Transcript (if available)
These transcripts are created using software, so apologies if there are errors in them.
[00:00:04] Nathan Wrigley: It's time for this week in WordPress episode number 306, entitled I want to badge.
It was recorded on Monday the 19th of August, 2024. My name's Nathan Wrigley. And today I am joined by my cohost, Kathy Zant, but also by Tim Nash and Nathan Ingram.
It's a WordPress podcast. So guess what, we're going to talk about WordPress.
First of all, we talk about Gutenberg 19 and all of the new things which are being introduced, and some of them are really quite interesting.
Also WordPress 6.7, the release squad has been announced. Who's in that?
2025 is going to be the new default theme. And there's quite a lot to get into there. We talk about all of the different patterns and things that you will find in that theme.
HEIC, if you are an Apple user, you may know that is the acronym for the images that you take on your iPhone. And very soon, WordPress will enable those to be uploaded and converted to JPEGs in your WordPress website.
There's a few sad bits of news. WPwatercooler, which is a long running podcast has ended after episode number 405. The hosts have decided to call it a day.
The speakers have been announced for WordCamp US.
And then we get into a whole bunch of security news. And also a chance for Tim to mention his upcoming workshop and for Kathy and Nathan to mention their offering in the security space as well.
And it's all coming up next on this week in WordPress.
This episode of the WP Builds podcast is brought to you by GoDaddy Pro, the home of managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients and get 30% off new purchases. Find out more at go.me/wpbuilds.
And by Bluehost. Redefine your web hosting experience with Bluehost Cloud. Managed WordPress hosting that comes with lightning fast websites, 100% network uptime, and 24/7 priority support. With Bluehost Cloud, the possibilities are out of this world. Experience it today at bluehost.com/cloud.
And by Omnisend. Do you sell your stuff online? Then meet Omnisend. Yes, that Omnisend. The email and SMS tool that helps you make 73 bucks for every dollar spent. The one that's so good, it's almost boring. Hate the excitement of rollercoaster sales? Prefer a steady line going up? Try Omnisend today at omnisend.com.
Hello, hello, Good evening. Good afternoon. Good morning. Good, Welcome. That's not even a sentence, but there you go. Good, welcome. I like that. I'm gonna say that more. we are on episode number 306 of this week in WordPress. Just before we started the call, I decided to eat some salt and vinegar.
We call them crisps, you might call them chips, depending on where you are in the world. These are the most salty things I've ever eaten in my life, and I'm now basically dehydrated. I've only had about seven of them, but I'm gonna continue with that. You can see a fine cornucopia of great panelists.
I'm gonna start in the corner, actually down there because Kathy Zant joins us very regularly. So much so that we've given her and several other people the title of co-host. I'm gonna say that to Kathy. Hello. Hello there, co-host. How are you doing? I'm doing well. It's good to see you.
Yeah. And you, really nice. We'll get to the others in a moment, but I'll give Kathy her proper bio first. Kathy is the Director of Content and Community at Motivations ai. Go and Google that. Motivations. ai, the creator of Motivation Code. Motivation Code is an assessment that explains who we are, what motivates us, and how to live a more fulfilling life tied to our individual motivation dimensions.
She's passionate about WordPress, your, excuse me, that's my crisps. your stories, believes everyone's voice deserves to be heard. That is such an interesting project you are involved in. 'cause it's just, maybe there's WordPress kind of bolted into there somewhere with the website and so on, but it's a real departure, isn't it?
Are you enjoying time over there? I am, it's funny because it's very similar to the work my husband used to do back before all of his health events. 'cause he did neurolinguistic programming and, personal coaching and stuff. And so I used to joke that I removed malware from WordPress sites and he removed malware from people.
and in the people space right now, helping leaders do better, helping people understand themselves better and, getting all the gunk out of the way. So it's, fun. I, really should do something like that. I've reached a certain age, Kathy, that age, it ends in a zero and it's quite a big one.
And, and sometimes I sit down and I do have that, I think, what, am I doing? I've got a limited time left. what should I do with the rest of my life to motivate me? Motivations ai. I might, that might be my to call. It's fine. Yeah. Yeah. You, it's a very, it works off, it's cool because you like write stories about times in your life that you felt fulfillment and you felt like you were on and things were going really well, and the system pulls out keywords and using machine language and everything and gives you a dimension of these are your core things that, that get you motivated.
[00:05:53] Kathy Zant: And it, it's cool because it's a lot of businesses are like, okay, productivity and yeah, I optimize your processes and everything. And I, after I took it, I'm like, I'm a visionary. I like big ideas, big things. And I drag all of my coworkers along with me. And I like, I'm an influencer as my secondary dimension.
So I like to it's just kind of me. Yeah, a visionary influencer. So I've got a feeling that if I did it, I, the key words would be couch, cushion, sitting and book. That would probably be what came out for me. I'd love to see what your motivation. yeah. You do it. Share your for with me, I'd love.
All right. Thank you. Motivations AI, go and Google it. Let's go over there. We're joined by Tim Nash, who's actually giving away a little bit of his location. Normally we see the wall behind him there, but today we've got a little bit of a green pasture. He's from Yorkshire, much like me.
[00:06:49] Nathan Wrigley: And look, there it is. There's Yorkshire. There's actual Yorkshire there. That's lovely. I was gonna say, if you'd waited a couple of minutes ago, there were some llamas there 'cause Oh God, no. A natural part of Yorkshire. Okay. Is, our, well-known llama food lama. Hud. Yeah. Is that a llama farm or something then?
Basically, it's a menagerie. Okay. There is any, anyone point out there horses. goats, some sheep. There's a cow. Occasional triceratops, als and Rams and random birds. But that is the Yorkshire moors from there. Oh, the Yorkshire from there. If you draw a straight line, you can, there's a couple of roads, but you can more or less go to Carlisle in a straight line.
Nice. Yeah. Yeah. Go off the moors. Did you notice that on Netflix this week? Sorry, apropos of absolutely nothing. There's a brand new All Creatures Great and Small, which is all about the Yorkshire veterinary practice. Anyway, let's do your bio. Last time Tim was on, he read it in an Edgar Allan Poe kind of accent.
So I've learned my lesson. Okay. And I thought, what should I make Nathan read this time? Oh, really? 'cause I haven't read it. I think you're gonna be excited by this. Okay. Do you want me to read it in an excited way? No. Okay. All right. Okay, here we go. Tim Nash. With decades of experience in development system administration and cybersecurity, Tim has built a reputation in the WordPress and security communities as a trusted security expert to those who build WordPress websites.
[00:08:15] Nathan Wrigley: All good so far? When organizations including security firms need someone to tackle the tricky WordPress security challenges, they come to Tim. As a speaker at WordPress and security events worldwide, he's passionate and sometimes a little bit scary when sharing his deep knowledge of website security and helping others, be it one
to one or on stage to hundreds. That's cool. That's nice. Thank you. I was expecting some, I know real humdinger in there, but that was all right. You let me off the hook. Thank you very much just for you. Thank you. Thank you. And last, but by no means least by Nate. There's more Nathans on this side of the screen than there ever has been before.
That's Nathans all the way. It's Nathan Ingram. How you doing, Nathan? I'm great. How are you? Yeah, good. I can't cope with saying Nathan. That's too weird. It's a power word. Do you know many Nathans? 'Cause you are literally it. I don't know any other Nathans in the actual real world.
There are not many of us. No, I think we should cherish our uniqueness. Indeed. Yeah. So anyway, thank you for joining us. Absolutely. Yeah. So here comes Nathan's bio, hopefully not laced with some bomb halfway through. Along with Kathy Zant, co-creator of Monster Secure. We'll have a little look at that later.
A user friendly, expert led security course that equips clients with the essentials to stay safe from hackers. He is also the creator of Monster Contracts, proven contracts for web, sorry, WordPress client work and the host at SolidWP's Solid Academy, which again, we will feature a little bit.
Solid. At least we will. He's been working with clients to build websites for almost 30 years. So thank you for joining us. There is our panel. really nice to have you all. If you want to make any comments, we would love that. It's always really nice when comments come in. the easiest way to do that is probably go to the regular page that we say every single week.
So hopefully you know it by now. wpbuilds.com/live. If you go there on the right hand side, if you're on a desktop, is a YouTube comment system so you can be logged into your Google account. However, if you don't like Google and you know you'd have good reason not to these days, the, I shouldn't have said that.
I'm gonna get sued. I love Google. I love Google so much. if you, don't like Google, then you can just log into the actual chat in the website platform. It's in the video, top right hand side. It says something like, I dunno, website chat or something. You can try that instead. And if you do put a message in, you never know.
It might come on the screen a little bit like this. Here's Courtney Robertson saying, good day. Nice to see you, Courtney. Thank you very much. Yeah, really nice. And Alan Fuller. Alan is slowly but surely usurping Peter Ingersoll's role as the broadcaster of the weather. Here we go. Hi. The weather in wiling UK is overcast.
It's dry, 19 degrees with a southwesterly wind at three knots. Okay. We've never had the direction of the weather, the wind before. It's new. thank you very much. Elliot Sby is joining us and says hi. He's just down the road from me. we are also joined by Rob Cairns. He said, I, guess he wanted to write hey friends there, but instead wrote he.
