Dear WordPress Get Your 💩 Together

Dear WordPress.org,

Get your shit together!

It is 2016, there is no excuse for allowing any plugins with insecure code to make their way into the plugin directory. Full stop.

The story about Custom Content Type Management stealing admin credentials and other shenanigans is utterly pathetic. I’d bet this incident is just the tip of the iceberg.

If there is a plugin review process, I have seen no evidence of it. In my experience, plugin updates are made live immediately after updating the repo, regardless of whether the plugin has a site-crashing bug or a security issue.

The plugin directory situation has gotten so bad that people are starting to avoid installing free plugins.

Fix it. Please.

Sincerely,
Everyone who loves WordPress

PS. I stole the emoji graphic from the great article on The Oral History of the Poop Emoji.

The Role of Developers in the WordPress Community

Earlier this week, influential British designer Sazzy wrote a blog post entitled The Elephant In The Room about the depressing state of freelance web design. While not directly related, her post got me thinking about the current plight of the back-end developer inside the WordPress universe.

Over the past 3 or 4 years I’ve focused my work around custom WordPress development. In that time, in spite of (or maybe because of) WordPress’ meteoric rise to popularity, I’ve found interesting backend development work in WordPress to have almost completely dried up.

I believe this is largely because WordPress is mature, stable and has little need for serious back-end developers.

Core Contributions

Earlier this year, I took it upon myself to get a patch into WordPress core. I logged into the WordPress slack daily, watched conversations and dug around TRAC to find something I could contribute back to the community.

In doing so, I came to learn that the core contribution team seems to be a well-defined clique of developers who have been there a long time. Breaking into the little club is not easy. Based on my digging around in TRAC, it looks like most feature requests are met with bureaucracy and bickering, as tends to happen in nerd forums. More serious issues are already adequately handled by long-time core contributors. The Slack conversations are dominated by a few voices who really know what they’re talking about.

Don’t get me wrong, the core contribution community is not unfriendly and none of the things I encountered are bad, per se. I simply got the impression that there’s little room and little need for the average developer in the core contribution team. WordPress is mature and stable, and so is the development team.

Plugins

Simply put, most common and many uncommon features/problems/use-cases have been solved by well-established, mature, stable plugins. Most of the more popular plugins are supported by businesses that have sprouted up around them. Not only that, but Automattic seems to be spending even more resources developing plugins — as we saw just this week with their AMP plugin.

A few years ago it might have been possible to start a cottage business around a custom-developed plugin that solves a popular problem. Something you could implement on all your development clients’ sites, while selling support or premium services to the general public.

Today, those unsolved problems are few and far between.

Themes

The theme marketplace is bananas. There… are… just… so… many… themes and a lot of them are technically quite bad. But all that clients need are pretty pictures, slick demos and a low price point. It’s very difficult to sell the average mom & pop on the merits of a custom designed theme. To be honest, a lot of the time there is little value to be gained.

At the end of the day, custom themes are a non-starter for a large portion of the potential client base that the average freelance developer could expect to encounter. There are certainly cases where a custom template could be part of an overall design/branding strategy or something to that effect.

WordPress as a CMS

WordPress has always been and still is a bad choice as a general purpose CMS. But that’s a post for another day.


So, what’s left?

In my experience over the past couple of years, there are two related roles being filled by professionals who make their living in the WordPress universe.

The Expert

The WordPress Expert is someone who stays up-to-date with WordPress. They know about key features in the latest release; they maintain a personal list of go-to plugins to solve various problems; they have preferred theme vendors and know how to spot a bad theme just by looking at it; and they’re just really good at using WordPress.

The WordPress Expert can set you up with a website from start to finish, without ever touching a line of CSS or a PHP template. They act as a liaison between a clueless client and the confusing world of websites. They can troubleshoot most issues, and if not, they’ll know who to call.

The Customizer

The WordPress Customizer has all the skills and knowledge of The Expert and, on top of that, they are usually a skilled front-end developer with some basic back-end knowledge. They know what a child theme is and aren’t afraid to use one.

When an off-the-shelf template doesn’t quite fit a client’s needs, the client will end up hiring a Customizer. The Customizer is able to wrangle the theme, bending it to meet the needs and wishes of a particular client.

At the end of the day, this type of customization can often be hard to maintain. Being a good customizer is not always an easy task. But The WordPress Customizer can be a reasonable solution to provide budget conscious clients a more customized website.


Over the years, my role has morphed into that of a customizer. I enjoy the work, but it doesn’t really scratch my programmer itch. Calling it “web development” seems like a stretch.


Peach Came From a Can

Social app Peach hit the interwebs over the weekend, harder than a late 1990s grunge-esque anthem skipping on a discman playing through a cassette tape adapter.

You could write off Peach as another social networking app for tech groupies. But you’d be missing a very unique feature.

Chatbots.

(Sorta. They’re almost more like command-line keywords.)

Peach does this one little thing that I’ve never seen an app of this type do before. A series of text commands enables quick access to device sensors and various other APIs. For example, `move` posts the number of footsteps the device has recorded today, `gif: keyword` returns a gif search, `here` posts your location, etc.

I’m not sure whether to call this innovative per se; chatbots have existed on IRC for decades and Slack does something similar with third-party app integrations.

However, Peach is the first time I’ve seen this sort of thing implemented for purely entertainment purposes and I find it extremely interesting. Most likely, it’s an early sign of things to come.

If you do check it out, add me, I’m ohryan.

TeeVee for WP: building Apple TV apps with WordPress Plugins

Imagine you create tonnes of great video content every day and publish it all through WordPress. Your viewer can watch your amazing shows everywhere…on iPhones, iPads, iMacs, but not their TVs. Wouldn’t it be great to have a branded Apple TV app so that all your viewers could watch your content in full screen glory? Well I’ve got just the WordPress plugin for you…

Behold, TeeVee for WP!

A straightforward WordPress plugin I created to allow content creators to use WordPress as a data source for Apple TV apps. TeeVee for WP attaches video metadata to blog posts. The metadata is used to generate TVML¹, which gets ingested by a custom/branded tvOS app.



On the Xcode end you simply create a new tvOS single-view application, with an AppDelegate that looks something like this:

Modify the `TVDomain` to point to the domain where TeeVee for WP is installed and the rest is show business.

The project is up on GitHub here: https://github.com/ohryan/teevee.

Contributions would be much appreciated.

If you have any questions or suggestions, hit me up on Twitter at @ohryan or email me at [email protected].

  1. TVML is a cool little XML format Apple created for basic layout – check out Apple’s documentation for more information.

Facebook’s History of Spying

Reading Wikipedia this morning, I came across an interesting tidbit from the days when Facebook was still thefacebook.com. As seen in The Social Network, after launching the site Mark Zuckerberg was under investigation for potentially stealing the idea from the Winklevoss brothers.

Not covered in the movie, though: while this investigation was going on, Zuckerberg did a little investigating of his own by accessing the email accounts of the investigators:

Zuckerberg knew about the investigation so he used TheFacebook.com to find members in the site who identified themselves as members of the Crimson. He examined a history of failed logins to see if any of the Crimson members have ever entered an incorrect password into TheFacebook.com. In the cases in which they had failed to login, Mark tried to use them to access the Crimson members’ Harvard email accounts, and he was successful in accessing two of them. In the end, three Crimson members filed a lawsuit against Zuckerberg which was later settled.

~ The History of Facebook, Wikipedia

The way I read this, thefacebook.com was logging failed passwords! Meaning, when you entered an incorrect password on thefacebook.com’s login page, the website would save the text you entered. Obviously websites have to keep some record of your password in order to authenticate you, but passwords are normally stored hashed, in such a way that developers cannot read them back. The Wikipedia article doesn’t say whether or not the regular stored passwords were hashed.

However, if you were intending to use a website you created to log into the email accounts of the site’s users, collecting the passwords that failed would give you more passwords to try when logging in to those users’ third-party email accounts.
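To make the distinction concrete, here is an added Python example (my own illustration, not code from the post and not anything from Facebook) that puts the behaviour the post describes next to the correct one: one in-memory login service keeps plaintext passwords and writes the text of every failed attempt to its log, the other stores only a random salt plus a PBKDF2-HMAC-SHA256 digest, compares in constant time, and logs only the username and the outcome. `audit_log_for_secrets` is a defender-side check that a log never contains any of a set of submitted secrets. The usernames and passwords are constructed sample values.

```python
"""Added example: why a login log must never contain the submitted password.

Two small in-memory login services (constructed for illustration):

  * InsecureLoginService keeps plaintext passwords and writes the text of
    every failed attempt to its log. Anyone who can read that log gets a
    list of candidate passwords to try elsewhere.
  * HardenedLoginService stores only a random salt plus a PBKDF2-HMAC-SHA256
    digest, compares in constant time, and logs only username and outcome.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). The digest cannot be reversed to the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Dummy record so that an unknown username costs the same work as a known
# one; otherwise response timing would reveal which usernames exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-not-a-real-password")


class InsecureLoginService:
    """The anti-pattern: plaintext storage and failed passwords in the log."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}   # username -> plaintext password
        self.log: list[str] = []

    def register(self, username: str, password: str) -> None:
        self.users[username] = password

    def login(self, username: str, password: str) -> bool:
        if self.users.get(username) == password:
            self.log.append(f"login ok user={username}")
            return True
        # The submitted secret is written out, readable by whoever reads logs.
        self.log.append(f"login failed user={username} password={password}")
        return False


class HardenedLoginService:
    """Hashed storage, constant-time compare, and a log without secrets."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, digest)
        self.log: list[str] = []

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        salt, digest = self.users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        # Always do the full verification, then reject unknown usernames.
        ok = verify_password(password, salt, digest) and username in self.users
        # Only the outcome is recorded; the submitted text is discarded.
        self.log.append(f"login {'ok' if ok else 'failed'} user={username}")
        return ok


def audit_log_for_secrets(log_lines: list[str], submitted_secrets: list[str]) -> list[str]:
    """Return the log lines that contain any submitted secret (empty when clean)."""
    return [
        line
        for line in log_lines
        if any(secret in line for secret in submitted_secrets)
    ]


if __name__ == "__main__":
    good = HardenedLoginService()
    good.register("alice", "correct-horse-battery")          # constructed sample
    good.login("alice", "wrong-guess-1")
    bad = InsecureLoginService()
    bad.register("alice", "correct-horse-battery")
    bad.login("alice", "wrong-guess-1")
    print("hardened log leaks:", audit_log_for_secrets(good.log, ["wrong-guess-1"]))
    print("insecure log leaks:", audit_log_for_secrets(bad.log, ["wrong-guess-1"]))
```

Run stand-alone, the hardened service reports an empty leak list while the insecure one returns the line carrying the failed guess. The audit function is the kind of check worth running over real application logs, with the secrets list populated from a test account’s deliberate failed logins, to confirm a login handler never records what users typed.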

Zuckerberg was caught breaking into 2 accounts, but one has to wonder how many other accounts he broke into. Remember, in 2004 (prior to Gmail), email accounts did not have 2-factor authentication, they did not detect suspicious login activity, and they did not have the security features we’ve come to take for granted. Anybody could log into anybody else’s email account undetected.

Password security is the most basic of implicit trust between a website and its users. A site that is logging passwords and password attempts cannot be trusted, period.

Who knows if or how the culture at Facebook has changed. Nevertheless, if the company’s CEO was willing to exploit users for personal gain in the early days, what sort of things are they willing to do when governments or other powerful entities pressure them?