WP Builds Newsletter #102 – WordPress 5.4 beta 2, multiple security threats and Mac less safe than Windows

This week's WordPress news – Covering The Week Commencing 17th February 2020:

WordPress Core

WordPress 5.4 Beta 2


The JavaScript for WordPress Conference – July 8-10th, 2020

Toolset job board is now live

WooCommerce Partners With Square to Expand Services for CBD Merchants

Plugins / Themes / Blocks

WooCommerce – no more multiple site licenses anymore

Appsero – Killer WordPress Analytics, Licensing & Deployment Tool

Introducing Theme Style: We’re Bringing Global Theme Design Into Elementor


LifterLMS Groups

WP Data Tables Lifetime Deal – $49

Wishlist Member Lifetime Deal – $49


Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites

Critical Issue In ThemeGrill Demo Importer Leads To Database Wipe and Auth Bypass

Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild

Vulnerability in wpCentral Plugin Leads to Privilege Escalation

iThemes Security – WordPress Disaster Week

167 – How I use Agile and WordPress to launch a minimal viable product with Marius Vetrici

Latest UI / UX review with Piccia Neri


Kinsta – Social Media Manager

Possible resource for finding developers

Not WordPress, but useful anyway…

Sorry, Mac owners, a new report says Windows PCs are safer from malware

Ring, 2FA, and a Win for Consumers

Firefox 75 gets lazy loading support for images and iframes

California court says Apple Store workers must be paid for time spent waiting to be searched

Google users in UK to lose EU data protection – sources

Transcript (if available)

These transcripts are created using software, so apologies if there are errors in them.

