This Week in WordPress #159

“XML files are fun”

This week’s WordPress news – Covering The Week Commencing 12th April 2021

With Nathan Wrigley, Paul Lacey (wp_paullacey), Michelle Frechette (@michelleames) and Tim Nash (@tnash).

You can find the Newsletter here which has all the links mentioned in this episode:

We focus on the following stories:

WordPress 5.7.1 Security and Maintenance Release

GoDaddy Pro

Full Site Editing Go/No Go | April 14, 2021

Full Site Editing Is Partly a ‘Go’ for WordPress 5.8
Proposal: Treat FLoC as a security concern

Wix and Their Dirty Tricks
Dear Matt Mullenweg: Another Open Letter from Wix’s CEO, Avishai Abrahami

FSE Outreach Round #5: Venturing out a Query Quest

HeroPress Adopts Hallway Chats

Michelle Frechette on Diversity and Inclusion of Underrepresented Groups in Tech

Zerodium Temporarily Triples Payout to $300K for WordPress Exploits

The WP Builds podcast is brought to you this week by…

GoDaddy Pro

The home of Managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases! Find out more at

The WP Builds Deals Page

It’s like Black Friday, but everyday of the year! Search and Filter WordPress Deals! Check out the deals now

Transcript (if available)

These transcripts are created using software, so apologies if there are errors in them.

