News in the WordPress world, May 2016

Security, Security, Security

This month again proved that you need to keep WordPress, your themes, and your plugins up to date! Security updates were released for Jetpack, Caldera Forms, WP Fastest Cache, WordFence, Yoast SEO, Ninja Forms, and others. WordPress itself released an update to address potential security issues with its media players.

A New Plugin Repository

The plugin repo available at will be redesigned soon. You can check the first prototypes here, and you can chime in on the taxonomies that will be used to sort plugins here. These changes should help each of us find the right plugins faster.

Authentication in the REST API

We’ve talked quite a bit about the REST API in the past year. Agencies and WordPress professionals are using it more and more to build interesting things on top of WordPress. Until now, however, authentication remained a tricky part. Thanks to the WP API team, we now have the Authentication Broker, a centralized place where you can register applications for the REST API, and that will help you authenticate through a central and reliable server. You can read more about it in the announcement post, and register your apps at

10,000 members in WordPress’ Slack team

Are you a member of the Making WordPress Slack channel yet? You should join us, it’s become an important place to chat with other WordPress community members!

#news, #WordPress, #meetup

News in the WordPress world, February 2016

WordPress 4.5 Beta 1 is almost ready for testing

As always, the new release includes tons of bug fixes and new features. Here is a quick preview of some of the new features:

A few other Feature Plugins might still make it to 4.5, and are listed here.

Make sure to check the list, you might be interested in some features, like 2 Factor Authentication or the Fields API; you can test them by installing the plugins right from your dashboard.

WordPress REST API News: what should be in WordPress 4.5?

There was a lot of discussion about this in the past few weeks. The WP REST API just hit version 2.0, and while it’s still very much a work in progress, the team would like to merge the first 4 endpoints in WordPress 4.5:

  • posts
  • terms
  • comments
  • users

These endpoints are mostly ready, short of a few things to iron out, like password-protected posts, or sticky posts.

WordPress’ project lead, Matt Mullenweg, would rather wait until more endpoints are created, until the API supports everything you can do in wp-admin, and only then merge the endpoints into WordPress. While full parity isn’t necessarily his end goal, what he seems to be most interested in is releasing a product that is as much a “minimum viable product” as it is a “minimum lovable product”.

This has created some controversy, and it’s still not clear what will happen with the WP REST API in the next few weeks. The community seems divided between 3 different options:

  1. Will the 4 endpoints be merged into 4.5 as is?
  2. Will the 4 endpoints need to be polished and fully complete before being merged?
  3. Will more endpoints have to be created to reach wp-admin parity before anything is merged?

You can read more about this here:

Do you use WooCommerce on sites with a very large inventory?

You probably know how hard it can be to maintain good performance and a good Search feature on large WooCommerce sites. Lucky for us, 10up just released ElasticPress WooCommerce, a free plugin in the plugin repository allowing you to run WooCommerce queries through Elasticsearch instead of your local database. All you need is a server running Elasticsearch, and the ElasticPress plugin (also free).

Critical Security Vulnerability Discovered in Elegant Themes Products

If you use an Elegant Themes product, be it a theme or a plugin, go update now!

An information disclosure vulnerability was found in the Divi Builder (included in our Divi and Extra themes, as well as our Divi Builder plugin) which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on your WordPress installation to perform a subset of actions within the Divi Builder, including the ability to manipulate posts.

#news, #WordPress, #meetup

News in the WordPress world, November 2015

WordPress 4.4 Release Candidate

Test, test, test! WordPress 4.4 should be released next week, on December 8, and you should be ready. Check this post to find out the new things that will ship with this new release.

WordPress now powers 25% of the web

Matt talked about it on his blog: WordPress now powers 25% of the web. It’s an important milestone. Let’s see what we can do to get to 100%! 😊

A more RESTful WP-CLI

Do you use WP-CLI? Daniel Bachhuber will work on making it fully compatible with the upcoming Core REST API. His Kickstarter campaign was a huge success and helped him get the funds he needed to concentrate on that project in the months to come.

A new CMS in Town, Envato Sites

Envato is one of the biggest businesses related to WordPress (they’re the company behind ThemeForest, CodeCanyon, and others). They announced that they’re working on a brand new site builder, named Envato Sites.

While they’ll continue to release tons of WordPress themes and plugins on ThemeForest and CodeCanyon, that’s definitely something to keep in mind. I can imagine that ThemeForest authors will start spending some time developing themes for that new CMS. If you work with Envato products, keep an eye on that.

Read the announcement here.

WordCamp US, WordCamp EU

WordCamp US starts on Friday. Even if you don’t travel there, you can purchase a Live Stream ticket if you’re interested in some of the talks. Matt’s State of the Word is always interesting, for example.

WordCamp EU will be in Vienna this year. It’s only a few hours by train or car, so definitely worth the trip. You can already book your tickets here.

A new desktop app, a new admin interface for, and it’s all open source

Automattic, the company behind and Jetpack, open sourced the code they use to run the new admin interface on

  • It’s built with React and Node.js (more details about the implementation here and there).
  • It interacts with’s WordPress installation via the REST API.
  • The interface is fast, and a big change from wp-admin.
  • You can use that new interface if you own a site, or a self-hosted site where you’ve installed the Jetpack plugin (the plugin is used to communicate with the REST API).
  • The code is open source and available here.
  • A desktop app is available for Mac users, Linux and Windows versions are being tested.

While this is limited to site owners and Jetpack users for now, it’s a good example of what can be done when building a client on top of WordPress, using a REST API.

  • WordPress Core will soon include its own API, and we’ll probably see more clients popping up.
  • Once that API is mature, will be able to adapt its code to use the core REST API instead of the REST API.

Give the app a try, it’s a refreshing experience. It’s still limited in some cases, like when you’ve built things inside wp-admin using custom fields (not supported yet) or custom post types (not supported yet).

Want to read more about it?

#news, #WordPress, #meetup

News in the WordPress world, October 2015

WordPress 4.4.

WordPress 4.4 Beta 2 is available for testing. The new version of WordPress will include 3 new important features:

Plugin translations

If you’ve had to deal with plugin translations in the past, you know it used to be a cumbersome process: people who translated your plugin had to send you .po and .mo files, and you would commit those files into your plugin’s languages folder in the next release. Things are much easier now, thanks to All translations happen on You can contribute to translations for just about any plugin, and as soon as your translations get approved, they’ll be shipped to everyone using the plugin.

Even the readme can be translated, so we’re slowly moving towards a fully localized plugin repository!

Let’s Encrypt

Not WordPress news, but something that will affect everyone with a website. Let’s Encrypt is a new free SSL certificate authority, and is now trusted by all major browsers. Soon they’ll start issuing free SSL certificates to everyone who needs one. They contribute to a safer internet for everyone.

More XML-RPC news

XML-RPC is a feature allowing you to interact with a WordPress site. It’s used by the mobile apps, by plugins like Jetpack, by services like IFTTT, and by many other apps and services.

Since it can be used to publish posts remotely, it’s one of the points of entry hackers like to target. They’ll try to authenticate to your site via XML-RPC, and access your site through there.

Unfortunately, it can be abused, and the Sucuri security firm found that hackers had discovered a new way to abuse that feature. They now use a method named system.multicall to execute multiple methods inside a single request. That means they can test several username / password combinations in one single request. Consequently, it’s no longer enough to block clients that make multiple requests to your site’s XML-RPC endpoint in a short period of time; you now have to look at what those requests contain. We’ll cover how to protect yourself against those attacks in my talk, a bit later.
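One way to look at what a request contains, rather than only counting requests, is to count the calls wrapped inside each system.multicall body. The sketch below is an added example, not code from the original post or from Sucuri; the threshold, the function names and the sample body are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

MAX_NESTED_CALLS = 5  # assumed threshold; tune to what your legitimate clients send
NESTED = "params/param/value/array/data/value/struct"  # one <struct> per wrapped call


def nested_calls(body: str) -> Counter:
    """Count the methods wrapped inside one system.multicall request body."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("XML-RPC bodies never need a DTD; refuse to parse")
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "system.multicall":
        return Counter()  # ordinary single call
    counts = Counter()
    for struct in root.iterfind(NESTED):
        for member in struct.iterfind("member"):
            if member.findtext("name") == "methodName":
                name = member.findtext("value/string") or member.findtext("value") or ""
                counts[name.strip()] += 1
    return counts


def is_suspicious(body: str, limit: int = MAX_NESTED_CALLS) -> bool:
    """True when a single HTTP request carries more than `limit` wrapped calls."""
    try:
        return sum(nested_calls(body).values()) > limit
    except (ValueError, ET.ParseError):
        return True  # malformed or DTD-bearing bodies are treated as hostile


def sample_multicall(n: int, method: str = "wp.getUsersBlogs") -> str:
    """Constructed sample input: n wrapped calls with their parameters left empty."""
    call = ("<value><struct><member><name>methodName</name>"
            f"<value><string>{method}</string></value></member>"
            "<member><name>params</name><value><array><data/></array></value></member>"
            "</struct></value>")
    return ("<methodCall><methodName>system.multicall</methodName><params><param>"
            f"<value><array><data>{call * n}</data></array></value>"
            "</param></params></methodCall>")


if __name__ == "__main__":
    for n in (2, 200):
        body = sample_multicall(n)
        print(n, dict(nested_calls(body)), is_suspicious(body))
```

A per-request count like this complements per-IP rate limiting: the first catches one request that carries hundreds of wrapped calls, the second catches many small requests.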

#meetup, #news

News in the WordPress world, April/May 2015

Update all the sites!

There were quite a few releases in the past few weeks:

  • 4.1.2, 4.2, 4.2.1, 4.2.2
  • Popular plugins, Security plugins (iThemes Security), Core, … Everyone has had their share of security issues in the past few weeks.
  • Luckily, WordPress’ Automatic Updater took care of most of these updates for you. You can learn more about the updater and how to configure it here.
  • The last security issue concerned Genericons, an icon font that’s bundled into several themes including Twenty Fifteen, and in popular plugins like Jetpack. You can read more about the vulnerability here.
  • Update fatigue is dangerous. Don’t give up, update, and thank the Core Security team who’s there to save us by reacting quickly and shipping new releases to fix all these issues.

Now Requires Theme Authors to Use the Customizer to Build Theme Options

From now on, all themes submitted to the theme repository will have to use the Customizer for their theme options:


If you are not familiar with the customizer, and if you’d like to add options to your theme, I would suggest checking out the Customizer API docs on

WordPress 4.3 will be all about enabling users of touch and small-screen devices.

WordPress 4.2 was shipped a couple of weeks ago, and the core developers are already planning 4.3. You can find out more about the focus of the next major WordPress release here:


I would also suggest subscribing to make/flow if you’d like to help with testing and share your opinions.

WordPress’s REST API is still in the works; version 2.0 was released a few weeks ago

  • The developers in charge of the API are looking for testers. If you’re interested, and if you want that feature to make it into core sooner rather than later, watch the GitHub repo and submit bug reports!

#meetup, #news

News in the WordPress world, March 2015

Here is a quick recap of last night’s News section. Any questions, shoot!

Security updates

There were a few important security vulnerabilities discovered in WordPress plugins this month:

For some of these updates, the WordPress Security team automatically updated the plugins remotely, using the automatic update system that was added to WordPress in version 3.7. You can read more about this process here.
This automatic update was really useful to patch a lot of WordPress installations in very little time, but some people felt uncomfortable seeing the WordPress security team update code on their site without their consent. Here is a post arguing against automatic plugin updates: On Automatic WordPress Updates.

WordPress 4.2 Beta

The next version of WordPress is just around the corner, and you can help test it! To do so, install this plugin.

To find out what’s new in WordPress 4.2, you can check this post: WordPress 4.2 Beta 1.

Of note, a better plugin installer, a new Press This feature, even more things in the Customizer, and Emojis.

We also talked about the changes to taxonomy terms: you can read more about it here. If you’re a plugin author, you’ll want to review this guide. You can use this plugin to find out if your site includes any shared terms.

If you have any other news to share, post them here!

#meetup, #news

News in the WordPress world, January 2015

Before we get to post pictures and presentations about last night’s meetup, here is a quick summary of the news topics we talked about.

WordPress Lead Developer changes

Ryan Boren and Peter Westwood step down and are replaced by Helen Hou-Sandi and Dion Hulse.

Ryan Boren becomes UX lead for 2015. If you don’t already, I’d suggest following to find out more about some of the biggest UX issues in WordPress.

Read about it on Poststatus

The plugin installation flow will be improved in WP 4.2.

Done with the boring steps appearing when you would install a plugin. Check trunk, it’s already in there. #29820-core

New frontend editor walkthrough

If you follow, you probably know about the frontend editor that is being worked on. You can already install it on your test sites, it’s worth giving it a try. Here is a walkthrough from Elegant Themes.


Pressnomics is a WordPress conference for entrepreneurs and business owners. A few weeks ago, over 250 attendees met in Phoenix to talk about the economics around WordPress. One of the key events of the conference was a Q&A with Matt Mullenweg, founder of WordPress and CEO of Automattic.

The session wasn’t recorded, but a few quotes generated quite a lot of talk around the future of WordPress, our competitors, and how we need to change to create the next WordPress.

Here are a few of Matt’s quotes:

Following discussion

Matt was referring to plugins transforming WordPress into a turn-key solution including the features that people creating websites have come to expect: social, mobile, stats, … These are all baked into tools like Wix, Squarespace, or Weebly.

Chris Lema – Is the Future Success of WordPress tied to Jetpack?
WP Tavern – How Important is Jetpack on WordPress’ Road to 50% Market Share?

WP Pusher, deploy WordPress themes and plugins from GitHub

cc @sinisterstuf who will talk about deployment methods in our next meetup!

#meetup, #news