Nathan Wrigley: [00:00:00] Hello, good morning and welcome to this, the WP Builds weekly WordPress newsletter. This is number 102. It covers the WordPress news for the week commencing the 17th of February, 2020, and it was published on Monday the 24th of February, 2020. My name's Nathan Wrigley, and a few things just before we begin, a few ways of keeping in touch with all that we do at WP Builds, and we do produce quite a bit of content each week.
Head over to WP Builds.com forward slash subscribe. And if you do that, you will be presented with all sorts of ways that you can stay in touch. A couple of newsletters, one of them is going to alert you to new posts. So for example, podcasts on a Thursday and the news that you're listening to right now on a Monday, but there's also a deals option as well.
You can subscribe to our deals newsletter, and if you do that, we will give you a little email each time we come across a WordPress deal. There's also options to subscribe to us on your favorite podcast player. Join our Facebook group of over 2,400 WordPressers. It's very, very friendly and there's a bunch of other options as well, and you can go and check those out.
The other one I was mentioning, deals: WP Builds.com forward slash deals. Over there, you're going to find a filterable, searchable list of WordPress deals, coupon codes for notable WordPress products. So you may be able to get 10, 20, 30 or more percent off. So if you're in the market for something this week, head over to WP Builds.com forward slash deals and you never know.
You might pick something up. The last one is WP Builds.com forward slash advertise. If you have a product or service and would like to have it put in front of a WordPress specific audience, then go and fill out the form on that page. And you never know. You might be on the podcast a little bit like Kinsta.
Are you tired of unreliable or slow hosting? If so, check out Kinsta, who takes managed WordPress hosting to the next level, powered by the Google cloud platform. All their plans include PHP 7, SSH and 24/7 expert support, and you can migrate today for free at Kinsta dot com, and we do thank Kinsta for helping us put on the WP Builds weekly WordPress newsletter.
Speaking of news, let's get stuck into it, shall we? We always divide our news up into different sections, and the first section is always WordPress core. One item this week, WordPress 5.4 beta two is the post title on wordpress.org and it's telling us that there is a new beta version. This is not to be tested on a production site.
You might just want to go and play with it on a staging site. Since beta one, which was not that long ago, we have had 27 bugs fixed, and it's minor things. So for example, there's been some amendments to the block editor. Columns in the block library that have unassigned width will now grow equally. The custom gradient picker now works in languages other than English.
There's a few other minor things to do with the block editor as well. Also to do with privacy, the privacy requests form fields have been adjusted to be more consistent on mobile, and a whole bunch of other stuff. So 27 bug fixes, pretty minor, and yep, all moving forward to WordPress 5.4 in the near future.
The next section is entitled community. Three pieces for you this week. The first one [email protected] this piece entitled the JavaScript for WordPress conference. Zac Gordon is running another JavaScript for WordPress conference. There was one last year. It's going to be running from the eighth to the 10th of July,
2020, and it says the JavaScript for WordPress conference is three days of workshops and talks all focused on JavaScript as it relates to the WordPress CMS. It's a very short page because essentially it's just a way of gripping your email address to express that you're interested. So if you are, and you want to be notified about future updates for this conference,
there's a registration form sort of halfway down the page, but yeah, maybe time to put it in the calendar. Eighth to the 10th of July this year. The guys over at Toolset have something new for you this week. If you are using Toolset, you may have discovered that it's very capable, very flexible, very powerful, but there may be parts of it that you don't quite understand.
And so they've launched the Toolset job board, which is now live. It's a completely free service, but basically, if you're using Toolset and you wish to have something done and it's beyond your means to do it, you can now register for this job board, post a job, and the vetted contractors will be able to make bids.
As I said, it's completely free, and Toolset have gone to the lengths of deciding who is going to be on the platform bidding as a kind of professional contractor. It says all contractors listed on toolset.com are carefully vetted to make sure that they're the best at what they do. So that's nice if you are using Toolset
and you are struggling with something and you would just like it fixing and are willing to pay for it. This is a, is a really nice novel idea. So well done guys. The final piece in the community section is our quirky article over on WP Tavern. Justin Tadlock writes, WooCommerce partners with Square to expand services for CBD merchants.
I confess, I was not that sure what CBD in this sense meant, but it stands for cannabidiol, which is things basically derived from cannabis. Now, in this case, it's not the, the properties which have psychoactive effects, things like THC and so on. This is the, the stuff which you can extract from cannabis and it has apparently therapeutic effects, but it also brings with it a whole load of legal gray areas.
