Starting October 1st, 2024, WordPress.org will roll out new security measures aimed at enhancing the safety of accounts with commit access to plugins and themes. This was announced by the Automattic-sponsored developer Dion Hulse.

Mandatory Two-Factor Authentication

Beginning next month, WordPress.org will make two-factor authentication (2FA) mandatory for all plugin and theme authors. Authors can configure 2FA by visiting their WordPress.org profiles, and the platform has already started prompting them to do so. Dion Hulse emphasized the importance of securely storing backup codes, as losing access to both 2FA methods and backup codes could complicate account recovery.

SVN Passwords for Commit Access

WordPress.org will also introduce SVN passwords for committing changes to plugins and themes. This feature separates commit access from the main WordPress.org account credentials, offering an extra layer of security. Authors can generate SVN passwords through their profiles, ensuring that their main account passwords are protected. Those using deployment scripts, like GitHub Actions, will need to update their stored passwords with these new SVN credentials.

For those wondering why the Plugin Review Team is not using 2FA with SVN, Dion explained, “Due to technical limitations, 2FA cannot be applied to our existing code repositories, that’s why we’ve chosen to secure WordPress.org code through a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations).”

For more information, authors can refer to the guides on Configuring Two-Factor Authentication and Subversion Access and Chris Christoff’s post on Keeping Your Plugin Committer Accounts Secure.

Community Reaction

The community has reacted positively to these changes, with some expressing that these updates were long overdue. “At least we were earlier than someone stepping on Mars,” joked developer Toma Todua.

Recently, the WordPress Plugin Team has ramped up efforts to enhance platform security. In June, they temporarily halted plugin releases and forced all plugin authors to reset their passwords after five WordPress.org user accounts were compromised.

Tag Archives: Introduces

Gutenberg 19.1 Introduces Plugin Template Registration API – WP Tavern

Gutenberg 19.1 has arrived, introducing the eagerly anticipated plugin template registration API and updates to image caption styles. This Gutenberg version will be later incorporated into WordPress 6.7.

The highlight of this release is the plugin template registration API. It addresses a long-standing issue developers have faced with conflicts between plugins and themes, particularly when dealing with custom post types, taxonomies, or virtual pages. This new feature allows developers to register block templates directly within their plugins, providing fully customizable default content layouts. Till now, developers had to use multiple filters to register templates. By building on the Gutenberg block system, this update makes it easier for themes and users to adapt and personalize templates according to their design and functional needs.

Justin Tadlock has published a detailed tutorial on this feature on the Developer Blog and will host a Developer Hours Session with Nick Diego on September 10, 2024.

This release also tones down the intensity of the caption background, improving the image caption styles.

Other notable changes in this version include:

- Improved data view extensibility
- Better defaults for the zoom out view
- Added border support for core blocks
- Applied elevation scale to Modal, Popover, and Snackbar components.
- Fixed wp-config anchors to make wp-env compatible with WordPress versions older than 5.4.

The community’s response has been enthusiastic, with feedback such as “Really like this feature”, “Great one, that I am looking for !” and “Literally the greatest news I’ve heard in years (and I had a baby last year)”.

Easy Digital Downloads 3.1 Adds 10 New Core Blocks, Introduces Email Summaries – WP Tavern

Easy Digital Downloads (EDD) put out a big release today, following several maintenance releases and the last major release in July. Version 3.1 introduces 10 new core blocks available to users who are running WordPress 5.8 or newer:

- Buy Button
- Order History
- Products
- Registration Form
- Login Form
- Download Terms
- Receipt
- Confirmation
- Cart
- Checkout (Beta)

These blocks enable store owners to do more than their shortcode predecessors. Although the shortcodes still work, the block versions allow for much easier customization with a better UI.

One example in the announcement is the Order History block. The previous Purchase History shortcode output a simple table of orders, but the new Order History block has a card style view and allows users to easily modify the number of columns and how many orders are displayed per page.