He friends. I think that could be better. Oh no. There we go. Hey, he corrected himself. This is going to turn into a security show. It is, Rob, it totally is. There's quite a big security bit and here he comes as expected. Peter Ingersoll, thank you so much. Every week it's the same. He gives us the weather, wet Connecticut.
Oh, I'm sorry to hear that. After a day of heavy rain, parts of the state are dealing with, oh, blooming heck, dealing with flash flooding in High Rivers, currently 22 degrees, 71 Fahrenheit and cloudy big at Oldum. She's joining us from sunny Germany. And finally, for now, South Carolina. From hello. From there says Chris.
It's lovely to have you all. Honestly. This show is way better if you make comments, please feel free to do that, wpbuilds.com/live. All right, let's get stuck into it. Bit of self-promotion. Sorry about that. Here it comes. It'll be very brief. This is our website, wpbuilds.com. If you wanna stay updated to what we do, put your email address into this box and then click subscribe and we'll send you two emails a week, one when we finally put this episode out, which will get packaged up and what have you and sent out tomorrow morning.
And then we do a podcast episode on a Thursday. They're the only emails that we send, usually. So there is a sort of no spam guarantee in there, but I'm not promising I might turn into the world's biggest spammer next week. Caveat emptor, it's up to you. Put your name in there at your own peril.
That's what I'm saying. The show though is sponsored by these three fine companies. Great big thanks to GoDaddy Pro and also to Bluehost and also to Omnisend for helping us keep the lights on over here. Really appreciate it. Okay, let's get stuck into the bits and pieces. Just so that the panelists know, it's a bit of a free for all.
If you want to be polite and wait your turn, that's fine. However, if you just wanna over talk and, interrupt, that's also, that's fine. Nathan, you can just carry on now. Tim, shut up. No, please do that. That would be, that would be absolutely perfect. Appreciate it. so here we go. First one, two bits of news here.
The first one is the piece of news that we're looking at, which is called Gutenberg 19, introduces new experiment, sorry, two new experimental features. But the second piece, which is from my point of view, the more interesting one actually is we appear to have a new person, writing on the tavern. if I go, let me just click open the tavern website.
up until recently, and I, forgive me, it sounds like I'm blowing my own trumpet, but it, isn't, it's been me doing the podcast, for weeks and weeks. Nobody's been writing things, but look, it's come to life now. We've got other thumbnail images and, and this is great. We have now, forgive me, jaws.
Joel. Joel Lesner. Can anybody help me? Is it Jo Lesner? We're gonna, I'm gonna go with Lesner. I am so sorry. Lesner. It would be nice to get to know you over the days, weeks and months to come, but I'm really glad that somebody's back. So let's do that first. Happy the Tavern's back. Do you think the ship has sailed for the Tavern, or are we gonna come flocking back?
What is it now, six or seven, eight months possibly, since it really last was being held together by, the likes of, Sarah Gooding. over to you. What do you think? I think it'll take some time to ramp back up and get integrated again. But I'm really glad to see that. I'm glad to see a fresh new face, a fresh voice.
[00:14:55] Kathy Zant: no shade to all of my friends who did, try for the position and stuff. But it's refreshing to see someone that, isn't, I don't know, just a new face. Yeah. I'm excited. Yeah, I think that's really nice. Yeah, it's not somebody that I know the name is not familiar to me.
[00:15:15] Nathan Wrigley: And usually, we get a first and surname, don't we, on these kind of things. And to, have it as just one name. I don't dunno if that's a surname or a first name. Certainly don't know them. but yeah, nice to have a bit of fresh blood. Tim, Nathan, anything on that? I, just like this idea that in fact, it's somebody you do know and they're just using a pseudonym.
Oh, and this is that you've, your approach. I'm sure it's not. I think it is nice. I, it'd be lovely if perhaps it was, Multiple voices. Yep. both from a, to have different perspectives, but also running a thing like the tavern solo is going to be an incredibly stressful experience with lots of expectations put on them from lots of corners.
And so I think it probably for them, if there isn't another person helping, and there isn't an or there, it, we might find that they don't last that long, which I hope isn't the case. And I hope that we get to have more voices on there. I thought the Hunger Games approach was probably too many voices, but, so maybe if we could pare it back to just a couple, it'll be quite cool.
[00:16:22] Nathan Wrigley: Yeah. Nice. Thank you. Yeah. Nathan, anything? Yeah. Yeah. I think, I do a lot with WordPress news. We, in our, a monthly news roundup on solid academy and then, working weekly with post status. And when the tavern went dark, we really missed it as just a source of. Things going on it. It's been interesting to see though how other.
[00:16:44] Nathan Ingram: Sites and offerings have filled that space, have filled the void. So it'll be interesting to see if the tavern can get traction back. I share your exact concerns there because I was in exactly the same boat, so obviously we do the show right. And basically it involved me opening up the tavern and that was my first port of call.
[00:17:03] Nathan Wrigley: I actually had it on an RSS feed, so it wasn't quite like that, but essentially it was looking for anything which said WP Tavern on it. And then I would just crib that as the first thing that I wanted to mention and Right. much of it got in, much of it didn't, but then it went all dark. And you're right, I had to scrabble around and that process itself was quite interesting because I ended up with some new things in my feed.
I went looking a little bit further, some new voices came in and that's been the way for the last nine months or so. I have, and forgive me, I think it was Rae, from The Repository, wrote about this in her fantastic newsletter, which she puts out on a Friday. It is called The Repository. Go and Google that.
Then just put WP and then the repository, and I'm sure you'll get it. she wrote, and I could be misquoting this, she wrote that whoever, Jo Ner, I'm so sorry. whoever they are, they might not be one of the two people that will ultimately get selected. It sounds like maybe they're more on a freelance basis.
I don't know. Anyway, I. However they're writing whatever the structure is for them and whether they're getting paid by Audrey Capital and all of that. this is, great news from my point of view because it means that we've got this trusted source and here's something good to know. If you are writing for the tavern, and I, actually don't know this, I'm just saying it from my point of view.
My podcast gig over at the Tavern comes with absolutely no strings attached. I literally am in control of whatever I wish to do. There is no embargo on what I can write, when I can write what I can record, when I can't record. And but it, it gets paid for. And, I think sometimes when you go to content in the WordPress space, you do get a lot of the promotional fluff around things, and then you get to the content itself, whereas I always felt with the tavern, because those people were paid to do what they did.
Do and contrary to popular opinion, there are no editorial, don't write this thing about Automattic, say. I think hopefully it can come back as a bit of a trusted source. Anyway, that was apropos of absolutely nothing. So there we go. Gutenberg 19 introduces some new experimental features and I'll just crib what I've highlighted here.
Two new experimental features worth mentioning. The first one is the highly anticipated UI prototype for connecting blocks and custom fields, and essentially there's a teeny tiny little 30-second silent video here where it shows you what you can do, but basically you can now do, I dunno. You can connect a custom field to a block on your webpage, the kind of thing you've been doing forever and ever with things like ACF.
Now you can do it inside of blocks. It's an experiment at the moment. You've gotta navigate to Gutenberg and experiments. Then the second experimental feature is the quick edit functionality. This is just so great if you're a content creator and you can now basically do multiple things on multiple pages at one time.
for example, you could, I don't know, make, 10 things published at actually, you've been able to do that for ages, other things like you can change multiple things at the same time using data views. and I just think that's gonna be a real time saver and there's a bunch of other stuff, but I'll leave it for that.
'cause we mentioned this article a bit. Anybody got anything to add about those? Just that the, for the UI, for the prototype, for the connecting blocks and custom fields, I think this has felt like something that should have happened a decade ago. Yeah. Yeah. So this is so cool when you're there going, oh, we're finally there.
I'm just hoping that then comes with maybe some way of exposing it without the code so that you do, I, not that I wanna do ACF outta business, but really ACF type. What they, what happens with ACF probably should have been in WordPress from day dot, and it's always felt like, to be a real CMS.
This is the sort of thing we probably should have. yeah. Yeah, the, the, I, suspect there'll still be a little bit of complexity. I dunno if you've noticed here, if we scroll through the video, the, these attributes are gonna be fairly difficult for a non, non-technical user to track down and things like that.
[00:21:22] Nathan Wrigley: So it's not, UX is still a bit Yeah. Interesting. Be and not quite the same as the rest of the ux. Which I think leads onto this second point, which is, it's the quick edit is really cool, but then doesn't match any UX design patterns in WordPress. Yeah. At all. Yeah. And it's I really like this, don't get me wrong, but I'm like, oh no, not, another one.
I was trying to, it doesn't get implemented across everything. Just as I was saying it, I was trying to think of a useful use case where you would use these data views to be able to bulk edit multiple things. And I was trying to think, what could you actually, what would, usefully be possible with that?
[00:22:01] Nathan Wrigley: 'cause publishing on publishing that can be taken care of with that checkbox. what kind of things would you want? I don't know. I don't know. What you would do that could be done in multiple places at the same time, if Curious. okay. Thanks for that, Tim. Nathan, Kathy, anything on that?