Apparently in the United States, the selling of this type of product was made legal last year. However, there are some jurisdictions within the United States where it is still not legal to sell this, so they have partnered with Square to take away some of the problems. Now, the article, I would suggest that you read it in its entirety because there are still restrictions and there are still problems.
So for example, you're not allowed to connect to any Automattic, with the two T's, service because they, in their terms and conditions, simply don't allow merchants to sell this through their, through their infrastructure. So you've got to be a little bit careful. So you can't use wordpress.com or WooCommerce.com, you've got to have your own self hosted store. Anyway,
if you are into this, or have a client who is trying to sell CBD or hemp derived products, go and check it out. Square, now there's an option that you can use to process payments. It isn't as simple as just signing up. You've got to be vetted by Square, and that is to say you have to prove that you are entitled to sell these products legally.
But yeah. What a what a strange article and a WooCommerce being used to sell CBD products. The next section is all about plugins, themes, and blocks. And the first piece I've got for you today is actually a post in our Facebook group. You can find that by the way, at WP Builds.com forward slash Facebook and Chris Hughes has discovered that WooCommerce extensions are going to get a little bit more expensive because from now on, there are no more multiple site licenses.
There's quite a few comments, 39 comments as I'm reading this out just now, and quite a few people saying that, yeah, they've discovered this too, and you're not going to be able to take multiple licenses from the store anymore. At the moment, you have to go and add them individually to the cart, and so it's going to be a little bit more expensive.
Anyway, there you go. Have a look at that post and you'll be able to decide for yourself what you think about WooCommerce's new pricing option. This next one is completely new to me because I think it's actually brand new. It's called Appsero, A P P S E R O. Again, link in the show notes, and it's a licensing tool.
So they're describing it as the killer WordPress analytics, licensing and deployment tool. And the idea is that you, you purchase this, it's in beta at the moment, and that means that it's completely free during the beta time, there's going to be no charges. And so it says, why use Appsero, and it says you can deploy fast, like really fast.
It's completely free whilst it's in beta and you get a ton of data visualization as well. So it handles things like software licensing. So if you're a plugin author, you obviously are trying to, going to license the premium versions. And there are several ways that you can do that. There's things like freemium and of course, Easy Digital Downloads, those kinds of things.
So this is another option, which is a little bit like that. They can be deployed automatically, your updates, via GitHub, Bitbucket or GitLab. There's no limits. It's, well, they say that they can also sync data right out of EDD, WooCommerce or Envato. So anyway, if you are a plugin author and you've kind of grown frustrated with the way that you're doing your licensing and getting data about how many installs and uninstalls, that kind of thing, then maybe go and have a look at
Appsero. One of the difficulties of using WordPress is there's so many ways to edit things in so many places that you can go in order to update colors of buttons and so on. And page builders have been trying to get to the point where they're tackling this properly, and Elementor have a new post from Ben Pines entitled Introducing Theme Style:
We're Bringing Global Theme Design Into Elementor. This is talking about version 2.9, which has just launched, and it allows you to globally alter headings, backgrounds, images, buttons, and more. There's a video at the top. It's very, very short, but it enables you to get an understanding of how this will work.
Essentially, there is a theme styles panel, and over there you can change globally things like the typography, the color of the different H tags and the color of different buttons and the rounded cornerness of different buttons and so on and so forth. So it's really looking very, very straightforward.
Essentially click a few buttons and everything on your entire site will be changed. Great stuff. It says that they are working with images, form fields, buttons, headings, links, text background, and more. Brilliant. Those of you that have used GeneratePress before have no doubt been impressed by Tom Usborne's capability to create slim, lightweight products and support them really well.
Well, he's done it again. This time, it's a pack of blocks. It's over at generateblocks.com. It's hot off the press and it says powerful WordPress and blocks without the bloat. It's a small collection of lightweight WordPress blocks that can accomplish nearly anything, and there are only a handful of them and he's keeping it very, very trimmed down.
So one of the blocks is the container block. Says, organize your content into rows and sections. The backbone of our blocks. Create beautiful containers inside and outside your grids. This block gives you full control over how you make your website look. So there's the container block. Also, there's the grid block.
Create advanced layouts with flexible grids. Our grid block sets a new standard for grid creation like no other plugin. You have complete control over your grid alignment, flow and responsiveness. Moving on, we've got the headline block. Take your typography to the next level, and finally you can also take control of buttons.
It says drive conversions with the beautiful buttons, and it just looks really nice, very slim, very compact, only a few on offer, so he's not trying to go the route of here's a block pack with 15, 16, 25, which I know that a lot of the rivals are doing. So go check it out. GenerateBlocks. If you are using the block editor, this might be something you want to have in your arsenal.
Creators of online courses have perhaps come across LifterLMS before, a learning management system plugin for WordPress. Well, they have a new feature. It's called LifterLMS Groups, and the idea is that you can sell courses, memberships, and so on to groups all at the same time. So rather than selling it to one person at a time and another person and another person, you can simply set up a group, perhaps for a discount or something like that.
So it says, offer your courses and memberships to groups with additional group management features and a new group leader role. With LifterLMS Groups, you'll be able to sell courses and memberships to a group of buyers, have a group leader invite, enroll and manage group users into seats, have a group leader view progress and reporting for only their users.
So in a sense, it's a bit like handing control over to somebody else. And you know, if you have a course that they would like to oversee for their own students, then now you can do that right with LifterLMS. It was mooted to have come out at the end of last week, so it should be available now. I believe that if you've got the infinity bundle, it's rolled into that, but I'm not unfortunately clear on the pricing right now.
Just a few words on deals. Our next section, it says deals from this week. There is the first link lead you to our deals email alert form, and if you go and fill out this form, you will be alerted every time I come across a WordPress product that is on offer. The plain text emails and they are very, very simple.
The title in itself will, the subject I should say, will tell you whether or not you want to open it, because if it's a plugin that you've never heard of and got no interest, then you can just bin the email. Anyway, there you go. You can get deal alerts as soon as I hear about them, and the other two that I'm mentioning are
still over on AppSumo, lifetime deals at $49. Don't know how long they're going to be before they sell out, but there is WP Data Tables, a way of linking your WordPress site to things like Excel spreadsheets and Google Sheets, and then displaying the data in every which way that's imaginable, and Wishlist Member, a solid solution for having membership sites, that is also on offer for $49. Click on the link in the show notes to find out more.
As always. The next section is a very light touch on the security scene for this week. Don't go too deep into this, but I basically mention the plugin names and link to some articles so that if you, if you say to yourself, oh, that sounds familiar, I've heard of that plugin before, I might have that on one of my client's sites,
you can go and check it out and see. So the first one is over on Wordfence. It says, Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites. Well, that's a gigantic number, isn't it? A critical security update was recently issued for Duplicator, one of the most popular plugins in the WordPress ecosystem.
Apparently this is a pretty, pretty serious infection, because it says 1 million sites were affected by a vulnerability allowing attackers to download arbitrary files from victim sites. We urge all Duplicator users to update to 1.3.28 as soon as possible. So that's the first one. The second one is over on the WebARX website.
It says, Critical Issue In ThemeGrill Demo Importer Leads To Database Wipe and Auth Bypass. And again, if that rings a bell, ThemeGrill Demo Importer, that plugin, over 200,000 installs, you must go and get that checked out as well. There is an update on the 18th of February saying that the number of the counts has dropped to 100,000 from 200,000, so obviously, yeah,
a lot of people are uninstalling it. There's an active growth chart, which just drops off a cliff as people have begun to uninstall this. So that's interesting. There's also a zero day vulnerability in ThemeREX Addons plugin, is being exploited in the wild. So ThemeREX Addons is a WordPress plugin apparently on 44,000 sites.
This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts. Oh, that doesn't sound good. And finally, Wordfence again, Vulnerability in wpCentral Plugin Leads to Privilege Escalation. This one on 60,000 sites.
The flaw allows anyone to escalate their privilege to those of administrator, including subscriber level users, given open registration was enabled on a WordPress site with the vulnerable plugin installed. DHEA. And finally the last one is WordPress Disaster Week, iThemes Security. The guys over there have got something going on next week.
It's running for two or three days from the 24th of February right up until the 26th of February, and it says the WordPress Disaster Week schedule. Are you ready if your WordPress site gets hacked or if it crashes? Is there anything you can do to prepare or prevent a website disaster? How do you recover when disaster strikes? Well,