Read Full Transcript

Nathan Wrigley: [00:00:00] It's time for this week in WordPress episode number 159 in titled XML files are fun. It was recorded on Monday, the 19th of April, 2021. My name's Nathan Wrigley. And as always, I'm joined by my cohost Paul Lacey. But this week, By Tim Nash and Michelle Frechette, as we discussed the WordPress news from the previous week and as always, there's a lot going on, we talk about the security update.
WordPress 5.7 0.1 has been updated and Tim gives us a down on why this might be important. There's a vulnerability which needed patching. We also get into the topic of full site editing, how that has been given the go no go label. And what that all means. We also get into the subject briefly of the fights, the discussion between Matt and the founder of Wix and how that's developing over the past week.
Also. There is a new round of full site editing outreach, and we discuss how you can get involved and what it is that they're looking for over on the Robert Jakobi dot com website. This week, we talk about the fact that hero press have adopted the hallway chats podcast. And so it's now got a new home, and then we get into the subject of zero diem, the company that will pay for your exploits and they are now paying $300,000 for WordPress core vulnerabilities.
It's all coming up on this weekend. WordPress, this week in WordPress is brought to you by cloud ways. Cloud ways is a managed cloud hosting platform that ensures simplicity, performance and security. It offers cloud service from five different cloud providers that you can manage through its intuitive platform.
Some of the features include 24 seven support free migrations. And dedicated firewalls. Check it [email protected] and buy AB split test. Do you want to set up your AB split tests in record time? Like in a couple of minutes, use your existing pages and test anything against anything else. Buttons, images, headers, rows, anything.
And the best part is it works with element or BeaverBuilder and the WordPress block editor. You can check it out and get a free [email protected]. Hello, we're on episode number 159 of this week in WordPress. I am almost crying with laughter. I don't know if either Michelle or Tim managed to see that if you're watching the little icons of Paul Lacey, basically dances during the little intro music.
Only this time he was he was dancing and, giving it some muscle at the same time because
Paul Lacey: [00:02:59] guns. Yeah, I don't think Tim and Michelle see it. I don't think, I think it's only you that can see what's going on in
Nathan Wrigley: [00:03:06] that case. I know why
Paul Lacey: [00:03:07] it's my favorite. One minute of the week on a site where the music comes on.
I love it because I know I can get a rise from you.
Nathan Wrigley: [00:03:15] It works every week. Anyway, we're on episode 159 of this week in WordPress. We're not here to talk about Paul's guns. We're here to talk about WordPress. If it's okay. I am going to hand over to Paul and Paul Lacey obviously joins us every week as the cohost.
Paul it's become a bit of a tradition that you introduce the guests. So I'm going to let you introduce our guests for today.
Paul Lacey: [00:03:38] Yeah. Hello everybody. So today we've got Michelle and Tim. So I'll introduce Michelle first. Michelle Fisher is head of customer success at give WP, which is the donation plugin for WordPress.
And also works in the customer success team. We're working with fundraisers all over the world to make a better place the world, a better place. I'm really fudging this one today on I've been spending too much time messing around dancing. Anyway, part of that is helping customers evaluate their websites and researching what works to convert site visitors and supporters to donors.
And there's a ton of other stuff that Michelle does well that she hasn't written in her intro here, but I'm sure we're going to get into some of that later on Tim. I'm going to try and do a better job for you, dude. Tim is a WordPress security geek is generally found yelling, update all the things he helps organizations stay safe and secure on the web through consultancy and training, including public workshops.
Nathan Wrigley: [00:04:33] Very nice. That's okay. Shell is it's very early in the morning where Michelle is in her office environment, just full of people coming in and making coffee. And it's it's quite nice to actually see, cause the rest of us are stuck in rooms in our house. I presuming you're actually mixing and mingling with other people.
Yeah. We're all
Michelle Frechette: [00:04:50] vaccinated, which is a wonderful thing.
Nathan Wrigley: [00:04:52] Nice. Yeah. Okay, I'm going to share my screen if that's all right. And we'll get stuck in just a couple of bits of I dunno advertising, head over to WP That's the website where we produce all of our content each week.
I'm going to keep this really simple. And if you go to this page, WP forward slash subscribe. Then you can find all of the places where we put that content and subscribe to newsletters and YouTube channels and all of that good stuff. But I would like to mention this this is something that I'm organizing with a good friend.
Anshan LaRue, it's called the page builder summit. We run it in October last year and it was really well received. I was really pleased with the way it went. And so we decided we'd do it again. And if you're looking at the screen, you can see the dates it's on this year from the 10th to the 14th of May.
And I'm trying to encourage people just simply to go and click this button and join our wait list. And then we'll be able to notify you when it's actually all happening. So that's page builder, and get yourself signed up. Okay. Let's get actually stuck into the proper news from this week. I didn't have a lot to say about this one because I, for some reason it didn't.
Captivate me, but it's captivated Tim. So I'm going to just briefly say that you should update all the things in capitals, which Tim is nodding out. Very good. And and WordPress 5.7 0.1 rolled along this week with a considerable lack of FunFair. I might say it really eclipsed me until it had happened that it was going to happen, but it's a security patch.
There's a couple of things that have been mentioned in the article that I'm linking to on forward slash news. But I'm going to let Tim take it over because it sounded like he had more to say about it than I did. So Tim, the ball is in your court.
Tim Nash: [00:06:37] Okay. The reason that I find this one particularly interesting and it connects to a couple of things that.
Maybe we'll talk about later in the episode as well, is that this is one of the few times where there is a WordPress vulnerability that doesn't require you to chain a lot of things together to exploits. So one of the particular exploit that is interesting to me was the X E exploit, which many people who hear various acronyms might not have even come across as an acronym.
And it's the XML external entity export. You're basically using an XML document to extract data from your computer, such as, or rather from your server, such as, I don't know, your DP config file or slash et cetera, slash password. For example. Yeah. Yeah. These sort of things and how this particular exploit works is that there was a bug in the media library.
So XML is a very, you think of it, it's just a text document, but it's a very powerful data format. And one of the things you can do with it is you can, in your XML documents say, I want to get information from this other XML document or from this other source. And that can be an external URL, or it could be a local file on your machine.
So if you can set, upload an XML document to a server and say, pass this, and then also grab the information from this location. And depending on what's passing it, it might well go, Oh yes, that's fine. Oh, grew up that information and display it to you as part of the XML document on building. So this can be quite powerful and scary.
Now the exploit used the media library. And it's specific to PHP eight because basically within the media library you have MP3 files, which you can upload. And inside MP3 files, it's an XML documents, which is ID free metadata. And that metadata basically allows you to grow, to have information about the offer and bits and pieces, why this is.
Fun for me is that I was hacking around with ID free metadata, like 13, 15 years ago. I think that for a BBC hack day project, we actually expose the same metadata and effectively the same sort of exploits, but the idea to build a web server out of on an MP3 file so that you could just serve HTML content or XHTML content from the MP3 file.
That was what we were doing 12, 15 years ago. So when I saw it today or last week, I'm there going, Hey, that's really cool. It's the same exploit being used in a different, obviously a malicious way rather than an interesting way. But yeah, the moral of this story is. XML is incredibly powerful and that includes SVGs.
Don't just let random SVGs upload just like you. Wouldn't just be aware that XML is quite dangerous and fun.
Nathan Wrigley: [00:09:36] And but this is all now patched and fixed and everybody should be happy once they've got to 5.7. There's probably a whole range of other things which are discovered, but
Tim Nash: [00:09:46] yeah. Yeah.
Okay. It was only exploitable if you had PHP eight on, because of the way that the conflict frags work, someone fought, we did something that didn't do. Sorry.
Nathan Wrigley: [00:09:58] Okay. Wow, Tim. And
Tim Nash: [00:09:59] you do need to still publicly upload the MP3 file. So it wasn't that easy to exploit, but it was it was more that it was just really interesting attack
Nathan Wrigley: [00:10:08] vector.
Yeah. Yeah. That is interesting. And just really glad that you're on to explain stuff like that because I think I think I would struggle without somebody like Tim. So thank you. That's really good. Good to know. So going up update, I'm sure you have done that already, but, and it also
Michelle Frechette: [00:10:24] really shows you that there are different levels of geekiness.
There is the, I can program my VCR and there's XML files are fun.
And now we know where Tim falls in that spectrum.
Nathan Wrigley: [00:10:39] Yeah. Yeah. If
Tim Nash: [00:10:42] there was a spectrum. Yeah,
Nathan Wrigley: [00:10:45] that is the episode title for this week. XML files are fun. Somebody write that down quickly, XML files off on we'll call it that already decided it can't go any better than that. Yeah, so that was on
And we're going to flip now to Paul. Paul's going to introduce actually poll during the last couple of minutes as managed to grow a dog. And just so the