[00:22:21] Nathan Ingram: No, I think it's about time. Yep, yep. It was interesting. Years ago, Automattic was sponsoring Pods, pardon me, as a project, and pulled that funding. I always thought maybe some of the core code around Pods would be integrated into core, but who knows? That was years ago. Yeah, I guess when they're trying to do that, what is it trying to put in? 80% of the, no, eight, 20% of the fee. Something 80, 20 anyway. The idea being that you put things in that a really significant amount of people want, and the rest of it is plugin territory. Maybe that was the argument.
[00:22:56] Nathan Wrigley: But now that ACF and things have moved the game along in the last 15 years or so, it does feel that this is a core thing inside of WordPress. Anyway, it's coming to a Gutenberg near you. Thanks for that, Tavern. Really appreciate it. And then we get, oh, that was the page that I was showing where all the Tavern posts are now starting to be written by other people, which is really nice.
and then 6.7, no sooner has 6.6 landed than we start to think about 6.7. There's not really much in this article except to say that this is the squad that's gonna be taken care of it. release lead is gonna be Matt Mullenweg, release coordinator, David ald. and then if you're watching this, you can see the names on the screen.
There's a whole bunch of familiar people in there. We'll mention Nick Diego in a little while, but a whole bunch of familiar people in there. And, yeah, so that is gonna be your release squad for the next version, 6.7 due for release later this year. Don't suppose any of you, two, three, sorry, have got anything to add about that unless you do.
In which case I'll move on. Okay. Alrighty. So here we go. This is nice. a new default WordPress theme. I think it's fair to say that, we're starting to leverage the power of blocks and patterns and all of those kind of things, and full site editing a little bit more. Now it's gonna be called unsurprisingly, 2025.
Who could have predicted that? and it says here, I'll just read from the concept post here. This, by the way, is on the make.wordpress.org website. It was written on the 15th of August, and it's just called Introducing 2025 while ideating 2025. One recurring idea was that simple things should be intuitive.
Whilst complex things should be possible, this concept of simplicity and complexity leads to a reliable foundation for extending a default WordPress experience to make it yours. And then I've just cribbed some of the things which I think are the most interesting. So it's gonna ship with loads of patterns and styles to choose from.
you can see the sort of flavor that they're trying to do with the downloaded default images that come with it, with this public domain repository. The link is in the show notes there. it carries, and I dunno how you classify this, but anyway, it carry, it carries a poetic, universal, and ubiquitous tone.
Go past that. I've never been good at poetry and, I don't really know what that means, but that's what it says. and 2025, as you would expect, is gonna ship with, loads of patterns. It says it offers a robust set of patterns, promoting interoperability, and enabling users to compose intentionally, intentional pages quickly.
they've got things like, patterns for things like categories of services about us, pages, landing pages, products, call to action events, and others. There's a bit of a screenshot there, which gives you some idea of what's going on. They look rather nice. styles, given the themes, global use, high quality and comprehensive fonts that support multiple languages have been considered from the first conceptual steps of the design.
And finally, for me at least anyway, templates. It also features some versatile sets of blog templates, tech-centric blogs with sidebars, photo blogs, that feature highlighted images and more complex blogs as well. And, the default is gonna be this sort of personal blog. So I guess if you just spin up this 2025 theme, this is what you're gonna get.
Sort of fairly straightforward, nice clean design, but there are alternatives. You can click buttons, to get a photo blog, a complex blog where you can see it looks a little bit more like a newspaper or something with sidebars and things like that. And there you go. In a nutshell, that's 2025. Any thoughts?
Tumbleweed today is pretty, yeah, it's pretty, but it's got a lot of older versions feel to it. I was looking at a couple of the shots and thinking, wow, that reminds me a little bit of 2010, 2011. And the magazine one looked a little bit like the 2014. So that's, so there's a feeling that maybe there's Yeah.
Going back to the past a little bit, which is quite cool. Yeah. What more, do we want out of the web than something like that? In all honesty, I sometimes I look at designs and I think, God, we really do overcomplicate things. that to me does do a pretty good job of getting what you need out there.
[00:27:16] Nathan Wrigley: Sorry, I feel like I overtalk somebody. I apologize if I did. I know it looks, if it's gonna work on the web, I need at least six more popups and a couple nice ads. Nice. Yeah. This could work for me. Yeah. Not enough popup. Okay. That's gonna be my, that's gonna be my title for today's show. Not enough popups.
Not enough popups. Not enough popups. Let's write that down on my hightech. Just doesn't feel like the modern web to me anymore. Yeah. One of the things I noticed about the Tavern going back, oh, was that a popup started appearing on it. Yeah. Yeah. And I don't know when that happened, but that's new. That happened.
Yeah. No, that happened towards the end of what you described as the Hunger Games. It crept in there, but because, I don't, it's obviously not bound to the post type that I've got, which is called podcast. So as far as I'm aware, it doesn't appear on the podcast post type. It's obviously on posts, but that's been there for a while.
You just haven't seen it because it hasn't, yeah. So essentially it's asking you to submit your email address, right? Is that the one you mean? Yeah. Yeah. And it says continue reading. I can't remember if you have to, if you can click outside of it to make it go away, but yeah. more popups, that's what the, that's what the web needs.
More popups. Okay. Not enough popups. Okay. Nathan, anything to add before we press on? It seems like a good basic framework to build a lot of things. Yeah. Yeah. It'll be fun to see how the FSE interface works with some of these patterns and new templates. This right here feels like where we're gonna be concentrating all of our efforts when we inspect a theme in the future, just looking straight at the patterns and getting some idea, what can I do by clicking a button?
Do you remember the days on ThemeForest where you used to go and try and find a theme and it, oh, it's got a portfolio look and oh, that's what it looks like, and Exactly. Then you went there and it was like, oh, okay. How do I even make that work? Hopefully the case here will be different, because it's made with core blocks, you should be able to get going right out the bat.
But, looks like it designed for a personal blog out of the box. And then you can just out of curiosity, has anybody ever designed back up there to that where we just were That one. anyone ever designed a website with a massive 300 point font like that? hey. Oh, this one? Yeah. No, Never. No, Yeah. That's interesting. Oh, and stories. It's interesting stories. Yeah. No. I'm gonna do a few of the little comments 'cause I've had a few creeping in, which is really nice. going back a few articles that we had a moment ago. Kathy, I can only apologize, I've completely obliterated Kathy's face that, there we go.
That's better. So Chris Malone joining us again saying lots of other publications. So, we're back to the Tavern, right? And the reinvigoration of the Tavern. Lots of other online publications have found a place that was monopolized by the Tavern previously. I hope it comes back strong though.
True enough. Michelle Che, just saying hi. Hi. Good morning. Good afternoon. Good evening. Ba Bab, Saul saying the same thing. And, whoever a we are Ag. Okay. says hi Ag. Any ideas? Any ideas? It's Aaron Bowie from We Are Ag. Okay. Okay. Okay. Hi Aaron. That's nice for you to join us. Us Kadence users have been doing this for a long time.
Their UI is really simple. Do you mean dropping in a pattern? The connecting the custom field. Oh yeah, of course. Yeah, yeah. So that's all taken care of inside. Do you have a custom field generator inside of Kadence as well? Can you build those or do you need a, like a, I don't know, whatever it may be like a CS it will connect with your favorite custom generator of choice.
Okay. Okay. And then, Courtney saying, Scott Kingsley Clark, the Pods lead dev, is continuing to work on the core Fields API. They will have a table at WordCamp US and do intend to work on the data views integration. That man does God's work. Yes. And you know what? I think sometimes it must be fairly difficult from his side, 'cause it doesn't always get the attention I think it deserves. But Scott Kingsley Clark, thank you from me at least. Anyway, Nathan's nodding his head so we can at least count Nathan in that, there's double Nathans, you are double helping of Nathan, and auto play with video. With audio. What did you mean by that?
I wonder? Oh, making the web great. We need more than popups. Popups and not, yeah. Popups and autoplay videos. And the blink, on CSS. I think we need more blink, frankly. And Tammy. Oh, Tammy Lister joining us. You can use variable fonts for large text size. It's amazing. Tell me more, Tammy. 'cause I think I understand what you're saying, but I'd like to know a little bit more.
Anyway, there we go. Tammy's obviously, knows all about the theming and, 2025 is coming to a website near you. I dunno about the bottom, if it gives any indication of Yeah, there's a little bit here at the bottom about future development. So a bunch of people that you can connect to and a bunch of places that you can go.
It looks like there's a meeting happening on the 21st of August at 4:00 PM British Standard Time. So if you wanna go into the core theme Slack channel, you can, get your voice heard if you're into that. Okay? Okay. This is a thing that I didn't really know about. Hands up if you've got an iPhone.
Just, okay. All three of you. Good. Okay. So you knew all about this. I didn't. I have an Android phone, an Android, takes images, and with the JPEG image format, because it's not weird, but Apple, I. I didn't even know this. Apple for years and years apparently have been using, if you take a photograph on an iPhone, it takes it in this format.
HEIC. Now I have known this for about 18 months 'cause I've tried to get some phone, photos off my son's phone and suddenly came up against this problem. And, and obviously if you're trying to put HEIC images, sock them straight off your phone and try to put them on the web, that might be problematic because I, it says here, browser support for HEIC is low.
I dunno what that means. I dunno if it's like some browsers just simply. Do not support it and whether they're the popular ones. But, coming to WordPress 6.7, this is just such a nice like quality of life improvement that, you're probably never gonna really even notice it's doing its work. But here it comes.
