WP Builds Newsletter #93 – WordPress 5.3.1, plugin vulnerability and Compress or Die


This week's WordPress news – Covering The Week Commencing 9th December 2019:

WordPress Core

WordPress 5.3.1 Includes Security and Bug Fixes, Accessibility Enhancements, and Twenty Twenty Changes

Gutenberg 7.1 Includes Welcome Modal, Improves Multi-Block Selection, and Adds Drag-and-Drop Featured Images


Twenty Twenty: animated scroll changes in WordPress 5.3.1

Community

WCEU talk and workshop proposals – Tips and advice for your submission

Designing the new WCEU identity: the journey


Plugins / Themes

Toolset Blocks 1.0 – Build Beautiful Dynamic Sites Quickly and Easily

PowerPack Update: Introducing Five Brand New Modules

Zero BS CRM 3.0 Improves UI, Changes Database Structure, and Becomes More Extendable

Elementor – Monthly Template Kits #5: The Travel Template Kit
plus New Color Picker & Dark Mode

Using Easy UIkit Flexbox on Beaver Builder Rows

WP Offload SES 1.4 Released: Email Health Report

PublishPress Checklists now has a free version on WordPress.org

Introducing ShareABlock: Brand New Way to Share and Download Free Gutenberg Block & Template Designs

Deals from this week

Yoast holiday calendar

Security

Ultimate Addons for Beaver Builder – Important Security Update!
the same for Ultimate Addons for Elementor
More on this from WebARX

WP Builds

158 – Keeping WordPress secure with Ryan Dewhurst from WPScan

Piccia Neri’s monthly Live UI / UX review

Win a WP Forms Pro license with WP Builds

Jobs

Nothing this week.

Not WordPress, but useful anyway…

What’s powering conversational search? Featured snippets, structured data and actions

Chrome now warns you when your password has been stolen

Compress or Die

Nathan writes posts and creates audio about WordPress on WP Builds. He can also be found in the WP Builds Facebook group.

The WP Builds podcast is sponsored this week by…

Kinsta
and
AB Split Test – The fastest way to create Split Tests in WordPress
and
The WP Builds Deals Page

We thank them for their support of WP Builds.

Transcript (if available)

These transcripts are created using software, so apologies if there are errors in them.