Paul Lacey: [00:11:08] 5.7 0.1 thing, this is, we always just dismissed that as yeah. Just means you can update the thing now without a break in or something.
There's nothing much in the, but there is the, the these point releases have got some real, super important things in them and that we just totally missed. There's so much going on under the, behind the scenes of this bad press and stuff that we just. Most of the time ignorant too, in terms of my dog news.
This is, I was just saying just before the show, actually my dogs just come back from the groomer. So she's at a set of haircut and she's totally attached to me. So when she comes back from the groomers, she just goes crazy on me. There's absolutely nothing I can do apart from just cradle her and just reassure that everything is okay.
Don't worry. You're back. You look good. So apologies that the dog keeps poking her head into the camera. I literally can't stop, but
Nathan Wrigley: [00:12:00] can I just say I'm now completely torn? I've got two possible titles already. I've got XML files are fun or. In terms of my dog news, which is also another foster, possibly great working title.
Paul Lacey: [00:12:15] You got to go with the title that Paul's in the biggest audience. So yeah there's some proper niches there. So you could, we should split test those with your plugin AB split test. Shouldn't worry. See rich series, Ron. Paul's in the most millions of users. So in a minute, she'll calm down anyway, but we can move on to this one.
In the meantime, and. What we knew last week was that some of the top [email protected] we're meeting to discuss whether or not full site editing would be put into core WordPress in version 5.8. And there was a meeting on April 14th and just Hayden, John Posey was in it and Matt Mullenweg was in it.
And some of the other people that are listed down the page were in that meeting. And first of all, just to say, it was actually super interesting because. They recorded the meeting. And this is just like a normal zoom call. We've just some regular people talking, but these people are making really super important decision for the future of WordPress and the direction it goes.
And you get to see what the dynamic of that kind of conversation is. And, they. Forget almost immediately that this is called and this is recorded and that people are going to be watching this. So it's really interesting just to see how that conversation goes at that level.
Anyway, the news is that the majority, as far as I understand of the features that they were talking about putting into five point, Hey, from full site editing have been approved to go in with some things that have been not approved. And I think the reason is that they feel confident that they can get the majority of these things done by version 5.8, but they, one of the reasons they want to get it in there is so that the third part is, and the rest of the community, you can start playing with this, a full site editing thing and seeing if they're seeing how people can creatively plug it into it.
One thing that I think we have to realize now is that it's happened. It's happening. It's going to be in core. So wherever we like, how it works or not I've tried it, I've done. I was in, I did some of the volunteer testing and I didn't really like it that much, how it works, but I think if they are getting out to the third party two and the rest of the community to develop this, and I'm pretty sure that I can see some of the companies and some of the different brands and some of the individuals working on this in a way that is going to make it all super nice and useful for us.
So it seems that full site editing will be something there'll be there that you can use it if you want. And I imagine if third parties will adapt it to make it more usable for us kind of mere humans and everything, but it's going in. And and so there's probably a bunch of things that I've missed in that.
Tim, especially, you have a lot more knowledge, I think about these kinds of core releases and everything, but apparently it's going in.
Nathan Wrigley: [00:14:54] Five point. Thank you. The the video was quite interesting, wasn't it? Because as you said it quickly became just a chat amongst what I'm imagining a fairly well, I imagine they're quite close to each other.
They probably speak to each other quite a lot. So it did it how'd that how'd, that it just felt like me and EUPOL having a bit of a natter on a Friday afternoon, it was it was really nice to watch. There's a couple of pieces though. The first one that I'm showing now is on
All the links as always will be in the show notes when this comes out tomorrow. But also that was quite interesting. There's the full site editing version on the on the WP Tavern where Justin sort of sums up everything that went in there. There's the video itself. And he talks about the fact that there's this page template editor, which he was quite keen to see in and various other bits and things.
And then some random dude dropped in a comment, which was the only one. Apparently that was the top comment. That was the top comment. Everything else just got deleted because it wasn't as worthy as called Lacey's kind of incidentally polled. Good job with the the Gravatar there. I don't
Paul Lacey: [00:15:58] know where that comes from.
Nathan Wrigley: [00:16:00] in all likelihood. Anybody got anything to add to this excited about this full site editing 5.8?
Tim Nash: [00:16:09] You can't not be excited. So I actually really liked the page templating idea of themes. Really nice. Boy, is it confusing guys? Menus everywhere. There are buttons everywhere and it's got no consistent language style to it.
Things have renamed and repurposed. And, but what I, yeah, I, a lot of this will be ironed out, so it's not very unfair to look at it and go, no, and it just, they're doing a lot better job at communicating this stage than they did previously. There was a lovely comment on the video where Helen just said that you could see that they'd been nattering away for a little bit.
And Helen just suddenly goes, I know this is being recorded, but, and then it goes off, off on a as yeah, it's really nice to see that there are at least trying to communicate this properly this time. And one of the feedings that was mentioned in the call was this idea of having a labs or something to differentiate it away from the term alpha and beta, to explain that this is still experimental and that this is going to develop and grow over time.
And I can't help, but think if Gutenberg had come in with a labs comments attached to it and they'd ran with it, Classic editor in Gutenberg, side-by-side more easily to switch between and get it. And book had been a lapse phase. Then there would have been a much better reception. So I think they've doing quite well with this idea that at least they're communicating it better, even if I'm still there going, I don't know what any of the buttons do and I'd be terrified to press anything.
Nathan Wrigley: [00:17:45] Yeah they did make the point that That there is going to be a lot of renaming because a lot of the, they use the very clever word nomenclature. A lot of the nomenclature has been has been mucked up, shall we say? And words that really, that people who are experienced with WordPress probably use are unfamiliar to people who are now suddenly going to have to start delving into editing their own sites, headers and footers, whereas before they just installed a theme and it took care of all that for them.
So that was quite interesting. And Peter Ingersoll has dropped off. Nice comment. And it's saying, yeah, it was really interesting to watch matches suffer and the others candidly discuss WordPress. And I think you're right, Tim. I think they have actually taken taken taken on board. All of the comments that were made when post Gothenburg, where that just got dropped.
And a lot of people were really poor. Shall we say cross about it? Because there wasn't the feeling of consultation and I don't know in all. Honestly, I don't know what they could have done more than an hour and a half video to demonstrate that they were talking about it and discussing it. And, you may disagree with the decisions in certain parts, but at least they were publishing it.
That is their decision-making process. It's basically a boardroom with the doors flung open and and I commend them for that. That was really great to see. Michelle, have you got anything to
Tim Nash: [00:19:01] add on this?
Michelle Frechette: [00:19:03] I come coming from, out of, from a non-developer standpoint and just love the fact that two of the six names and love in that conversation were women and you know how I am about representation.
And so I think that's great. I would have loved to see it be three out of six, but two out of six is a good start for sure. But as far as everything else goes, I can see a lot of us spinning up sites just to play before we ever start to do anything with production, because. As you say, when you start to change the nomenclature, you start to change the way things behave, especially with page builders and things like that.
We're going to want to play with that a lot before we understand how it really works.
Nathan Wrigley: [00:19:39] Yeah. It was really I can't remember if it was this piece, now it's a piece that we're going to come to later. So I will pause on that. And we'll segue if that's all right, we're going to segue to something which is slightly different from the order on the sheet.
No, it's not. It's been changed. That's fine. So here we go. Now I'm going to put from the,
Paul Lacey: [00:19:55] Oh, sorry. Can I just add one thing? I just wondered how long has been in the role that she is in 600 Krista org in as that particular role? Yep. Yeah, because it just seems to me that I didn't, it's just so ignorant with me.
I didn't, I'd never heard of her before about a year ago, which is crazy. But now, like in the last six to nine months, I just feel like she's communicating to us all so much. And I think it just, it's just really following up for that comment about how they've improved communication. It seems that Josepha has done something or made some decision, or some people have made some decision and she's followed that up and said I'm taking this on now.
I'm going to say things and invite response. And so I just think she's doing a good job. We've whatever. I wasn't sure if she was new in the post in the last couple of years or something, but yeah, something's changed and she's so she feels accessible now. She feels the whole system feels much more accessible than it was with the little kitchen bag thing.