You'll upload an HEIC image from your phone or wherever you've stashed it. And if you've got WordPress set up correctly and you need, let me get this right, you need ImageMagick with the correct file type HEIC enabled, which is in Tools, Site Health, in Info, Media Handling, ImageMagick. That's not easy to remember, is it?
Anyway, I'm sure you'll figure it out. then it will convert them to JPEGs, which of course if you've got an Android phone you didn't need to do so there you go. anything about that? Probably not. if you're an Apple user, does this ever freak you out or annoy you? 'cause it's not standard.
So one of the things that's quite interesting is further down in the comments. because the original implementation wasn't gonna use ImageMagick. Oh, but actually it was gonna use it in software. So the idea being that, your, it would be happening in JavaScript on your client rather than necessarily on the server.
[00:34:45] Nathan Wrigley: Got it. Which would've been really cool except for a licensing issue that meant it can't be really cool because of some of GPL being GPL. But that would've been probably a really good use case for a web assembly. The, all the stuff that's happening with playground and stuff, used on a much smaller scale to do the work on the clients so that the server didn't have to worry about it.
Because right now this is a great feature that a lot of web hosts don't support because up until very recently, there's been no reason that you had to have ImageMagick installed on a web server running WordPress. You could be running it with GD or even running it without any sort of image processing library behind the backend and WordPress.
By introducing this now, a lot of web hosts are gonna be going, oh, we've got one more thing I'm gonna have to put in, because the health tool's gonna come up with a big warning. so for a very small group of people may have created quite an interesting change inadvertently for hosts. not a big change, and one that they can nearly all solve with an APT install or a yum install, but it will be genuinely an increase in processor
power and processing. ImageMagick is much more heavier to use than some of the other lightweight media pro libraries that might have been used instead. So I just, it would've been quite cool if it could have been done in the client, as was the original plan of any. Yeah. So can I just ask you about that?
[00:36:17] Nathan Wrigley: for example, I don't know if you've come across this chap, there's a Googler called Patrick Birchler, or is it Pascal? Pascal. Pascal Birchler, who's been doing a lot of fun stuff around WebAssembly and, uploading a big JPEG and then the browser just shrinks it, or, turns it into a PNG because that's the way you've got it set up.
What was the licensing issue is did Apple, was it an Apple thing? Did Apple say, no, you're not allowed to change things. I, think it was really simple that it was down to the fact that the library, that was certainly for the one that was being used for this particular thing, it is down to the fact that the.
Library that they wanted to use was being licensed with one version of GPL. That's just not compatible with the WordPress version of GPL, I say. I think there is, in fact, Pascal actually has the comment in there. Oh yeah. This is him, isn't it? Is he Swiss? swissspidy? That's him. Go down just slightly.
[00:37:13] Nathan Wrigley: You can see. Oh yeah. There he is. Yeah. There we go. Okay. Okay. So that would've been really nice if it could have just been handled in the browser. and Pascal's been doing a load of really interesting work about, transcoding videos and all sorts of clever stuff, directly in the browser is phenomenal what you can do with web assembly and playground.
Obviously a really good example of that. Anyway, whether you've got, IM, let's assume though that you're on a web host and they've now taken the cue that they wanna install ImageMagick and get it enabled correctly with HEIC enabled. If you've got an iPhone, or you're using HEIC, that will automatically happen in the background.
It'll just get converted to a jpeg. so there you go. Anything on that, Nathan? Kathy? No. Okay. I'm gonna take a slog of water because this salt is basically killing me. I just, I envision clients uploading a 20 megapixel iPhone image to, yeah. a website. I just, how foresee that in the future, do you have a fairly up-to-date iPhone?
My, I do. Yeah. My phone is really very old. It's probably about five or six years old, so you know, it probably maxes out on about five megabytes of data storage per image. I think it's probably 10 megapixels or something. what, typically if you set everything on your iPhone up for do super duper everything, what kind of, file size are you looking at?
That's a great question. Big, no big. Okay. Yeah. which does lead to what Nathan was saying, which is what happens to these images? 'cause I'm not actually sure that the image, the HEIC image is deleted, right? That's the question just converted and then it's converted into a bunch of little thumbnails of the various image sizes that are suitable for your media.
So you could end up with these ginormous images eating away at your file disc space very quickly. Yeah. That's what happens when you upload a massive image. Now WordPress crunches it to the 2560, but as I understand it, by default, that giant image still sits out there. It's a really peculiar setup.
[00:39:22] Nathan Wrigley: That actually isn't it? And also the fact that it's done really invisibly in the background, for obvious reasons. When WordPress began, that was probably a really good idea. 'cause it was just one less thing for people to worry about. But now I'm imagining if you go into your, if you go into the file structure of your WordPress website and you look, you probably would be fairly appalled at how many images are in there and how many are actually in use on your website.
And there's loads of plugins and things that'll take care of cleaning all that up for you and what have you. But anyway, Rob Cairns says that, apparently if you've got an Android phone, you can set it up to use HEIC by default. And then he says, don't. so I won't, thank you. That's great. Tammy Lister also says, meeting agenda will be up on Make soon.
That must be the meeting that we were talking about just a moment ago for the 2020, 2025 theme. I had to actually do some maths there. and Nathan, do you still primarily use the flip phone? Do you know what Courtney? I'm sad to say that I don't. Let me show it to you. here is, here's my flip phone.
I went to, so I got a real b in my bonnet right about six months ago, and I bought a flip phone, And really basically told everybody to do the same thing. And then I went to Word Camp Europe, and then I put this up to one side, took the SIM card out, got my son's phone, put the sim card in that, took that to Word Camp Europe, gave him this exchange.
He was, not happy. and, and then came back, put my SIM card back in it. No. No, We're not having that. So I replaced, got a new sim card. That doesn't work either. So the mere fact that I went to WordCamp Europe broke my phone. So I'm on a, I'm back on the annoying rectangle that, keeps me awake at night.
Courtney, I'm, I feel thoroughly, ashamed of myself for telling everybody to get a flip phone. And then here I am three or four weeks later, not able to, do that myself. Bertha, this must be Andrew Palmer. I'd love to know how many people actually do this, as it seems to me are really low use case.
You mean upload HEIC images? Andrew? I'm guessing that's what you mean. I'm guessing not very many at the moment. 'cause they won't work. no, that's right. Yeah. Does my flip phone have a camera? It has two cameras, mark. It's got one on the front, which is rubbish, and it's got another one on the inside, which is also rubbish.
And wait for this, it's got two screens, that one, which is tiny. And that one, which is so small, you can't even get three characters of text on it. This is a rubbish phone, but it's exactly what I wanted. So there you go. I wonder how many wp, oh, sorry, Kathy. Gosh. There we go. She's back. I wonder how many WP Mobile apps could be improved and completely reimagined, but also converting the images locally.
Yep. This is the future Pascal's onto Summit. Surely it's all gonna be handled in the browser. Try an eSIM. That sounds illegal. That work with his phone. Oh, it's talking about using a virtual SIM rather than that physical SIM card. But that phone is a piece of junk that just needs to be put in the bin.
It's not junk. It's a beautiful thing. And it's made by Caterpillar, the company that made trucks. No. Yeah, it says cat there. Look, see, get the angle right, cat. Oh my gosh. You can throw and then this, you can throw this little wall and it still won't work. Can would you like to try that now for us just on to show?
[00:42:53] Nathan Wrigley: No, because it'll damage my wall. That's how good. It's so that phone was made for contractors who like get their phones run over and stuff. Yeah, that's right. Yeah. Who are on like, who regularly fall off buildings and things like that and, they'd be able to retrieve the phone from the, I'm really curious why you chose this phone.
Because, it has a really terrible version of Android on it. And one of the things that I wanted, I know this all sounds so ridiculous, but one of the things that I couldn't let go of was a podcasting app. And Spotify. Sure. That was like, that's an absolute, that has to be on my phone and this phone.
But everything else had to go. Yeah. More or less. Okay. Yeah. Gotcha. I know, And it works so well. I was saying before the call started that my sleeping has been terrible. I now know. it's because of that's staring at the rectangle. Yeah. and by the way, an eSIM really does sound like something.
You go to a street corner in the middle of the night to buy, to have fun at raves. anyway, here we go. Andrew, hang on, wait a minute. Andrew Palmer is there as a purple robot, and then moments later he pops up as himself. What's going on, Andrew? You're logged in two places, so if it's a low use case, why bother with it?
Nothing else. More important. Are you talking about the HEIC thing? I think back to that. but you will have a broken wall. Yes, my phone will be intact, but my wall will be bright. Anyway, moving along. This has got nothing to do with WordPress. That's it. Let's go to a little sad story. actually let's go to this one.
If I can make the comments go away and bring back the screen. Here we go. this one is dear to my heart 'cause obviously I like to make podcasts and things like that. as much as I'd like to think that I've been doing podcasting for quite a long time, I haven't really, when compared to some other people in the space.
There's been many people who decided to jump on that bandwagon long before I did. And the folk at WP Water Cooler, were them and this many more. But, WP Water Cooler this week. 9th of August released their very final episode. It was called, so Limitless and Free. and there's not much here to say, but again, I went to the repository email and Ray did a great job of interviewing the, the people like say, and Jason and what have you.