[Image: Purchase History shortcode output]

[Image: New Order History block]

The other blocks have been updated in a similar fashion, with extended functionality and greatly expanded customization options.

It’s important to note that the new Checkout block was released in beta. It is not turned on by default for new stores yet. Users who want to test the block will notice that EDD has reordered some of the fields to improve conversions, improved the user context detection (only showing necessary fields to users), and redesigned the payment method picker.

Email Summaries is a new feature for store owners in 3.1. It sends a weekly or monthly email to the admin or other custom recipients with a store update that includes metrics like gross and net revenue, new customers, and average order amount. It can also be disabled in the admin.

A few other notable changes in version 3.1 include the following:

- New setting to require users to login to download files
- Success Page has been renamed to Confirmation Page to differentiate it from the receipt
- More detailed views and filtering options for Reports
- reCAPTCHA keys added to Downloads » Settings » Misc so users can automatically enable reCAPTCHA for the lost password and the registration forms
- New color options for purchase buttons
- New “View Receipt” link in the orders table

Easy Digital Downloads is installed on more than 50,000 WordPress sites. The ten-year-old plugin is continuing to evolve and become a more block-friendly tool for selling digital products. Check out the announcement post for a full tour of all the new blocks and their capabilities.

Gutenberg 14.4 Introduces Distraction-Free Mode, Redesigns Pattern Inserter – WP Tavern

Gutenberg 14.4 was released today with long-awaited support for distraction-free editing, to the delight of content editors around the world. It hides all non-essential UI and clears the canvas for a focus on text-based content creation. The mode can be toggled on in the options menu in the top toolbar.

Distraction-free mode hides the top toolbar, any open sidebars, along with the insertion point indicator and the block toolbar.

[Image source: Gutenberg 14.4 release post]

The project to improve the editing experience for text-based content began with early explorations in February, which progressed into a PR that contributors have been refining for the last few months. This distraction-free mode is a monumental improvement over the days when users struggled to write with various UI elements popping in and out of view.

Another major update in 14.4 is the redesigned pattern inserter. It has been updated to show the categories before rendering the patterns, giving users a more fluid visual preview as they browse the pattern library. Patterns can be dragged and dropped from the preview pane into the canvas.

[Image source: Gutenberg 14.4 release post]

Other notable improvements users may notice include the following: Performance benchmarks show an improvement in loading time for both the post and site editors.

Check out the release post to see the full list of all the changes and bug fixes included in 14.4. This release will not be included in the upcoming WordPress 6.1 release next week, but users who are eager to adopt these new features can get them right now in the Gutenberg plugin.

ACF 5.10 Introduces Block API v2 Support, Block Preloading, and Security Improvements – WP Tavern

Advanced Custom Fields (ACF) has released version 5.10, the first major release since the plugin was acquired by Delicious Brains. It introduces several new features that were previously experimental, closing out tickets that were started by previous owner Elliot Condon.

The release enables HTML escaping by default, which helps prevent Cross-Site Scripting (XSS) attacks. It runs content rendered by ACF through the WordPress wp_kses() function. There was a little confusion about how this works and the release post has been updated to clarify:

“It’s important to note that this only affects content rendered by ACF in your WordPress dashboard or any front-end forms rendered through acf_form(),” Iain Poulson said. “This will not affect field values loaded through API functions such as get_field() and the_field(). We don’t make any assumptions about where you are using your field values within your theme and do not escape to them as a result.”

Version 5.10 also introduces support for the WordPress Blocks API v2 for ACF blocks. WordPress 5.6 came with a new Block API that makes it easier for theme and plugin developers to style the block content with more consistent results matching the front end. The ACF team has created a Block API v2 help doc with examples that help developers update their blocks and make use of the new block filters included in the update.

Other features introduced in this release include block preloading turned on by default, a new full-height setting for blocks, opacity support for the color-picker, and many bug fixes.

Next up on the roadmap for the plugin is adding WordPress REST API support to ACF field groups.

“As API-powered JavaScript front-ends become more and more popular in the WordPress space, it’s clear that many of our customers want this functionality included in ACF core,” Poulson said. “We also plan to improve the performance of the plugin and work on other quality of life features.
Now that our development team has a solid handle on the codebase and the release process, we can start working on these more complicated but long-requested features.”

Shortly after the acquisition, Delicious Brains representatives published a pinned thread in the forum, clarifying expectations for free support and response times. The official support forum for both free and PRO users can be found at support.advancedcustomfields.com, which is more active than the WordPress.org forums. Since the plugin is more developer-focused, the team is taking a looser approach to support by giving the community a place to help each other:

We rarely provide support in either forum. The exception is after a major release, when we keep an eye on both forums to spot any problems caused by the release. The primary purpose of both forums is for people in the WordPress community who are having trouble with Advanced Custom Fields to help each other. Response times can range from a few days to a few weeks and will likely be from a non-developer. We jump in now and then when the description sounds suspiciously like a bug.

The release of version 5.10 is a good sign that ACF will continue to make progress under its new ownership and a reassuring milestone for the small minority of users who were unsure about the plugin’s future.

Gutenberg 11.3 Introduces Dimensions Panel, Adds Button Padding Support, and Speeds Up the Inserter – WP Tavern

Earlier today, Gutenberg 11.3 landed in the WordPress plugin directory. The latest update introduces a new dimensions panel for toggling spacing-related block options. The Button block now supports the padding control, and the Post Featured Image block has new width and height settings.

One of the release’s highlights was a speed improvement for both opening and searching within the inserter. The opening time dropped over 200 ms, from 370.35 ms to 137.28 ms. Search speed went from 190.37 ms to 67.24 ms.

The latest release includes a simplified color picker library. Rich previews for links, a feature introduced in Gutenberg 10.9 for external URLs, now work with internal site links.

Theme authors should enjoy the reduced specificity of the reset and classic editor stylesheets. Such changes always make it a little easier for theme authors to match editor and front-end styling.

Dimension Panel for Spacing Controls

[Image: Toggling the padding and margin controls for the Site Tagline block.]

Gutenberg 11.3 introduces a new Dimensions panel for blocks that support either margin or padding controls. The feature adds an ellipsis (…) button in place of the typical open/close tab arrow. Users can select which controls they want to use.

The long-term goal is to clean up the interface, only exposing controls that a user actually needs. Because such needs are subjective, allowing users to toggle them on/off is an ideal route to take.

The current downsides are twofold. Once choosing to display margin or padding controls, the panel itself cannot be collapsed. This exacerbates the very problem that the new feature attempts to solve — decluttering the sidebar interface. For me, at least, I always want quick access to spacing controls. However, I do not always need them shown.

The second issue is that the user choice of what to display does not seem to be stored. Each time you work with a block, you must select which controls should appear.

The new Dimensions panel is only one part of the process of wrangling sizing (width and height), spacing (padding and margin), and related controls for blocks. Work toward a more well-rounded solution is still underway. Presumably, the development team will address these issues and others in future releases. However, those who run the Gutenberg plugin in production should expect oddities with usage.

The Block Visibility plugin has the most user-friendly version of such a toggle control right now. It is not yet a perfect solution, but it works a little better than what is currently in Gutenberg.

Button Block Padding

[Image: Testing the new Button block padding option with TT1 Blocks.]

It is no secret that I dislike the default padding of the Button block when using the TT1 Blocks theme (block-based version of Twenty Twenty-One). I have made it one of my missions to routinely point it out, even going so far as refusing to use the block in the last call for testing as part of the FSE Outreach Program.

An oversized button is not always the wrong stylistic choice on a webpage. Context matters and I somehow continue to run into scenarios where I need something a bit more scaled back. Control over the Button block’s padding has been on my wish list for months, and the Gutenberg development team delivered.