Nathan Wrigley: [00:20:58] There's one, sorry, Michelle.
Michelle Frechette: [00:21:01] There's two reasons that transparency lacks it. Most organizations one is it's. Deceitful. So we try to hide trends. We try to hide things and be transparent. The other is that things happen so quickly and things happen so rapidly. And there's so many people involved that transparency falls by the wayside.
And I think that neither of those things were intentional. I don't think that there's a lot of deceit in the past and I'm sure that's, there'll be people who will disagree with me on that. But I also think that when things happen as quickly as they do with as many people involved, as there are on the open source project, that transparency actually becomes a burden because there's so much involved in making sure that everybody knows what's happening.
And I think that Jeff has done a really good job at the last, as you say, nine months to a year, perhaps even a little bit longer in making sure that it's actionable, that the transparency is at the forefront and that nothing is hidden and therefore assumed deceitful as opposed to assumed overlooked.
Nathan Wrigley: [00:21:55] Yeah, she so she took on the role six years ago and there was obviously much that I don't know about all of the work that she does, but I did by coincidence recorded a podcast episode with her a few, I dunno, probably about six weeks ago, something like that. And and she made the point that she went on like a six month.
I'm going to say binge for want of a better word, a six month binge trying to figure out what, what had been miscommunicated after Gothenburg. And I don't know who she spoke to and what that process involved, but she deliberately made it, her made it her cause to, to figure out what had gone wrong.
And just in these last few weeks, she's been everywhere. She's got a new podcast, which she's producing every few weeks, which explains on a high level what's been happening in the last couple of weeks. That's commendable loads of. Blog posts coming out on She's appearing on lots of podcasts and she's so communicative.
It's amazing. And so I think she's doing an incredible job. Can you imagine how busy she is on a day-to-day basis and still makes the time to write blog posts and recorded podcasts and go on other people's podcasts and all of that. She, I think she must really spend a very large proportion of her waking time doing this
Michelle Frechette: [00:23:08] genuinely nice person.
If you've ever met her. Face-to-face she is actually just a very genuinely lovely person.
Nathan Wrigley: [00:23:15] Yep. Yep. So Bravo we've had a few nice comments. Daniel and Q, he said that he thinks that appreciates the transparent communication led by Josepha. Okay. All right. We're going to pivot slightly moving away from the community.
Now this is a story, which I'm just going to put it on the screen because the screen's not showing at the moment. Okay. And I'm going to turn this one back over to Tim. Cause it turns out in our pre-record conversation. Tim knows significantly more about this than I do this. I'm just going to paraphrase it.
The Google. I'm going to say Google and forgive me, Tim. If I get this wrong, Google have this initiative called flock FL. Small a C and it's a way of making it so that you can be tracked, but not tracked. So instead of being pixeled and individually pixels, so that you are uniquely identifiable, I feel that it's more about putting you in a pen with a ton of other people and saying, your behavior looks like you are this, and you will be siloed in that little pen.
Maybe it will have a tag or a number or something. And for a couple of weeks, ads will be served to you based upon the little cohort that you're in and the behavior that displayed. And then every few weeks you'll be recycled. And you'll go into another little cohort because all of a sudden you've been searching for holidays instead of dog food or whatever.
But you can imagine the security, sorry, not the security, but the concern amongst the community, because this, whilst it might not allow people like Facebook to gather data, it feels like it's giving Google. All the cards in the deck and Tim just pulled to pieces, everything that I've said. Cause I know I'd probably
Paul Lacey: [00:24:56] add one thing to that because I didn't really understand what this is.
I'm really looking forward to Tim telling us. But I can see on the site in the core section that, and I don't know if this happens every time there's a new post that everybody is discussing it, but the amount of comments on this is quite significant. So whoever does know about this clearly it's a big talking point and yeah.
Sorry Tim, over to you. I just could see there's so much discussion going on in here. And again, this is one that probably went past myself and Nathan is something we probably just didn't really understand that much. So yeah, if you could help fill us all in, that'd be great.
Tim Nash: [00:25:39] To put this in perspective.
At the moment, if you run a business, selling a pet grooming kit and you want to advertise to pet groomers, so you go onto Google and you get some ads and you say, I would like to target people who have dogs. And I don't know, I know mail and our 23 and, however you want to set it up, you set up your adverts and it runs and you get targeted adverts and you can see you're spending your money.
And, your advert is going out to dog lovers. How that works behind the scenes is that Google basically has managed to get itself on enough sites where it's collecting information about you. And it uses a, it basically uses a cookie to do that. So it's, you're cookied across these multiple sites now.
So do many others do this? Facebook, every major advertising platform uses cross-domain cookies. The thing is. That's creepy as anything. And we don't like that as generally as a community. It's it might be great that, the dog grooming gets to advertise directly. But what w what about when they started doing it about your sexuality or basing on other targets saying this isn't good?
What happens when I'm going to certain sites? I just genuinely don't want to have associated with my profile. In that those scenarios, we it's all bad. So basically browsers have all pretty much agreed. We're going to drop this ability to do cross domain cookie. Now this included Google, but Google obviously don't want to lose their ad revenue.
So they've come up with the idea. Our flock and a flock as a name com is weird because they basically come up with a bunch of other technologies that are all got bird names that are all related to advertising. And then flock is a way of unifying it. You can see someone spent a lot of time coming up with the acronym rather than the necessarily the technology protocol.
Michelle Frechette: [00:27:37] Yeah. That tells you that marketing was
Tim Nash: [00:27:41] big money. But what you said to me for an apron is pretty much a spot on the idea is that the browser itself will start to collect data. So this would only affect customers who are using Chrome or a chromium based browser. Now, people, for example, brave is a privacy focused browser and they basically get their code home CHRO.
Now they've said, okay, we're going to take out that feature, funnily enough. But somebody who is say using Firefox, this just wouldn't affect them because Missoula have no intention of putting with this sort of targeting into their browser at the moment. But Google is pushing for this to be a standard across the board to provide a semi-private conscious is not privacy conscious at all.
It could easily be abused to get this sort of half anonymized targeting in place. Now the proposal in WordPress is to say they did Google have said that, if you're a website and you don't want to be involved in this, you can opt out by setting a permissions policy header. So within that, you can specify that you don't want to be to advertise to it.
So basically anybody who comes to your site won't be tracked by the system. We promise maybe, yeah, we don't always have Bay us, but we'll try to remember this the best we can. Now this is the equivalent of the plans for the destruction of the planet are downstairs in the toilet and, locked in the cabinet with the beware of the Panther site.
It's the same sort of level it, this isn't something your average person is likely to go and do set up a hasty header using a particularly new type of hedge to be edit permission policies. Headers are relatively new. It's just awkward. It's not an easy way to opt out. So the proposal on is that WordPress should automatically opt you out.
Now it's worth emphasizing. This is a proposal by one or two people. This is not yet a thing that is going to happen. You can see why it might not happen. There is obviously lots of politics involved with big companies who are pro and against this sort of thing. But the bigger part of this was that the suggestion that they should be released because it was a security issue, not necessarily just a privacy one.
Now, for some people they argue it is a security issue because your website would be leaking. Potentially personal information out. The counter-argument to that is the persons whose information would be leaked to Chrome, which they've opted into. So it isn't really a leak. But the bigger argument is should we be using the security release system to release features and backport features across.
And that is a blurry line that most people seem to be arguing over whether it's right or wrong. If you go through those comments and I know I've put a comment in there there are lots of other. PE people in the WordPress community. So lots of them are very pro-vice and saying, we should implement this as soon as possible.
A few more are saying, we should implement this. This is a lot more complicated than you think. And then there's another group that was saying, this is not necessarily a issue for WordPress. This is a issue that could be opted in via plugin. If you want to do this I say in the, this would be a very cool feature to have, I don't think it should use the security release mechanism because the last thing I want is we had you both of you on earlier saying how wonderful automatic updates are, how you didn't know anything had happened.
That fit that whole making sure it just works that we don't add new features. It just fixes bugs. And it just fixes security issues is vital because if we start fiddling and saying, we're adding a new feature to your site, even though you never asked us to. Then website owners might go well.
Okay. That's great. I don't want flock, but what if you start ramming Katzenberg on me? Do you want that? Yeah. And the answer is going to be no. So they're going to turn off their updates and that could actually cause a genuine security issue. So I'm more from my perspective. That's the thing that worries me this proposal is that there's someone who's going to say.
No, I'd rather turn off my website on principle. I tend to fly updates to my website on principle rather than have the potential where this line disappears and gets blurry.
Paul Lacey: [00:32:18] Yeah. Just takes a little rumor Oh, did you hear, you should turn off your updates, and, hundreds of thousands of people will be like, yeah, I heard that you should turn off the updates because of this thing or whatever.
And Oh, okay then I'll do that. Should I do that on my website? Yeah, I think so. Yeah. My friend told me you should do that. And then you know, that spreads and On update all the things then
Tim Nash: [00:32:42] per cent turn off their automatic updates. Yeah. 40 minutes.
Paul Lacey: [00:32:49] That's a lot.