And really it's just like a little, shed a little tear. It's a bit of an end of an era and I'm guessing from what they said to Ray, at least, anyway, it sounds like they've fallen out of love with the process of making a podcast. And if you make any content, video, audio, you know what it's like, some weeks it just all comes out and it's dead easy.
Other weeks it's a blooming slog and, maybe, the time was just right for them. hat tip, thank you for all your content over the years. This was episode number 485, and let's work on the basis of what, 50 a year, something like that. If you do one a week, that's. That's quite a few years. I'm not gonna try, nine years, something like that.
Let's go for that. It's, certainly a long time. So thank you for all of the pieces of content and I hope that, hope that during the time that you did it, you got everything that you wanted to get out of it. Anything on that, ladies and gentlemen? I would just wish them well and thanks for the memories.
Yeah, and on that note, bye-Bye. This is the final episode of this WordPress much internal discussion. There was about do we have 14 more episodes in us? Yeah. Can we get to 4 9 9 Oh yeah. Before the final nine. Yeah. Yeah. You gotta get it to episode. Yeah. They could have just re released Nicholas Cages, that three minutes, 38 or whatever it is where it's just white noise.
They could have done 15 episodes of just silence. Got themselves, caught themselves up to 500. Anyway, honestly, thank you. I know how much of a struggle it can be actually just, that is a good point. If you are thinking of making content, and I know that. More or less. Everybody, everybody on this call.
so me, Nathan, Kathy, Tim, at times we've all strayed into making content. Some of us more regularly than others I suspect, but it, is a slog sometimes, right? The, battle, the thing is real. Sometimes you sit there and the juice is flowing, it all just comes out and other times you stare at the screen and you've got that white page.
And, so I know, your pain and yeah. Thank you for all your content, diviv. Oh, Andrew, thank you. Didn't know that divvy chat ended last week or so as well. Oh gosh. Okay. and oh, the AI took over, says Andrew, but now he's back and Aaron says, haha and I dunno what to, but there we go. there is no such, he's also doing the double flip thing.
'cause we are, he was, we are Ag. Oh, okay. Okay. he's got a flip phone as well. Nevermind. Okay. Alright. Okay. I'm not on my best form today. There's no such thing as the final episode of this week in WordPress. No, it's gonna keep going. My intention, Michelle, is to get to 999 episodes and then, I don't know, just do something outrageous do episode 1000 and end it there.
[00:48:03] Nathan Wrigley: Let's see if we can get that far. Ready, ho Let's move on. word camp us. if you're into that, if you wanna attend, then go to the Word Camp US website. You can see some of the speakers now. Oh, there's Pascal that we were just talking about, but, I'm guessing that this is gonna keep coming over the days and weeks to come, we can see six people on each day announced and then just the other day, 17th of August, two more people.
But I'm guessing it won't end there because there's lots and lots of, opportunities to speak. Anybody go into that? Nathan, Kathy in particular? Yeah, you are. Yeah, I'll be there. I. Nice. I'm gonna be there too. Tim, I'm not going, but I do wanna give a shout out to Austin who's in, the round three.
he works for, amnesty. he worked, he's working on the Amnesty International Oh, theme. And, he spoke at Word Camp Whitley Bay. He did, I remember. I now see his face. Yeah. That was a nice talk, wasn't it? Yeah. That's great. so yeah, I'll be there. Are you getting involved in this unusual day and the name of it I've now forgotten?
[00:49:08] Nathan Wrigley: Kathy and Nathan, what's it called? the something, it's not the Contra Day. They've got this extra day, haven't they? And I've forgotten what it's called. But are you, no, not involved. Apparently not. no. I can't remember what it's called. So it's, Adrian, have you considered that there isn't an extra day and they're just getting rid of you?
Ah, this always happens, Tim and I never remember it. Yeah, I get hit over the head with a shovel and push into the back garden and yeah. okay, here we go. Oh, showcase day. That's it. Showcase day. Yeah. I'm not entirely sure what that is, but anyway, showcase day I think is an opportunity for people to show off different bits and pieces that they're doing.
Here we go. showcase. Thank you Andrew as well. Yeah. Cheers. Okay. this one is just a bit of a hat tip to the hosting company Hostinger. I hadn't heard of them until about three and a half years ago when I saw them at WordCamp in Porto. And I had a giant, really big, sponsor booth. The kind that you don't have unless you are, you've got fairly deep pockets.
And I thought that's curious because I've, you don't normally see a company in the WordPress space at that level that you've never heard of before, but there they were and, and I didn't realize that they've been around for so long anyway. They're congratulating themselves in this post by hitting 3 million, count them, gosh, what the heck?
3 million clients. it says that they're managing 5 million domains. I don't know quite how many of those are on WordPress or not, but they've definitely thrown themselves at the WordPress space, WordPress events and all of that kind of thing. So I have nothing to add except, well done. That's a pretty amazing achievement in what is presumably a fairly cutthroat space.
I'll just add this took 17 years. To reach, the first million clients. it took a further three years to get to 2 million, and it's taken one year to get from two to three. So they're on a little bit of a clip at some point. If you follow that exponential curve, it will take the milliseconds to get the next million, but that's about 20 years away.
but well done to Hostinger. That's pretty remarkable. Congratulations. Anything on that, ladies and gentlemen? No. Okay. All right. On more solid ground. See what I did there? here we go. So I'm gonna hand this one probably over to Nathan and, so that you can talk a little bit about it. This one is solid performance.
This is, a new feature coming to you, solid subscription people. it's all about increasing your site speed. It feels like it's an MVP at the moment, I'm guessing. Nathan, do you want to just tell us a little bit about this? yeah. It's, it's a solid, but it's a basic, page, caching plugin.
[00:51:56] Nathan Ingram: it does a great job with, there are really no settings. You just, install it and activate it. it's smart enough to know that you're running WooCommerce if you are, and automatically remove the appropriate, or the, pages of WooCommerce that shouldn't be cached. It knows that as well as GiveWP, but it is absolutely an MVP, first step and additional features will be added.
[00:52:19] Nathan Wrigley: So this, I think, is the setting, right? If we go to the actual solid WP website, you've got one, one radio, one tick box basically. That is the setting page. Yeah, that's it. You've got the one enable the page cache. Can I just ask why, would you go into a space which is obviously, taken care of by lots and lots of other solutions?
Is this because you've got a, like you said, like a bigger roadmap, you wanna flesh it out, but the idea is launch this MVP, which has this one setting, and then just iterate over time and make it into a commercial rival for all the other ones that we know about. so as a contractor for solid wp Yeah.
[00:52:56] Nathan Ingram: Thank you to a lot of things. but what I do wanna know is that the whole mission of solid WP is to create plugins that are, the foundational plugins that you would use for a solid WordPress site, which include things like backups and security and. Performance. So here's what it says on the website.
[00:53:18] Nathan Wrigley: you've got that one box to tick at the moment and it says, it en enables full page caching. solid performance currently focuses on full page caching, providing a robust foundation, significant enhancements, your site speed. they say, user friendly admin experience, and obviously at the moment really simplified settings.
And, like you said at the moment, it knows that if you've got a WooCommerce website, we don't really wanna be caching that in the same way. As same if you've got, give wp. and here we go. While the initial release centers on page caching solid performances built with future growth in mind, we, imagine, I guess we aim to extend the capabilities to cover a broader range of performance enhancing features.
So there we go. If you've got a subscription, to solid, maybe this is something that you're gonna be interested in, there's the website itself, solid wp.com, and you can see the solid performance stuff. There, Kathy, Tim, before we move on to the developers thing that I've got on the screen, anything about that?
No, they're brave. Yeah, it's tough. Tough market, right? Brave to go into that market. and to go in with something actually so simple might actually do them good. 'cause a lot of their competition is overly complex and I fear for them that they are going to chase the features and that will prove they're down.
if they're going, if you're gonna make something like that, you need to differentiate yourself. And actually a plugin that has virtually no buttons is quite a revolutionary experience. It shouldn't be, but it's, quite a revolutionary experience. Yeah. Its just in that space. So I, can see some people going, oh, I quite like the outlook of that, so I just hope that they don't then follow all the features.
'cause I suspect that is where madness will lie. As is the case with caching plugin on the planet caching plugins. one of the few things where I genuinely have no idea often what I am being presented with. I, you imagine the incumbents, all the big name players and you get buried into the settings.
[00:55:24] Nathan Wrigley: And then the settings within the settings and the setting within the settings. And I genuinely don't know what I'm reading, it says, okay, do you wanna enable this? And then I read the what it's about bit, I still don't know what that means. Still no idea. And you're not alone. Yeah.
Yeah. There, there's a lot of, when I was cleaning hack sites, I'd get it, somebody asking for a clean, and it was just that they had set up something wrong with caching or one of the caching plugins had decided to do something and they didn't know how to fix it. So it, can be very confusing and very.
[00:55:59] Kathy Zant: Cumbersome for people who aren't aware of what all of the settings do. Yeah. It's ing it. Literally the only plugins where you can press one button and your site is screwed. Yeah. And you're like going, I promise I didn't. And you're like, no, you just need to go and go in here. And cl the number of support people in the who go.