Nathan Wrigley: Hello there. Good morning and welcome to this, the WP Builds weekly WordPress news. This is number 93. It covers the WordPress news for the week commencing the 9th of December, 2019, and it was published on Monday the 16th of December, 2019. My name's Nathan Wrigley. A couple of bits of housekeeping before we begin. If you wouldn't mind heading over to WP Builds.com forward slash subscribe, over there you're going to find all the ways that you can keep in touch with what we do at WP Builds. So it's things like subscribing to our email lists and finding our Facebook group and our YouTube channel and subscribing on your favorite podcast player, all that kind of stuff. The other pages that I would alert you to are WP Builds.com forward slash win. At the moment we have a pro WP Forms license, which is being raffled away, so that's forward slash win. The other one is WP Builds.com forward slash deals. Now that Black Friday is over, we're struggling to get those percentages off, but there's quite a few over on that page. So check that out. That's forward slash deals. And the last thing I want to mention is WP Builds.com forward slash advertise, if you would like to advertise on WP Builds and get your product in front of a WordPress audience, a bit like Kinsta have done. Are you tired of unreliable or slow hosting? If so, check out Kinsta, who takes managed WordPress hosting to the next level, powered by the Google Cloud Platform. All their plans include PHP 7, SSH and 24/7 expert support, and you can migrate today for free at dot com. Okay. Before we just crack into the news, I would alert you to the fact that at 2:00 PM every Monday, that is to say 2:00 PM UK time, we do a live. You can find that in the Facebook group, WP Builds.com forward slash Facebook, or over on forward slash lives.
WP Builds.com forward slash live, and it's a lively debate between three or four WordPressers, some special guests, and we do it all live on video. Come and add some comments. It's great. Right. Let's get on with the WordPress news for this week. We always block our WordPress news into various categories, and the first one is always WP core, WordPress core, and the first article I've got today is written by Justin Tadlock over on WP Tavern, or WordPress Tavern is what it now says. WordPress 5.3.1 includes security and bug fixes, accessibility enhancements, and Twenty Twenty changes. So hopefully by now you have rolled over automatically to WordPress 5.3.1. If not, go and do so right away, because there have been 46 bug fixes and enhancements. It's classified as a security and maintenance release, and the following security issues were addressed: users without the correct permission could make a post sticky via the REST API; an issue where cross-site scripting (XSS) could be stored in links; hardening the wp_kses_bad_protocol function so that it is aware of the named colon attribute; and a stored XSS vulnerability using block editor content. So they were the security things that were released. Also, there were quite a few accessibility problems, allegedly, when 5.3 came out. There were some misaligned buttons. That is to say, all the buttons in the admin UI were not the same, and that's been corrected. Also, if you chose to have a different color scheme for your WP admin area, in some cases the buttons were just simply so difficult to see that, you know, you basically couldn't identify them as buttons at all. So that's all been changed in various ways. So also the Twenty Twenty theme has been updated. There were problems with the smooth scrolling for links inside of comments with pagination enabled, and that's been fixed.
So all in all, a bunch of amendments, but nothing that you need to particularly worry about so long as you are up to date. The next piece that I've got for you today also comes from WP Tavern, entitled Gutenberg 7.1 includes a welcome modal, improves multi-block selection and adds drag-and-drop featured images. So yeah, it looks like Gutenberg is being developed at a real pace at the moment. Since the last version there's been a total of 161 pull requests. Over 20 bugs have been squashed. And this is in a period of just a matter of weeks really. So it's really going at a pace, which I really like. So we now have a welcome guide, a modal. So the idea of this is that when you open Gutenberg for the first time, it will give you a pop-up. And at the moment it's only got three steps in it. It really isn't all that helpful, says Justin Tadlock. It needs to have links to more comprehensive documentation, but really the idea is just to show what could be possible. So I guess it's a little tutorial. Here's what a block is, here's what it does, here's how you implement it, and so on and so forth. So that's nice. And hopefully in the future it will, like I say, link out to much more sophisticated and nuanced documentation. The next thing in this article is all about improved multi-block selection. I don't know if you've ever tried to copy and paste from multiple blocks, but the output can often have the sort of separators, if you like, for want of a better word, the commented-out HTML for the parts between, let's say, two paragraphs. Well, now you'll be able to obviate that and you'll be able to paste correctly. And hopefully in the future you'll be able to do kind of half of one paragraph and half of another with appropriate keyboard shortcuts. That would be nice. We also now have the ability to drag and drop featured images. You simply click on the image and pull it to another place, just like dragging and dropping an image in an editor.