Nathan Wrigley: [00:32:50] Yeah. I'm sorry. I think we might have some sort of audio overlap thing going on here. I apologize to those people listening or listening to me, just constantly interrupting people. I do apologize. The the thing that I'm curious about is a, I think this is quite a neat idea.
The idea of kind of DNR or anonymizing, I should say, by putting you into cohorts, I'm not sure what the cohort size will be. I'm guessing if you're in the, I don't know. I like pop music cohort. You're probably going to be in amongst millions, possibly billions of others. But if you're in the, I like chihuahuas.
And something else, cohorts, then it might be considerably smaller. And so your anonymity might be lessened. But the thing I suppose, which gives me pause is that this is going to be in the browser. I'm sure they'll communicate it to those people interested, but I'm just slightly concerned that Google in the, in anonymizing, it they're anonymizing it forever.
Anybody else except themselves because I don't know the technology behind flock. I'm guessing there'll be checks and balances, but still it puts Google in that very dominant position in terms of advertising. And you can imagine the Facebook browser hot on the heels of all of this chromium based browser built by Facebook just to get them just to get themselves back in the game.
Facebook has taken it from every angle at the minute. I feel like I'm like, this is just another hit at them, which, fair enough, Michelle, anything.
Michelle Frechette: [00:34:22] I'm always torn because my background's in marketing and I like access to information, but I'm also an individual who likes my privacy.
So it depends on which side which part of the conversation I'm on. But yeah, I guess I can see both sides, but I really err on the side of privacy.
Nathan Wrigley: [00:34:40] It's a really interesting one because if you go back, let's say 20 years to, prior to
now, Tim, I think you and I, for some reason, I think we're like seconds apart from each other. You carry on. I apologize.
Tim Nash: [00:34:57] There's a massive lack of at the moment, but it's worth emphasizing that the browser. Itself can be good fingerprints. You quite eat neatly and your interest groups will fingerprint you very quickly.
You might be one of millions interested in pop, but your specific interests in that thing you did at the weekend, when, which you'd rather not talk about on air combined with your current location, because you Google the opening times for your supermarket combined with your map results search combined with this, and combined with that subtly those interest groups, you might be an individual interest groups for each one of those, but the combination of that is very targeted.
It wouldn't take very much to identify you as an individual from those interest groups.
Nathan Wrigley: [00:35:51] Got a comment, a nice comment from Chris here about us talking over each other before we began the call, Chris, it was pretty obvious that something was broken. I don't quite know what's happening, but I can see Tim in real time that he can see, I think me in real time, but for some reason, we're out of sync with each other.
And so it's something peculiar and a bit strange is going on. Yeah, my, this is to Michelle. I'm curious about this because the promise of all of this stuff in the marketing arena is that the hyper targeting of everything will lead to a significantly better experience in terms of the end user, because we'll receive ads that are potentially of more interest to us.
Also, it will reduce, spend on the advertising side because you'll, you won't be throwing money at a television ad, which is mostly, for people who've got no interest in the product that you're dealing with. Have we reached this kind of Nirvana state? Do we have we got to the point where it really does.
Th this advertising stuff is working in our benefit. Would you say, cause you were conflicted over whether or not that was good or not.
Michelle Frechette: [00:36:53] So as a marketer it's wonderful, of course. But as a consumer, isn't it creepy? Isn't it creepy when you've done some browsing and then suddenly you're being served ads for things or, I've seen people say all I did was talk about it near my phone and suddenly I'm getting ads for XYZ.
And it something that if let's say I have a, I'm using a browser with family and I've been searching things, I'm a 52 year old woman. I'm not having any more children, but let's say that I'm worried that I'm pregnant. And I start to search things about pregnancy and I start to search things about clinics and I start to search for OB GYN and I clear my browser, but the next person that comes in is starting to get served up ads along those lines.
What point is it safe? And at what point is my privacy more important than being served an ad?
Nathan Wrigley: [00:37:43] Yeah. Again, talking about going back 20 years, if we re round the clock and I don't know, let's say 80 years or something, there's no way that people are going to be able to give up television. Now, television is just such a mainstay of everybody's lives.
It's quite normal. I'm just wondering how far the cat is out the back with all this fingerprinting and technology to, to allow marketers, to do their very best, to make sure that we see exactly what they want us to see. And so what I'm really thinking is how hard is it going to be to make the argument that this stuff is scary?
Because it shows, in my case, I really do see the benefit when I'd go onto Google. I do genuinely see advertising for the things that I want to see. It's very rare that I'll see something which is utterly, wildly outlandishly off my radar. So the privacy conscious amongst us see privacy violations all over the place and we just run scared and the, the sky is falling in, but I don't know if that's what the general population believes.
I'm sure that maybe most people just don't care. It's fine.
Michelle Frechette: [00:38:44] I also wonder, I often wonder about incognito browsers and I know that my incognito browser can, spare the other people who may be looking at my computer, but is incognito browser really that incognito from Chrome, do they still know what's made?
Do they still serve me ads for things that I search there? I don't know the answer to that because I haven't. Delved in far enough with that. And in Tim's smiling, he might have some information about that, but but I can see a lot more incognito surfing in the future. If we start to feel creeped out by the ads that are served up to us,
Nathan Wrigley: [00:39:15] just as a question there, Tim, I hope that your audio Tims refresh the browser.
So maybe things that have repaired themselves. I don't know. I'm curious on your setup, Tim, what is it that you use to browse the internet on a daily basis?
Michelle Frechette: [00:39:33] It looks like there's still
Tim Nash: [00:39:34] a
Nathan Wrigley: [00:39:34] lag. I think Tim can't hear a word I'm saying. I don't know. Yeah.
Tim Nash: [00:39:39] Just one second. He just went off at the end, but I'm pretty sure he said something along the lines of. What browser do I use?
Paul Lacey: [00:39:47] That's really what's your, if you can hear me. Okay. What is your setup?
Tim Nash: [00:39:51] Go mute?
Nathan Wrigley: [00:39:53] Yeah, I don't think this is the, I don't think he do you know what I'm gonna, I'm going to allow Tim who cares about the lag. It's fine. We can sit here and listen to five seconds of silence. It's not the end of the world. I'm going to ask that question again, Tim. I'm just curious, because you have a real posture on this.
What do you use? I'm on brave. I, for the life of me, I've been assured that's a pretty good option if I want to block certain things, but I don't really know.
Tim Nash: [00:40:22] Okay. If you're really privacy conscious, there are really, there are privacy specific browsers. Brave is one example. Brave is run by a company. Whereas something like Firefox is run by Mozilla who are a nonprofit organization. Personally, I use Firefox for my day-to-day browsing. Honestly, I don't need to have that set up particularly I don't have too many other, I have a ad blocker on there.
But actually at home I use something called pie hole, which is a a little service that runs on a raspberry PI that does a lot of ad blocking for everybody in the house. That way I don't need to worry about having to configure tablets and things to use special bits. And it also means that, my daughter doesn't like, I don't have to sort out her stuff as well.
That's how I set my bits up. Nice.
Nathan Wrigley: [00:41:12] Yeah, indeed. Okay. Then, wow. That was a fascinating little chat. Thank you, everybody that participate in that, that was lovely. The we're going to go onto the story that keeps on giving. This is the story of Matt Mullenweg and Wix.
I feel that this may go on for certainly it's the we've had to serve. From WEX with their advert emit, using a tennis analogy. Now, they did a real big wallop of a surf Matt steps in does a big forehand with his rebuttal piece that we're looking at the moment where he called them out for an inverted commerce to quote to Wix and the dirty tricks.
And then this week we had the CEO of Wix Avishai, Brahmi and I hope I haven't butchered his name. He did a reply this week and I read it and I just feel that it was a sort of, obviously I'm coming from the WordPress side of things. There is that I've got this history of really enjoying WordPress.
I want to defend it, but I felt that this piece really was like a deliberate attempt to divert. W what Matt has said. He kept going, Matt kept talking about the GPL and the guy from Wix seemed to miss the point deliberately, almost like it was deliberate. It's not that he doesn't understand what's going on, but I was just curious if anybody had any thoughts on this piece and whether there'll be moving it's a Wix in the next couple of weeks.
Michelle Frechette: [00:42:38] They didn't send me headphones. That's okay. Actually, Chris Lama sent me two headphones that are better than that. But anyway, the whole idea behind this, I think was, this volley back and forth, clearly it was just for weeks to get, get in the news. And I don't think that they ever intended to sway anybody that they sent the headphones to.
They just really wanted to create a big. Splash and have people talking about them. But one of the things that I found interesting about that this rebuttal was, they talk about the fact that know your content, that you've always owned your content at Wix. It's your content, but they still never addressed the fact that you can't get it out of their system without just copy paste.
So with WordPress, you can export, you could import into lots of other places we've made it portable. It's easy to get your information out. Yes, sometimes you have to know how to do it or hire somebody to help you. If if you're just, if you own a site and don't understand how to use WordPress, but with Wix, you literally have to copy and paste all of your content.
It's not something that's easily, too easy to explore or be available to export at all.
Tim Nash: [00:43:39] Is it really?
Nathan Wrigley: [00:43:41] Yeah, really. You've got to do that. You've got to go to each page one at a time and copy and paste it. So you okay. There's
Michelle Frechette: [00:43:47] no export feature. You cannot just export your content and the design of for sure.
The design, they own all the design. So there's no, there's no exporting anything that goes there. So even if you've customized and things like that, you're going to lose all of that.
Nathan Wrigley: [00:44:00] Yeah. It says here, I'm going to quote from the piece it says in your recent posts, he's directing this comment app, Matt, in your recent posts, you wrote the Wix makes it difficult to leave for customers, but this isn't true.