Did you clear the cache? And that was that tone. Yeah. Did you clear the cache? No. That the, the, thing is I'm into not just, not that I don't just understand what the individual thing is asking me, the whole setting page that I'm on. I don't understand what everything on that page is for. And obviously I'm not like a real robust nerd when it comes to caching and things like that.
[00:56:48] Nathan Wrigley: But it is curious that we're using a solution where all of that is available and, the idea of I don't know, a flattened WordPress website or something like that would just deliver the HTML content and the CSS just straight away. But we go to all of these great lengths to unpick the stuff that WordPress is doing.
it's always the cache. Says Andrew Palmer. And am I late? I don't know, Colin. it depends what, for if it was this show, you're a little late, but it's fine. Don't you worry. We don't mind. And Paul Halfpenny, I want an alarm setting with Tim saying, did you clear the cache? Yeah, that'd be so good. Seven o'clock.
Did you clear the cache? Do it in the Ed Edgar Allen Poe voice, Tim. And, and I will send it to Paul Halfpenny as a, as an audio file for him to upload to his watch or something like that. Okay. Let's move on. Anyway, there you go. Solid performance. You can check that out on the solid wp.com website.
Alright, here we go. This is me just giving, there's too much in this for me to really go into, but just. Just because I like Justin and he's summed up nicely, all of the different bits and pieces that have been happening in August. We've covered most of these, but I just thought it was nice if you weren't watching the previous shows.
Justin has summed up the developer things, and I'll just go through a few. if you didn't know, the Learn WordPress website has had a bit of a redesign. That's what it looks like now. It's really nice. Looks really modern to my eye at least. Anyway, like that. this is super cool. Honestly, possibly the best thing that's happened since playground.
now playground is available, in offline mode and as a PWA, I don't really know too much about this bit, but the, offline mode enables you to take WordPress playground. Which if you haven't been following, is a, whole install of WordPress inside the browser up until now. If you did that and then close the browser tab, then that would go away.
No more. So you can have a fully permanent, I don't know, project side hustle, just something that you're working on that you want to tinker with. Maybe you wanna check out a new plugin that's hit the repo or something like that. They'll, in many cases take care of that full with the pre provided button, but super cool.
And, I can only imagine what kind of fun uses people are gonna, developers are gonna come up with, and I'll stop after this one and loads of extra, block supports and I'm hold, I'm showing a chart. So for example, buttons now support border color and padding. The group block now has a shadow to it.
And if you're very nerdy, it's probably a all good fun. There's a bunch of other stuff in here, but the post is called What's New for Developers August, 2020. Four on the playground thing. Anybody vaguely excited by that? Honestly, I am ludicrously excited about it. no. And I'm not being sarcastic.
I was talking to the Adam, oh my goodness, I never remember his name. Somebody in the chat help me out. The Automattician who is behind, who was the first person to come up with Playground? Adam Zieliński. I got it by myself, when I was interviewing him. I said, it felt to me a bit like the moment when the iPhone got the app store, like the iPhone was fab.
It was really nice, but you couldn't do much more than Apple shipped with. And then the I store the Apple store came along, the app store and all of a sudden all these people piled in with different things. I feel that Playground is that for WordPress. I think we're gonna get people coming along doing very clever things that are hitherto unimagined and Playground will be at the, the base of it.
I'll probably be wrong and if I am, I will, eat some humble pie. But, until then, anyway, anybody got any comments on that article? If not, I will move a along. I miss Justin Tadlock writing for the Tavern. Oh, don't you just, what a fabulous contributor he was. He had a background in journalism as well, didn't he?
I think he did a journalism degree and and he's a fellow Alabama guy like myself. Yes. He re I follow him on social media. And do you know there are people in life who you envy. he's one of them 'cause he just posts pictures of his fabulous garden where he is like eating stuff that he's been growing for many years and you just think, ah, Justin, I wanna be Justin Tadlock, that's the other name for this possible.
Maybe it's not gonna be not enough Pop-ups to be. I want to be Justin Tadlock. Let me write that down and we'll vote at the end. oh, WP Rocket. Apparently Andrew Palmer has started off with a one click solution. It isn't that anymore. okay. Let's move on. Did you know that you can get $31,200 out of Wordfence?
All you do is you send them a postcard. No, you don't. You have to do things. You have to do things in extreme. oh gosh, everybody's going off to send a postcard. they've got a bug bounty scheme, which means that, if you're a white hat hacker and you go and find vulnerabilities, they will, in exchange for that vulnerability and the public disclosure thereof, they'll give you some cash.
And, Tim's brought this to my attention. Why, this piece in particular? 'cause this, isn't new, is it? They've had this Bug Bounty for a while, right? Yep. They've had this, bug bounty. And to be fair, Patchstack have a bug bounty and WordPress has a bug bounty on HackerOne, which is an, entire platform for bug bounties.
but. I wanted to bring it up 'cause there's three people who are interested in security on here and bug bounties are one of these sort of a little bit feels like the dark side of what we do because security researchers either work for companies directly, people there are security researchers work for Patchstack, work for Wordfence and similar and who look for vulnerabilities in WordPress.
But then we have these sort of semi independent people who often find vulnerabilities and struggle to report them. You can report 'em to, if it's a on wordpress.org, you can report to the plugins team and. Action varies as to what happens. If it's a commercial plugin, it's sometimes you can report it to the plugin owners.
but there's no necessarily central way of doing this. So what they tend to do, or certainly a pattern that you find happening is that they'll report it to site owners. And you, I'm pretty sure everybody who's ran a, a site, not just a WordPress website, has had an email that says, hi, my name is so and and I found a cross site scripting error on your website, and if you give me $250 or Bitcoin or a Bitcoin, which could be $250 or $250,000, depending on the money, yeah.
Then I will tell you all about it and you'll go, oh, should I, pay that? What is this? and sometimes this can be a genuine thing with locked, and if they hadn't pointed out to you, it could have been a problem. Quite often it's things like, Hey, you've got XML-RPC open, or your DNA, we, my favorite one, we found this insecure URL, that's wp-login.php.
You wanted $200 for me to not find out. It was. So having legitimate bug bounty schemes offers a way for researchers to legitimately find them, publish these things and gives them access to companies who have relationships to do the disclosure responsibly, et cetera. So I really wanted to bring it up as a more of a general chat as to whether or not this is a good thing, a bad thing, or a different, but also Wordfence have made one massive thing that might make all the difference.
They now give you a shiny badge. Oh. Oh, we all want the badge. I want a badge. Yeah, I want a badge. Yeah. You could become a superhero with a superhero. And that was actually what that article was about. It wasn't the money, it was the shiny badge that is a shiny badge. There are a couple of caveats, by the way, on this website.
[01:05:13] Nathan Wrigley: that is to say that if you want to, if you want to win $31,200, which is such a peculiar amount of money, why not 30 or 31? Anyways, it'll be done on, CVSS score. Oh, okay. Okay. Thank you. you need to find a vulnerability in a plugin or a theme with over 5 million, active installs. Obviously, that's to qualify, I presume, for this sort of higher level.
so I'm gonna throw my lot in. I think these across the industry, not just WordPress, I reckon these are cracking ideas, especially if the money's good. If you can turn the heads of people who are seriously good at this kind of thing and they can earn a decent wage without going to the, dark side, let's call it that, then, then I think this is good because my understanding is that the people, the leading hackers, white hat hackers who do these kind of things, they make really quite credible livings.
Now, maybe they could make more by, doing the, naughty stuff that we all wish people didn't do. But it seems on the, certainly from my point of view, I, can't see these as being a bad idea. I do wonder though, if that $31,000 top tier is enough money. For the people who take this very seriously.
I don't know. So the vulnerabilities in WordPress core go. WordPress itself can't pay for that. if you were to go and point go to a nation state and say, Hey, would you like to have access to the whitehouse.gov website? They will probably go, oh, that sounds fun. How much do you want?
And you can probably start naming your price. So vulnerable, direct remote code exploits in WordPress core will, you could go to almost anybody and get a larger, much, much larger amount of money than that. The good news is they're quite rare, which is why we host our sites using WordPress. 'cause WordPress core is relatively secure.
but for a plugin, if you imagine, let's say somebody like, I'm not you saying Yoast does, but let's use Yoast 'cause they've got like millions of users. If there was a vulnerability in that, would you, if you. It's suddenly is 31,000 seems like a really good deal for them. And it seems like, it would be a lot harder to extract that money from lots of individuals.
So maybe going and saying, Hey, I want my 31,000. That's a nice easy payday. Once it's get gets disclosed, I can still go and do all my other going and talking to the other people. And that's the other, the downside and the sort of like the opposite end of this is it can turn into a racketeering business.
Yeah. 'cause you can be paid by multiple sources for the same vulnerability. Oh. Oh, okay. So that 31,000 could quickly be like 131,000 if you Okay. All right. Especially because we live in a world where actually in the WordPress community, we're quite collaborative and our major security vendors do tend to be.
Little bit. they communicate a bit. they're not busy best buddies, but they're communicating a bit along the way. So there is there are plenty, plenty of places though, where you can end up with a scenario where you can go to four or five bug bounty vendors and get a payday from each one of them for the same vulnerability and then go and extort and blackmail on top of that if you that way inclined.
[01:08:44] Nathan Wrigley: I think at this point what we need to do is see the badge. That's what we've all come for. And there it is. Look at that. You too. You too. I don't want that badge. Oh, okay. Yeah, it's, should have hired a designer with 31,000 whatever dollars. Oh, poor badge. but yeah. Okay. That's the badge that you're gonna get.