So that's quite nice. And we also have limited table captions, which although limited, is at least the beginning of having, having this set ups a year old ticket. And now you can also align the navigation blocks. So for example, you can justify the items. So when I say navigation, not the whole block, but the items within the navigation. So all of the links can be central and left aligned and right aligned. That's quite nice. And we've also got some new guidance about the somewhat controversial proposal for full site editing templates that came out last week. So certainly a lot going on with Gutenberg, and it's going on at a real pace. So this is all for the good. I mentioned very briefly, just a moment ago, the fact that WordPress itself has been updated to 5.3.1, and the Twenty Twenty theme had an amended property as well at the same time. So the scrolling behavior, if you want to scroll to anchor links, has been moved from a fairly complicated, to my understanding, JavaScript-based approach to a much more simple CSS approach. And I've linked to an article on make.wordpress.org entitled Twenty Twenty: animated scroll changes in WordPress 5.3.1. So if you've been having trouble with smooth scrolling to anchor links, then hopefully this will fix that issue. The next section for the news is WordPress community, and I've got two articles for you today, both from the WordCamp Europe 2020 website, 2020.europe.wordcamp.org. The first one is for those of you who are thinking about applying for a talk, and I'm sure many of you will be. This is an article about tips and advice for submitting your talk. So obviously there's more people applying for talks than are available slots. And so, as an example, there were 453 applications in 2019 from 267 speakers. And clearly there aren't that many slots available. So in this article,
it basically goes on to talk about how it is that you can apply most effectively, how you might lay out your proposal, what format it might take, how you're going to express what it is that you're going to talk about. Essentially all of the detail that you need to put in there. It's not very long. It's about a five to 10 minute read. And probably, if you are thinking about it, you ought to read this because it will certainly assist you in getting accepted. The next article, which is on the same website, is all about the logo journey, the journey to get the WordCamp Europe 2020 logo done. I love pieces like this. I'm such a bad designer that it's real insight and novelty for me to have that bit of insight into how these kinds of things are done. It starts out by saying, here's some photographs of the kind of place that we're going to. And then from there, the inspiration that was taken to get a much more binary representation of the logo, and then finally iterating through kind of pens and pencils and ending up with the final logo. If design is your thing, I'm sure that all of this will be entirely obvious, things like branding and fonts and so on, but for somebody like me, it's really, really fascinating. So yeah. Next up we've got plugin and theme news, and there's really quite a lot that's happened this week actually, but the first one is over on the Toolset website. It's entitled Toolset Blocks 1.0: build beautiful dynamic sites quickly and easily. And in this article AMEA has made a video available in which they show you how you can use the Toolset Blocks functionality to visually create views of your own choice. It's very, very simple to do. You can do it all in the Gutenberg editor. So for example, you can create an archive page, and everything that you do is done in real time and you can see how it's changed and so on and so forth. Then of course you can add your custom HTML if you choose to go in that direction.
So it's just a nice little way of explaining that they've moved out of the beta phase. They believe this is now stable and they're into the, you know, the 1.0 release cycle. So if you're a Toolset user, definitely go and check that out because it certainly makes building, well, dynamic websites nice and easy. And the examples that they've done are very straightforward to follow. The one after that that I've got for you is an update to the PowerPack plugin for Beaver Builder. They've introduced five new modules, and I think this is absolutely fabulous. Instead of putting them out one at a time, they've got five all in one go. So now with PowerPack for Beaver Builder, you'll be able to have a file download option, which is, you should be able to have the ability to assign a file and have a button which you can style in order to allow people to download it from a certain page, which is nice. They've also added the ability to style WP Fluent Forms. It had a lifetime deal on offer recently and lots and lots of people bought it. But the output is generally not as clean and tidy as you might hope, and wrangling the CSS for that can be a little bit difficult. So they've now got a module to do that. They've also added a star rating module, exactly what you'd expect. You can show star ratings. An author box module, so that you can show kind of an image of an author with some text underneath. That's a little bit of a straightforward one. And then finally, the reviews module. So again, it's a little bit like the star module. You can show kind of what people think about certain things on your website, be that, I don't know, products or the quality of your website building service. Who knows. Several months ago now, Automattic acquired a plugin called Zero BS CRM. So CRM obviously stands for customer relationship management, so it's software to keep track of all of your customer interactions.