If someone wants to cancel the subscription, all they knew did need to do is click the button, cancel subscription. If a customer cancels within 14 days of a purchase, then getting a refund is automatic. So I'm not sure what you meant. That
Tim Nash: [00:44:24] is clearly
Nathan Wrigley: [00:44:26] I've been canceling is not the same as getting your content out.
Matt meant difficult to leave. In fact, I thought he was really clear about it. He meant get your content, not cancel your account. And clearly that's, he's just deliberately, just
Michelle Frechette: [00:44:42] as he addresses that in the next paragraph down, if you see where he's like that it locks your content or steals it.
No, of course you can always copy and paste your own content, but you can't export it easily. And that's what Matt was talking about.
Nathan Wrigley: [00:44:53] Yeah, exactly. So I feel this was a bit of a fudge. They're a commercial company. This is what they do. They try to keep you in there as long as possible. But anyway, Paul or
Paul Lacey: [00:45:02] Tim, yeah.
They're coming in at, that first of all, it's this is just part of, probably part of Wix, his entire plan for the whole campaign, which is just it's playground stuff. It's let's go and see if we can wind up that group of people over there. And then we'll have a fight. And then, and it's like the kind of lieutenants start first turning headphones out to people.
And eventually the two leaders are facing off and there's a scrap in the playground and everything. It just basically, nothing is resolved. It's a waste of time. And eventually the next day, someone else is talking about something. It just seems to me that Matt, as, being goaded into making a response and his response was probably quite predictable, but the way that Wix is attacking him back is just subverting the concepts that Matt is talking about and putting it from their own perspective.
And yeah, there's definitely some things wrong in the CEO of Wix, his response. But it's just a waste of time. It's just a waste. It's a waste of these people's time to be doing this in my opinion. And I don't, I just cannot see what this is achieving, even from works. Just, from weeks as point of view that they're getting people to talk about Wix in the community.
But to what point there is no point about this. I don't, I just don't get it. It just seems. I don't know if there is, shareholder stuff going on, there is a big deal with Wix coming up. That's yeah, we need to create a load of buzz and it will help us share share value, go up.
If we create a load of buzz or something. I don't know, man. It's not even interesting. I don't, this kind of thing, this kind of thing, should be interesting. We should be finding this really entertaining, but it's actually quite boring. The responses are you got an export tool.
You can cancel your account at any time. Oh, my God. Come on. Can we have a better, a drama than this? Sorry. I don't know. I don't know. What's the
Tim Nash: [00:47:02] to that? There's
Michelle Frechette: [00:47:03] a bit of PT Vardaman at though, right? No, publicity is bad publicity, as long as people are talking you're relevant. And so I think there's a sense of that, about it.
And I think that's what Wix is. Purpose was in all of this. I agree. I don't think they're going to sway very many people. I think that their ads on YouTube long before this were probably more enticing to people who didn't know about how to build their own website, then trying to get involved with a, a slinging match between the two of us.
Nathan Wrigley: [00:47:29] Dare I say, Tim, let's see if you can hear me this time.
Tim Nash: [00:47:37] No, I can hear you the whole time. I just can't reply anytime soon. Just wait five seconds. Yeah, no, what everybody else is saying. I don't really understand why we're talking about it. I would have done this with two minutes, to be honest, given the mass space that we don't need to,
Paul Lacey: [00:47:55] we should move on and kill this story from Caroline.
And, because we're just falling into the trap and talking more about just giving a rise out of the WordPress community,
Nathan Wrigley: [00:48:06] which case we will move to this piece, which is squarely, where we want to be. This is over on WordPress, sorry, WP Tavern. This is a piece by Justin called F S E outreach round five, venturing out a query quest.
And this is to say that Anne McCarthy. Who is a developer, one of the automatic developer relations Wranglers. She is in charge of the outreach program for full site editing. And she's now on round five. She's done various things like create a custom four Oh four page. And we've talked about these in the past.
She's lays out clear, simple instructions for what she wants you to achieve. And then the idea is that you go and try and achieve it and give her some feedback. And now we're onto round five with the query block, which is going to, I feel be one of the most important developments in the block space.
At least in core blocks where you can obviously create different queries and you can you can have it pull different things out of the database and display them in different parts of the sites. Justin, it was just a new route this year. It was just he typically, he got stuck in and he decided to go soup to nuts with it.
And he found a bunch of problems, things that he didn't, wasn't able to achieve. And then Justin being Justin, he thought I'm going to figure out the answer and I'm showing on the screen what he was able to pull together. It looks like a really nice it looks like it's a really nice sort of development.
Like I said, I think it's going to be one of the more important things in the future. So really this is a call to action. If anybody's interested in checking this out, I don't know what the date is by which submissions should be in. I can't remember what that date was, but if you click on the links inside the post that we'll link to in the show notes, you'll be able to go and have a bit of a play and probably run into some problems on the way they're talking about getting rid of the word query and I've forgotten what the word is that we're going to substitute it with, but something much more common and sensible, whereas query to me is it makes sense to us, but it perhaps wouldn't make sense to a regular user.
And they've decided they're going to call it something else. But I have in fact forgotten what it was. So over to you guys, if you want to discuss this one.
Michelle Frechette: [00:50:21] Stories like this often get thrown around in my local meetup where people start to wonder if WordPress is becoming more and more difficult or complex is probably a better word to use it.
I think just the one thing I would point out in this is that no matter what gets added to WordPress, just because features are put out there doesn't mean they have to be used. So this might be a beautiful feature. It might be something that we really enjoy using, but if you're starting out and you're building your first website, it's perfectly fine to build a simple website without using all of the bells and whistles that we tend to keep putting into something like WordPress, because something is a robust tool.
Doesn't mean you need to use all of the
Nathan Wrigley: [00:51:01] features. Yeah, that's a good point. Yeah, really good point. Paul.
Paul Lacey: [00:51:06] I just wanted to interest in trying to come up with new terminology to help us all understand it better. And cause we, I think there was a mention of that in, in one of the other posts that we covered today, where there was some new terminology that they were using for something I'm just I'm wondering how easy it's going to be for instance, to reuse some of these templates.
So queries, I assume it's going to be inherit kind of having an inheritance why did it works? And I imagine that it's going to follow the the WordPress file height, the structure, the hierarchy of structure, how it works. So if you, for instance, only edit one file in the full site, editing like index the equivalent of index dot PHP, then everyone else will inherit from that.
So it'd be interesting to see how that works because what we've seen in full site editing in other systems like Beaver Thema and things like headway theme from way back and and a mentor has got stuff in DV, I think as well, is that you. We are given a very human friendly user interface, too, to think about these things.
We can create a template and then we use an interface of inclusion and exclusion to decide where this template should live. And anyone who's built, parent themes before child themes, or even a thing, remembers the the template hierarchy. And you can see that reflected in this UI, but most people don't know that's being reflected in the UI.
But you can see that it's there and that's what it's calling upon. So I wonder how they will approach that because when I've looked at the full site, it's in demos it does take you back to a kind of virtual file system from what I could tell when I was testing it. But yeah, I think that it seems that they're doing things too.
So make it more accessible. But I do think last week we saw this theme called Michelle. Actually, the thing was called Michelle and and this theme that come out was starting to leverage some of the. Full site editing aspects, not in the way that this is doing it, but it was allowing you in a customizer type view to us too, to have created some block patterns or something, and then set that block group or whatever as your header and your footer.
So I just think that, they're putting this thing in the core and then whatever theme that comes out with it's, whatever new name that is commercially viable, we'll figure out a way to make it so through a wizard or something like that, you set your site up, it's hooking itself into the full site editing, but it's taking you through a wizard.
That's how I think it's going to how this thing is going to roll out. And I think that the, for anyone who is thinking about doing products in the future around, themes and stuff like that, it's definitely worth them taking a look at the results of this full site editing to see the shortfalls and to see, Hey, there's is the opportunity that's there.
They're not going to do that. Are they? They're not going to. Fix that for people they're going to leave that like it is, and they're going to put that in core and that's it's in there now. So I, Caitlyn we can go and fill that gap now. So I think it's it's called for an up perspective to see where they're drawing the line and wherever they, where they're hoping other people will pick things up for them.
Nathan Wrigley: [00:54:08] And I'm going to say the word, Tim, and then we're going to
Tim Nash: [00:54:10] wait.
we're going to write a really long time.
Nathan Wrigley: [00:54:21] I don't think I'm not sure if Tim can hear us. It's the most peculiar thing. Because Tim can, I can see Tim's move. I can Tim. See Tim's lips moving in complete sync. So something weird about the audio side of things, Tim, if you want to comment on that, I will I will shut up again, but if you don't wish to, then I will look, keep talking.
Tim Nash: [00:54:46] Just to say that the particular query block is quite cool, because if you look at all the Gutenberg block collections, they all have a recent posts one and they all work slightly differently. And none of them work particularly like the query per age, if you do be query. So for the people who are more deaf focused and for people who are used to how themes work, actually, you're going to get on with this block a lot more than perhaps you would do with most Gutenberg blocks.