I, might just, download that. as an HEIC image, upload it to a WordPress website in my choice and then just stick it, bring it to WordCamp US exploit. There it is. But, yeah, I think these are a good thing. So Kathy, Nathan, any thoughts just generally on Bug Bounty programs? I just say that's a terrible badge.
It is a bad badge. It's a bad batch. Okay. Yeah. So like for the last several years, in our monthly news roundup on Solid Academy, we do like a recap of security things and, SolidWP sends like a weekly vulnerability report and so forth. And I remember when we first started doing those, there was like 40 to 50 a month and we'd sometimes read the list of plugins, if it was a slow news month or whatever, and it became 80 and then a hundred, and now it's like 500 a month.
[01:09:55] Nathan Ingram: and the, I think the, one of the things we deal with as a WordPress community is that lingering statement that WordPress is not secure. And oh, there's now hundreds of vulnerabilities in WordPress, until you realize, no, these are, this is good. they're not new. They've been there and now people are incentivized to find them, which is good.
But I think there's a flip side of this, and I'm speaking, as someone that works a lot with agency owners, if you're using some sort of security solution, like we use Solid Security with Patchstack and we get, vulnerability notifications like this, and now I start getting all these notifications from all these bug bounties that are insig well.
In, the levels of security, vulnerability, seriousness, they're minor. You're getting all these notifications now from security plugins that you have an insecure plugin. the chances of the boy who cried wolf syndrome happening, it's like I'm getting all these notifications. I might just start ignoring them altogether.
And so there could be a negative, unintended consequence to some of these bug bounties.
[01:11:02] Nathan Wrigley: I, I just can't help myself. I just keep putting my hand in this crisp packet and I am in some level of pain from the salt. oh. It's a salt. That was a joke. Alright, Patchstack, apparently Andrew Palmer says, has a good bug bounty program. Yeah, there's a bunch, right? We should probably Patch. Patchstack also has a great program where they help plugin developers 'cause a lot of plugin developers will get all of these bugs and vulnerability reports and sifting through the ones that are valid.
[01:11:35] Kathy Zant: And the ones that are just, somebody looking for their Bitcoin payout can be very challenging for somebody who's actually trying to develop a plugin and trying to maintain it and trying to deal with customers and all of that. So Patchstack has a free program that they do to help, basically validate those reports as they're coming in for the plugin ma developers.
And, testing the vulnerability, the, report that's coming in to making sure that it's real. Helping the developer make sense of it, get it patched, make sure the patch is okay, and that program, the managed vulnerability. Reporting program, I think it's called Uhhuh, is, really a great service.
And I, I'm really happy to see that bug bounties are getting paid because you see, like in larger software platforms such as like Instagram, Meta will pay out $300,000 for, a bug. And when I first started in WordPress security, there were a lot of security researchers that weren't making anything for the work that they were doing.
And, just, the way our, space is set up, there's 60,000 plugins and how many ever themes. And so getting that kind of payout for a vulnerability report, I understood why there were so many people, going over to the gray hat side or going to the black hat side because there's more money to exploit it than there is to be ethical and reported and actually help the community stay safe.
So the fact that dollars are being put behind these security researchers as an incentive to, to stay on the white hat side of things, or at least not go gray hat so much is a good thing for everyone in the community. So I'm glad that, Wordfence and Patchstack are doing this. It's also really great that WordPress is such a big space and there's multiple CNAs giving out CVEs to researchers that there's a lot of people on it, which is just a testament to open source and lots of eyes on the code bases.
[01:13:36] Nathan Wrigley: Yeah. Thank you. that was a nice summation of it. By the way. I went gray hat quite a while ago after decided to go. That Also, another thing, you may not realize it, Tim Nash, but all the birds in the world have decided to hang out and now they've gone. Just a minute ago there were like 50 birds flapping around in your window.
I dunno what you did, but now they've all cleared off. But it was quite funny. whenever I start talking doom and gloom, my magpie, select and Crow selection come through, it was occasional raven and a rook will come and join me. It was quite entertaining. So some thoughts on that. Colin says, given the scale of WordPress, this bounty and the requisites for it should be far higher.
Maybe they're just working off what they can afford. yeah, it would be lovely, wouldn't it? If you could pay gigantic amounts of money. I, and my understanding is if you go to things like, Pwn2Own, then because you're dealing with the Chrome browser and things like that, the, amount of money is literally eye watering.
It's like retirement amounts of money. But you are then stringing together like four or five things in eye-wateringly difficult situations. Andrew Palmer, he's back. He says, I get blackmailed every day about plugin vulnerabilities, all of which are nonsense. Yeah, I am sorry about that, Andrew. I will stop doing that.
I think one of the things that's really cool about Andrew's statement is that they are not all, but I, he gets blackmailed with hun loads of these every day, but he knows what he's doing and looking, when he looks through them, he can go, oh yeah, I'm being blackmailed. That's fine. It's the ones there, it's really hard if you have no, education and knowledge.
And one of the reasons it's great, we can talk about this now and why we talk about flooding vulnerabilities and bits, is because your average site owner and administrator cannot tell a good vulnerability report from a bad one though, as a general rule, if they're not going to tell you what the vulnerability is.
It's probably not a bad good, it's not a useful report regardless. So if someone's asking for money without offering anything, if someone comes to you with, here's the vulnerability, oh, by the way, could you bug me some money? Yeah, Something slightly that's slightly different conversation.
[01:15:50] Nathan Wrigley: Slightly really. It's yeah, no, but what if you are a site owner, make sure you've got something like a security.txt, which is a text file that says, Hey, this is our policy. if you google security.txt, it will, there's a good website that will is a, basically it's a standard Yeah.
For how to, set up your, how you contact us about security issues, a link to our security policy, a link to our disclosure policy. And who are people, are you through this process yourselves? So if you're a site, you can do that and as a plugin and, owner, if you are a commercial plugin owner, there are like, there is things like Open Bug Bounty and HackerOne, as well as things like Patchstack program that you can join.
So you can join a bug bounty scheme and say, Hey, we belong to this scheme. You report it this way. Word WordPress is HackerOne, isn't it? wordpress.org is in the, is it HackerOne? Is it that one? I think .com is, but they'll accept org submissions. Okay. It's a bit, of a weird one. Yeah. Okay. and there's an, an article which is related to this, but we probably won't have time to get into it, but I'll just raise it onto the screen in case you're interested.
[01:17:06] Nathan Wrigley: It's by Eric Mann. again, this is courtesy of Tim, and, it's Eric Mann blog. and this one's called Bug, bounties and Risk. Was there anything you particularly wanted to air about that? it was just, this is like the exact opposite. This is someone who went, oh, I don't want anything, I'm just gonna tell you about a problem.
Yeah. And the first thing that they got was a legal threat. Yeah. Isn't that brilliant? You love that. Here's, hi, here's a problem with your site. I'm just being really nice and friendly. oh, hello, Mr. Lawyer. Yeah. Gosh, some people have got the incentives all wrong. so here it is, bug, bounties and risk and I will put that into the show notes so you can read that tomorrow.
[01:17:49] Nathan Wrigley: But as I said, it's Eric ERI c.man with two ns dot. Blog. So there we go. And we're back actually to solid. and on a security related thing, and I think Tim, maybe it was Tim, mentioned a minute ago about disabling x. I can't say this, there's no way this is coming outta my mouth. XM, if I say it at this speed, we've got a chance.
X ml R pc, first time. Nice. X mlr, pctp. I got it. I believe you're pronouncing not like Zi, xml R pc. and there's an article here on the, solid WP blog about why it's a good idea. is there really any justification for it being in a WordPress website these days? If you go and download a vanilla version of WordPress, does anybody want this anymore?
[01:18:42] Kathy Zant: Plugin Stone. Easy Jet. Jetpack. Jetpack. Yeah. Yeah, there's a couple of things, I guess Jetpack and maybe some other things. But basically if you're not using something that you know is gonna be using XML-RPC, the advice appears to be, make it go away, disable it. And I would imagine that all the security vendors have got a toggle to switch this off and, and if not, you can do it with a little bit of code, or a plugin.
[01:19:09] Nathan Wrigley: In fact, Tim, you've got a, Tim's got a frowny face. What you thinking there? I'm just, it's more nuanced than just disable it. Yeah. Okay. Don't just disable it. You, could say just disable it. The other thing is that everything that's in this article, you could pretty much put to GraphQL and A API and the REST API, it all comes funnily back down to users and, bru, the brute force.
If you have good brute force protection on. And you've disabled the functions that you don't use in XML-RPC. XML-RPC is fine. The thing is that people don't understand the risks associated with it. And, you do find lots of hosts turned off and then lots of hosts go, huh, why don't your pack not work?
Or, why does my weird, it's really weird. Esoteric software that fails and they get come up with useful answer. Col Colin says, xr, I can't say it. That thing, is used by any app service that plugs into wp. Okay. yeah, if you've got like a, I don't know, a SaaS app or something like that, the mobile app is never good again.
[01:20:10] Nathan Wrigley: Yeah, of course. The WordPress mobile app is using website. but you can do things to limit this. So you could be limiting this by IP by, you can make sure that certain users don't have access to any XML-RPC functions by default. You can also drop things like pingback and stuff. So th there are lots.
