Ujwal Thapa, Co-Founder of the WordPress Nepal Community, Passes Away – WordPress Tavern

“Here is my resume of professional Failures,” began his LinkedIn profile. On a site where most are apt to share success, Ujwal Thapa started with nearly two decades of dreams that did not quite work out. Or maybe they did, in some ways.

Much of Nepal is reeling from his death today. In the past week, he had been battling multiple health complications from Covid-19. The 44-year-old activist was the founder of the Bibeksheel Nepali political party, originally a peaceful movement that fought against political corruption and social injustice. However, many Nepali WordPress users will remember him as a co-founder of their community. The WordPress Nepal Facebook group has now grown to nearly 8,000 members.

Photos shared by Ganga Kafle.

In a 2015 interview with Nepal Buzz, he named building this community as his proudest WordPress-related achievement. “That is not just creating tens and hundreds, but thousands of jobs in Nepal, and has the potential to create tens of thousands more, which basically means we are contributing to the nation by creating opportunities where there are none.”

Later in the interview, he described himself as a provoker, and he lived the remainder of his life in that belief. “I believe that the easiest way to bring change is to align all the positive people in the same direction,” he said. “So my job is to provoke and bring together people with similar interests, and align them in a similar direction, creating the change that they would never believe could come.”

Thapa founded Digital Max Solutions in 2002, amid the Nepalese Civil War. At one point, the company had as many as 35 employees; over 30 of them eventually moved on to start their own IT businesses. He also created the Entrepreneurs for Nepal Facebook group, which now has over 100,000 members. From May 2013 to October 2019, he served as Chairperson of the Bibeksheel Nepali party.

Many in Nepal’s WordPress community owe him a debt of gratitude for his vision of building businesses on top of the core platform. WordPress.org Themes Team representative Ganga Kafle credits at least part of his career and deep involvement with WordPress to Thapa, who helped him land an initial internship with Web Experts Nepal.

“Ujwal Thapa is the person who introduced WordPress to me in 2012 in a meetup,” he said. “After that, I was in close relation with him. In 2014, after my graduation, I went to Ujwal and asked him about the internship, and he took me to that office and talked with the boss and finalized the internship. That’s how I jumped into WordPress, and now I am one of the leads of the Themes Team.”

“Once he said to me, ‘WordPress is giving so many things for free, why do you hesitate to put Proudly Powered by WordPress?’” Kafle shared of his mentor, referencing the credit line found in many WordPress site footers. “He was in love with WordPress.”

You can view Thapa’s WordCamp presentations as a speaker and panel moderator via WordPress.tv.


Chrome Canary Adds Flag for Disabling FLoC Testing – WordPress Tavern

Google’s controversial Federated Learning of Cohorts (FLoC) experiment now has a feature flag in Chrome Canary (the nightly build of Chrome for developers) that allows users to opt out.

In January 2020, Google announced its plan to discontinue support for third-party cookies in Chrome within two years. The first pieces of the company’s Privacy Sandbox initiative started landing in Chrome in December 2020, with an initial flag to disable it. FLoC, Google’s proposed replacement for third-party cookies, began testing as a developer origin trial in Chrome at the end of March 2021.

In Canary, users can navigate to chrome://flags/#privacy-sandbox-settings-2 to find the Privacy Sandbox Settings 2 flag, then relaunch Canary to save the change. This unlocks the box that allows users to either reset their FLoC group or opt out of FLoC entirely. The new setting is available under chrome://settings/privacySandbox.

If the setting remains enabled, which is the default, Chrome groups users into cohorts based on recent browsing activity, and advertisers then select ads for the entire group. The individual’s browsing history is “kept private on your device,” but the cohort ID computed from it is what gets shared with the sites a user visits, and Chrome itself certainly has access to that history by way of computing the cohorts. Google notes that the trial is currently only active in some regions.

Users can also opt out of Privacy Sandbox trials on the same page. Current trials include the following:

- Advertisers and publishers can use FLoC
- Advertisers and publishers can study the effectiveness of ads in a way that does not track you across sites

Google has not specified how users would opt out of FLoC if the experiment is successful and moves forward. Organizations and site owners who are currently on the fence about it may go either way depending on how easy it is for Chrome users to opt out themselves.
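Site owners who would rather not wait on Chrome users have an opt-out of their own: during the origin trial, Chrome left a page out of a visitor’s cohort calculation when the response carried a Permissions-Policy header disabling the interest-cohort feature. The snippet below is an added example of sending that header from WordPress; it is not code from the Trac ticket, from WordPress core, or from any plugin named in this article, and the function names and file path are made up for illustration.

```php
<?php
/**
 * Plugin Name: FLoC opt-out header (example)
 *
 * Added example, not code from the Trac ticket, WordPress core, or any
 * plugin named in this article. Saved as wp-content/mu-plugins/floc-optout.php
 * (assumed path) it runs on every request and sends the Permissions-Policy
 * header that Chrome's FLoC origin trial honored as a per-site opt-out.
 */

/**
 * Merge the interest-cohort directive into an existing Permissions-Policy
 * value so a policy set elsewhere (theme, another plugin) is not clobbered.
 */
function example_floc_optout_policy( string $existing ): string {
    $directive = 'interest-cohort=()';
    $existing  = trim( $existing );
    if ( '' === $existing ) {
        return $directive;
    }
    if ( false !== stripos( $existing, 'interest-cohort' ) ) {
        return $existing; // already declared, whatever its allowlist; leave it alone
    }
    return rtrim( $existing, ' ,' ) . ', ' . $directive;
}

function example_send_floc_optout_header(): void {
    if ( headers_sent() ) {
        return; // output already started; too late to add headers
    }
    $existing = '';
    foreach ( headers_list() as $header ) {
        if ( 0 === stripos( $header, 'Permissions-Policy:' ) ) {
            $existing = substr( $header, strlen( 'Permissions-Policy:' ) );
        }
    }
    // $replace = true collapses any earlier Permissions-Policy header into this one.
    header( 'Permissions-Policy: ' . example_floc_optout_policy( $existing ), true );
}
add_action( 'send_headers', 'example_send_floc_optout_header' );
```

The header only counts if it arrives on every HTML response, so a site behind a full-page cache or CDN should also add it at the edge, and a web-server-level rule is more robust than PHP for that reason. It also only removes this site’s pages from the cohort computation; it does nothing about the cohort Chrome derives from the visitor’s other browsing. Check a deployment with `curl -sI https://example.com/ | grep -i permissions-policy` (hostname assumed).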
“Instead of comparing FLoC to its predecessor, third party cookies, I feel it’s actually more like the Facebook Pixel – mostly in the sense that it’s controlled by a single surveillance capital company,” WordPress core contributor Roy Tanck commented on the Trac ticket for the discussion. “FLoC may not be quite as nefarious, but I feel it should be something website owners consciously opt into.

“WordPress has always advocated for a free and open web, and FLoC appears to actively harm that goal. I think WordPress should take a stand against this, and do it now.”

A few others have chimed in on the ticket recently as other open source projects have started blocking FLoC by default. Plugin developer David McCan’s comment referenced analytics data published in early May suggesting that US users choose to opt out of tracking 96 percent of the time following the changes in iOS 14.5.

“There is no doubt that coming down on the side of user privacy vs user tracking is the right thing to do,” McCan said. “Which headline would we rather see? ‘By default millions of WordPress websites are allowing users to be tracked’ or ‘WordPress takes steps to block user tracking making millions of websites around the world safe to visit?’

“We already have a policy that ‘opt-in by default tracking’ is not allowed in plugins hosted by WordPress. This is because we recognize the responsibility and benefit of protecting user privacy.”

During a live marketing event Google hosted at the end of last week, Jerry Dischler, vice president and general manager of Ads, addressed the recent privacy concerns surrounding FLoC.

“We’ll be using these [Privacy Sandbox] APIs for our own ads and measurement products just like everyone else, and we will not build any backdoors for ourselves,” Dischler said.

Dischler also reaffirmed Google’s commitment to moving away from third-party cookies.
“Third-party cookies and other proposed identifiers that some in the industry are advocating for do not meet the rising expectations consumers have when it comes to privacy,” he said. “They will not stand up to rapidly evolving regulatory restrictions; they simply cannot be relied on in the long term.”

Google bears the burden of reassuring advertisers that effective advertising is still possible as the company moves beyond tracking cookies. It is aiming to future-proof advertisers’ measurement of campaign performance with what it claims are “privacy-safe solutions.” The company is pushing hard for advertisers to adopt these new techniques, promising more actionable first-party conversion data.

Although consumer expectations have changed, FLoC may not be the answer to the need for a privacy-preserving advertising model. So far it looks like Google will have an uphill battle to gain broader support from browsers, advertisers, and consumers.


WordCamp Europe 2021 Online Schedule Announced – WordPress Tavern

Mark your calendars for the next major WordPress event, coming up at the beginning of next week. WordCamp Europe is just five days away and will run from June 7-9.

In July 2020, organizers announced that in-person events would not resume until 2022. At that time, attendees were deeply disappointed but resigned to the necessity of online events during the pandemic. One advantage of scheduling a virtual event so far in advance is that organizers were able to eliminate a great deal of uncertainty for attendees and their travel arrangements, as well as gain more time to create a better online experience. This is one of the few times in WordCamp Europe history where all attendees will join virtually, on equal footing from wherever they are in the world.

WCEU 2021 organizers have announced the speaker lineup and schedule for the upcoming three days of 30-minute sessions, 10-minute lightning talks, workshops, discussion panels, and interviews. Two tracks will run simultaneously. The schedule includes some big-picture topics like full-site editing and the future of WordPress themes, as well as more technical topics such as how to quickly build custom blocks, setting up a WooCommerce data hub, headless WordPress, and accessing APIs using OAuth on the Federated Web. At the close of day 3, WordPress co-founder Matt Mullenweg will join the event for a virtual chat.

Business owners, project managers, designers, and other professionals will all find topics related to their work and interests. The schedule has a built-in favoriting tool so attendees can mark the sessions they plan to attend and then print or email themselves a personalized schedule. Every hour or so there will be a 10-minute break so attendees have time to talk with others and socialize. WCEU organizers are planning to host virtual networking rooms where attendees can meet sponsors and take part in product demos.

Registration is free and attendees will receive online goodie bags. Tickets are still available, but organizers expect it to be another “sell out” year.


Custom User Avatar Plugins for WordPress – WordPress Tavern

You know what one of the great things about open source is? Others can use a project’s code, share it wholesale, modify it, and/or distribute their changes. These are the pillars upon which WordPress stands. It is a beautiful thing to watch in practice.

Most often, it means we can build on the shoulders of the giants who came before us, continually improving the software for ourselves and others. It is how WordPress got its start nearly two decades ago as a fork of the b2/cafelog blogging system. Sometimes, it just means having the freedom to give your friend a copy of something you love and letting them use it. Other times, it is the gateway for a budding developer learning how functions or classes work for the first time, ripping apart a project to see what makes it tick.

Every so often, the promise of free software means that others can decide to go their own way when they do not like the direction a project is heading. They can fork the code, carving a new destination for its future. This is what happened when ProfilePress overhauled its WP User Avatar plugin, turning it into a full-fledged membership solution. While its average user may not be able or willing to dip their toes into the depths of the development waters, when you have a 400,000+ user base, a few of them are bound to be programmers, or at least tech-savvy enough to create a copy of the previous version and distribute it directly. It did not take long — mere days — before ex-users began sharing their forks. The beauty of open source is that they have the power to do this without some corporation cracking down on them.

I wanted to acknowledge what they accomplished by jumping into a messy situation and making quick alternatives for many users who felt abandoned. This is my symbolic handclap. 👏

It is not often that we get to mention WordPress’s license without gearing up for battle. However, the GPL played a crucial role in making these forks possible. The license protected the plugin’s user base, giving them multiple alternative paths to take. Without further preaching the merits of open source, the following are the current forks of WP User Avatar:

- One User Avatar by Daniel Tara (One Designs). It already has nine translations and is available on WordPress.org.
- Custom User Avatar by David Artiss. It is currently available on GitHub, but it appears he plans to add it to the plugin directory.
- Orig User Avatar by Philipp Stracker. This one is also only available on GitHub.

Each fork looks like a straight port of the last version of WP User Avatar before version 3.0, with the necessary code and branding changes. The first two also remove all advertising from the plugin. For anyone looking to return to the exact functionality of the old plugin, any one of these will do the job.

Alternative Solutions

Straight ports are nice to have, especially for those who need to keep their data intact across many user accounts, but this could also be an opportunity to look at alternatives. Custom user avatar solutions are a dime a dozen; there is a little something for everyone out there. The following is nowhere near a comprehensive list. I have either tested or used most of these in the past couple of years. I encourage anyone to share plugins I did not include in the comments.

Simple Local Avatars

Topping any list of custom avatar solutions is Simple Local Avatars by 10up. The WordPress company is one of the most respected in the community, and its employees contribute heavily to core development. 10up tends to put together solid plugins. Simple Local Avatars does just what it says on the box: it allows users to upload custom avatars to their site. It also generates requested image sizes on demand. It works alongside Gravatar, which can be enabled or disabled. It also has built-in options for site administrators to let roles that normally lack the upload capability upload their own photos.

WP User Avatars

WP User Avatars by John James Jacoby, a lead developer for bbPress and BuddyPress, is another simple plugin. Like many similar solutions, it adds a form for users to manage their avatar from their profile page. It is unique in that it works alongside a suite of other user-related plugins that Jacoby offers. While it can work on its own, it is at least worth checking out his WP User Profiles plugin, which overhauls WordPress profile pages. It and his other user-related plugins work in conjunction with each other, and plugin users can pick and choose which they wish to install.

User Profile Picture

There seems to be a pattern emerging here: users tend to love these simple avatar solutions. User Profile Picture by Cozmoslabs is another that fits this mold. It also includes a block that lets post or page authors output any user’s profile (avatar, name, description, and posts link) on the site front end. Users without permission to upload images cannot add an avatar with this plugin alone; by default, only the Administrator, Editor, and Author roles have that permission. Site admins will need to install either a permissions plugin or Cozmoslabs’ Profile Builder to grant the extra capability.

Pixel Avatars (Toolbelt)

Pixel Avatars is a privacy-first Gravatar replacement. (Gravatar images are fetched from a third-party server through a URL that embeds an MD5 hash of the user’s email address, which is the privacy concern such replacements address.) It takes a different route than similar options by not providing a method to upload a custom avatar. Instead, it automatically generates unique avatars for each user with a bit of JavaScript. It is a fun twist on the typical avatar system. Technically, this is not a standalone avatar plugin; Pixel Avatars is a sub-component of the Toolbelt plugin. Created by Ben Gillbanks, it is a collection of tools that he uses for most of his WordPress projects. It may be overkill for many, but each module can be enabled or disabled based on user needs.


Delicious Brains Acquires Advanced Custom Fields Plugin – WordPress Tavern

Delicious Brains, the company behind WP Migrate DB Pro and SpinupWP, has acquired the Advanced Custom Fields (ACF) plugin from its creator, Elliot Condon. After 10 years, the plugin has more than 1 million active installs and a thriving business based on the Pro version. It has become an indispensable part of the workflow for thousands of WordPress developers around the globe.

The plugin allows developers to easily customize WordPress edit screens and custom field data. In 2019, the Pro version introduced ACF Blocks, a PHP-based framework for developing custom blocks. This came as a great relief to many developers who did not know how they were going to keep pace with learning the JavaScript required to use WordPress’ Block API.

General reaction to the news was positive, as ACF fits neatly into Delicious Brains’ suite of well-maintained developer products. The company’s founders also possess a genuine appreciation of ACF and its importance to the WordPress developer community. “I don’t think WordPress would be where it is today without ACF,” Brad Touesnard said on a recent episode of the Delicious Brain Waves podcast.

Condon cited the scale of the project and “technology complexity and user expectation” as factors in his decision to sell ACF. As a one-person team, he was unable to keep up with the growth of ACF over the years.

“Stepping away from ACF has not been an easy decision to make,” Condon said. “The reasoning behind it comes from a place of humility. As the number of installs has grown from thousands to millions, the needs of the product have outgrown my ability to develop solutions. The last thing I want to do to this amazing community is unintentionally hold back the project, so something needed to change.”

Delicious Brains’ announcement stated that the company will be reviewing Condon’s roadmap for the product in hopes of fulfilling his vision moving forward.

“Two of our greatest strengths that we’ll bring to ACF are design (UI/UX) and developer education,” Touesnard said. “We’ll be focusing our initial efforts in those areas. I have a few UI/UX improvements in mind that would make a huge difference to users. We also see a significant opportunity to produce developer-focused content focused on effectively using ACF in your WordPress projects.”

Touesnard also confirmed that Delicious Brains will not be making any drastic changes to ACF or ACF Pro, nor does the company plan to adjust the pricing of the product anytime soon. “If we ever decide to update pricing in the future, we won’t force existing customers onto the new pricing,” he said.

After the initial announcement, there was some confusion surrounding lifetime licenses, which originated from a hasty response to a customer inquiry. Delicious Brains has since updated the post to clarify the company’s commitment to ACF Pro’s lifetime customers. “We are committed to honoring lifetime licenses forever,” Touesnard said. “Lifetime license holders will get all ACF Pro software updates forever.”

More information on how the acquisition happened, as well as what customers can expect in the future, is available on the most recent episode of the Delicious Brain Waves podcast.


Building Featured Boxes With the WordPress Block Editor – WordPress Tavern

It is a new day with another chase for that elusive block plugin that will bring a little joy into my life. Today’s experiment comes courtesy of the Feature Box plugin by Sumaiya Siddika. It is a simple block that allows end-users to upload an image and add some content to an offset box. The plugin’s output is a typical pattern on the web.

As usual, I am excited to see plugin authors experimenting with bringing these features to WordPress users. I want to see more of it, especially from first-time plugin contributors.

I was able to quickly get the block up and running and add my custom content. The following is what the block looked like after entering my content and customizing it. I envisioned myself as a recipe blogger for this test.

Inserting and modifying the Feature Box block.

On a technical level, the plugin worked well. I ran into no errors, and everything was simple to customize. However, it never felt like an ideal user experience. The first thing I noticed is that image uploading happens in the block options sidebar, whereas core WordPress blocks have a dedicated button in the toolbar for adding images and other media. I also found myself wanting more direct control over individual elements. How could I change the heading font size? Where were the typical button styles like Outline and Solid Color? How do I insert other blocks, like a list? None of those things were possible.

Like many other blocks, the developer has created a system with specific parameters, and the user cannot move outside of them. There are times when that rigidity makes sense, such as when building custom blocks for clients. However, more often than not, publicly-released plugins should be far more open. This tightly controlled block is reflective of how WordPress worked in the past. It was often inflexible, leaving users with whatever theme and plugin developers thought was best for their sites.

The block system is about tossing out these overly rigid concepts and giving users power over their content. The job of plugins and themes is to define the framework the user is operating under. They set up some rules to more or less keep things from breaking, but the users get to strap themselves into the driver’s seat. Their destination is their own.

The block would have been far more well-rounded if users could control all of the content in the box. Ideally, they could put whatever blocks they wanted into the “content” area of the Feature Box block. The design would match their theme better too.

A couple of weeks ago, I wrote a post titled You Might Not Need That Block. The premise was that users could recreate some blocks with the current editor and that themers could make this easier by offering patterns. I knew replicating this particular block would be impossible without at least a little custom code, because WordPress’s editor does not have a feature for offsetting a block’s position. A theme author could easily duplicate this functionality, though. Typically, I would create a custom pattern, complete with all the existing pieces in place. However, I wanted to approach this with custom block styles, which would allow end-users to select the content offset from the sidebar and switch it around if needed.

Note: For those who wish to learn how to create custom block styles, Carolina Nymark’s tutorial is the best resource.

The Cover block made an ideal candidate for this. Because it has an existing “inner wrapper” element, I could target it with CSS and move it around. The following is a screenshot of the Offset Left style I created:

Offset Left Cover block style.

I simply replicated the code and changed a few values to create an Offset Right style immediately after. The code is available as a GitHub Gist. It is a simple proof-of-concept and not a polished product. There are various approaches to this, and several Cover block options are left unhandled. Theme authors are free to take the code and run with it.

These block styles looked far better because they matched my theme. Everything from the spacing to the border-radius to the button looked as it should.

Offset Left and Right block styles.

The big win was that I had design control over every aspect of the content box. I could select the button style I wanted. I could change my font sizes. The default spacing matched my theme as it should.

The problem I ran into with the block style method is allowing users to control the content box’s background color. The Feature Box plugin wins in the user experience category here because it has an option for this. The block style I created inherits its background from the Cover block parent, and it may not be immediately obvious how to change it.

The other “problem” with the block style is that it does not handle wide and full alignments for the Cover block. That is because I did not take the experiment that far, only replicating the plugin’s layout. I will leave that to theme designers to tinker with. There are many possibilities to explore; don’t wait for me to provide all the ideas.

My goal with this post and similar ones is to show how I would approach these things as both a user and a developer. As a user, I want flexibility in all things. As a developer, I want to provide the solutions that I desire as a user. I also want to see plugin and theme authors thinking beyond their initial use case when building blocks, patterns, styles, and more. Lay the groundwork. Then, expand on that initial idea by thinking of all the ways that users might want to customize what you have built.
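For readers who want to try the block-style approach described above without digging up the Gist, here is an added example of registering Offset Left and Offset Right styles for the core Cover block from a theme. It is not the author’s code: the `.is-style-*` class and the `.wp-block-cover__inner-container` wrapper are WordPress’s own, while the sizes, the explicit white background (the author’s version inherits the Cover background instead), the function names and the text domain are assumptions to tune for your theme.

```php
<?php
/**
 * Added example, not the author's Gist: Offset Left / Offset Right styles for
 * the core Cover block, registered from a theme's functions.php. The style
 * class (.is-style-*) and the Cover inner wrapper class
 * (.wp-block-cover__inner-container) are WordPress's own; sizes, colors and
 * the 'example-theme' text domain are assumptions.
 */

/** Build the CSS for one side; the other side mirrors it. */
function example_offset_cover_css( string $side ): string {
    $other = ( 'left' === $side ) ? 'right' : 'left';
    return "
    .wp-block-cover.is-style-offset-{$side} {
        overflow: visible;            /* let the inner box hang outside the cover */
        margin-bottom: 5rem;          /* reserve the space it hangs into */
    }
    .wp-block-cover.is-style-offset-{$side} .wp-block-cover__inner-container {
        max-width: 32rem;
        padding: 2rem;
        background: #fff;             /* assumed; the article's style inherits the Cover background */
        margin-top: auto;             /* sink the box to the cover's bottom edge... */
        transform: translateY(3rem);  /* ...and past it */
        margin-{$side}: -1rem;        /* and past the {$side} edge */
        margin-{$other}: auto;
    }";
}

function example_register_offset_cover_styles(): void {
    $styles = array(
        'left'  => __( 'Offset Left', 'example-theme' ),
        'right' => __( 'Offset Right', 'example-theme' ),
    );
    foreach ( $styles as $side => $label ) {
        register_block_style( 'core/cover', array(
            'name'         => 'offset-' . $side,
            'label'        => $label,
            // inline_style is printed for the editor and the front end alike.
            'inline_style' => example_offset_cover_css( $side ),
        ) );
    }
}
add_action( 'init', 'example_register_offset_cover_styles' );
```

Like the author’s proof of concept, this leaves wide and full alignments alone; a theme shipping it would add rules for `.alignwide` and `.alignfull` and probably expose the box background through the theme’s color palette rather than hard-coding it.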


Create Per-Post Social Media Images With the Social Image Generator WordPress Plugin – WordPress Tavern

It was a bit of a low-key announcement when Daniel Post introduced Social Image Generator to the world in February via tweet. But when you get repped by Chris Coyier of CSS-Tricks and the co-founder of WordPress uses your plugin (come on, Matt, set a default image), it means your product is on the right track.

I am not easily impressed by every new plugin to fly across my metaphorical desk. I probably install at least a couple dozen every week. Sometimes, I do so because something looks handy on the surface, and I want to see if I can find some use for it. Other times, I think it might be worth sharing with Tavern readers. More often than not, I consider most of them cringeworthy. I have high standards.

As I chatted with Post about this new plugin, I was excited enough to call Social Image Generator one of those OMG-where-have-you-been? types of plugins. You will not hear that from me often.

Post quit his day job earlier this year to venture out on his own, creating a one-man WordPress agency named Posty Studio. Social Image Generator is its first product.

“I kept seeing tutorials on my Twitter feed on how to automatically generate images for your social media posts, but unfortunately, they all used a similar approach (Node.js) that just wasn’t suitable for WordPress,” said Post of the inspiration for the plugin. “This got me thinking: would it be possible to make this for WordPress? I started playing around with image generation in PHP, and when I got my proof of concept working, I realized that this might actually be something I should pursue.”

In our chat over Slack, we actually saw the plugin in action. As he shared Coyier’s article from CSS-Tricks, the chat platform displayed the social image in real time.

Auto-generated image appearing via Slack.

Maybe it was fate. Maybe Post knew it would happen and thought it would be a good idea to show off his work as we talked about his project. Either way, it was enough to impress the writer who is unafraid to call your plugin a dumpster fire if he smells smoke.

Post seems to be hitting all the right notes with this commercial plugin. It has a slew of features built into version 1.x, which we will get to shortly. It is dead simple to use. It is something nearly any website owner needs, assuming they want to share their content via social networks. And, with a $39/year starting price, it is not an overly expensive product for those on the fence about buying.

How the Plugin Works

After installing and activating Social Image Generator, users are taken to the plugin’s settings screen. Other than a license key field and a button for clearing the image cache, most users will want to dive straight into the template editor.

At the moment, the plugin includes 23 templates. From Twenty Seventeen to Twenty Twenty-One, each of the last four default WordPress themes also has a dedicated template. After selecting one, users can customize the colors for the logo, post title, and more; the amount of customization depends on the chosen template.

Browsing the plugin’s templates.

Aside from selecting colors, users can choose between various logo and text options. They can also upload a default image for posts without featured images.

Editing a template from Social Image Generator.

When it comes time to publish, the plugin adds a meta box to the post sidebar. Users can further customize their social image and text on a per-post basis.

Social image preview box on the post-editing screen.

Once published, the plugin creates an image that will appear when a post is shared on social media. On the whole, there is a ton that anyone can do with the built-in templates. There is also an API for developers to create their own. For a first outing, it is a robust offering. However, there is so much more that can be done to make the plugin more flexible.

Version 2.0 and Beyond

Thus far, Post said he has received tons of positive feedback along with feature requests. Primarily, users are asking for more customization options and the ability to create and use multiple templates. These are the focus areas for the next version. With a 1,718% increase in revenue in the past month, it seems he might have the initial financial backing to invest in them.

“I’ve started building a completely overhauled drag-n-drop editor, which will allow you to create basically any custom image you want,” he said. “It will be heavily inspired by the block editor, and I want to keep the UI and UX as close to the block editor as possible.”

The new template editor would allow users to create multiple layers, an idea similar to how Photoshop, GIMP, and other image-editing software work. The difference would be that it can pull in data from WordPress.

“For example, an ‘Image’ layer will have options such as height/width and positioning, as well as some stylistic options like color filters and gradient overlays,” said Post. “A ‘Text’ layer can be any font, color, and size and can show predefined options (post title, date, etc.) or whatever you want. You can add an infinite number of layers and order them however you’d like.”

He seems excited about opening up new possibilities with an overhauled editor. Users could potentially create social image templates for each post type. A custom layer might pull in post metadata, such as displaying product pricing or ratings from eCommerce plugins like WooCommerce.

“The prebuilt templates will still exist, similar to Block Patterns in the block editor,” said the plugin developer. “They will, however, serve as a starting point rather than the final product. I’ll also try to implement theme styling as much as possible.

“The possibilities here are so endless, and I’m incredibly excited for this next part.”


Jetpack 9.8 Introduces WordPress Stories Block Alongside Forced Security Update – WordPress Tavern

Jetpack 9.8 was released this week, introducing WordPress Stories as the headline feature. The Story block, which allows users to create interactive stories, was previously only available on mobile. It can now be used in the web editor. Stories went into public beta on the Android app in January 2021 and were officially released on the mobile apps in March.

Version 9.8 also included a security patch for all sites using the Carousel feature. The vulnerability allowed comments on unpublished posts and pages to be leaked. It was severe enough for the Jetpack team to work with WordPress.org to release 78 patched versions – every version of Jetpack since 2.0. Sites not using the Carousel feature were not vulnerable, but would have become so if the feature were later enabled on an unpatched version.

In a rare move, WordPress.org pushed a forced update to all vulnerable versions, surprising those who have auto-updates disabled. Several Jetpack users posted in the support forums, asking why the plugin had updated automatically without permission and, in some cases, not to the newest version.

“So this update was a forced update on WordPress sites even with auto-updates disabled? We had this go live on a prod site at 2am last night that has auto-updates disabled for very specific reasons. Not cool Jetpack. https://t.co/55upBmyeHp” — Brad Williams (@williamsba), June 3, 2021

Jetpack team member Jeremy Herve said the vulnerability was responsibly disclosed via HackerOne, allowing the team to work on a patch for the issue. After it was ready to go, the Jetpack team reached out to the WordPress.org security team to inform them of a vulnerability impacting multiple versions of the plugin.

“We sent them the patch alongside all the info we had (a PoC for the vulnerability, what features had to be active, what versions of Jetpack were impacted),” Herve said. “They recommended we release point releases for older versions of Jetpack as well.

“We created those new releases, and when we were ready to release them, someone from the WordPress.org team made some changes on the WordPress.org side so folks running old, vulnerable versions of the plugin would get auto-updated, just like it works for Core versions of WordPress.”

Jetpack team member Brandon Kraft estimated the number of vulnerable sites at 18% of the plugin’s active installs. He said that Jetpack was not part of the discussion about pushing out a forced update.

“We weren’t part of the discussion. Provided details and got the response, but I wouldn’t expect a security convo to be public. But, yes. Single feature impacted. A few things need to be all true for it to matter on a site, which looked like qualified about 18% of sites IIRC.” — A Guy Called Kraft 😷💉 (@Kraft), June 3, 2021

“What probably adds to the confusion is that WordPress 5.5 added a UI for plugin (and theme) autoupdates,” Herve said. “That UI, while helping one manage plugin autoupdates on their site, is a bit different from Core’s forced update process. Both of those update types can be deactivated by site owners, just like core’s autoupdates can be deactivated, but I don’t believe (and honestly wouldn’t recommend) that many folks deactivate those updates.”

Brandon Kraft dug deeper into the topic and published a post that explains the differences between auto-updates and forced updates. It includes how to lock down file modifications if you don’t want to receive any forced updates in the future. Forced updates, however, are exceedingly rare; Kraft counts only three for Jetpack since 2013. In this instance, the Jetpack team followed the official process for reporting a critical vulnerability to the plugin and security teams, who determine the impact for users based on a set of criteria.
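To make the distinction Herve draws concrete: the per-plugin toggle added in WordPress 5.5 only feeds the updater’s decision, while forced security releases set a flag on the update item itself, so the toggle does not stop them. What does stop them is either disabling the background updater outright or intercepting the decision in the `auto_update_plugin` filter, which WordPress applies to forced updates too. The block below is an added example of both levels; it is not code from Kraft’s post or from Jetpack, and the plugin list and function names are assumptions.

```php
<?php
/**
 * Added example, not from Kraft's post or from Jetpack: the two levels at
 * which a site owner can control background plugin updates, including the
 * forced security releases described above.
 */

// 1) Site-wide, in wp-config.php. Either constant makes
//    WP_Automatic_Updater::is_disabled() return true, which stops ALL
//    background updates: forced plugin releases like Jetpack's, but also
//    core security releases. You then own the patch cadence yourself.
//
// define( 'AUTOMATIC_UPDATER_DISABLED', true ); // background updates off; manual updates still work
// define( 'DISALLOW_FILE_MODS', true );         // also removes the install/update/editor UI

// 2) Narrower, in an mu-plugin: leave core auto-updates on, but pin the
//    plugins your own deployment pipeline manages. The 'auto_update_plugin'
//    filter runs for forced updates too ($item->autoupdate is set on them),
//    so returning false here blocks them for the listed plugins only.
$example_pinned_plugins = array( 'jetpack/jetpack.php' ); // assumed: deployed from version control

add_filter( 'auto_update_plugin', function ( $update, $item ) use ( $example_pinned_plugins ) {
    if ( ! isset( $item->plugin ) || ! in_array( $item->plugin, $example_pinned_plugins, true ) ) {
        return $update; // not pinned: keep WordPress's own decision
    }
    // Leave a trail so a skipped security release is noticed, not silently lost.
    error_log( sprintf(
        'auto_update_plugin: blocked background update of %s to %s (forced=%s)',
        $item->plugin,
        isset( $item->new_version ) ? $item->new_version : '?',
        ! empty( $item->autoupdate ) ? 'yes' : 'no'
    ) );
    return false;
}, 10, 2 );
```

Pinning only makes sense when something else watches advisories for those plugins and ships the patched release promptly; the log line is there so the skipped forced update shows up in whatever reads the PHP error log. The constants are the blunter tool and carry the cost Herve hints at: a site that sets them also opts out of the core security releases it would otherwise receive overnight.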
Users who received an email notification about an automatic update from Jetpack, despite having disabled plugin auto-updates in the dashboard UI, should be aware that these forced updates can come once in a blue moon for security purposes. That UI governs the routine per-plugin auto-updates added in WordPress 5.5, not the separate forced-update path WordPress.org uses for critical vulnerabilities.

Tony Perez, founder of NOC and former CEO at Sucuri, contends that forcing a security update like this violates the intent users signal when they disable auto-updates in the WordPress UI. He highlighted the potential for abuse if the forced-update mechanism itself were ever compromised by a bad actor.

“The platform is making an active decision that is arguably contrary to what the site administrator is intending when they explicitly say they don’t want something done,” Perez said. “Put plainly, it’s an abuse of trust that exists between the WordPress user and the Foundation that helps maintain the project.

“My position is not that it shouldn’t exist. That’s a much deeper ideological debate, but it is about respecting an administrator’s explicit intent.”
