WP Builds Newsletter #58 – WordPress 5.2 Beta 2, so much security and photos of black holes

Nathan Wrigley: 00:01 Hello, good morning and welcome to this, the WP Builds weekly WordPress newsletter. This is number 58 it covers the WordPress weekly news for the week, commencing the 8th of April, 2019 and it was published on Monday the 15th of April, 2019 a couple of things before we begin, if you wouldn't mind heading over to WP Builds.com forward slash subscribe, you'll be able to join us. It's basically a page which allows you to use all of our channels, get in touch with us. So for example, there's two forms to fill in, one to get onto our regular email newsletter, which tells you about this, the WordPress weekly news and the podcast on a Thursday, but there's also a form which you can fill in which gets you onto our deals newsletter. There's a couple of hundred people on there at the moment and they're all receiving updates. As soon as I find out about them, they're plain text emails saying, go and check out this plugin right away.

Nathan Wrigley: 00:52 It's just knock 20% off its price, that kind of thing. So that's forward. Slash subscribe. You can also do things like join us on the Facebook group, the Youtube Channel, and subscribe on iTunes and the Google podcast apps. So all of that's there. We really appreciate it. If anybody does give us a review on iTunes because allegedly that's the way to get the WordPress weekly news and the WP Builds podcast in front of a wider audience. Okay. The next one is forward slash and deals. We've added a couple of deals this week onto that page. So for example, we've added Mor Cohen's design class. You can get 15% of that plus 30% off WP admin pages pro. They've both been added, but there's probably about 25 deals. So if you're in the market for buying new plugins and you can't wait for black Friday, which is a long way away, go and check out that page.

Nathan Wrigley: 01:42 It might find something there that you need forward slash your webinars. So I'll get to that a little bit later, but there's some webinars that we've recently put out forward slash contribute. If you'd like to come on and join me, uh, doing a screenshare and putting something out into the WordPress community that you yourself have done and forward slash advertise. If you would like to put your adverts on WP built, if you've got a product or a service that you would like people to know about.

New Speaker: 02:12 For example, like this, the WP Builds newsletter is brought to you today by Kinsta are you tired of unreliable or slow hosting? If so, check out. Kinsta who takes managed WordPress hosting to the next level, powered by the Google cloud platform? All their plans include PHP seven ssh and 24 seven experts support migrate today for free at Kinsta Dot Com and we sincerely thank can stuff for their support of the WP Builds newsletter.

Nathan Wrigley: 02:44 So like I say, if you'd like to join Kinsta and have your product or service mentioned on the podcast, that's WP Builds.com forward slash. Advertise. Okie dokie. Let's get stuck into the WordPress weekly news this week. I've changed the format slightly. So if you notice, for example, that you regularly get the email on, I've taken out the quotes, I've done that really just to speed things up. If you feel disgruntled about that and you think I should put the quotes back into the body of the email or the page on the WP Builds.com website, please let me know. But it essentially, it was a bit of a copy and pasting exercise and so hopefully I've streamlined the process a little bit, but it doesn't, I think make this any less valuable. But let me know if you think it does. Okay, so the first item today under the banner of WordPress core is that now we have Word Press 5.2 beta 2 WordPress 5.2 is due to be released on April the 30th so we're getting close. I think since the last Beta release, there've been over a hundred tickets that have been closed. And so we're still in the Beta testing phase. So if that's something you're interested in and you want to make your voice heard, go and check it out. But very importantly, we've added support for Emoji 12 hurrah. Also, there's a brand new WP body open template tag which allows you to, if you've got a plugin or a theme, allows you to add content right after the opening body tag. Superfluous paragraph tags will no longer incorrectly appear in the dynamic block content and I can honestly say that's good news for me and the site health screens have received several bug fixes and tweaks in performance. We've also got this impending 5.6 0.2 minimum PHP version and that's also being pushed.