Simply disabling it is like the level one answer and then the li, the higher up answers are, it depends, and this is the same with everything to do with security, isn't it? Or, yeah, do this you can, very blunt version and then they, yeah, here's the nuanced a bit more. Or you can hire Tim Nash, or other fine people are available or other fine people are available.
[01:20:51] Nathan Wrigley: Speaking of which. It's not quite hiring Tim Nash, but it's a bit like hiring. It's like it's hiring part of Tim's brain. look, there's this, and we'll show you something else from, from Kathy and Nathan in just a moment. We'll start here. so Tim has got a workshop. He's been on this podcast many times before and you've heard his wisdom.
he speaks confidently about security. And this is a workshop that you've got going on in what, 10 days time? 29th of August. Yeah. Where's it happening online? What's going on online? you can, we are doing it via Zoom again. So I've done a couple of these style workshops before. This is the first one doing WordPress users security.
And I created this because there really wasn't anything else that I could find that was quite what I was, what this is the user security workshop I wanted to give myself and my colleagues historically the one I've wanted to get. So I. So much of WordPress security is install a plugin and you are fine.
And it's yeah, back to this really basic versus things on, there's way more nuance, there's way more things that are important and user security is a massive thing from, how do you handle session management? That what is session management through to, have you, do you know what users are actually on your site?
this is something that I do, site reviews and the first question I come along is go, oh, how many administrators do you have? 29? Sure. Yikes. Okay, we can get rid of a few of these. Oh, there are four separate web hosts on here. This is a genuine sort of scenarios that everyday users come across because no one told them, Hey, did you get rid of your last web host support team's account?
Oh, by the way, they're the worst people for using the same password. So if you know the master password for certain web hosts, you can get into an awful lot of websites with just username and passwords. Yeah. Okay. So it's stuff like that. It's learning about the best way to manage roles users. It is aimed at anybody who has a website, but it's prime, There's a lot of heavy focus on agencies that are not agencies passing on the information to their client, but agency setting up sites. but it's, yeah, it's available. there'll be a video on demand afterwards and it's really full of interesting things. I obviously, I'm trying very carefully not to say anything that would then, because I know Yeah, we're moving Daffy course.
I don't wanna say anything that's gonna like disparage You should go on both courses is what I, And we'll show you the other bits and pieces in a moment. But first of all, Tim, I've just gotta say I've been scrambling around on this website for a moment or two now I've noticed something. and I'm sure you're gonna address it.
[01:23:45] Nathan Wrigley: I don't see any mention of the badge, frankly. where's the badge, right? If I take this, if you come on the workshop, I will scroll you a terrible badge. Okay? Okay. You heard it here first. You're gonna get a bespoke handwritten badge, that says something like that will be then digitally sent to me as an NFT token or something ridiculous like that.
Okay? So in all seriousness, it's happening 3:00 PM UK time on the 29th of August. You can claim your spot now and, timnash.co.uk/workshop. And, yeah, you can attend that. And all of the bits and pieces that Tim mentioned will be mentioned. However, given that, Kathy and Nathan are both here, I, it was the perfect opportunity to mention this one.
This is something very similar. Monster Secure, you're gonna find [email protected]. what, tell us about this, Nathan, Kathy. okay. Yeah. So this, the idea for this, this came across, several months ago when Tom Raef of We Watch Your Website was on with me on solid, academy. And, this is when the stolen session cookie, issues were starting to come to light.
Okay? Yeah. Yeah. and what struck me is, we teach people how to, build their sites, to be secure and, multilayer security strategy and all the things. But an agency owner who has clients logging into their websites, you can spend thousands of dollars on security and spend hours locking down a site.
[01:25:26] Nathan Ingram: And one single untrained user can mess everything up, because two outta three vulnerabilities are caused by user issues, not insecure WordPress themes and plugins. And that's based on that. We've got the link there on the. to Thomas's blog post. they're monitoring about 18 million WordPress sites.
and that's what they came up with. It's a pretty amazing statistic. so what Kathy and I did was create a course that is made for, WordPress agencies to purchase and add their clients to. It's a basic course that can be completed in about 30 minutes that gives WordPress site editors the essentials to stay secure.
It's Kathy doing the video, so it's awesome. nice. And my go on, Kathy, please. Yeah, my goal with it was just to make security super easy, super simple. Sometimes Nathan had to reel me back in Essentials, Kathy, just because I'm like, I'll talk about anything security for a long time. But this was just very user friendly.
[01:26:35] Kathy Zant: how to set up 2FA. There's still a lot of people out there who are adding content to WordPress sites that don't really understand what 2FA even is, and we shortcut that all the time and showing how to do that with a couple of different, plugins and just making it super simple and help helping people to understand how the decisions they make day to day, not just with their WordPress site, but like with.
All of their digital life have ramifications because people will be like, oh yeah, Tom is just gonna come in and add some blog posts so he can just use my admin account, that type of thing. And just helping people understand that making those kinds of decisions can have larger range impacts. So we wanted to make it very simple for, and my goal with this is, and I always feel like WordPress security is like the gateway education for larger security education so that people make better decisions about their bank accounts, about how they help their mom, set up Facebook, that kind of stuff so that people have this larger understanding of just the security landscape as a whole, but making it super simple and super easy for anyone to understand so it doesn't, feel unapproachable.
[01:27:49] Nathan Wrigley: That's great. Thank you so much for telling us all about that. Now, there is one thing I've gotta say, Nathan and Kathy, I, don't see the badge, frankly. where's, what the heck? You, gotta buy the course to get the badge buy course. Then you get the badge. You gotta badge. It's a secret's. I want it to be this man.
[01:28:06] Kathy Zant: I want it to be this chap here on the badge that, that's what I want. so badges included. Just, you heard it here first. so Monster ins, sorry. Monster Insights, something else. monstersecure.com and timnash.co.uk/workshop. You can go check those out there. that's Tom Raef's website.
[01:28:27] Nathan Wrigley: We've done that already. dah. I think, Tim, if you can do this one very quickly, we can cover this off if you want. this is all about reactivating inactive meetup groups. And you said it 'cause it had something to do with Sheffield. Yeah. WordPress Sheffield is the, in the UK was the third oldest user group in the country after, Leeds and London.
And it I see the way you got that ordered, by the way, I'm just saying you got Leeds in there. I'm just doing it in order of the oldest. You the bit of rivalry there. Nathan and Kathy Leeds London. They like to claim both of them that they're the oldest one anyway. Sorry. Carry on. There's about a week between the two.
Yeah. Okay. It really, but yeah. Anyway, WordPress Sheffield was, has been around for many years. it was one of the. after Leeds, it was the, like the next word, WordPresses group I ever went to. it's where I met a lot of people who have been for years. I, remember a very young, Human Made team turning up once and them, and going.
God, they're not gonna get me out to very much, are they? Boy, did I get that wrong? Yeah, you got that wrong. they, it's like they gave me little presentations like, oh, bless them. And now I, so I feel really, but it was a lovely low user group and it's had a WordCamp. I'm actually, the reason I mentioned it was because I'm wearing on FLT shirts, and it was one of the best WordCamps in the UK for a while, and it's really sad to see it go.
But that's happening across the world. there's been a big push to get more user groups reactivated and those that they can't reactivate, they are killing off, which I guess is. Yeah, I suppose in a way, if it's not gonna, if it hasn't got any legs, it's West less than in the uk Glasgow's on the list, and there's a couple of others that are on the list as well.
so it, it's, it's sad to see them go. And that was really all I wanted to say and to highlight, yeah, the field in particular. So we've got a Divvy podcast going, we've got a bunch of inactive WordPress user groups going. We've got a WPwatercooler going. Yeah, interesting. But we also have new life.
Yeah, we have new life, we have new courses, yours, for example, and we have new life over at the tavern. what's the word? What's the expression? I wanna say out with the old and in with the new. But that sounds too blunt and horrible. I don't mean that. You know what I mean? Something akin to that.
[01:30:50] Nathan Wrigley: Life moves on things that, things that have come and so are the days of our lives. There you go. That's the way to do it. Incidentally, I dunno what all the salt in my crisps has done, but it's made my entire room go white. that's what happens when you have too much salt, it seems right. That's it.
We've reached the time limit. it is now 31 minutes past three in the uk so it's time for me to say Ciara. But before I do that, I'm gonna ask the three of us. the. Me plus the three of you to raise your hands in some slightly humiliating gesture. Oh look, everybody totally into it. Tim always leans right.
He always like that, which I quite like. that's great. And I'll use that as the album art. Thank you so much to, Kathy Zant, who's, our co-host today. Really appreciate that. Thanks to Tim Nash and to Nathan Ingram. It's been a pleasure. Thank you to all of you who made comments. It's what makes this show, really tick along.
And, it looks like Aaron might, have bought your course, Tim. 'cause he says Done deal, Tim, so that's nice. I am slowly going to heaven based on his back. That's right. 20 minutes from now, I'm gonna be in rapture. and on that bombshell, I will, say Siara. Have a nice time. We'll see you next time on this week in WordPress.
If I can click the button, which ends the show, which apparently is not possible to do, I'm gonna find it. Here it is.