Nathan Wrigley: [00:55:18] Thank you. The I guess the thing to be mindful of is that WordPress are not trying to build the perfect solution. Other they're trying to build something and put other people can hook into. And like Paul said, leave plenty of scope for third parties to come along and add different features on top.
And, but this is going to be the groundwork of how you do it in the future. And presumably there'll be a real shortcut for theme developers to put this stuff together. Cause you'll just build on top of what's already there. So anyway, it's
Paul Lacey: [00:55:45] the right way to do it as well because, because one of the scary things for me about this whole system has been, are they going to, really railroad us onto, we have to do it.
You have to do it this way, but if they do keep things quite conceptual a base level and do let everybody build off that, then I feel like we're all a lot safer and we've got a lot less to worry about. And again, it just leaves people. It gives people choice. It gives people a new option. And I think I was talking with Ann mccoffee on Slack just last week after the, after we'd had the show and seeing, the big hosting companies building their platforms, seeing the likes of element or building in what looks like a cloud solution and then seeing Wix and seeing Squarespace and all these kind of huge brands and huge companies trying to lock us all in that, where there is a always, there always will be this open source option for us to use in any way that we want is great.
And that's why I think they should keep things simple. They don't need to push Gutenberg and full site editing too far into being a full solution that end users can go, Oh, that's Oh yeah, I get how that works. That's easy. I think that they just develop it and make it as a stable platform for. The product creators to build on top of and the people who want to learn it.
Nathan Wrigley: [00:57:10] And and Michelle made a good point of course, is that you can always just do a nice straightforward site. You can just create blog posts and, have things in a, with a regular old archive and all of that kind of stuff. Yeah. Yeah. Good
Paul Lacey: [00:57:22] points. Just content. Yeah, content on webpages. It is
Nathan Wrigley: [00:57:26] content which segues nicely into this actually, cause this is content.
This is on Robert and it says that hero press has been bought bolt from word what's the right word here. We said it earlier adopted, we adopted is the right word. Isn't it? Hero, press have adopted hallway chats. It says it isn't an acquisition per se. Just do you guys listen religiously to hallway chats?
I have a laundry list of WordPress podcasts that I listened to, and this is on that list, but from time to time. Yeah. Yeah. And And I'm really pleased to see that it's not going to stagnate. It's quite interesting. Kate to Rosie has comment though. She's she's going into this with their eyes wide open, but it's not necessarily something she envisaged herself doing.
She said on Twitter, I'm not going to lie. Podcasting was the last thing I thought I would ever do. I wanted to do is be very honest about it. And yet the universe has a sense of humor. And so they're going to be taking it over and in the same vein tofa Rosea said, I've always wanted a podcast for hero press and then hallway.
When hallway chats came out, I realized it was the podcast that I always envisioned. So now I'm really happy to have them connected. It looks like it's going to, instead of it disappearing off the face of the earth, it's going to some excited stewardship with people. They hopefully are going to take it over.
And if you follow the hero press side of things, then you will know. That they put an awful lot of time and effort into that. So they seem like great stewards of this and the people that have got the energy and passion to, to keep it going. Michelle, it sounded like you, you've, you're a bit of an advocate of this or a fan.
I'm not sure.
Michelle Frechette: [00:59:06] Absolutely. I have a podcast, as and I tell stories about people. I let P I and enable people to tell their story. They were Pistorious through WP coffee talk, and people have actually approached me and said things like isn't this encroaching on your space? And it's at this something that people are doing something that's, you're doing too.
And what's that guy competing with you? I said first of all, There are thousands, if not hundreds of thousands of stories in WordPress, and there's plenty of room for us to tell them all. Secondly, no, of course not because there's a different style. There's a different way. We present things and there's diff some people may cringe at the sound of my voice, but I love listening to Kate do it.
It's all beautiful and none of us are in it to make money. If I could make a living doing podcasting, I think that I would be entirely different person than I am today. But the whole point is that there's so much room and there's so many stories to tell. And the fact that we all get to do it, I think is a beautiful thing.
And I think that Tofor and Kate have done a beautiful job in allowing people to tell their stories through here a press, to put an audio component to that where they continue hallway chats and marry those things together, I think is beautiful.
Paul Lacey: [01:00:19] Paul Tim. Yeah. Hallway chats is a nice podcast though.
That's a, that's an awful word because it's such a bland word, but it's a, it's very relaxing listen hallway chats. And I think they historically we've always asked, always specifically would try to find people that you'd never really heard of in WordPress space. Like it was all those unsung heroes or not even necessarily the heroes just people who you might meet at a WordPress event or something like that and brought those brought those voices and those stories to be able to listen to.
And I always found it a really nice listen and I think it's really cool that it's been taken over by tofa and Kate. And I think that I know that they're going to do a great job and And they're super psyched about it as well. And it completely just builds upon the success that they've had with, Hey, Ray press.
And I hope that not only just, for fun or whatever it is that they're doing it for, I hope that it brings all sorts of different facets of benefit to them as the people bringing these stories forward. I know it well, it's just these kinds of things. Just bringing opportunity to the people who are guests and the people who are the hosts.
So sweetie, good news, very good news and a new lease of energy being injected into the whole podcast.
Nathan Wrigley: [01:01:38] Okey-doke right. We will move on. I think Tim and Tim's Tim and I figured out a way to overcome the delay problem. And that is to write whether or not Tim wants to contribute in the comments, which is just very successful glove away.
Yeah. But that's really, I wouldn't have thought of doing that, that it shows that Tim is clever and I would just struggle on with Greg excited. So thank you for that. I will move on and talk about the next one, which is, who are these people never heard of either of them? This is, Oh, this is nice.
This is over on post status. I was talking about postdoc. Was it with you earlier this week? Oh yeah. Post status has been going for absolutely ages and they do a boatload of stuff. They got podcasts, they've got a load of content. And they produce an amazing newsletter each and every week, which I consume and and they had somebody on the show this week.
Yeah, she tells it. In fact, I'm just looking around now. Not everybody's sat in the same chairs this week, but there you are. Tell us about this. We've had we've mentioned it before. I don't think you were on, maybe you were on the show that day, but just to reiterate, tell us about why you were talking to Corey this week and the project that you've got going on.
Michelle Frechette: [01:02:49] Sure. So underrepresented in tech is specifically about helping people who are in underrepresented groups be found and be able to participate in projects and on. Find jobs and things like that. So it's a beautiful database where people who are underrepresented can put themselves into the database.
It's free. Of course we want people to be in there. And there's it's not just about people of color, but of course, absolutely people of color as well, but there's lots of ways that people can be underrepresented in technology, including, aging out, so to speak it I'm in my fifties, I'm a woman in my fifties, I'm a rare breed in technology.
And so the gray hair, yes, absolutely. I could point to mine, but I color it. So there you go. But the whole idea is that people like yourself, right? And like me and my, with my podcast, I can search the database and I can find more diversity to bring voices from other groups that are just myself to be included and to be heard because the more diversity we have, the more representation we have, the richer, the experience for everybody who participates.
So anybody who's listening if you're building a product and you have more people. Coming in on the design side of things, you're getting better perspective and you're getting a richer experience for everybody. So the whole idea behind underrepresented in tech is being able to do that.
And one of the things that I talked about, actually, we have a blog now, so we're not actually putting content out through podcasting, but on the blog every week, Allie and I just have open discussion about whatever topics. And last week Allie was actually under the weather. She'd had her vaccination and was having the reaction that so many of us have right after that.
And I had two female podcasters join me and talk about how to get on a podcast. So as and as I know, people are constantly, I have so many people lined up, Tim. I interviewed several weeks ago, his episode still isn't out in WP, coffee tech. Cause I have a backlog of things I'm trying to put out there.
I promised him it's coming. But so I'm not necessarily needing to go out and ask people to be on the podcast. So if you want to be on a podcast, there are ways to do that. And we talk all about that and underrepresented in, because we do want to have better representation of the people who are in our community, in the spotlight of things like podcasts, blogging on stage and events and speaking and things like that.
And so that's what, I'm the representative tech is all about. We don't charge to be in the database. We don't charge to search the database. We don't even, we don't even know who's searching the database and who's contacting whom, because we're not gatekeeping. Any of that information. We did recently offer a for sale services, which is that we will help you.
Look at your career page on your website and see if it really speaks to diversity and really is inviting we're offering marketing services and things like that. And of course we are charging for those because we have to honor our time. But the primary purpose behind the project is for people to be found, to put themselves into the database, to list those things that they're interested in, and then let people who are looking for people in the, in that space be invited through.
And all of that is always going to be free.
Nathan Wrigley: [01:05:57] Thank you very much. Valuable projects. And thank you. You can go and check the link out in the show notes.
Paul Lacey: [01:06:03] Two of my favorite people in WordPress Corey and Michelle and Corey as well. He's always been to me a kind of a someone to look up to in WordPress for his openness to bring to the table, the the difficult and conversations and he's carrying, and now he's getting involved in this conversation with Michelle as well.
I haven't actually watched that interview yet, but I did watch your last vlog, with the other two podcasts. Doesn't that I found that very interesting. But I am going to watch this and, but it's also, the whole thing has been transcribed as well. So you can just read it as an interview if you if you want to as well, but how is the whole project going?
That you're doing, I guess you're not, like you said, Michelle, you're not really measuring it at the moment, which is fine, no one says that you've got to do that. You're just putting, you're just putting it out there and hoping, but do you get much feedback from people that you're helping.
Michelle Frechette: [01:06:56] So give live that we do it. Give WP. We now have co-host for that, that Matt Cromwell found through our database. And so we have we have that, I know that cat Elliot has reached out to me and said that he's been on, I think it was hallway chats actually, because they found him through our database.
And so yes, we do know anecdotally it's working, of course not everybody gives us that feedback. And the database is growing and there's almost 70 people in there now that can be searched. We would love for people to put themselves in there who are interested because, sorry guys, if you're just white gentlemen who have no underrepresented qualities, you are barred from being included, but you're already represented quite a bit in our circles and in our community.
But the whole idea is to bring more richness and more diversity, of course.
Nathan Wrigley: [01:07:42] Can I'm prompted by Tim in the shower. I want to to say, thank you. He's doing a great job over on the chat, telling me all of the things that I should mention. We can tell who's the producer. He's doing great.
We need Tim
Paul Lacey: [01:07:54] in your ear, but don't
Tim Nash: [01:07:57] say this visually brilliant.
Nathan Wrigley: [01:08:00] I'd forgotten what Tim has remembered. And that is to say that you were going to mention the opening of the, on the big orange heart side plant. You want to give us the details about
Michelle Frechette: [01:08:11] that? Yep. So big orange chart. There's a lot going on there right now.
And we are launching the next word Fest. So if you remember, we had word Fest back in January, which was a 24 hour celebration of WordPress with lots of speakers. We are doing that again in July. I'm struggling to remember the date. I think it's July 23rd. Yes. July 23rd. And it will be another 24 hour word Fest, and we are going to be opening the call for speakers, call for sponsors, volunteers.
All of that will be open very soon. We are still working out some final details as we are actually transitioning to be a U S charity. And instead of moving away from the UK charity, just for reach and financial purposes, since most of our donors, a lot of our donors come from the U S and are looking for the ability to have a tax benefit to giving.
And so there's, and there's a lot more to it, of course, than that, but we are absolutely looking a lot of the things that as those ironed out, we're able to launch this. You can register your interest. Now, if you register your interest, you of course will be notified when all of those things are opened up.
Nathan Wrigley: [01:09:13] Thank you. So that's if you go to word Fest dot live you've ever see it and put it in the diary. 23rd of July, 2021. So it's going to be inter it's both speakers. And sponsors at this point, is it
Michelle Frechette: [01:09:28] right? So that will be open very soon. Speakers, sponsors and call for volunteers. I believe we're going to open shortly after that as well.
Nathan Wrigley: [01:09:34] you. Thank you very much. So
Paul Lacey: [01:09:37] actually just to anyone who's never done a talk or anything like that before, but has this feeling that they would love to try, but nervous about it, just submit application to, to get involved and be a speaker because I just can't tell you the, I just cannot tell you the opportunities that can come out of doing these things that you would just not expect and the people that you have made.
And I spoke eventually word Fest live. Last time I dropped out, then I came back in and Nathan did a fireside chat live. Interview with me. So that was interesting. Cause a little story on that was that I had all my notes laid out all over my table, sticky notes everywhere. And I knew exactly, the order of things that was going to say.
And Nathan, as he does said something funny made me laugh and all my notes just blew off the table. I was like, suddenly there's a moment in the talk where my eyes just widened. But even from that talk, I know. So I know some actual opportunities that have turned up as a result of doing that stuff that you just don't expect.
And and no, you, haven't got to go and stand on a physical stage because it's online and you can prerecord it. And if you go and look at the different talks, you will see that there's people, don't have the expectation that everyone's got like a studio or something there because people are just doing their talks with a PowerPoint presentation and a webcam.
And it's all about just the content. If you've got something good to share it, you don't have to think, Oh, it's not going to be as good as this person's thing or anything like that. Just, if you've got something good to share, apply, and you never know what might happen. Yeah. Chrissy was. Hey, fun moment.
When my notes are off the table, I was actually quite
Nathan Wrigley: [01:11:19] surprised that you didn't just say, can I just go and pick them up? But we probably would have spent three minutes putting them all back into the note notes herself, put them in a, like a laminated folder or something. There was a rest
Tim Nash: [01:11:33] to
Paul Lacey: [01:11:33] the desk.
It was supposed to stick to the desk, but they didn't because the, in the post-it notes have bent. Yes that they weren't sticking to the desk and I'll pull up a photo in a minute if I can find it.
Michelle Frechette: [01:11:48] I am the speaker, the organizer for speakers, and I have a deputy this time. We've all got other people.
So we have some redundancy in case anything happens to one of us. Megan Rose from Northeast Ohio. She's one of the organizers for word camp, Northeast, Ohio. She also is working with me on the speakers and this time we're also introducing wellness talks. And specific times every continent for a wellness talks.
And we're also going to be doing lightning talks and we're going to be interviewing WordPress community members. So we're introducing different ways to be involved. I love that you said that Paul, because if you if you've never done it before and like the idea of doing a half-hour talk is a little overwhelming, then think about a lightning talk or volunteer to be interviewed and talk about what you're doing and work from.
Paul Lacey: [01:12:33] I can guarantee anyone who does a lightning talk, thinking, wow, that's too long. We'll be running out of time by the end of their talk, thinking, I got much more to say here. I found a photo of my notes on the table.
Tim Nash: [01:12:45] Oh my
Nathan Wrigley: [01:12:45] goodness. Okay. That, that presumably is pre, the ablation,
Paul Lacey: [01:12:51] laughed through my nose and blew them all off the table.
So yeah. Careful live is always, life is always, just has to be found out today.
Nathan Wrigley: [01:13:04] I don't know now where we go with this, do I actually read your words in the comments as if you're saying them? So Tim is Tim. You seem to be in sync with me now though. Cause you shrugged at the exact moment that I said it. So you can go for it now if you wish.
Tim Nash: [01:13:21] Okay. I will, I may or may not be in sync, but as someone who has done. Far too many talks, lightning talks are much harder. So if you are in fact going to do a talk, don't think doing a lightning talk is the easy version. You're basically going to try and do a full talk and do it in six minutes. That's almost impossible.
So just go and put yourself in for real, for a full stalk jump in and you will enjoy it. I promise Michelle, we'll make sure that you enjoy it. She's got, she will make sure you'll enjoy it. Yeah. They're
Paul Lacey: [01:13:53] very supportive. If you are worried about something, you can contact the big orange heart team, the world Fest team and say, I'm panicking about this talk or something.
Michelle Frechette: [01:14:06] We actually had somebody who had submitted a talk and she was open about it. So Chris Ford submitted a talk and she was struggling to actually record her talk. We, she has anxiety, like I have anxiety and that was one of the things that was causing her anxiety. So I reached out to her. I said, what if we did it as a conversation?
And I asked you questions. And so we recorded that. So I got on with her, I recorded it. She was able to say the things she wanted to say without the stress of sitting in front of it and filming a talk. So there's lots of ways that we can facilitate your sharing of information through a talk, without it necessarily being overwhelming, to create a PowerPoint and present it to the camera.
And pre-record it that way. And Tim, to speak to the idea of sometimes a lightning talk is hard, or at least when you re read your recording them as opposed to trying to do it live, and you realize you've run out of time when you record it, you do have the opportunity to make sure that you're succinct and that you can fit it all in.
So there is that.