Well, Automattic acquired this, and although there were only a thousand or so installations at the time, I think they decided that the quality of the product, the quality of the code, was definitely worth having. And obviously you can imagine that Automattic having their own bespoke CRM would be quite useful. Well, they've come out with 3.0 just in the last week, and Justin Tadlock over at WP Tavern explains the key updates. So for example, they've moved their database structure. So rather than having everything in sort of meta of a custom post type, they've now got their own database tables, so that hopefully will speed things up. Because of this, they've also been able to have their own admin UI without other things like SEO plugins injecting things into the UI. And although the admin UI doesn't really look too much like WordPress, I still think it's really very attractive. So that's quite nice. And the fact that they've abstracted the database into their own tables means that in the future, hopefully, it will be much more extensible and, you know, people will be able to wrangle the code and do all sorts of interesting things with it. Then the article goes on to talk about how the move from Automattic has gone, and by the sounds of it, it's all gone very swimmingly. So yeah, if you're looking for a CRM, this might be worth checking out, as everything is held in your WordPress database. Two items this week from the guys at Elementor. The first one is to say that they've released another of their monthly template kits. So each month they release a whole ton of templates, all under the umbrella of one generic idea. And this time around, it's the travel template kit. So if you follow the links in the show notes, you can get to how they think a travel-orientated website may look. And you can just simply click a button and download entire pages and all of the different elements. So that's really nice.
And it says there are 15 tailor-made elements that you can simply download, which is really nice. Go and have a look at that page and you'll see they're always very tasteful. I really rather like them. The other thing coming from Elementor this week is they've moved out of beta. We mentioned it last week or the week before, I can't remember. They've got a new color picker and a dark mode. The best bit about the new color picker is that you can simply click a plus button. Let's say that you've selected a particular shade of green, you can then just click a plus button and it will be added to your custom palette from that moment on. So that's a really nice, easy way of doing it. And you just do that over and over and over again. And you can also get rid of unneeded colors, so you can just drag them into the recycle bin, and you can also rearrange that palette so you can move things from left to right. And, simply put, a dark mode. You've seen this just about everywhere in things like Mac, iOS, and probably on your phone. Then Elementor has got exactly the same feel. All the panels changed from being primarily white or gray to being a very much darker gray or black. It looks really, really nice. If you're a Beaver Builder user, you may be interested to watch a video that Beaver Plugins have released this week. It's entitled Using Easy UIkit Flexbox on Beaver Builder Rows. Well, if you know anything about Flexbox, you'll know how mightily powerful it is for positioning things and, well, essentially all of the amazing things that you can do with that to move things around and have things dynamically fill in to certain parts of your website. Well, the guys over at Beaver Plugins have got UIkit Flexbox so that you can now do this by altering the classes on Beaver Builder rows. I'm going to find it almost impossible to describe how it works.
So I would just say, if you're using Beaver Builder and you wish to have Flexbox functionality in there, then go and check out this video. It's very, very close to 20 minutes long, and it will explain exactly how all of that works. Delicious Brains have a product called WP Offload SES. It's a plugin which enables you to, instead of sending emails from your own IP or server, send them out from Amazon's SES, Simple Email Service, platform. And this week they have announced that they've released version 1.4 of the plugin, and they've enabled something called the health reports. And the idea is that they will send you a daily, a weekly or a monthly summary of all of the sort of stats related to how those emails are going, whether they're being opened and so on. Now you can send this to multiple recipients, and the health report simply lists out the subject line of the email it sends, how many have been sent, how many have been opened, and how many things have been clicked, that kind of thing. So it's a nice, straightforward little table-based layout of all of the things. And it looks as though you might be able to view a more fully featured report, because there is a link in there which is entitled view full report. Anyway, it just looks like a nice update if you're using that plugin. If you work as part of a content team or you are in charge of a content team, then this might be of interest to you. PublishPress have now made their PublishPress Checklists plugin available for free on wordpress.org. Previously, you had to have the premium version of their plugin to receive this. Essentially what it does is it enables you to create a set of criteria, and unless they are all fulfilled, the post will not be able to be published. So a very simple example might be that you have included at least two tags, say something between two and five tags, that it has a thousand words or more, that you've added some categories,