Nathan Wrigley: 04:31 But apart from that very minor changes, mostly it was bug fixes, but still if you're into Beta testing, that's important to know. The next article comes from the WP tavern website and it's entitled Gutenberg Team Publishes RFC document on widget block interfaces. This article by Sarah Gooding talks about one of the nine projects for 2019 which Matt Mullenweg spoke about. Um, the idea really is to make it so that blocks are available in the widget area or and in the customizer. In the future, there should be no discernible difference in the way that you edit blocks in the widget area and the customizer area and it really outlines all of the work that's being done to do that. I think the idea here is that people who are unfamiliar with the developments in the, in the block editor really if they're editing things in the old widget area or in the customizer ought to be taken to the new way of doing things so that there's absolutely no disconnect when that capability goes away and when widgets and the customizer finally, finally meet their end.

Nathan Wrigley: 05:36 So it's a very short article, but certainly worth having a look at. Okay. The next two articles come under the banner of community. The first one is again on the WP tavern website entitled Word Session Returns 22nd of May, 2019 speaker application deadline is April. The 19th WordSesh is a online virtual conference which has been going for a few years and how it's been very popular, so much so that it actually spawned like a sub conference called WooSesh, which is a virtual conference for WooCommerce. If you are into speaking at these kind of events and are not able to get on a plane and go to WordCamps, this might be right up your street, but the deadline for submissions is in not not too long. 19th of April, there are some financial stipends, $250 you're entitled to submit two applications with a short video, but there's only going to be 10 speakers so it's going to be fairly competitive.

Nathan Wrigley: 06:35 But if you've got a talk which you've used before and you think that the, the WordPress community might like to hear it. Incidentally, I think the criteria is that it's got to be something which hasn't been talked about explicitly before. Well, go and get your application in and you will hear, I think by the 1st of May, whether or not you've been successful, but some of you budding speakers out there might want to take that on board. The second and last community article is all about go daddy and the fact that they've acquired theme beans, Co blocks, block gallery and block unit tests, whether they did this during the course of this week. Essentially we've got this coalescing of WordPress properties and some of the bigger players, for example, GoDaddy seem to be buying all sorts of things up recently. They, they had a bit of an acquisition round acquiring things like security and various other things.

Nathan Wrigley: 07:25 I think manage WP and WP Curve while they've acquired this new Gutenberg code blocks, theme, beans, Block Gallery and block unit tests from the founder Rich Tabor. And it kind of speaks to me of the fact that they're going all in on Gutenberg and if they've got all of the cool Gutenberg products under their banner, then that puts them in a good position hosting wise, I suppose they've said that they're not going to remove anything from the WordPress repo, so I don't know quite what the premise is here, but it has been bought and rich to boy is now working for and with go daddy. So there you go. More coalition in the WordPress space. Okay. Now this seems to be a massively growing trend. For a few weeks ago I was commenting on the fact that security seems to be growing well this week it's gone. Absolutely. Bananas.

Nathan Wrigley: 08:15 I can't possibly describe everything in detail, so I'm going to keep this as short as possible. Over on the security website, we've got an SQL injection in advanced contact form, sorry, in advance contact forms seven DB, which is a plugin. The plugin I think has been fixed in word in the version 1.6 0.1 but it could still be exploited if you've got an old version. The technical details are that WordPress offers an API that enables developers to create content which can be injected to our web page using a simple short code. The attack vector use to exploit this vulnerability requires the bad actor to have an account on the victim's site. However, it doesn't matter what that account privileges. This is possible thanks to the WP ajax pass media short function defining, defining WordPress core. It's moderately critical. They've described it as dangerous on the website, but if you've got that plugin, you want to go and check it out.