Nathan Wrigley: [01:15:04] That's fine. That's okay. Okay. I'm going to move to the last piece cause we really have used up a very large amount of time. And this is one I am so caught by this piece. I don't really know what to make of it. This is on WP Tavern again, it's by Sarah Gooding. It's called. So it falls under the umbrella of security readily zero diem, temporarily triples payouts to 300,000, sorry, 300.
Yeah, $300,000 for WordPress exploits. Just read that again. 300. Thousand dollars for WordPress exploits now. So rhodium is one of these businesses that I wish it didn't exist, but I can see why it exists. There are marketplace, if you're an expert hacker and you are able to to let's say, gain access to the Android iOS or Macko S or windows or whatever it may be, you can choose to go to two or three routes for that.
You could you could deliver that vulnerability to the vendor and give them the appropriate 90 days or something and ask them to fix it. Or you could go to as a rhodium and get paid a boatload of cash so that they can sell it to . And you've got to assume that the, any body doesn't have our best interests at heart.
I don't know, really know why they've suddenly decided that they're going to an exploit on WordPress. And I think basically this is a vanilla install of WordPress. Tim can probably fill us in. I'm sure he's got more detail than I have, but the idea that it's, that is worth 300,000. Sorry, Tim, you take it.
Tim Nash: [01:16:36] No, that was really confusing because Paul told me to say that now, and then you kept on talking. Okay. I'm going to start again. Zero diem basically by itself. Vulnerabilities tripling. It's a free hundred thousand. Just think about that for a second. 40% of the web. If you've got a hack that could take over 40% of the web friendly, fast and cheap.
Nathan Wrigley: [01:16:59] Yeah. Good point. That's seriously
Tim Nash: [01:17:01] cheap. Yeah. You could just take over any WordPress website. That's going to cut. So from that perspective, it doesn't sound so bad. We're also talking about vanilla install with no plugins. No, Femes. You cannot have an any user account on that site getting that's hard.
Let's even if we're talking about the ex XC exploit that we were talking about earlier, that required you to at least set up your site in such a way as to allow someone from the front end to upload an MP3 file. That wouldn't have qualified for this bounty. It has to be something where they can literally drop the payload and get straight in as for why it's now 300,000.
I'm sure there are plenty of good, bad weather. I don't think there's any good actors, but there's plenty of bad actors and state actors who would love to have access to all those WordPress websites. Everything from the white house's website or through to lots of medical research sites.
And these are, they're not necessarily even aiming to target the WordPress website itself. They're just using that as a door into them, pivot to other information. If you think of things like the Panama papers hack, which was supposedly got by an exploit in WordPress that allowed them access to get enough information to get onto the.
A secondary server, which then allowed them access to all that information. Similar thing could happen here. You've got vaccine research is a good example where you can imagine that there that some AstraZeneca would, their nice front face, WordPress facing website gets hacked. The marketing person's credentials gets leaked onto pivots onto their SharePoint server.
And next thing, a rogue nation now has that data. I pick that at random. I have no idea where AstraZeneca has a WordPress website, et cetera, et cetera, but you can see why it would say that how much is that worth to them? If they know that's one of their roots in, if you're a a rogue nation, are you willing to pay for a hundred thousand?
Of course you are. Are you willing to pay a million dollars to get access to that sort of information? Probably 10,000,020. So you can, yeah, it's cheap. This is the scary part of that, as the company exists, It is always going to exist. I just don't, you don't want to know about it, this idea of a gray market.
You don't want to be know that if it wasn't this company, it would be another company. I am the fact that I want to do they pay
Nathan Wrigley: [01:19:35] tax.
That would be, yeah, I very much doubted the exploits for, I think Android, certainly Sarah in the article mentioned that if you can get into Android, then it's two and a half million. I think it was obviously you know, that everybody's walking around with Android in their pockets. There's probably an awful lot of data to be had there, but I'm assuming that this price is.
Reflective of the double fronted marketplace that they must operate. In other words, they've got people coming to them saying, we will pay you X, if you can deliver us WordPress on a platter. And then they turn around and say to the hacker community that they've got in their in their community.
We're going to make it 300,000 because we've got a boatload of people just waiting to pay us for it. So you can only imagine if somebody does manage to do that exact task. I'm sure as the rhodium will be rubbing their hands together for a pay day much bigger than 300,000, but man alive. Oh, they also can
Tim Nash: [01:20:36] share that to multiple companies.
Yep. So once they've got that once they've got very exploit, they're the people in charge of it for distributing it. So they can then start distributing out to multiple actors. They, they will also the person who, they're saying, Hey, we're gonna we'll take 300 pounds, give you 300,000 for this exploit.
That's not what they're selling it for. Yes. They may well be selling that on it to free 4 million.
Nathan Wrigley: [01:21:04] Yes. We're all in the wrong business. Aren't we? Yeah, actually, no, Tim probably could go and work for the rodeo, but it was decided to do the right thing. Tim does Tim?
Tim Nash: [01:21:20] Yeah. Bug bounties, but bounties are a legitimate business though.
There are things like hacker, one exists WordPress that in fact has a bug bounty scheme on hacker one. So there, there is legitimate ways where you actually report the bugs to the organization whose buggy is, and then they can fix it. And it's a rodeo means a gives bug bounties, a bad reputation, which is unfortunate because bug bounties is a very effective tool in helping us find vulnerabilities.
Don't yeah. And the security researchers themselves, the problem is that you're going to be surely tempted. If you're sitting there going, I have found this critical vulnerability in WordPress. Yes. I will get some fame. From, saying, Hey here's the vulnerability. And I might get some money from having a vulnerability of WordPress, but it's not going to be massive amount or I could get 300,000 and a nice new house.
That is a moral dilemma. That is well. Yeah, unfortunate if you end up with it. And I've, I suspect quite a few of us would publicly state that. No, I would never sell to them. And then privately their their other halves may be asking why exactly are you not selling to them?
Nathan Wrigley: [01:22:29] It's a life-changing amount of money.
Nigel makes a really good point in the in the comments he says might be a lot easier to plant sleeper agents. We've never said the word sleeper agents on this podcast, we're getting a bit dark, but I'm loving it. Might be a lot easier to plant sleeper agents as core contributors and wait for an opportunity.
To sneak in vulnerabilities. work has been waiting for this day. He is in fact of the dark Lord. And he's been building this project to get to its target. It's 50% of the internet. And then he's just going to take it all down.
Michelle Frechette: [01:23:01] I need to, now I need to wonder though, if we need to worry about Nigel,
Nathan Wrigley: [01:23:06] Nigel knows.
That's interesting though. Good grief. The plot thickens.
Paul Lacey: [01:23:13] I'm sure. I'm sure Nigel's not the first person to have the idea that, us getting up, doing a kind of setting out time for money, while these people making, you know that the people involved in things like Zildjian was just thinking on a different.
Different logical way than we are at about how, how you get things done and how you achieve your goals and everything. So it's just a really interesting, I'm now frightened of what is going on in WordPress. It's a
Nathan Wrigley: [01:23:42] proper career path. If you are good at hacking and you can turn up to these hacking, punk to own and things, the people who, the teams should I say, who managed to, I don't know, get out of Chrome sandbox and things.
And then on the next day they do something else. And then on the day after that day, something else, they walk away with millions. Not millions, but certainly hundreds of thousands. And then next year they turn up and do it all. Again. It's an actual career. It's I liked the idea of doing those festivals though, where it's on display and everybody gets to see what's happened.
This all seems a bit dark and murky. Let's hope one day. I shouldn't say this out loud because somebody will come and hack power. So let's say one day zero sodium gets hacked and we'll see how it see how they like that. Expunge that from the record. I never said it. I don't want bad things to happen to me right on that bombshell.
I think we're done. We've had, well over two, one and a half hours. We normally do a quick, super quick thing at the end where we just say, if anything's happening to us this week, so I'll start with you, Paul, anything going on
Paul Lacey: [01:24:43] two major things. One of them is finishing off my talk that he's late for the page builder,
Is it page builder, It is. Yeah. Yep. And so I can't wait to finish that off. And then the other major important thing in my life is I've got a new set of blinds down there to put up in the next few days. That's
Nathan Wrigley: [01:25:06] exciting stuff window over at the Lacey household, but thank you for your contributions to the summit.
Paul Lacey: [01:25:12] This is my window. This is my blinds at the moment. This piece of cardboard,
Nathan Wrigley: [01:25:17] it's doing good duty. I'd say that's pretty much
Paul Lacey: [01:25:19] enough. That's what happens. Yeah. It's better without the piece of cardboard actually. So yeah. Yeah.
Nathan Wrigley: [01:25:25] It's a big step happening what's happening to you this week.
Tim Nash: [01:25:30] So this week I have a hacked workshop.
So I'm doing a workshop where we're going through how to fix hack sites, how to identify them, et cetera, et cetera. There's still a space left. If one more person wants to come and join us. And the details are up on my site, but that's tell us free much me. I'm now deep into the weeds of
Nathan Wrigley: [01:25:49] that. Tim, in the comment that a little private chat, will you put the URL where somebody could go and subscribe to that, by the way, we should say it's sponsored by the rhodium.
Tim Nash.
It's not sponsored by if you put it in the chat I'll mention it and put it in the show notes. Cause we'd like to get that space filled. We don't want one empty space on that Dewey and Michelle.
Michelle Frechette: [01:26:12] First, how come when Paul took the cardboard out of his window? Suddenly Tim had light in his face.
I don't understand that connection. That's
Tim Nash: [01:26:19] not too
Paul Lacey: [01:26:21] bizarre. Sorry, Tim. Put it back up in a minute.
Michelle Frechette: [01:26:26] I'm not sure if Nathan knows, but I believe I'm going to be speaking at the page builder summit because I'm working with week lot. And I think I'm going to be presenting on their behalf.
Nathan Wrigley: [01:26:35] Nice bit of synchronicity there.
Thank you. It's
Tim Nash: [01:26:38] good
Michelle Frechette: [01:26:39] to know. I need to put that together. I'm working with Tomas from week. So I'm sure you'll be hearing from them about that soon. And yeah. And other than that, I'm working on several different blog posts this week for big orange charge for post status. Forgive the VP. And on my own website works by Michelle.
Nathan Wrigley: [01:26:56] Wow. There's a lot happening. I'm just going to be editing video this week for the, the summit.
Michelle Frechette: [01:27:02] Can you say just like that, doesn't take loads and buckets of
Nathan Wrigley: [01:27:05] time actually. Do you know what, do you know what it is? It does a lot of there's a lot of Mac fan action. That's what I'm going to say.
I was saying to Tim before we began, I've got a fairly old Mac. It's not. Not prehistoric, but it's pretty old. It could do with an upgrade. And so when I render the videos, basically the fan comes on the, for the next two weeks, my fan will be ready, blow in a hurricane in this room. But yeah hopefully it will be all be worth it.
That's it do join us next week. I can't tell you who's on next week. Cause I can't remember, but it will be it'll be me and Paul and a couple of other people, but it's been very nice having you again. Sorry about the technical difficulties to those people listening. And particularly to Tim, who's had to put up with the horrible lag, at least there wasn't an echo, echo, and he's shrugging.
So that's good. He's not, it's not too bad. Now we reached that moment in the show where we have to awkwardly wave as I press the end broadcast button with no conception of how long it's going to take for the show to end could be two seconds. It could be 20 seconds. So let's wave and I'll say goodbye.
Tim Nash: [01:28:09] Give back.

Support WP Builds

We put out this content as often as we can, and we hope that you like! If you do and feel like keeping the WP Builds podcast going then...

Donate to WP Builds

Thank you!

Nathan Wrigley
Nathan Wrigley

Nathan writes posts and creates audio about WordPress on WP Builds and WP Tavern. He can also be found in the WP Builds Facebook group, and on Mastodon at Feel free to donate to WP Builds to keep the lights on as well!

Articles: 786

Filter Deals

Filter Deals

% discounted

% discounted

Filter Deals

Filter Deals


  • WordPress (38)
  • Plugin (34)
  • Admin (29)
  • Content (18)
  • Design (12)
  • Blocks (6)
  • Maintenance (6)
  • Security (5)
  • Hosting (3)
  • Theme (3)
  • SaaS app (2)
  • Training (2)
  • WooCommerce (2)
  • Lifetime Deal (1)
  • Not WordPress (1)

% discounted

% discounted



WP Builds WordPress Podcast



WP Builds WordPress Podcast
%d bloggers like this: