Tag Archives: Authors

WordPress.org Introduces New Security Measures for Plugin and Theme Authors – WP Tavern

[ad_1] Starting October 1st, 2024, WordPress.org will roll out new security measures aimed at enhancing the safety of accounts with commit access to plugins and themes. This was announced by the Automattic-sponsored developer Dion Hulse. Mandatory Two-Factor Authentication Beginning next month, WordPress.org will make two-factor authentication (2FA) mandatory for all plugin and theme authors. Authors can configure 2FA by visiting their WordPress.org profiles, and the platform has already started prompting them to do so.  Dion Hulse emphasized the importance of securely storing backup codes, as losing access to both 2FA methods and backup codes could complicate account recovery. SVN Passwords for Commit Access WordPress.org will also introduce SVN passwords for committing changes to plugins and themes. This feature separates commit access from the main WordPress.org account credentials, offering an extra layer of security. Authors can generate SVN passwords through their profiles, ensuring that their main account passwords are protected. Those using deployment scripts, like GitHub Actions, will need to update their stored passwords with these new SVN credentials. For those wondering why the Plugin Review Team is not using 2FA with SVN, Dion explained, “Due to technical limitations, 2FA cannot be applied to our existing code repositories, that’s why we’ve chosen to secure WordPress.org code through a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as  Release Confirmations).” For more information, authors can refer to the guides on Configuring Two-Factor Authentication and Subversion Access and Chris Christoff’s post on Keeping Your Plugin Committer Accounts Secure Community Reaction  The community has reacted positively to these changes, with some expressing that these updates were long overdue. “At least we were earlier than someone stepping on Mars, ” joked developer Toma Todua. Recently, the WordPress Plugin Team has ramped up efforts to enhance platform security. In June, they temporarily halted plugin releases and forced all plugin authors to reset their passwords after five WordPress.org user accounts were compromised. [ad_2] Source link

Continue reading

Theme Authors Should Be Able To Opt Out of Any Design Feature – WP Tavern

[ad_1] As I debugged issues with the new block gap feature added in Gutenberg 11.4 last week, I found the ticket introducing it. And, there was already a new ticket for one problem I had hit. However, there was some discussion over whether themes should be allowed to opt-out, rolling their own solution. There was no way to do it at the time. It felt like a no-brainer, something I would not think twice about. I quickly chimed in: Should theme authors be able to opt out? If this is ever a question that comes up, the answer is always: Absolutely, 100%, yes! The front end of a site is the theme author’s domain. Ultimately, they define how things work there. At least, this is how it has always been. Before the advent of the block system, there were cases where WordPress added its own spin to front-end features, such as styles for the gallery shortcode and emoji JavaScript-image replacement. Themes have always had methods for disabling those. With the introduction of the Gutenberg project and its evolving feature set, WordPress continues stepping into front-end design. This carries the benefit of standardizing the relationship between the platform, themes, and users. It makes things like block patterns universal, and it will continue doing so as we get into more advanced layout tools. This is a future that I am eager to witness because it will make theming much easier. However, within the in-ticket discussion, I came across one of the fundamental rifts between some people working on Gutenberg and third-party developers: I disagree with this take. This means that everything should be optional in WordPress and goes against the decisions not options. some things need to be options but not everything…I don’t think it should be a rule to have an opt-out for everything personally. For instance for structural styles, I’d rather have the themes rely on Core always instead of reinventing their own. Themes are here to bring personality and design but not to define what “horizontal alignment” means for instance. Riad Benguella If such a stance becomes one of the cornerstones of block theme development, it will turn many traditional themers away. I agree with the principle that this should be the foundation, the default way that theming works in WordPress going forward. The more pieces that we can standardize, the better. But, as a rule of thumb, theme authors should be able to opt out of any design-related feature. Then, we make rare exceptions to that rule when the need arises. Regardless of what Gutenberg and, ultimately, WordPress does, theme authors will find a way around it. Let us pretend that “horizontal alignment” is defined by CSS flexbox in core. I guarantee that someone will come along and use CSS grid. In the case of the “block gap” feature introduced in Gutenberg 11.4, it is essentially a fancy name for a global top margin that gets applied to blocks (not to be confused with the actual CSS gap property). In essence, it is a system for defining part of the default vertical rhythm. This feature has long been on my wish list, but the idea of mandating it never crossed my mind. If you want to see a heated discussion, throw a handful of web designers in a room and have them discuss the myriad ways of handling vertical spacing between elements. I am in the top margin camp. Fortunately, theme authors will be able to enable or disable the block gap feature. But, that is merely one battle. I had planned to reply in-ticket, but I did not want to get too far off-topic. I also wanted to give some consideration to the other side. However, I could think of few instances where WordPress should always be the deciding factor on front-end design. From that position, I envision little more than theme authors creating workarounds for what they will see as a broken system. There is nothing wrong with WordPress defining the defaults. However, it should always be from the mindset that developers will want to venture out. The best way to keep them happy is to not get in the way. Build a system that they want to use, not that they must use. And, for those who decide to go a different route, make it easy. Even if we think those rebel designers are creating a broken user experience, that is OK. It is their project to make or break. What makes WordPress so uniquely WordPress is that the platform has always catered to those who want to extend it in just about any imaginable way. If it starts creating stumbling blocks that need not be there, we have done a poor job as stewards of the software. Like this: Like Loading… [ad_2] Source link

