WordPress Tavern is a site focused on all things WordPress. We also cover BuddyPress, bbPress, and any project under the Automattic umbrella. WordPress Tavern is a warm and inviting community where those interested in the software can hang out with fellow WordPressers to engage in enlightening discussions.
There is currently no way to search for Gutenberg-ready themes on WordPress.com themes because there is no filter set up for this. However, the team said users should not experience any issues with themes breaking with the new editor:
All existing themes should still work with Gutenberg. At worst styles in the editor might not exactly match styles on the site itself, and styling for individual blocks might cause conflicts if the theme treats that type of content in a specific way. But that is true of all WordPress themes, not just the ones on WordPress.com.
Users can activate any theme they want with Gutenberg. The new editor is not going to break any themes, but a theme does need to add support for users to take advantage of specific features like wide alignments and block color palettes. Gutenberg-ready themes also include editor styles to ensure a consistent editing experience between frontend and backend.
Automattic is also working to bring some of those updates from its current set of Gutenberg-ready themes to its free themes hosted on WordPress.org. The company has 109 themes in the directory, which have cumulatively been downloaded more than 17 million times. The majority of its more popular themes fall into the business category, such as Dara (10K active installs), Argent (10K), Edin (6K), and Karuna (5K). Several of these themes are already Gutenberg-ready with the code available on GitHub.
Storefront is by far Automattic’s most popular free theme on WordPress.org with 200,000+ installs and is well on its way towards being ready to support Gutenberg’s new features. Development towards this goal is happening on GitHub. Users can run beta versions of the Storefront theme ahead of time using the Storefront Beta Tester plugin.
In this episode, John James Jacoby and I discuss the news of the week. We talk about the delayed release of WordPress 5.0 and which day would be a suitable release date. We share our opinions on Matt’s answers from his Q&A appearance at WordCamp in Portland, Oregon. We also talk about the changes in WordPress core development, Automatticians in leadership roles, and last, but not least, WordCamp budgeting.
If you’re a NextGEN Gallery plugin user and have been wondering about Gutenberg compatibility, Imagely CEO Erick Danzer announced today that the plugin will ship a gallery block in a release planned for next week. The plugin is currently used on nearly a million WordPress sites (900,000+ active installs). NextGEN Gallery’s Gutenberg block has been in beta testing since May and the plugin will support users who update to use the new editor as well as those who stick with the Classic Editor plugin.
In a post titled “A Plea to Defer the Release of Gutenberg,” Danzer outlined his concerns with the timeline for WordPress 5.0. His thoughts echo those of many other prominent members of the development community who have written their own calls to delay the release. He cites feedback on WordPress.org and urges the Gutenberg team not to discount the validity of these reviews:
Some people have been dismissive of those reviews and questioned whether they are a legitimate reflection of user experiences with Gutenberg. The reviews often lack detail and can be quite harsh.
But that’s the experience of ALL plugin developers on the WordPress repository. Gutenberg is being reviewed in precisely the same way as every other plugin on the repository. If any other major plugin maintained a 2.3 star rating and refused to accept the feedback as legitimate, it would not be a major plugin for long.
Even without detail, reviews on the repository represent a fair reflection of overall user feelings about a plugin. In the case of Gutenberg, it is clear the plugin is not ‘wowing’ potential users.
Danzer also referenced a release the NextGEN Gallery team shipped in 2013 that included “major and breaking changes” that had been “tested aggressively but in limited ways.” This release broke an estimated 10 percent of the plugin’s installations as well as compatibility with many extensions. It has had a lasting impact on NextGEN’s reputation for the past five years. Danzer said he fears WordPress may be headed in the same direction, except at a much larger scale.
As a postscript to his plea, Danzer assured users reading his post that NextGEN Gallery will have support for Gutenberg in time for the WordPress 5.0 release:
Despite the concerns expressed in this post, I want to assure NextGEN Gallery users that we’ll be ready regardless of the final release decision for Gutenberg. We’ll be officially in the next week. We’ve tested and ensured that your existing galleries will work when you update. We’ve developed our block so that if you add galleries via Gutenberg, they will continue to work if you roll back or install the classic editor. And we’ll have all hands on deck to deal with any issues that arise when Gutenberg is released.
NextGEN Gallery’s Gutenberg support includes a block that launches a modal where users can select a gallery to insert. Unless it has significantly changed from the beta preview video published, the gallery block doesn’t seem to offer a preview of the gallery inside the Gutenberg editor once it has been selected and placed within the content. Users who want to test the beta version of Gutenberg support in the plugin can download the latest from the NextGEN Gallery beta page.
Gutenberg appreciation is running high across the CMS pond in the Drupal world. DrupalCamp Oslo 2018, Norway’s biggest national camp to date, was held over the weekend. The event featured two sessions on Gutenberg – one for site builders and one for block developers. Frontkom, the team behind Drupal Gutenberg, took home two Splash Awards for “Best Module” and “Best Integration” for 2018.
The Cloud Blocks plugin for WordPress was released in beta two weeks ago to begin testing the Gutenberg Cloud API, which enables blocks to be shared across CMS’s. The Drupal version of this connector plugin was introduced at DrupalCamp Oslo. Frontkom’s Per André Rønsen and Thor Andre Gretland hosted a session called “Build your pages build with Drupal Gutenberg” where they gave attendees a look at Gutenberg Cloud for D8. It runs as a submodule of Drupal Gutenberg.
Changes Coming to Gutenberg Cloud: All Blocks Will Undergo Code Review before Publishing
One of the speakers at the event was a member of the Drupal.org security team. Rønsen said after their session they had good participation during the Q&A time.
“There was some push back on Gutenberg Cloud for letting any developer add new blocks,” Rønsen said. “We explained that this is only during beta phase, and that we do code review of new blocks coming in. However, this led to the decision of switching to white listing instead. Starting next week, block authors will need to email us and ask for code review before we accept the blocks. This will go hand in hand with an upcoming browser on gutenbergcloud.org – meaning each block will get its own little landing page online. We think this will be useful for people to see how Gutenberg Cloud can be useful for their site.”
Overall, the Frontkom team saw a positive reception to Gutenberg Cloud at DrupalCamp Oslo and they are working to incorporate some of the valuable feedback they received.
“The interest was amazing,” Rønsen said. “This week, we’ve been in contact with two big dev teams who want to help out getting the Drupal module a stable release.”
The session for site builders was not filmed but there is an unofficial video from the developer day where Frontkom’s Marco Fernandes and Frank Gjertsen gave a technical session on how to build custom blocks.
How to build a Gutenberg block for your Drupal site - DrupalCamp Oslo 2018 - YouTube
For the last seven years, the maximum amount of money WordCamp organizers could charge for ticket prices was $20 per day. In 2019, this will increase to $25 per day.
The new amount accounts for inflation and provides breathing room for organizers. According to the Bureau of Labor Statistics inflation calculator, $20 in January of 2006 is equal to $25.51 in October of 2018.
Organizers don’t have to charge this amount and are encouraged to keep the ticket price as low as possible. The increase is also part of a delicate balancing act between not being a financial burden and getting 80% or more of attendees to show up.
“The ticket price does not reflect on the value of the event,” Andrea Middleton, Community organizer, said.
“In an ideal world, all WordCamp tickets would be free just like WordPress is free but to avoid organizing a conference for 500 registrants and only having 50 people show up on the day of the event, we charge as little as we possibly can for tickets, but just enough that people will show up for the event if they’re sleepy that morning or got a last-minute invitation to a pool party or something.”
When the proposal to increase the maximum ticket price was published in September, many commenters approved of the increase with some suggesting an even higher amount to account for inflation for the next few years. Ian Dunn questioned whether or not budget shortfalls were due to organizing teams spending money on extra things.
“Beyond that, though, I’m curious why camps are having more trouble today than they were 5 or even 10 years ago?” Dunn said.
“Is it harder to get sponsorships? It seems like the opposite is true, especially given how much the global sponsorship program covers.
“Based on experiences in my local community, I suspect that the primary reason for budget shortfalls is that the organizing team is choosing to do extra things, beyond what’s necessary to meet the goals of a WordCamp. For example, holding after-parties at trendy venues, expensive speaker gifts, professional A/V (which I’ve advocated for in the past, but not at the cost of higher ticket prices), etc.”
It is interesting to ponder how much money WordCamps could save globally by eliminating the materialistic aspects of the event such as t-shirts, speaker gifts, lanyards, badges, signs, etc.
At their core, WordCamps are about gathering the local community together in a physical location to share knowledge. Not every WordPress event needs to mimic WordCamp US or WordCamp Europe, two of the largest events in the world.
Although the WordPress Community team tracks data such as how much each WordCamp charges for ticket prices, the information is not readily available. This is because of the large volume of data that would need to be calculated and displayed. It would be interesting to see an infographic of this data where you can compare the average ticket price for WordCamps per country.
Hugh Lashbrooke, a WordPress Community team contributor who has access to the data, says that “globally the majority of camps have lower prices.”
WordCamp organizers are highly encouraged to keep track of attendance as the data is used to help make better informed decisions. The team will review the no-show rates at WordCamps at the end of 2019 to determine if the price increase had any effect. If not, the team may increase the price again for 2020.
Alberto Medina and Weston Ruter gave a presentation on Progressive Content Management Systems yesterday at Chrome Dev Summit 2018 in San Francisco. Medina is a developer advocate at Google and Ruter recently transitioned into a new role as a Developer Programs Engineer after eight years at XWP.
Medina began the session with a quick overview of the increasingly complex CMS space, which is growing, according to figures he cited from w3techs: 54% of sites are built with some kind of CMS (11% YoY growth). Many CMS’s face common challenges when it comes to integrating modern web technologies into their platforms, such as large code bases, legacy code, and technical debt.
In addressing the challenges that WordPress faces, Google is looking to make an impact on a large swath of the web. Medina outlined the two-part approach Google is using with the WordPress ecosystem. This includes AMP integration via the AMP plugin for WordPress. It’s currently at version 1.0 RC2 and the stable version is scheduled for release at the end of this month.
The second part of the approach is integration of modern web capabilities and APIs in core, so that things like service workers and background sync are supported natively in a way that the entire ecosystem can take advantage of them. Google has invested resources to get these features added to core.
Ruter demonstrated a single page application built in WordPress using a standard theme as the basis and the AMP plugin as a foundation. Medina said the team plans to continue expanding this work integrating AMP content into WordPress, specifically in the context of Gutenberg. He gave a quick demo of how they are working to help content creators easily take advantage of features like AMP stories via a Gutenberg integration.
Medina said AMP stories are formed by components and work well with Gutenberg, since everything in the new editor corresponds to a block.
“We want powerful components like these to become available across all CMS’s,” Medina said. “The CMS space is moving steadily along the progressive web road.”
Check out the video below to learn more about Google’s experience integrating modern web capabilities and progressive technologies into the WordPress platform and ecosystem.
Progressive Content Management Systems (Chrome Dev Summit 2018) - YouTube
Tickets for the first ever WordCamp Nordic went on sale today and 100 seats sold within 20 minutes. The event is scheduled to be held in Helsinki, Finland, March 7-8, 2019. There are currently 97 regular tickets and 59 micro-sponsor tickets remaining in the first batch, but more will be released in another round.
If there was any question about whether this new regional WordCamp would gain support, the record-setting buy up of all the sponsor packages has put them to rest. All of the Gold packages (3000 €) were purchased within one minute. Silver packages (1500 €) and Bronze packages (750 €) were all purchased within four minutes and 35 minutes, respectively.
“Sponsor packages tend to go in a few hours whenever there’s a WordCamp in Finland, largely thanks to our communications team and the fact that most companies involved with WordPress follow the conversations on our local Slack/Twitter where these things get announced,” co-organizer Niko Pettersen said. “But this must have been a record even for us. WordCamp Nordic seems to be drawing a lot of interest.”
The call for speakers opened on November 7 and submissions close January 7, 2019. All of the sessions will be held in English and the camp is planning to have two tracks. Those interested in speaking may apply for a long talk (40 minutes) or a lightning talk (15 minutes). Selections will be made by mid-January and speakers will be announced in February. Follow @WordCampNordic for all the latest news from the event.
At the end of last week, a plugin called WP GDPR Compliance sent out a security update for a privilege escalation vulnerability that was reported to the WordPress Plugin Directory team on November 6. The plugin was temporarily removed and then reinstated after the issues were patched within 24 hours by its creators, Van Ons, a WordPress development shop based in Amsterdam.
The changelog for the most recent release states that previous versions are vulnerable to SQL injection due to “wrong handling of possible user input in combination with unsafe unserialization.” The fixes are in version 1.4.3, which includes the following:
Security fix: Removed base64_decode() function
Security fix: Correctly escape input in $wpdb->prepare() function
Security fix: Only allow modifying WordPress options used by the plugin and by the user capabilities
Van Ons said they requested that the Plugin Directory team do a forced update, but the team said it was not an option in this case.
WP GDPR Compliance has more than 100,000 active installs. According to Wordfence, the vulnerability is being actively exploited in the wild and many users are reporting new administrator accounts being created on their affected sites. The Wordfence blog has a breakdown of how attackers are taking advantage of these sites:
We’ve already begun seeing cases of live sites infected through this attack vector. In these cases, the ability to update arbitrary options values is being used to install new administrator accounts onto the impacted sites.
By leveraging this flaw to set the users_can_register option to 1, and changing the default_role of new users to “administrator”, attackers can simply fill out the form at /wp-login.php?action=register and immediately access a privileged account. From this point, they can change these options back to normal and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.
Wordfence has seen multiple malicious administrator accounts present on sites that have been compromised, with variations of the username t2trollherten. Several WP GDPR Compliance plugin users have commented on the Wordfence post saying they were victims of the exploit, having found new admin users with a backdoor and file injections added.
The plugin has its own website where the vulnerability was announced. Its creators recommend that anyone who didn’t update right away on November 7, 2018, should look for changes in their databases. The most obvious symptom of attack is likely to be new users with administrator privileges. Any unrecognized users should be deleted. They also recommend restoring a complete backup of the site before November 6 and then updating to version 1.4.3 right away.
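The database checks described above can be scripted. The following is an added example, not code from Van Ons, Wordfence or WordPress: it assumes the default `wp_` table prefix and uses an in-memory SQLite database with constructed rows as a stand-in for a copy of the site's MySQL database, and the function names `audit` and `build_sample_db` are hypothetical.

```python
import re
import sqlite3

# From the article: the flaw was reported on November 6, 2018, and Wordfence
# saw rogue administrators named with variations of "t2trollherten".
REPORT_DATE = "2018-11-06 00:00:00"
REPORTED_NAME = "t2trollherten"


def audit(conn, prefix="wp_", since=REPORT_DATE):
    """Return (kind, name, detail) findings for the indicators described above."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):  # prefix is spliced into SQL
        raise ValueError("unexpected table prefix")
    findings = []
    cur = conn.cursor()

    # 1. Options the attack flips. Attackers can set them back to normal, so a
    #    clean result here does not clear the site.
    opts = dict(cur.execute(
        f"SELECT option_name, option_value FROM {prefix}options "
        "WHERE option_name IN ('users_can_register', 'default_role')"))
    if opts.get("users_can_register") == "1":
        findings.append(("option", "users_can_register", "1"))
    if opts.get("default_role") == "administrator":
        findings.append(("option", "default_role", "administrator"))

    # 2. Administrator accounts. WordPress stores roles in usermeta as a
    #    serialized PHP array under the key "<prefix>capabilities".
    admins = cur.execute(
        f"SELECT u.user_login, u.user_registered FROM {prefix}users u "
        f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = ? AND m.meta_value LIKE ? "
        "ORDER BY u.user_registered",
        (prefix + "capabilities", '%"administrator"%'))
    for login, registered in admins.fetchall():
        reasons = []
        if registered >= since:  # 'YYYY-MM-DD HH:MM:SS' sorts correctly as text
            reasons.append("registered on or after " + since[:10])
        if REPORTED_NAME in login.lower():
            reasons.append("matches reported username")
        if reasons:
            findings.append(("user", login, "; ".join(reasons)))
    return findings


def build_sample_db(options_reverted=False):
    """Constructed sample data for the example, not taken from a real site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    register, role = ("0", "subscriber") if options_reverted else ("1", "administrator")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)",
                     [("users_can_register", register), ("default_role", role)])
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "siteowner", "2016-03-14 09:12:00"),
        (2, "editor_anna", "2018-11-08 10:00:00"),
        (3, "t2trollherten", "2018-11-09 02:41:07"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return conn


if __name__ == "__main__":
    for finding in audit(build_sample_db()):
        print(finding)
```

Every administrator registered on or after the report date is listed for review, including legitimate ones, so the output is a worklist rather than a verdict.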
The WP GDPR Compliance plugin lets users add a GDPR checkbox to Contact Form 7, Gravity Forms, WooCommerce, and WordPress comments. It allows visitors and customers to opt into allowing the site to handle their personal data for a defined purpose. It also allows visitors to request data stored in the website’s database through a Data Request page that allows them to request data to be deleted.
While the name of the plugin includes the word “compliance,” users should note that the plugin details include a disclaimer:
“ACTIVATING THIS PLUGIN DOES NOT GUARANTEE YOU FULLY COMPLY WITH GDPR. PLEASE CONTACT A GDPR CONSULTANT OR LAW FIRM TO ASSESS NECESSARY MEASURES.”
A relatively new amendment to section 9 of the plugin development guidelines restricts plugin authors from implying that a plugin can create, provide, automate, or guarantee legal compliance. Heather Burns, a member of the WordPress Privacy team, worked together with Mika Epstein last April to put this change into effect. This guideline is especially important for users to remember when a plugin author uses GDPR Compliance in the name of the plugin. It isn’t a guarantee of compliance, just a useful tool as part of a larger plan to protect users’ privacy.
Matt Mullenweg joined attendees at WordCamp Portland, OR, for a Q&A session last weekend and the recording is now available on WordPress.tv.
The first question came from a user who tried Gutenberg and turned it off because of a plugin conflict. She asked if users will have to use Gutenberg when 5.0 is released. Mullenweg said one of the reasons Gutenberg has been tested so early is to give plugin developers time to get their products compatible. He also said that it has been the fastest growing plugin in WordPress’ history, with more than 600,000 installations since it was first made available.
In response to her question he said users will have the option to use the Classic Editor and that the team is considering updating it to include per-user controls and the possibility to turn it on/off for different post types.
Subsequent questions went deeper into recent controversies surrounding Gutenberg, which Mullenweg addressed more in depth.
“The tough part of any open source project – there’s kind of a crucible of open source development which can sometimes be more adversarial and sometimes even acrimonious,” he said. “Working within the same company, you can kind of assume everyone is rowing in the same direction. In a wide open source ecosystem, some people might actually want the opposite of what you’re doing, because it might be in their own economic self-interest, or for any number of reasons.
“I liken it much more to being a mayor of a city than being a CEO of a company. I’ve done WordPress now for 15 years so I’m pretty used to it. It might seem kind of controversial if you’re just coming in, but this is not the most controversial thing we have ever brought into WordPress. The last time we had a big fork of WordPress was actually when we brought in WYSIWYG the first time. Maybe there’s something about messing with the editor that sets people off.”
Mullenweg commented on how polarizing Twitter can be as a medium and how that can impact conversations in negative ways. He said people tend to read the worst into things that have been said and that has been a new challenge during this particular time in WordPress’ history. WordPress tweets are sprinkled into timelines along with politics and current events in a way that can cause people to react differently than if the discussion was held in a trac ticket, for example.
One attendee asked, “With Gutenberg there’s a lot of uncertainty. Where do you see the tipping point where you see people become more favorable to Gutenberg than the Classic Editor?”
“Part of getting these two plugins, Gutenberg and Classic Editor, out early, was that it could remove uncertainty for people,” Mullenweg said. “Months before they were released you could kind of choose your path. The hope is that the 5.0 release day is the most anti-climactic thing ever. Because we have over a million sites that have either chosen to not use Gutenberg, which is totally ok, or have already opted in and have been getting these sometimes weekly updates. We have hosts that have actually been pre-installing, pre-activating Gutenberg with all of their sites.”
Mullenweg said hosts that have pre-installed Gutenberg have not reported a higher than normal support load and that it has basically been “a non-event.” It’s the users who are updating to 5.0 after many years of using WordPress who will have the most to learn.
“Gutenberg does by some measures five or ten measures more than what you could really accomplish in the classic editor,” Mullenweg said. “That also means there’s more buttons, there’s more blocks. That is part of the idea – to open up people’s flexibility and creativity to do things they would either need code or a crazy theme to do in the past. And now we’re going to open that up to do WordPress’ mission, which is to democratize publishing and make it accessible to everyone.”
Gutenberg’s current state of accessibility has been a hot topic lately and one attendee asked for his thoughts about the recent discussions. Mullenweg said there is room for improvement in how this aspect of the project was handled and that WordPress can work better across teams in the future:
Accessibility has been core to WordPress from the very beginning. It’s part of why we started – adoption of web standards and accessibility things. We’ve been a member of the web standards project for many many years. We did kind of have some project management fails in this process where we had a team of volunteers that felt like they were disconnected from the rapid development that was happening with Gutenberg. Definitely there were some things we could do better there. In the future I think that we need – I don’t know if it makes sense to have separate accessibility as a separate kind of process from the core development. It really needs to be integrated at every single stage. We did do a lot, as Matias did a big long post on it. We’ve done a ton of keyboard accessibility stuff, there’s ARIA elements on everything. One of their feedbacks was that we did it wrong, but we did it the best that we knew how to and it’s been in there for awhile. There’s been over 200 closed issues from really the very beginning. We also took the opportunity to fix some things that had been poorly accessible in WordPress from the beginning. It’s not that WordPress is perfectly accessible and all WCAG AA and it’s reverting. It’s actually that huge swaths of WP are inaccessible – they just might not be considered core paths from the current accessibility team but I consider them core.
“This is not the finish line,” Mullenweg said. “5.0 is almost like the starting point. Expect just as much time invested into Gutenberg after the 5.0 release as before – to get it to that place where we don’t think it’s just better than what we have today but it’s actually like a world-class web-defining experience, which is what we want to create and what you all deserve.”
The WordPress 5.0 release date has been pushed back to November 27. The previous schedule outlined the possibility of a slip date where the first target date could slip by up to eight days if necessary.
“As discussed during the Core devchat this week, the initial November 19th target date is looking a bit too soon for a release date,” Gutenberg technical lead Matias Ventura said in today’s announcement on the make.wordpress.org/core blog. “After listening to a lot of feedback — as well as looking at current issues, ongoing pull requests, and general progress — we’re going to take an extra week to make sure everything is fully dialed in and the release date is now targeted for November 27th.”
Ventura outlined a new plan where beta 4 and beta 5 releases will coincide with Gutenberg 4.3 and 4.4 releases. RC1 is expected to be released November 19. He said contributors will be posting daily high level updates on the current status of the release, including things like open pull requests to be reviewed and outstanding bugs, to the #core-editor channel.
The announcement also includes a short video demonstration of Gutenberg fully integrated with the new default Twenty Nineteen theme.
Given the recent pushback on the timeline from prominent WordPress developers and business owners, the updated November 27 timeline may still not offer enough time to resolve the issues remaining and allow the ecosystem to prepare training materials that accurately reflect late stage UI changes.
At a spontaneous Q&A session at WordCamp Portland this weekend, Matt Mullenweg said WordPress 5.0 was branched from 4.9.8 so this release has been tightly wound to the previous one to allow for a more seamless transition.
The next targeted release day falls on the Tuesday after Cyber Monday, which should be a relief to anyone running a WordPress-powered e-commerce site. If WordPress misses the updated November 27 release date, it will be pushed back to the secondary target date of January 22, 2019.