WordPress Tavern is a site focused on all things WordPress. We also cover BuddyPress, bbPress, and any project under the Automattic umbrella. WordPress Tavern is a warm and inviting community where those interested in the software can hang out with fellow WordPressers to engage in enlightening discussions.
WordPress has officially ended support for PHP 5.2 – 5.5 and bumped its minimum required PHP version to 5.6. The plan announced last December was to bump the minimum required version in early 2019 and, depending on the results, bump it again to PHP 7 in December 2019. Sites on PHP 5.5 or earlier can still get security updates but will not be able to upgrade to the latest major WordPress version.
One might wonder why WordPress’ approach isn’t to just bump it all the way up to PHP 7. With its influence and dominant market share, this requirement would inevitably force users to get on board. However, WordPress contributors believe in supporting users who, for whatever reason, need more help upgrading PHP. Steamrolling this requirement has not been the WordPress way, despite years of immense pressure from the developer community.
“Leaving users behind for technical reasons creates a two-folded web with only few being able to leverage its power,” WordPress Core Committer Felix Arntz said. “Collaborating with and supporting these users gives that power to everyone in the long run.”
Gutenberg 5.3 was released today with basic block management, a feature that will be included in WordPress 5.2. It is a new modal that can be launched from the vertical ellipses menu, inspired by Rich Tabor’s CoBlocks implementation. Users can turn individual blocks on/off or even entire sections, such as Common Blocks, Formatting, and Embeds. Block management should help users avoid the bloat that happens when installing block collections with more blocks than they need.
This version’s updates to the Cover Block make it possible to nest other blocks inside of it. Users can now add buttons, paragraphs, and headers to easily create a call to action. It’s not immediately evident that nesting blocks is possible, despite the floating inserter. It takes a little bit of time to discover that it is available. There are still some quirks with this feature, but overall it makes the Cover Block much more useful than previous versions.
A few contributors commenting on the Cover Block’s nesting PR said that it seems like the work on this iteration is essentially a light version of a section block. They questioned if it might be better to finish the work on the Section block (#4900) and build from there. Many developers and designers are eagerly awaiting the addition of a Section block to core, which will provide a standard for the plugin and theme industries to build on.
Gutenberg 5.3 adds an experimental Legacy Widget Block that allows existing WordPress widgets to be added as Gutenberg blocks. It offers a dropdown of available widgets. After selecting one, the block populates that area with the widget’s settings.
This version also improves block outlines for the hover and selected states for a more accessible UI with less distraction. Performance benchmarks show a slight decrease in performance with Gutenberg 5.3. Check out the release post for a full list of enhancements and bug fixes. This is the last plugin release that will be rolled into the upcoming WordPress 5.2 release.
The 11th edition of WordCamp Miami was held this past weekend, a three-day event that featured multiple learning workshops and six different tracks. The speaker ratio was 50% male and 50% female, and nearly half of the speakers were new to WordCamp Miami.
One of the highlights of this year’s event was the WordPress stories coming out of the Kid’s Panel. WordCamp Miami has been hosting learning experiences for kids since 2014 and for the past four years has included a two-day Kid’s Camp along with a Kid’s Panel. More than 100 children (not including parents and guardians) attended this year’s event. Some of the kids who are more experienced with WordPress shared their experiences during the Kid’s Panel.
Kids reported that they are using WordPress for blogs, science projects, and robotic competitions. One fifth grade student, who has been using WordPress for three years, said she plans to continue using it to document her life and share her future educational experiences:
“I plan to be using it later in my life when I go to college, so I can be talking about what my life journey was and what I’m going to be studying, which is software engineering.”
Miami to Host New One-Day WordPress Event for Kids and Teachers
The growing popularity of WordCamp Miami’s kids events has inspired organizers to host a new one-day event for kids and teachers. The date has not yet been set but the plan is to have it scheduled for summer 2019.
The event will be divided into two tracks, one for kids aged 6 to 18 and another for teachers and educators. The kid’s track will include talks on WordPress, MineCraft, STEAM/STEM activities, and ways they can improve their coding skills. Teachers and educators will have a dedicated track with talks that will help them incorporate coding, WordPress, and broader STEAM/STEM activities into their curricula.
In their announcement, WordCamp Miami’s organizers said they believe the next generation of WordPress users are “vital to the growth of the open web.” They are looking for sponsors to cover the costs of snacks and lunch for approximately 100 students, volunteers and speakers to give presentations on various subjects for kids and teachers, and people to spread the word to schools in the Dade/Broward area.
Kids engaging with WordPress is one of the most inspiring things happening in the community right now. It’s the spark of a new generation of users who are embracing the concept of sharing their ideas on the open web. WordPress’ Community team also has a new Kids Event Working Group that kicked off last month to support the growth of these kinds of events around the world. They are currently working on documentation, training guides, legal documents, supply lists, and other resources. This is another way to get involved if you don’t live near a local kid’s event.
WordPress contributor teams have shipped several new tools for theme developers in the past couple weeks, which have the potential to raise the quality of new themes coming into the ecosystem. The Theme Sniffer plugin is a new effort from the Theme Review team that uses custom sniffs for PHP_CodeSniffer to test a theme against WordPress coding standards and check for PHP version compatibility.
The plugin is useful for both theme reviewers and developers who want to get their themes approved for the WordPress.org directory. It includes several optional standards to test against beyond the ruleset for theme review requirements. Passing the Theme Sniffer checks is not required for themes entering the directory but reviewers can use the plugin to speed the process up.
The Accessibility Team also published a new tool called WP Theme Auditor that runs Axe tests against a theme for automated accessibility feedback. Axe is an open source library and testing engine created by the accessibility experts at Deque. The WP Theme Auditor package can be installed into a theme’s root directory. Developers can then add test cases. Examples are available in the project’s README file. The tests are run against http://one.wordpress.test by default but developers can specify a different test environment URL.
The Accessibility team plans to expand the test cases in the tool to include all the content from the current Theme Unit Test Data package. In the most recent team meeting, they decided to recommend WP Theme Auditor as a WordPress testing tool and plan to post more details about it on the make.wordpress.org/accessibility blog.
At WordCamp Nordic’s contributor day I had the opportunity to chat with Andrey “Rarst” Savchenko about WordPress’ Date/Time component, the code that manages date, time, and timezone functionality. Savchenko is one of the maintainers of this lesser-known component, which includes code that dates back to PHP 4 times. After volunteering for years in the WordPress Stack Exchange forums, he encountered some of the worst Date/Time bugs, eventually spurring him on to get involved improving the code.
“From there it was a slow descent into the madness of the component,” Savchenko said. “Much of my experience ended up in my WpDateTime library. By last year I was, at last, confident I had a good grasp on the extent of the problem and a way forward for core.”
Date/Time issues affect both developers and users. Savchenko said most of the problems, by volume, are related to an incorrect output of localized time by `date_i18n()`. These things can trickle down to users and affect post scheduling, querying, and other operations.
“Some of them are outright bugs and some are easy to break due to incompatibility with Unix timestamps,” Savchenko said. “But many other parts of the core have problems related to time – most often around time zones and daylight savings time. Posts can end up with the wrong time, not published when needed, sorted in the wrong order, and so on.”
The requirement for backwards compatibility makes progress slow but Savchenko and fellow contributors shipped some of their work in the most recent release of WordPress. They will have more solutions available to pursue when the minimum required PHP version is bumped.
“Corporate contributions to the third-party open source projects can still be a source of friction and ambiguity,” GitHub Product Manager Ben Balter said. “We’re beta testing a new platform-agnostic commit pattern we hope can help you contribute on behalf of your employer.”
Committers who are members of an organization can add a commit trailer in the following format:
`On-behalf-of: @ORG <ORG CONTACT EMAIL>`
The committer must use an email that matches the organization’s verified domain and sign the commit. Committing on behalf of an organization can also be done via the command line.
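The two conditions above can be checked mechanically before an organization's badge is trusted in a review or audit. The following is an added example, not GitHub's code: the function names, the `verified_domains` mapping and the sample commit message are assumptions constructed for illustration.

```python
import re

# Trailer shape quoted on the page: "On-behalf-of: @ORG <ORG CONTACT EMAIL>"
TRAILER_RE = re.compile(
    r"^on-behalf-of:\s*@(?P<org>[A-Za-z0-9][A-Za-z0-9-]*)\s+"
    r"<(?P<contact>[^<>@\s]+@[^<>@\s]+)>\s*$",
    re.IGNORECASE,
)

def parse_on_behalf_of(message):
    """Return (org, contact_email), lowercased, from the trailer block, or None."""
    # Git trailers sit in the last paragraph, separated by a blank line.
    paragraphs = [p for p in re.split(r"\n\s*\n", message.strip()) if p.strip()]
    if len(paragraphs) < 2:
        return None
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line.strip())
        if m:
            return m.group("org").lower(), m.group("contact").lower()
    return None

def check_commit(message, committer_email, signed, verified_domains):
    """Return a list of problems; an empty list means every check passed.

    signed: the caller's verdict on the commit signature (for example
        `git log --format=%G?` printing "G").
    verified_domains: assumed mapping of lowercase org name -> domains the
        organization has verified; the caller supplies it.
    """
    parsed = parse_on_behalf_of(message)
    if parsed is None:
        return ["no well-formed On-behalf-of trailer in the trailer block"]
    org, _contact = parsed
    problems = []
    allowed = {d.lower() for d in verified_domains.get(org, ())}
    # Exact match on the part after the last "@": a suffix or substring
    # test would accept look-alikes such as example.com.evil.test.
    domain = committer_email.rsplit("@", 1)[-1].lower()
    if domain not in allowed:
        problems.append(f"committer domain {domain!r} is not verified for @{org}")
    if not signed:
        problems.append("commit is not signed")
    return problems

# Constructed sample input (not taken from a real repository).
SAMPLE_MESSAGE = (
    "Fix timezone offset in scheduler\n\n"
    "Signed-off-by: Dev <dev@example.com>\n"
    "On-behalf-of: @example-org <opensource@example.com>\n"
)
VERIFIED = {"example-org": {"example.com"}}
```
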
Balter posted a demo of how the organization’s badge appears next to the committer’s. The feature is now in public beta.
It will be interesting to see how well this is adopted among individuals and organizations committing to open source projects. Some projects have more overt contribution from commercial entities than others. Having individuals commit on behalf of their employers makes it easier to track contributions funded by organizations. It may also provide project owners a more accurate picture of how deeply companies are invested in a project, especially in scenarios where the lines between individual and employer contributions are blurry or unclear.
10up has released a GitHub Action that enables developers to deploy to the WordPress.org Plugin repository by tagging a new version on GitHub. Helen Hou-Sandí, 10up’s Director of Open Source Initiatives, explained how it works:
You’ll be able to manage your entire development lifecycle in GitHub—no more futzing with local Bash scripts or controlling commit/push access in multiple places. You reference our action in your plugin repo’s workflow file, filtered to only run when a tag is pushed, and set your username/password secrets. After that, each time you tag a new version on GitHub, whether by pushing a Git tag from the command line or making one using the GitHub releases interface, your plugin will be deployed to WordPress.org.
Developers who want to use this Action will need to sign up for beta access to GitHub Actions in order to create their own Actions-enabled repo for pushing plugin releases to WordPress.org. Check out 10up’s release post and the README file for instructions on how to use and customize the WordPress.org Plugin Deploy action.
Reception from the WordPress development community has been enthusiastic, as anything that removes WordPress.org’s requirement to use SVN qualifies as a little piece of magic. 10up is working on more WordPress Actions that they plan to release soon.
WordCamp Miami (WCMIA) is heading into its 11th year running this weekend, making it one of the longest running non-profit tech conferences in South Florida. Known for its many learning opportunities and workshops, the event spans three days from March 15 – 17 at Florida International University.
For the vast majority of the WordPress world that cannot make it to Miami, the next best alternative is tuning into the free livestream. WCMIA will be broadcasting a selection of workshops and sessions from the schedule, beginning with the Freelancer’s Workshop on Friday, March 15. The main event features six different tracks, and Saturday’s live broadcast will include sessions from “WordPress & The Web” and the “Design & Community” tracks. Sunday’s livestream will broadcast sessions from the Business track.
As you get closer the air gets smoggier and you realize it’s a vast metropolis. It’s surrounded by high concrete walls, completely contained. Inside it’s bustling, lots of honking traffic, people everywhere, the sound is deafening. You see people arguing in bars and chatting on street corners. Billboards and advertisements are everywhere, touting every kind of good and service. It’s noisy and dense and overwhelming.
This is Facebook.
The video also likens Instagram to a cookie cutter housing development that is actually just a collection of billboards with no one living there.
My expectation before playing the video was that it would enumerate the positive aspects of the open web but I was surprised to find it juxtaposed with Facebook and Instagram in a somewhat jarring fashion midway through. It effectively communicates the stark contrast between the limitations and restrictions of social media silos and the freedom of owning your website.
Open Web Meditation was created as a design experiment at Automattic that encourages viewers to look beyond the walls of dominant social media platforms and consider how our experiences on the web differ based on where we choose to share our ideas. The company is looking to gain global exposure for the video by inviting people to create their own versions of it in their own languages.
Automattic’s video is a timely message, as the world pauses to reflect on the 30th birthday of the World Wide Web this week. In his open letter published by the Web Foundation, Tim Berners-Lee urged companies, governments, and the web’s citizens not to give up on building a better web. He identified “system design that creates perverse incentives,” where user value is sacrificed, as one of the most dangerous threats to the web at this time.
“You can’t just blame one government, one social network or the human spirit,” Berners-Lee said. “Simplistic narratives risk exhausting our energy as we chase the symptoms of these problems instead of focusing on their root causes. To get this right, we will need to come together as a global web community.”
Many commercial entities have enjoyed extraordinary and unprecedented opportunities and influence because of the creation of the world wide web. Berners-Lee underscored their responsibility toward the public as stewards of the open web.
“Companies must do more to ensure their pursuit of short-term profit is not at the expense of human rights, democracy, scientific fact or public safety. Platforms and products must be designed with privacy, diversity and security in mind. This year, we’ve seen a number of tech employees stand up and demand better business practices. We need to encourage that spirit.”
In an interview with the BBC, Berners-Lee said that global action is required to tackle the web’s “downward plunge to a dysfunctional future.” This 30-year anniversary is a good time to re-examine our complex relationships with centralized services and return to the guiding principles that have made the web a universal, open place of opportunity.
WordPress 5.1.1 was released yesterday evening with an important security update for a critical cross-site scripting vulnerability found in 5.1 and prior versions. The release post credited Simon Scannell of RIPS Technologies for discovering and reporting the vulnerability. Scannell published a post summarizing how an unauthenticated attacker could take over any WordPress site that has comments enabled:
An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.
Since WordPress ships with comments enabled by default, an attacker could exploit this vulnerability on any site with the default settings. Auto-updates went out yesterday but administrators who have background updates disabled are advised to update immediately.
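Sites with background updates switched off are the ones that need a manual update, and the switch is usually a constant in `wp-config.php`. The following is an added example, not code from the release post or from WordPress: it reads the core constants `AUTOMATIC_UPDATER_DISABLED` and `WP_AUTO_UPDATE_CORE` (neither is named on this page) from a config file's text, and the function names and sample configs are constructed for illustration.

```python
import re

# Matches simple calls such as: define( 'WP_AUTO_UPDATE_CORE', false );
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>[^;]*?)\s*\)\s*;"""
)

def read_constants(php_source):
    """Extract define() constants, ignoring commented-out lines."""
    # Simplification: drops /* ... */ blocks and whole-line // or # comments.
    src = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)
    src = re.sub(r"^\s*(?://|#).*$", "", src, flags=re.M)
    constants = {}
    for m in DEFINE_RE.finditer(src):
        raw = m.group("value").strip()
        if raw.lower() in ("true", "false"):
            value = raw.lower() == "true"   # PHP boolean literal
        else:
            value = raw.strip("'\"")        # string or number, kept as text
        # PHP keeps the first definition of a constant; later ones are ignored.
        constants.setdefault(m.group("name"), value)
    return constants

def core_auto_update_status(php_source):
    """Return (enabled, reason) for background minor-release updates."""
    c = read_constants(php_source)
    off = c.get("AUTOMATIC_UPDATER_DISABLED", False)
    # Core tests this constant for truthiness, so 1 or 'yes' also disables.
    if off is True or (isinstance(off, str) and off.lower() not in ("", "0", "null")):
        return False, "AUTOMATIC_UPDATER_DISABLED is set"
    # Core compares strictly against boolean false; 'minor' and true both
    # leave minor releases such as 5.1.1 enabled.
    if c.get("WP_AUTO_UPDATE_CORE") is False:
        return False, "WP_AUTO_UPDATE_CORE is false"
    return True, "not disabled in wp-config.php"

# Constructed sample configs (not from real sites).
DEFAULT_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
// define( 'WP_AUTO_UPDATE_CORE', false );
"""
LOCKED_CONFIG = """<?php
/* pinned by ops */
define( 'WP_AUTO_UPDATE_CORE', false );
"""
```

A result of `True` only means the config file does not disable updates; filters set by plugins or themes, or file permissions on the host, can still block them, so confirm the running version as well.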