Nathan Wrigley: 09:13 It's on the security website and you know, update it because it's been fixed. So the next couple of articles relate to similar topics. The first one is on the Wordfence website entitled the user, which is why you said, oh, I don't know quite how to pronounce that. Use. Oh, related posts, a zero day vulnerability exploited in the wild a, there is a plugin user related posts which is installed on 60,000 websites which has been uh, there is an unpatched vulnerability which irresponsibly was disclosed. This also seems to be a bit of a growing trend. We have a few security researchers out there who rather than waiting the typical 60 days and telling the plugin developer or theme developer what the problem is, they just go out and publish it. The moment that they've discovered it. This is I think slightly unconscionable behavior, but there you go.

Nathan Wrigley: 10:04 The nature of the vulnerability is that it's using the is admin function to check if a piece of code should be only run with administrative privileges. Well, it doesn't do all the proper sanitization checks and that leads to the possibility to have malicious redirect on uses websites. So it's pretty bad. Now the, the sort of slightly worrying theme here is that it seems to have all the hallmarks of last month social warfare and easy WP SMTP vulnerabilities because it seems to rely on a script hosted at the same IP address. Hello from honi dot org which resolves to 176 123 9 53 so it would appear that we've got either a single hacker or a group of hackers who are really targeting their, their WordPress work towards all of us, which is never good news. The next one which is slightly related is the fact that MailGun, the website that has their, well, their purpose is to have an automated mail service through WordPress websites.

Nathan Wrigley: 11:12 Their sites was defaced attacked if you like because of this hack and you can find out all about that on the zed Di net.com website, but needless to say some, some of the big actors in the WordPress space are falling foul of this. There's another one. If you've got the yellow pencil, CSS customizer, it's a little bit like micro theme or or CSS Hero. There is a vulnerable vulnerability, a zero day vulnerability in that I think that it's been patched, but essentially it allows privilege escalation. You can execute arbitrary code. Um, and the word fence article that is in the show notes talks about exactly what this is and how it works. And yet again, this attack appears to emanate from exactly the same source as the one I was mentioning a moment ago. So more evidence if it were needed that either someone or some people are really honing in on WordPress.

Nathan Wrigley: 12:11 So Shields Up, ladies and gentlemen. Okay. The next one is on the security blog. It's entitled attacks on closed, the WordPress plugins and put simply, it's about the fact that for example, the, the yuso related posts plugin hack meant that, or sorry, vulnerability meant that the, the plugin was shot down on the WordPress.org repo. Well, if I was a hacker and I wasn't the person who caused that plugin to be taken off WordPress.org as soon as it was taken down, sure. As anything, I'd be going to see why it had been taken down. And therefore in a way it's a bit of a signal to hackers that, oh, there must be something about that plugin that means it's been taken off the WordPress.org repo. So the articles suggesting is potentially, is this a good thing? Should we be keeping vulnerable plugins on there? Um, it's a difficult one because obviously you don't want to anybody fresh installing that plugin equally.

Nathan Wrigley: 13:14 You don't want a bunch of researchers, hackers turning their attention to it if, if they didn't know about it already. So an impossible circle to square but worth a read. Anyway. Now last week we talked about the plugin developers over at the PIP Digg plugin. Well, my goodness me, that was a scandal. You know, they were using your website to do d dos attacks on other people's websites. Well then now kind of refusing to refund people very nicely. The hosting provider of the pipdig plugins code has kind of shot down all the malicious bits. But customer requests for refunds are being ignored. The guys who developed the plugin are claiming that the accusations are either false, twisted or sensationalized. But the, the principle is if you paid with, let's say a credit card or something, you might have 180 day window in order to get this fixed.