As of 11.3, users can control the padding of individual Button blocks. It will now appear as an option within the new Dimensions panel mentioned earlier.

Prayer answered. Now, let us move toward adding padding controls to all the blocks.

The one potential issue some users might run into is maintaining consistent spacing when using multiple Button blocks together. The easiest way to do this is to add and style the first, then duplicate it to create others with the same spacing. This is not a new issue; it applies to all Button options where users want consistency within a group.

Featured Image Dimension Controls

[Image: Adjusting a Post Featured Image block’s dimensions.]

The Post Featured Image block has finally received a small but handy upgrade. In the past, users and theme authors only had a single option of deciding whether to link it to the post. Now, they can control the width and height of the image.

If a user sets a height for the image, the editor will reveal a separate “Scale” option with the following choices:

- Cover (default)
- Contain
- Stretch

What do these options actually do? That would be a good question. Even as someone in the web design and development loop for close to two decades, I sometimes forget and must look them up. They are values for the object-fit CSS property and are likely to confuse users in many instances.

Cover and contain allow the image to fit within the containing element’s box while maintaining its aspect ratio (no stretching the image). The difference is that the cover value will be clipped if it does not fit and the contain value may be letterboxed. A stretch value will fill its container regardless of the aspect ratio.

Depending on the image’s aspect ratio on its container, each of the values could essentially display the same thing on the screen. Or, they could provide wildly different results. Coupling these dimensions controls with wide and full alignments (also width-related options) could make for some unpredictable experiments too.

The theme designer in me wants to disable the UI for this altogether and present something slightly more controlled: an image size selector.

Such a selector should not be confused with width and height controls. WordPress theme authors have been registering custom image sizes for years. The primary use case for this was featured images. Users can use these sizes with the current Image and Latest Posts blocks. However, they do not yet have this option with Post Featured Image.

I am in the camp that believes image size controls should have been the first addition to the block.
It is such an integral part of WordPress theme design that it cannot be left out, and I have

Gutenberg 11.2 Expands Color Support for Search and Pullquote Blocks, Introduces Experimental Flex Layout for Group Block – WP Tavern

Gutenberg 11.2.0 was released today with expanded color support for the Search and Pullquote blocks. Historically, customizing these elements has been out of reach for most users if their themes didn’t include them as options.

This release introduces color support and border color support for the search button. Pullquotes are getting a similar treatment with border and color support, enabling some creative design options for those who enjoy taking the reins on customization.

It’s these kinds of minute style changes that web developers would have been paid to perform back in the earlier days of theme customization gigs. Now the block editor enables anyone to jump in and do it themselves. These color support additions are part of a larger effort to improve the editor’s design tools to provide consistent application across blocks.

“Another important goal of design tools is ensuring a wide range of exquisitely crafted patterns are possible; that best practices are not only possible but encouraged; and that customizing blocks is a consistent and natural experience,” Gutenberg Lead Architect Matias Ventura said in the ticket tracking design tool tasks.

Gutenberg 11.2 also introduces support for a new experimental flex layout. The need for additional layouts was described by Rick Banister in a ticket submitted a year ago, requesting a “display horizontal” option for the Group block:

When building patterns or trying to achieve a layout with multiple elements arranged horizontally it would help to have a parent block that would automatically arrange its children on a single line. Columns can be used to arrange things side-by-side, but they add quite a lot of extra nesting if you only need to arrange one set of blocks. We could leverage the Group block and add a ‘display horizontally’ or ‘act as a row’ option to it. It would wrap its children and act as a ‘flex container’ (display:flex; flex-direction:row;).
Further flex parameters could be optional to align and distribute objects.

A flex layout option has the potential to remove some of the complexity in nesting blocks. This early prototype shows a rough, unfinished UI for a layout switcher. It shows the difference between a flex layout and the default “flow” layout, which displays children one after the other vertically without any specific styles.