apparently this is going to help you. Session one is on the 24th of February. It's entitled prevention. It's security 101, how to defend your site from the most common types of attacks, login security. Session two, the following day, the 25th, is called recovery. What to measure or monitor, signs that you've been hacked,
how to restore from a backup, and the final session on the 26th, providing security services for clients, preparing a site for the client, packaging and pricing, and selling the service. So there you go. Interesting little initiative by the guys at iThemes. The completely self-promotional WP Builds bit. Two things for you this week.
The first one is to say that we had a podcast episode go out. It was number 167, entitled How I use Agile and WordPress to launch a minimal viable product with Marius Vetrici. I'm joined by Marius, who has a team. We talk about some of the disasters that he's had when launching products in the past and how this has led him to have an agile approach.
If you don't know what agile is, then the podcast is a really nice primer in that he talks about all of the different phases, how you can go about making it so that your clients have an absolute understanding of what you're doing and that you are building something which is going to be profitable for you
by putting an MVP together using WordPress and a handful of plugins. So it's a really interesting approach. And the second one is to say that I was joined this week by Piccia Neri, and we did our monthly WP Builds UI UX review. We reviewed three sites this time around, and the video is linked to in the show notes. You can go and see what it is that Piccia has to say.
She's always got some insights, which I find to be very revealing. There's a lot of stuff that she just seems to instinctively know, which I hadn't the faintest idea about. So click on the link and go and check out that. Next section is jobs, and I've got a couple of things to mention here this week. The first one is that the guys over at Kinsta are looking for a social media manager. Says, we are looking for an experienced social media manager to take the reins of our established social media profiles and to define and implement a comprehensive social media marketing strategy.
This will be a new role within our rapidly expanding marketing team. So there's an awful lot more to say about that, including all of the requirements and the skills that you must have brought to the job already. But go and click on the show notes and you can find out about that if it, if it sounds like you. And
speaking of jobs, I've got a website up here this week called developers for hire.com forward slash WordPress, and this is for those people who are trying to find somebody to help them with their WordPress website. In other words, WordPress developers, and they claim that they'll be able to hook you up with the right kind of person in under 60 seconds.
I confess, I've never used this service before. I was contacted by the people who put it together, and so I thought, well, why not see if anybody else wants to go and check it out. Anyway, the link is in the show notes. That's all the WordPress stuff that I've got for you this week, but we always round it off with the not WordPress, but useful
anyway. How many people have heard the phrase, get a Mac, it's far more secure than Windows? Well, interesting. There's an article on Mashable this week. It says, sorry, Mac owners, a new report says that Windows PCs are safer from malware. This is a report by the antivirus company Malwarebytes, who threw together a big report, and it's all about the, the number of
devices really that are connected. They call them endpoints. And so Macs back in 2018 had 4.8 threats per endpoint. That is to say per machine with, with, with macOS on it. This number went up to 11 in 2019, so 11 threats per Mac install, whereas the Windows equivalent was 5.8. Now the numbers are obviously gigantically different, that I think it's true to say that macOS represents a tiny fraction of the installed base of Windows.
So I'm not sure this is entirely truthful. Sounds like it might be a little bit of clickbaitiness. But nevertheless, it's interesting that, that it is moving, you know, people are beginning to attack the Mac. It's largely to do with adware, cleaning programs like MacKeeper and MacBooster, so not sure how much of this is actually going to seriously damage your machine. After all, it's classified as, well, adware as opposed to malware, but nevertheless, an interesting, an interesting shift.
Staying on the theme of security. This is an interesting one. [email protected] Ring, two factor authentication, and a win for consumers. Ring, who manufacture things like doorbells with cameras in them, have recently been running into a little bit of a problem, in that some of those devices, which obviously, as I said, have got cameras in them, have been hacked and people have been spied on.
So these devices might live on the outside of your house looking down, you know, looking at people who are approaching your doors. They might of course, be on the inside, and that would not be good if people were able to hack a device on the inside of your house and see what was going on in there.
Well, allegedly the Mozilla Foundation got behind some campaigning along with the usual suspects, things like the Electronic Frontier Foundation, EFF, and so on. And they, they petitioned Ring to up their game. And so now, as of this moment, it says today, Amazon, who is the parent company of Ring, announced that two factor authentication is now mandatory for all Ring users.