all of those kinds of things. It can even check to make sure that you've spelt WordPress right, dang it. And so on and so forth. And as you go through and make these things happen, little red crosses turn into green ticks. So in other words, once you hop over, the two tag marker goes from red to green. And then finally, if you turn all of the requirements to green, then the publish button becomes available. Up until that point, there's a little, like a warning sign, like a no entry type sign. So the kind of things that you can do: well, you can check that the excerpt has text, you can require a minimum or maximum number of categories, same for tags, same for words, and you can also require a featured image. So yeah, nice plugin. And it's really, really great that they've suddenly made this completely available for free. Deals of the week. We have to mention these kinds of deals. The only one I've got for you this week is the Yoast holiday calendar. If you click on the link in the show notes, it's kind of like an advent calendar. At the time that I'm reading this, we're onto number 16 and many of the others have expired. You can imagine, it's like opening one each day. So really it's just a little bit of a fun gimmick to get you in the Christmas spirit. But also they're offering things like Yoast premium on certain days for a significant saving, and they're offering contests on other days and advice and tips and tricks on other days. So that's all I've got for you, except of course WP Builds.com forward slash deals, where there are deals 365 days of the year. Next up, we touch very lightly on the security news. In fact, I'm only going to touch on one piece of security news this week, which no doubt you will have heard about if you are a user of Ultimate Addons for Beaver Builder or the similar Elementor product, Ultimate Addons for Elementor. This week, they've been sending out lots of emails.
I'm trying to get you to update to the latest version of those plugins. You should by now hopefully be on version 1.0, 2.0, sorry, 1.20.1 for the Elementor plugin and 1.24.1 for the Beaver Builder version of the product. And I've also linked to an article on WebARX entitled Critical vulnerability in Ultimate Addons for Elementor and Ultimate Addons for Beaver Builder plugins. And the attack appears to have begun, at least from WebARX's perspective, on the 11th of December, and how that. The problem is that there is an authentication bypass. The plugins allow people to log in using a regular username and password combination or using Facebook and Google logins. However, the Facebook and Google authentication methods didn't verify the returned token, which would have come from Facebook and Google to sort of clarify that everything was hunky-dory. So basically there was no password check, and this was exploited. And what happened was, whoever the mysterious actor is, the malicious actor in this case was able to log in using the at the admin, and then from there they were able to install a plugin, and that plugin then created a backdoor, gaining root access to your website. And from there, obviously anything at all can be done. So I would really, really urge you to get those plugins updated. And there are some links in the WebARX article which link you to the response from Brainstorm Force, who are behind those two plugins. Okay, now it's the blatantly self-promotional WP Builds bit. Three things for you this week that we've done. We put out a podcast episode, which is number 158. It was with Ryan Dewhurst from WPScan, and in it he talks about, well, WPScan and all the things that they do over there. There's a lot more to WPScan than meets the eye. There's the free version, which is kind of like a command line utility. There's the
premium version, which is WPScan.io, and there's also their WPScan vulnerability database. Ryan is a serious advocate of security in WordPress, and so this talk is all about that. Why do hackers hack things? What do they hope to gain from it? What kind of things can we expect in the future, and so on and so forth. So I'd urge you to listen to that. He's a really, really interesting guy. The other thing that we did was we had a UI and UX review from Piccia Neri. We went through two websites in great detail, and lots of people were making nice comments about how useful that was whilst we were actually doing the live video. So as always, you can submit your own site at WP Builds.com forward slash UI and see what Piccia thinks of those. And the last one, which I've already mentioned, is we've got a WP Forms Pro license going on at the moment. Go to WP Builds.com forward slash win and enter the raffle competition over there. That's it for the WordPress news this week, but we have three articles that are under