The PR included in Gutenberg 11.2 makes it possible for blocks to support multiple layouts. Gutenberg engineer Riad Benguella said the plan is to introduce more layouts, such as “grid” and “absolute positioning container.” Adding “flex” layout support for the group block is the first step towards proving how multi-layout options can work in the block editor.

“In the previous WordPress release, we introduced the layout config and the __experimentalLayout prop for inner blocks,” Benguella said. “The initial reason for these was to make alignments and content widths more declarative for themes. While this was an ambitious goal on its own and a hard one to achieve for the default layout, the goal has always been to absorb and support more kinds of layouts in the editor than the regular vertical list of blocks.”

This experimental flex layout support can be useful for theme developers and makes sense in certain use cases with the Cover block, headers, social icons, columns, and other applications. The layout switcher UI is hidden in this release while the Gutenberg team works on a better design and wording for the feature.

WordPress 5.8 “Tatum” Introduces Block Widgets, Duotone Media Filters, New Emoji Support, and More – WP Tavern

WordPress 5.8 “Tatum,” named in honor of jazz pianist Art Tatum, landed earlier today. It is the second major release in 2021. It includes duotone media filters, block-based widgets, theme-related blocks, template editing, and theme JSON file support.

The release also ships tons of other notable features, such as support for new Emoji and an Update URI field for plugin authors to offer custom updates. The latest update also drops support for IE11, saying goodbye to the era of Internet Explorer.

Matt Mullenweg led the WordPress 5.8 release, which saw contributions from 530 volunteers. The entire release team closed 320 Trac tickets and over 1,500 GitHub pull requests. The official release squad members were:

- Release Co-Coordinator: Jeffrey Paul
- Release Co-Coordinator: Jonathan Desrosiers
- Editor Tech Lead: Riad Benguella
- Marketing and Communications Lead: Josepha Haden Chomphosy
- Documentation Lead: Milana Cap
- Test Lead: Piotrek Boniu
- Support Lead: Mary Job

Duotone and Media Improvements

[Image: Duotone filter + gradient overlay on a Cover block.]

The Image and Cover blocks received a new duotone feature. It is a filter that allows users to lay two colors over their media, creating unique effects. The colors overwrite the shadows and highlights of the image or video. Users can use WordPress’s defaults, theme-defined colors, or create their own mixes.

WordPress 5.8 also introduces several upgrades to the media library. The development team replaced infinite scrolling with a “load more” button, improving the experience for screen-reader and keyboard users. End-users can now copy media file URLs from the Add New media screen.

The latest release offers WebP image format support for the first time, and developers have a new image_editor_output_format filter hook to fine-tune the experience.

Block Widgets

[Image: Widgets screen with a Gallery block in the Footer sidebar.]

For the first time since the block system launched with WordPress 5.0 nearly three years ago, blocks are no longer confined to the post content editor. Users can now use them in any available sidebar.

This is a stepping stone in the Full Site Editing experience that will eventually lead to block themes and the site editor. In the meantime, it is a way for users to begin trying out blocks in new ways.

However, those experiences may vary, depending on the active theme. Some older projects may not hold up well with this system. Authors may need to opt-out of the feature. Users who do not want to use block widgets or run into trouble can install the Classic Widgets plugin.

Query Loop and Theme Blocks

[Image: Query Loop pattern inserter: carousel view.]

The power to create lists, grids, and other designs around a group of posts has long been solely in the wheelhouse of developers. Users had to rely on their themes or specialized plugins to make such changes. This is no longer the case. Users will have the power to create almost any type of post list they want from now and far into the future with the Query Loop block.

And, this is just the beginning. WordPress 5.8’s new block is merely an introduction to what will eventually be one of the foundational elements to Full Site Editing in the coming years. As more and more blocks continue to mature, users and theme authors will continue building all sorts of layouts from this simple starting point.

