introducing a simpler way to turn them off and include this in a point release (e.g. a toggle in core settings),” Wilkens said.
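For site owners who want the WooCommerce filter above (and the Jetpack jetpackcom_remove_search_hints filter mentioned earlier) applied without editing a theme’s functions.php, the following is an added example of a must-use plugin, not code from WooCommerce, Jetpack or WP Tavern. It assumes a standard wp-content/mu-plugins/ directory; the value expected by the Jetpack filter is an assumption, since the page only names the filter:

```php
<?php
/**
 * Plugin Name: Disable Admin Marketplace Suggestions
 * Description: Added example, not WooCommerce's or Jetpack's own code. Save as
 *              wp-content/mu-plugins/disable-admin-suggestions.php.
 */

// Must-use plugins are loaded before regular plugins and cannot be deactivated
// from the admin, so the filters below are registered before WooCommerce or
// Jetpack ever read them, and they survive a theme switch.

// Filter named in the WooCommerce 3.6 announcement: returning false turns
// marketplace suggestions off for every admin screen.
add_filter( 'woocommerce_allow_marketplace_suggestions', '__return_false' );

// Filter named by Jetpack for its plugin-search "feature hints".
// Assumption: returning true removes the hints (the page does not state the value).
add_filter( 'jetpackcom_remove_search_hints', '__return_true' );
```

Because mu-plugins are ordinary files rather than dashboard-installable packages, a hosting provider or developer still has to place the file, which is the same skills gap Wilkens acknowledges above.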

WooCommerce Developer Community Sees Marketplace Suggestions as a Major Disruption to Store Owners’ Workflow

The feedback coming in on the announcement post and WooCommerce’s GitHub repository is overwhelmingly negative. In a comment on an issue titled “Rethinking 3.6’s Dashboard Ads,” Josh Kohlbach contends that WooCommerce should limit its marketing to the plugin’s dedicated Extensions screen in the dashboard:

In addition, didn’t anyone think it might be a conflict of interest for WooCommerce the commercial entity to use WooCommerce the open source plugin to show ads in this manner? Bit anti-competitive to all the 3rd party devs out there (of which there are a lot).

WooCommerce already has an amazing page under WooCommerce->Extensions with full searching capabilities etc. Why would you want to show irrelevant ads during a user’s everyday workflow?! Store owners use these screens daily, it’s terrible UX.

I suggest that it gets ripped out in its entirety and filed under “cool implementation/fun to code but horrible idea for actual users.”

For those who do not stand to benefit from profits from the 400+ extensions on the WooCommerce.com marketplace, the intrusions in the product admin screens seem all the more offensive. Marketplace suggestions have not been well-received by third-party extension developers.

“This is in direct competition to every third-party developer that is not selling on WooCommerce’s marketplace,” Jamie Madden, founder of the WC Vendors Marketplace, said. “I am one of these. This is advertising for your commercial products, no matter how you try and wrap this. You have an extensions page already which is more than enough, but advertising your products every 24 hours is going too far. This is completely unacceptable.”

The general consensus of those participating in the ticket is that injecting ads into product management screens will create a disruption to store managers’ workflow.

“I too am very concerned about this,” digital agency owner Erik Bernskiold said. “I get that WooCommerce want to benefit from their commercial side, too, and there are many ways to do this. But in this case, it feels like this is at a great disregard for the users. Hijacking a product list, order list or a user interface element in this way is a major interruption of the user experience. It’s not the place for an ad.”

Several participants in the discussion have suggested that WooCommerce make it an opt-in toggle in the settings.

“There is only one scenario where I think this feature should stay in place and could be beneficial: If this feature is controlled by an opt-in toggle in WC settings,” Prospress developer Jeremy Pry said. “Otherwise, this whole feature should be removed entirely. Store owners don’t need advertisements in their admin dashboard. In my opinion, leaving this feature in place would be very harmful to the WooCommerce community.”

Marketplace Suggestions Require Dismissal Every Day for 5 Days, Only to Return 1 Month Later

The fact that the suggestions cannot actually be dismissed for good is one issue that developers predict will end up aggravating WooCommerce users.

“Dismissing just to keep hounding the user, that’s not dismissing… that is snoozing,” WordPress developer Patrick Garman said. “Because I told you 5 times that I don’t want to see your ads, that doesn’t mean come back in a month. The average user shouldn’t have to use a filter to make ads go away.”

I would not be surprised if WooCommerce ends up dialing back the frequency of the ads after they are closed, given that nearly all those participating in the conversation consider it unacceptable to require dismissal five days in a row, with the same process repeated every month thereafter. The frequency with which they are displayed is unusually aggressive.

“I don’t think it technically violates the guidelines, it’s just obnoxious and makes WooCommerce look like a low rent solution,” Astoundify founder Adam Pickering said. “It seems we are in the midst of a monetization push and they are looking for anywhere they can add upsells. Apparently doing so gracefully has gone out the window.”

Despite the overwhelmingly negative feedback, WooCommerce appears to be ploughing forward on its plan to ramp up its marketing in the admin. Automattic is a business and it needs to make money with WooCommerce. Most participants in the discussion do not seem opposed to WooCommerce making money with marketplace suggestions but are strongly requesting that they do not inject ads in places where users are working on their own products in the admin.

“There’s nothing necessarily wrong with ya’ll trying to squeeze out some more money from users – so long as it’s done tastefully, and in a way that actually provides value to the user, instead of spamming and hindering them,” @justlevine commented on the GitHub issue.

Based on the WooCommerce developer community’s feedback, many are in agreement that they will only support changes that are respectful to store owners working in the admin. They would prefer WooCommerce focused its efforts on improving the existing Extensions tab, instead of injecting items from the marketplace on other screens. The current implementation of marketplace suggestions needs work, because it is too heavy-handed in displaying ads after users indicate through the UI that they want to dismiss them.

Most participants in the discussion are in favor of letting store owners decide if they want to see ads for extensions on their product admin screens. They would prefer that users opt in through a more transparent way than simply agreeing to terms of service. At the very least, most prefer WooCommerce add a setting that would allow store owners to easily turn marketplace suggestions off. If Automattic wants this new feature to be successful, the company needs to revise the implementation to be something that doesn’t instantly make the majority of the WooCommerce developer community want to turn it off.

Source: WP Tavern