I would suggest that two factor authentication really ought to be deployed just about anywhere that it's possible to be deployed. But if you've got one of those devices, this is a good step, adds an extra layer of security to hopefully prevent people spying through your doorbell camera. Towards the middle of last year, we mentioned an article which told us that Chrome was going to introduce lazy loading of images and iframes natively into the browser so that you didn't have to use JavaScript solutions for that.
Well, they did that a little while ago. It was in Chrome 76, and as of now, Firefox did not have that capability. It was still in the kind of like the bleeding edge, the nightly releases and so on. But now it's going to be rolling out into Firefox 75, so this is going to become standard, I would imagine. At this point, most of the browsers have this capability, which is great.
It means that we no longer have to deploy JavaScript solutions to do what really, I think, the browser should have been doing for a long time. You can go and read about this on the ghacks.net website, but if you're a Firefox user, good to know that this is all happening natively now. I'm sure that we've all visited Apple stores in the past.
They're very big Island, aren't they? Lots of empty space and people milling around trying to explain how the Apple technology works. Well, a California Supreme court this week has ruled that Apple store workers must be paid for time spent waiting to be searched. Allegedly, Apple workers are searched upon leaving the store, not arriving to the store, because obviously they would be bringing in devices.
Perhaps there was a spate of theft in the past. I don't know. But certainly the, the expensive items are very, very small. So it's mandatory for these workers to be, to, well, to have all of their bags and whatnot examined on the way out. And Apple had quite a job doing this, and in some cases, some of the staff were saying they had to wait in line for up to 45 minutes because there was a queue.
Every single pocket of every single bag had to be emptied and checked and so on. And so the staff was saying, well, look, if this is going to be something that we have to go through, then surely this is part of the job. Apple's claim, counter claim, was that, well, just don't bring a bag to work. If you don't bring a bag, you won't have any problem with this.
You can just leave. You know, you get, pat your pockets and turn them outside and what have you, and you can just leave. But they thought, oh, you know, most of us want to bring a bag. We've probably got things going on before and after work. And so this has now been overturned by the courts and now Apple must pay their staff for this time.
And I, for one, think that Apple is a company with plenty of money. I'm sure that this isn't going to hurt their bottom line all that much. The last one I've got for you today. If you're a user of Google's products or services and based in the UK, you're going to be receiving an email in the near future, because reuters.com have an article entitled Google users in UK to lose EU data protection.
Your data is no longer going to be held in Great Britain or indeed in Ireland, which is staying in the EU. It's going to be shifted over to a US jurisdiction. That's going to be happening fairly soon, and as I said, you should be receiving an email in order to tell you about these new terms and conditions.
There was obviously quite a lot of privacy advocates who've managed to get things like the GDPR working in the UK, and I, I think it's fair to say, certainly the Reuters article makes the point, that the, the difference between privacy in the EU and the US is quite considerable. And so if this kind of thing is of concern to you, perhaps go and read that article in full and find out how this affects you.
Right? That's all the news I've got for you this week. I hope that you found it useful and that there was something in there that will be of use for you in the coming weeks. Please do leave some comments. Join us in our Facebook group and let us know if you find it useful. Or you could leave a comment on the website.
It's entirely up to you. The WP Builds weekly WordPress news was brought to you today by Kinsta. Kinsta takes managed WordPress hosting to the next level, powered by the Google cloud platform. Your site is secured like Fort Knox and runs on speed obsessive architecture. You get access to the latest software and developer tools such as PHP 7, SSH and staging environments.
And the best part, their expert team of WordPress engineers are available 24/7 if you need help. So you can migrate today for free at Kinsta dot com, and we thank Kinsta for supporting the WP Builds weekly WordPress news. We will be back next week for some more news, just like this. Join us live though,
2:00 PM every Monday UK time in the Facebook group or WP Builds.com forward slash live. We have a live version of the news where we chat through with some notable WordPress guests and it's good fun. It's really nice. Probably a nice way to, to round off your day in the, in the UK or possibly to begin your day if you are in the US.
We'll, we'll also be having a podcast as well, so join us for that. Alright, I hope that you enjoyed that. Bye. Bye for now.

Nathan Wrigley

Nathan writes posts and creates audio about WordPress on WP Builds and WP Tavern. He can also be found in the WP Builds Facebook group, and on Mastodon at wpbuilds.social. Feel free to donate to WP Builds to keep the lights on as well!