The Query Loop block will also be the first introduction of the pattern inserter to many users. This is a new tool that allows users to scroll through block patterns, choose one, and customize. In the future, it will become a more prominent feature. Inserting lists of posts is just scratching the surface.

WordPress 5.8 ships a new “Theme” category of blocks for users to play around with. Many of these are primarily for use within the Query Loop, such as the Post* blocks.
However, others like Site Title and Site Tagline will be handy in the template editor.

Template Editor

[Image: Creating a custom landing page template.]

The new template editor provides users with a method of creating reusable templates. And, they do not need a 100% block theme to do it. The feature opens an overlay from the content-editing screen for users to customize their page header, footer, and everything in between.

This is essentially a scaled-back version of the upcoming site editor. With 5.8, its primary use case will be for creating custom landing pages. It is a lot of power in the hands of the average user. And, it helps WordPress inch closer to its goal of not only democratizing publishing but also design.

The downside to this feature? It is currently opt-in. The active theme must declare support for users to access it. Many will not see it until developers submit updates.

Developers: theme.json Support

[Image: Real-world theme.json file.]

WordPress 5.8 lets theme authors begin tapping into global styles and settings configuration via the new theme.json system. In the coming years, this will be the foundation of how themers build their projects.

Essentially, the new file is a bridge between themes, WordPress, and users, a standardized method of communication that puts them all on the same page. Theme authors define which settings it supports and its default styles. WordPress reflects these via the editing interfaces and on the front end. And, users can overwrite them on a per-block basis or, eventually, through the Global Styles feature.

Right now, it is an opt-in feature that both traditional and block themes can utilize. Themers will want to start moving their projects over to using it now that WordPress 5.8 is on the doorstep.

WordPress 5.8 Introduces Support for WebP Images – WordPress Tavern

WebP support is coming to WordPress 5.8. This modern image file format was created by Google in September 2010, and is now supported by 95% of the web browsers in use worldwide. It has distinct advantages over more commonly used formats, providing both lossless and lossy compression that is 26% smaller in size compared to PNGs and 25-34% smaller than comparable JPEG images.

WebP is currently used by 1.6% of all the top 10 million websites, according to W3Techs, and usage has increased over the past five years.

[Image: W3Techs: Historical yearly trends in the usage statistics of image file formats for websites]

Adding WebP support to core won’t make all WordPress sites instantly faster, but it will give every site owner the opportunity to reduce bandwidth by uploading WebP images. In the dev note, Adam Silverstein suggested converting images to WebP using command line conversion tools or web based tools like Squoosh, but there are also many plugins that can perform conversion on upload.

WebP Express uses the WebP Convert library to convert the images and then serves them to supporting browsers. It is used on more than 100,000 WordPress sites. Imagify is one of the most popular plugins in use with more than 500,000 active installs. It has a Bulk Optimizer tool that can convert previously uploaded images with one click. The EWWW Image Optimizer plugin, used on more than 800,000 websites, also has support for automatically converting images to the WebP format.

By default, WordPress will create the sub-sized images as the same image format as the uploaded file. More adventurous users can experiment with Silverstein’s plugin that offers a setting for specifying the default image format used for the sub-sized images WordPress generates. A new wp_editor_set_quality filter is available for developers to modify the quality setting for uploaded images.

“The media component team is also exploring the option of having WordPress perform the image format conversion on uploaded images – using WebP as the default output format for sub-sized images,” Silverstein said. “We are also keeping our eyes on even more modern formats like AVIF and JPEGXL that will both improve compression and further reduce resources required for compression.”

WordPress 5.8 is expected to be released on July 20, introducing WebP support for uploads. The new release also adds information to the Media Handling section of the Site Health screen, showing the ImageMagick/Imagick supported file formats for the site in case users need it for debugging.