Nathan Wrigley: 14:13 So you know, maybe if you've got that plugin you should go and check it out. Interestingly, there's quite a few people coming to the aid of people using the pip Digg plugin. So for example, uh, Mark Jaquith I'm going to say has invented the p three neutralizer plugin, which is a plugin that prevents the p three plugin from updating or phoning home. So that's really nice. Also the, there's a bunch of articles which have popped up online. For example, there's one at WP lift mentioned in the show notes, which go on to describe possible alternatives because it would that the, the WordPress theme that pip dig walls was really aimed at the fashion food and travel industries. Well, they've put together an article saying, well, try these ones instead. The problem of course, is that many of the people that use these plugins are not real WorkPress uses it in that sense. They just installed it, they're happy with it and they don't want the, the efforts of removing it and try a new thing because well that's created tons of new work that they are simply incapable of doing. So maybe the p three neutralizer is, is the way to go. But certainly in the future I think it's fair to say the guys that develop that are probably not to be trusted. So finding an alternative for future updates might be worth doing. Okay. Back on the security.net blog. This is SQL injection in duplicate page WordPress plugin. The, the idea behind this one is that essentially if you've got the duplicate page plugin, there's an SQL injection vulnerability, which is never good that it has been updated. So if you've used the duplicate page WordPress plugin, go and update it, but it's trivial to exploit.

Nathan Wrigley: 16:01 That's why it's in this case, so dangerous because it's an easy one to exploit. Uh, I will not go into the details of this, but again, it's about sanitizing the admin action hook and a or not as the case may be. So if you've, if you are cloning pages with that plugin, go and update it right away because there is that an SQL injection vulnerability around there. Okay. Tons of plugging news this week. So the next bunch are all under that banner. I'm going to keep this really quick word. Sorry. WooCommerce 3.6 release candidate two removes the marketplace suggestions. A couple of weeks ago they threw this in. Essentially if you are using the the WooCommerce 3.6 release candidate one you were getting what felt like advertisements in all sorts of places on your website. This was completely on announced. Nobody knew it was coming and feed people got really cross about it, especially as it felt like a, another way of monetizing the platform.

Nathan Wrigley: 16:59 And so it would appear that that has been removed in release candidate two very similar article. This though is about Jetpacks 7.1 0.2, they've removed their promotions, uh, for paid upgrades from this plugin search screen. So if you're using jetpack, various similar idea, you were getting paid adverts when you did ordinary searches for things like backup plugin. And that has also been removed. They realize this was a mistake and they've taken that down. So that's all the better for the community. I would say the WooCommerce bookings plugging 1.1 4.0 has a new rest API. Uh, I could go into the details of this, but I'm not going to. But if you are a user of the bookings plugin, there is a new rest API which enables you to get all sorts of interesting data out of it. Tool set a couple of articles about this.

Nathan Wrigley: 17:55 The first one is that they've got a new block editor, uh, capability. The article on their blog isn't tough. New Integration with the block editor offers rapid visual design and dynamic content. There's a video, it's not very long, it's a few minutes long, but it shows you how there's new design elements with Toolset. Their layouts plugin is not going to be abandoned. Amir came into the WP Builds Facebook group and made it very clear that that was not going to happen. It's going to be continually developed. But the idea is that with page builders, it was limited functionality with Toolset. However, with the block editor going forward, everything is going to be on the table. And so they've integrated with the block editor and they've got quite a few new design element. So if you're a Toolset user, go and check this out. Certainly worth looking at. In a sense, it kind of means that you can do more with Toolset going forwards.

Nathan Wrigley: 18:49 And speaking of Toolset, the next one is on the same blog Toolset types removed from WP org where to download and what's coming and they have removed Toolset, um, types, which was a free plugin in the WordPress.org repo for a variety of reasons and it spells out what they are and makes a fairly coherent argument for the, the difficulty in supporting people who were using the free version and how much that support was costing. And they go on to say, you know, this plugin is going to be updated. It's, we're now on a hundred percent premium model. So it kind of made sense to go down this route. But check it out. Actually speaking of which, I am actually going to be talking to Amir this week and pushing a little posts out quickly because I'm interested in this and what their reasons were. So stay tuned next week for that.