Continue reading

Open Survey for WordPress Theme Authors on JSON Files and Block Themes – WP Tavern

[ad_1] WordPress 5.8 introduced an opt-in system for themes to configure block settings, styles, templates, and more. It is done through a new theme.json file that authors can put at the root of their theme folders. Anne McCarthy, the lead of the FSE Outreach Program, announced a survey earlier today to get feedback from developers on this feature. “Since this new mechanism is an early step towards a comprehensive style system for the future of WordPress, it’s important to hear from everyone who is currently using theme.json to learn more about how folks are using this tool and what might make sense to include in Core going forward,” she wrote in the announcement. The survey is open to all theme authors who have used theme.json, giving them a chance to put in some early feedback and help steer the ship going forward. Because I have worked extensively with this system over the past few months, I had a few things to say. Plus, I just like participating in WordPress-related surveys. I also decided it would be an opportunity to share some of my unfiltered thoughts from a development perspective on the current state of theme.json. What follows are my responses to the survey’s questions — well, the tidied-up version. Note: This is a developer-centric post that might not universally appeal to all of our readers. I have attempted to explain some things in user-friendly terminology, but some prerequisite knowledge of theme development may be necessary. Experience The first question of the survey is pretty cut-and-dry. It asks what your experience is with building block themes or using theme.json. It provides four choices (and an “other” option): I have built and launched block themes. I have experimented with building block themes. I have explored using theme.json with a classic theme. I have used a block theme, but I have not built one yet. I chose the first option because I have already built two block themes for family and friends. These were simple personal sites that I already maintain for free — honestly, I need to start charging. I am also working on a theme that I hope to release publicly. How It Started and How It’s Going The second question asks how one got started with block themes and theme.json. The choices are between forking an existing theme, using the Empty Theme, or starting from scratch. Again, this is one of those things where I have experimented with each direction, but I cannot remember the exact starting point. The bulk of my work has come from forking a theme that I last worked on in 2019. I plan to release this as a new theme for free at some point. I am mostly waiting on the following: Navigation block development to settle down The Post Author block to be split into smaller blocks A robust set of comment-related blocks Post Featured Image block to have a size option I think I could realistically release a use-at-your-own-risk beta version of my theme today if those items were addressed. Templates and Template Parts The survey asked which templates and template parts themers always include in their block-based themes. There was a freeform comment field — steps upon soapbox… I have a love/hate relationship with block templates at the moment. The static nature of HTML templates reminds me of simpler times when theme development was less complicated. However, this also presents a problem in a dynamic system. I cannot remember the last time I have built a traditional, PHP-based theme with more than one top-level template: index.php. The dynamic pieces have always been the guts of the thing, which are template parts. With PHP, it is easy to set some variable or use a function call to contextually load the templates parts necessary for whichever page a visitor is currently viewing on a site. The block template system does not work like that. It essentially forces developers into breaking the Don’t Repeat Yourself (DRY) principle. For example, if a designer wanted to display a different header template part for pages and posts, they would only need to create a header-page.php or header-post.php template in traditional themes. However, because the block template system is different, they must now create two top-level templates, single.html (post) and page.html, to accomplish the same thing. This is a “bad thing” because theme authors must duplicate all the other code in each of the top-level templates. There is no way to contextually load different template parts. To answer the question: I am using almost all of the possible top-level templates out of necessity. I also answered the second part of the question and listed my most commonly used template parts (broken down by hierarchy): Header Content– Loop– Sidebar Footer The content-*.html and loop-*.html template parts are those with the most variations. Defining Colors The next section of the survey asks how theme authors define their color palette slugs in theme.json. Believe it or not, naming colors may be the most controversial topic in the theming world in years. The only two things generally agreed upon are “background” and “foreground” colors. Morten Rand-Hendriksen opened a ticket in 2018 for standardizing a theme color naming scheme. It was not the first discussion and has not been the last. The problem it was meant to address was the slugs for colors in the system, which is how themes define their palettes. Once a user makes use of a preset color, the slug is hardcoded into their content. Switch to another theme with different slugs, and the old colors disappear and do not automatically change to the new theme’s colors. I use semantic names that follow something that closely resembles the Tailwind CSS framework’s shading system. Instead of red-medium (descriptive), I would use primary-500 (semantic), for example. A semantic approach would allow theme authors to define a set of colors that are updated each time a user switches themes. Of course, there are other schools of thought, and even everyone who prefers

Continue reading