Jetpack 9.8 Introduces WordPress Stories Block Alongside Forced Security Update – WordPress Tavern

Jetpack 9.8 was released this week, introducing WordPress Stories as the headline feature. The Story block, which allows users to create interactive stories, was previously only available on mobile. It can now be used in the web editor. Stories went into public beta on the Android app in January 2021, and were officially released on the mobile apps in March.

Version 9.8 also included a security patch for all sites using the Carousel feature. The vulnerability allowed the comments of non-published pages/posts to be leaked. It was severe enough for the Jetpack team to work with WordPress.org to release 78 patched versions – every version of Jetpack since 2.0. Sites not using the Carousel feature were not vulnerable but could be in the future if it was enabled and left unpatched.

In a rare move, WordPress.org pushed a forced update to all vulnerable versions, surprising those who have auto-updates disabled. Several Jetpack users posted in the support forums, asking why the plugin had updated automatically without permission and in some cases not to the newest version.

So this update was a forced update on WordPress sites even with auto-updates disabled? We had this go live on a prod site at 2am last night that has auto-updates disabled for very specific reasons. Not cool Jetpack. https://t.co/55upBmyeHp
— Brad Williams (@williamsba) June 3, 2021

Jetpack team member Jeremy Herve said the vulnerability was responsibly disclosed via Hackerone, allowing them to work on a patch for the issue. After it was ready to go, the Jetpack team reached out to the WordPress.org security team to inform them of a vulnerability impacting multiple versions of the plugin.

“We sent them the patch alongside all the info we had (a PoC for the vulnerability, what features had to be active, what versions of Jetpack were impacted),” Herve said. “They recommended we release point releases for older versions of Jetpack as well.

“We created those new releases, and when we were ready to release them, someone from the WordPress.org team made some changes on the WordPress.org side so folks running old, vulnerable versions of the plugin would get auto-updated, just like it works for Core versions of WordPress.”

Jetpack team member Brandon Kraft estimated the number of vulnerable sites at 18% of the plugin’s active installs. He said that Jetpack was not part of the discussion about pushing out a forced update.

We weren’t part of the discussion. Provided details and got the response, but I wouldn’t expect a security convo to be public. But, yes. Single feature impacted. A few things need to be all true for it to matter on a site, which looked like qualified about 18% of sites IIRC.
— A Guy Called Kraft 😷💉 (@Kraft) June 3, 2021

“What probably adds to the confusion is that WordPress 5.5 added a UI for plugin (and theme) autoupdates,” Herve said. “That UI, while helping one manage plugin autoupdates on their site, is a bit different from Core’s forced update process. Both of those update types can be deactivated by site owners, just like core’s autoupdates can be deactivated, but I don’t believe (and honestly wouldn’t recommend) that many folks deactivate those updates.”

Brandon Kraft dug deeper into the topic and published a post that explains the differences between auto-updates and forced updates. It includes how to lock down file modifications if you don’t want to receive any forced updates in the future. Forced updates, however, are exceedingly rare, and Kraft counts only three for Jetpack since 2013.

In this instance, the Jetpack team followed the official process for reporting a critical vulnerability to the plugin and security teams who determine the impact for users based on a set criteria.
Users who received an email notification about an automatic update from Jetpack, despite having the UI in the dashboard set to disable them, should be aware that these forced updates can come once in a blue moon for security purposes.

Tony Perez, founder of NOC and former CEO at Sucuri, contends that forcing a security update like this violates the intent users assign when using the auto-updates UI in WordPress. He highlighted the potential for abuse if the system were to become vulnerable to a bad actor.

“The platform is making an active decision that is arguably contrary to what the site administrator is intending when they explicitly say they don’t want something done,” Perez said. “Put plainly, it’s an abuse of trust that exists between the WordPress user and the Foundation that helps maintain the project.

“My position is not that it shouldn’t exist. That’s a much deeper ideological debate, but it is about respecting an administrator’s explicit intent.”