Nathan Wrigley: 19:43 Okay. David Vongries, a longtime friend of the podcast has pushed a new advanced blog layout option for the PR. It's a premium add on for the page builder framework. He's got a four minute video online where he shows all of the, all of the options or the customization options and essentially if you using the page builder framework or want a really quick way to make your, your blog archives and so on, look fancy masonry and so on and so forth is all there. You know, you just drag sliders and change padding and margins and all of that and it looks very cool and, and you know, if you're using that plugin, uh sorry that a theme code, check it out. Breezy 2.0 has rolled over and now you've got the capability to white label. Not much more to say really, you need a pro license, but you can now activate it.

Nathan Wrigley: 20:33 They've got quite an interesting way of activating it and there's not like a check box in the back end. You've got to add something to your functions. Dot Php file, which means that then the capability to interact will, um, will appear if you remove it, when you log out of that session, those capabilities will disappear. So it's a kind of bulletproof iron floodway that your clients will never be able to see that you've been using breezy, which is quite nice. And you can, you can basically white label everything so that wherever the word breezy appears, you've now got a whatever branding is that you've chosen to, to use WP rocket 3.3 has come around. This is all about lazy loading images. Essentially in the past they were only able to lazy load a certain proportion of the images, anything inside the image tag. But now they've added capabilities, meaning that they can hook into a load more stuff.

Nathan Wrigley: 21:27 So if you're using WP rocket, your images should load a lot faster from now on. Okay. The next three are under the banner of WP Builds. The first one is the fact that we released a podcast with Joe Casabona talking about his creator courses this week. It's really interesting. He's a blogger, he's a coder, he's a creator of courses and we had a nice long chat with him and you can get yourself 30% off if you go to the page and look at his courses, but it was a lovely little chat. We also had a couple of webinars this week and they've been recorded and put on the WP Builds website and I've linked to them in the show notes. We had one with a Arindo Duque, the creator of the WP admin pages pro where he showed us inside and out how his new plugin works. It enables you to customize every single thing within the WP admin.

Nathan Wrigley: 22:17 So for example, you might want to remove certain items and add other items and it allows you to do all of that with a page builder, so it's remarkably easy to create really bespoke admin pages. Strongly recommended, really liked that plugin. If you've got any thoughts of doing that, then go check it out. And the other one was I was chatting to Mor Cohen about her design class course and she goes into, uh, an in depth process of how to build branded beautiful branded websites on a webinar that we also did this week. So you know, if, if design is not your thing and you'd like to know what her course is about, then go and check out that Webinar. Very, very nice indeed. Couple of things. Okay. Then last one today, which has nothing to do with WordPress at all, is about the fact that wow, we photographed a black hole and on the BBC website this week, they talk to Katy Bouman, who is an MIT researcher. She's 29 years old. And she was the person that helped develop the algorithm, which enabled this photography to take place utterly breathtaking that we have now seen, actually seen a black hole. And there's a picture on there, it looks a little bit like a, a polo mint, which is around mint with a hole in the middle. But instead of it being white, it's kind of fiery, orange and red, but absolutely breathtaking. We now know what they look like and no doubt this stuff will only get better.

Nathan Wrigley: 23:46 Thank you for listening to the WP Builds newsletter this week. I hope that you got something out of it. The WP Builds newsletter was brought to you this week by Kinsta can Kinsta takes managed WordPress hosting to the next level, powered by the Google cloud platform. Your site is secured like Fort Knox and runs on speed obsessive architecture. You get access to the latest software and developer tools such as PHP seven ssh and staging environments, and the best part, their expert team of WordPress engineers are available 24 seven if you need help, you can migrate today for free at Kinsta Dot Com and we thank Insta for their support of the WP Builds podcast and if you'd like to join them, go to Kinsta dot com forward slash advertise. Okay. That's it for this week. I hope you got something out of it. Like I say, join us on Thursday for a new podcast episode, and if not, we'll see you back here next Monday. Bye Bye for now.