the section of not WordPress, but useful anyway. The first one is over at Yoast, which is obviously a WordPress company, but this one is all about voice search. So, entitled What's powering conversational search? Featured snippets, structured data and actions. Now, it's maybe not occurred to you, but when you do a search on your Google Home or your Siri or what have you, you can't exactly present the user with a whole array of SERPs, so you can't list like 10 things. Essentially the idea is that you would return the single most useful result and that will be the definitive answer. And obviously Google et al are trying to make this a, well, a reality. Yoast say this isn't happening as quickly as possible. And then the article goes on to say things like, well, how do Google present this data? How do they get their data? Where are they searching from and what kinds of things can you include on your site?
Like for example, just schemer matter, and then going on to explain how you actually perform these searches on those devices. Now, if you really believe that in the future voice search is going to be key, then you really need to be in the top one of the results. So maybe this is something in the vanguard for the future, but obviously Yoast are taking it seriously. Maybe go and read the article. If you've ever had a password stolen or in some way extracted from something, then you'll know how annoying that can be. Well, Chrome is trying to make this a little bit easier for you, and on The Verge we have an article entitled Chrome now warns you when your password has been stolen. This is Chrome 79. Now, in the past they were able to do this, but you had to have an extension installed into your Chrome browser. But from now on, this is going to be part of the core version of Chrome. You can sort of fiddle with this functionality in the sync settings in Chrome, and it uses a technique called private set intersection with blinding to figure out if your password has entered one of the many stolen password databases. I'm not sure what it is that they do at that point, whether they pop up some kind of warning, because it's a very, very short article, but it's just quite nice that Google, in an anonymous way, with a, you know, zero knowledge way, are letting you know that, hang on, it would appear that your random password has popped up somewhere, so you might want to go change that wherever you've used it. The very final one for you today comes from a post in our Facebook group. I apologize, I can't off the top of my head remember who posted this, but this is fabulous image compression for free on the internet. It's called compress or die.com, and there are hyphens between the words compress, or, and die. So two hyphens, and this is just a fabulous suite of image compression tools.
Essentially what you do is you open up compress or die.com and drag an image onto anywhere in the page. It then uploads it, and then you can do a JPEG or PNG, a GIP, a GIF, or a WebP image, and then it gives you a whole ton of options for how you would like the output to be viewed. So, for example, you can downgrade its size right down to 1% of its original size. You can make it sort of blurred. You can have different compressions. So for example, you could turn it from RGB into grayscale. You can have progressive or baseline structure. You can make the output image Photoshop compatible. I'm not sure exactly what that means. You can alter the brightness, the color quality, the aspect ratio, all sorts, and transparency background color as well. It's just fabulous, completely free. And it uses a load of quantification tables. So for example, you can use JPEG, annex flats, custom, and it just loads, ImageMagick and so on and so forth. And I just think it's fabulous. So whoever it was, thank you for sending this my way. Obviously it's a bit more manual than using a plugin to do this, but if you're only doing one or two images every so often, this seems like a very credible way of doing it. Okay. That's all I've got for you this week. I hope you found some of that useful. I always appreciate it if you are able to communicate with me in some way. Leave a comment somewhere and just let me know that you find this useful. Five-star iTunes reviews, I'm not even sure if it's called iTunes anymore, but those iTunes reviews are very, very well received. The WP Builds news is brought to you today by Kinsta. Kinsta takes managed WordPress hosting to the next level, powered by the Google Cloud Platform. Your site is secured like Fort Knox and runs on speed-obsessive architecture.
You get access to the latest software and developer tools such as PHP 7, SSH and staging environments, and the best part, their expert team of WordPress engineers are available 24/7 if you need help, and you can migrate today for free at dot com. Okay. Join us on Thursday for the podcast. Join us next Monday for this again, the WordPress weekly news, but it'll be obviously fresh news from the week that's about to begin, and join us at 2:00 PM UK time if you would like to have a live chat, a live video of the news with myself and two or three other WordPressy people. You can comment and hopefully we'll put some of those comments on the screen. That can be done in our Facebook group, WP Builds.com forward slash Facebook, or WP Builds.com forward slash live. Right. Thank you for your attention. I hope that you enjoyed it and I will say bye bye for now.
