Categories
travel WordPress

WordCamp US 2023

I attended my first WordCamp US this year and it was great!

The Travel

WCUS 2023 was held in National Harbor, Maryland. It was my first time visiting the DC area.

DC is such a well documented and important city that I felt like I knew exactly what to expect and it delivered. Basically to the extent that my own personal experiences feel a little trite given the vast amount that has already been written about the city.

Personal highlights though were finally meeting some of my teammates IRL and biking around DC with them on the Sunday (also frisbee).

So I’ll forego the usual travel blog and jump right to the talks.

The Talks

Videos of the talks have just been posted online (full playlist).

Here are my highlights:

Most Groundbreaking

The WordPress Playground has existed for a little while now and it’s one of those things I filed away in my mind to check out later.

It is absolutely incredible.

It’s literally a copy of WordPress running PHP in your browser! It’s not a virtual machine you’re remote desktop-ing into, it’s actually running in your browser! There’s a tonne of potential applications.

Antonio Sejas talks through some of them.

Check it out, I have a feeling this could be the future.

WordPress Playground, present and future applications

Most Engaging

How do you make a dry topic like core web vitals engaging?

Enter Henri Helvetica.

Easily one of the best talks on any subject that I’ve ever seen. It’s fun and you might even learn something.

Core Web Vitals 2023: User Experience and Performance Evolved

War stories

Two talks I am putting under the “war stories” slash “how we built this really cool thing” category.

If you’ve ever worked on client projects I think you’ll find these two talks validating.

For All Userkind: NASA Web Modernization
All The Presidents Websites

Contributor Day

The Thursday before the event was set aside for “contributor day.”

Essentially, anyone interested in working on WordPress itself could break into small groups to contribute to a specific area of the project (be it core, documentation, infrastructure, etc.). Apparently, at previous WordCamps the contributor day was held after the main conference when everyone was tired/hungover. The day before definitely seems like the right choice to me.

I fell in with the group making a renewed push for a core fields API.

Read Scott’s post.

And check out the repo: https://github.com/sc0ttkclark/wordpress-fields-api

I’m actually semi-interested to start a local regular contributor day, if I can find any collaborators.

Oh, And The Swag…

I got some.

Verdict

I met a lot of cool people, had a lot of great food and conversation.

10 out of 10. Would WordCamp again.


Get Involved

So hey, if you’re local to me in the Winnipeg area and you’re interested in WordPress, check out the monthly meetup.

It’s not just for developers, in fact most of the attendees are often end-users.

It’s on the first Wednesday of the month at 7PM at Red River College downtown campus, more info and RSVP on eventbrite.

Categories
WordPress

WordPress Websites Now Only $499

Early this week Automattic launched “Built by WordPress.com Express,” an awkwardly named “webdesign” service.

Here’s the sales video:

The tagline “Real sites, built by real people.” is a good one. It acknowledges that most people who need a website are not web designers. It positions their service as an alternative to the steep learning curve of doing it yourself (with WordPress or elsewhere).

It feels a little like WordPress VIP lite (very lite!). In fact, I’m fairly certain some of the screenshots in the video are from VIP clients.

Reading between the lines, the service seems to be a layout service. You pick a pre-existing theme, provide the content and US$500 and then they’ll “do it for you.”

This is bad on so many levels! (well at least 4 I can think of off the top of my head)

Easy To Replicate

Some are speculating that this service is a desperate attempt to increase profitability for an upcoming IPO. I find this plausible.

Unfortunately, if this service proves to be a hit, it is incredibly easy for Elementor, Wix, Squarespace, etc. to replicate. Set up a network of “experts” poached from Fiverr and some minimal organization to manage the workflow.

Whether A8C’s competitors could pull it off as well with good templates, solutions that work and great support is almost beside the point. This segment of the market is just looking for a solution to the basic problem of “I need a website.”

Hard to Support

A $500 WP Express customer is going to expect the same level of support as a $500,000 WP VIP customer. Period. If the goal is raising profit, the support costs are sure to challenge that goal.

Solves Half The Problem

The design — as in the visual appearance — is only half the problem you need to solve when building a website. Maybe even less than half in many cases.

A beautiful website is useless without a cohesive content strategy. Professionally written, thoughtful content will always give you a leg up on the competition… the competition who whipped together a website for $500 without a second thought.

The marketing copy on the sales page strongly implies that your content is unimportant. Providing content is simply the 3rd item on a 5-item list, equal weight to providing your business address and sitting back and relaxing.

oof.

Devalues WordPress

This is the biggest problem.

The popularity of WordPress is built on the hard work and goodwill of freelancers. Passionate people who’ve spent the past 2 decades spreading the Gospel of Matt.

Any of these freelancers will tell you how hard it can be to convince a potential client that their website is worth more than approximately $500. Imagine how much harder this becomes when wordpress.com is setting the going rate at $500! Why would they ever hire you?

To quote @briancoords on twitter “a massive private company and also the sole entity allowed to commercially profit off the WordPress trademark devaluing WordPress could be harmful for anyone trying to earn a living anywhere at any price point.”

Not to mention that the templates themselves are kind of ugly.

This feels like a gut punch.

I’m always rooting for Automattic. But I hope this goes nowhere fast and we never hear about it ever again.

Categories
WordPress

Huge Vulnerability in WordPress 4.8

Anthony Ferrara discovered a significant security vulnerability and an even more fundamental security flaw in WordPress.

The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.

It’s worth saying that this would be a major breaking change for WP. One that many other platforms have done successfully (PHPBB did this exact thing, and went from having massive SQL Injection vulnerabilities to almost none).

WordPress has made great strides in modernizing and hardening core. I really had no idea WPDB was still in the dark ages! For shame!

Read his post for all the gory details.
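As an added illustration of the design flaw Ferrara describes, here is a small simulation written for this post (it is not WPDB’s code and uses a toy escaper): a prepare() that hands back finished SQL text can be fed straight back into prepare(), so placeholder syntax that arrived inside user data gets re-parsed as query syntax; keeping the query and its parameters together in an object until execution removes that string round-trip.

```python
import re
from dataclasses import dataclass, field

PLACEHOLDER = re.compile(r"%[sd]")

def escape(value: str) -> str:
    # Toy escaping for the simulation only; not a real SQL escaper.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def prepare_to_string(query: str, *args) -> str:
    """Simulated string-returning prepare(): each %s / %d in the query text is
    replaced by a quoted, escaped argument and the finished SQL text is returned.
    Once it is a string, nothing stops a caller from preparing it again."""
    values = list(args)
    def sub(m):
        if not values:
            return m.group(0)  # no argument left: placeholder stays in the text
        v = values.pop(0)
        return str(int(v)) if m.group(0) == "%d" else "'" + escape(str(v)) + "'"
    return PLACEHOLDER.sub(sub, query)

def add_limit_to_string(sql: str, limit: int) -> str:
    """Helper that takes already-prepared SQL text and prepares it AGAIN to add a
    LIMIT clause: the double-prepare the quoted post warns about. Any %s or %d
    that came from user data in the first pass is now treated as a placeholder."""
    return prepare_to_string(sql + " LIMIT %d", limit)

@dataclass
class Statement:
    """Hardened shape: query text and parameters stay apart until execution, so
    there is no intermediate SQL string for a second prepare() to chew on."""
    sql: str
    params: list = field(default_factory=list)

    def with_limit(self, limit: int) -> "Statement":
        return Statement(self.sql + " LIMIT %d", self.params + [int(limit)])

    def render(self) -> str:
        # Bind exactly once. A real driver would send sql and params to the
        # server separately; rendering here only makes the result visible.
        return prepare_to_string(self.sql, *self.params)

if __name__ == "__main__":
    query = "SELECT * FROM users WHERE name = %s"
    # Constructed user input that happens to contain placeholder syntax.
    print(add_limit_to_string(prepare_to_string(query, "%s"), 5))
    print(Statement(query, ["%s"]).with_limit(5).render())
```

With a benign name the two paths agree; with `%s` in the data, the string path consumes the user-supplied placeholder and leaves the real `%d` unfilled, which is exactly the class of bug a statement object cannot have.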

Categories
Tips & How To's Web Development WordPress

How to Keep Your New WordPress Site Running Smoothly

So you just launched a WordPress site for your business, everything is up and running. Pages load quickly, SEO is better than ever, you paid your development team. Now you’re all set for the next few years, right?

In an ideal world, this would be true. Unfortunately, the Internet is a dangerous place and software is not perfect. With WordPress presently powering 1/4 of the Internet, it is a huge target for hackers and internet miscreants. Left untouched, your site is almost guaranteed to become infected by malware at some point in the future.

Click “Update!”

Clicking that “update” button in the WordPress admin is the single most important thing any WordPress site owner can do. In Windows or macOS these types of security updates can seem like a pain, annoying nag messages that you always dismiss immediately. While these updates are important for desktop computers, in reality, your desktop machine is typically removed from outside attackers by 1 or 2 levels of routers. Your website on the other hand has to be accessible to the broader internet in order for the public to have access to it.

One fact that might be overlooked if you’re unfamiliar with software development is that the vast majority of security patches are in response to a reported issue. What this means is that potential attackers already have the information to create mass exploitation tools by the time you see the update notification in WordPress.

To put it another way: in my time working with WordPress, I’ve never seen a compromised WordPress site that is totally up to date with all updates.

Is It Safe?

One concern that causes many computer users to put off software updates is the fear that something will break. While this fear is not totally unfounded, most software updates are safe, most of the time. When dealing with WordPress updates, you’re looking at new code from different sources. Core updates come from the WordPress open source project, and these updates are all vetted by professional developers. Plugin updates are submitted by the plugin author. The experience level of these authors varies widely; they could be hobbyists working on the weekend or large teams of professional developers.

So is it safe?

Minor WordPress Core updates are safe. The minor updates are the updates where the main version number (i.e. 4) does not change. The WordPress team takes great care to ensure that updates do not break anything.

Major WordPress updates are probably safe. Again, the WordPress team has a great track record of building in backwards compatibility. So, your site probably won’t break. However there are two caveats. 1) Major features in the WordPress admin will likely look and/or act differently; 2) Some plugins may stop working.

Plugin updates should be safe, but it depends. With a few notable exceptions, most well written plugins will update without issue. The same rule of thumb about major and minor updates applies to plugin updates: a major version update is more likely to break something. A good WordPress site developer will only install plugins that they’ve individually vetted; I never install plugins for my clients that I do not trust.

Be Proactive

A number of plugins and security solutions have started to become available for WordPress over the past few years. They are essentially virus scanners and firewalls for WordPress. By setting these up, you should be able to fend off additional threats or at the very least disable malware if it happens to make it onto your site. A Google search will reveal many good options. My current go-to plugin is Wordfence Security; I install it on all new sites. I like it because it works well out of the box and it typically does a better job finding malware than the other plugins I’ve tried.

Conclusions

As developers, I think we often do a bad job communicating the importance of ongoing maintenance and security. After all, it’s a little embarrassing to have to concede that this great product you just spent weeks of time and a good chunk of money on, is a giant bullseye for internet miscreants. It can seem like a slimy up-sell to suggest a maintenance contract.

In reality, if you’re comfortable reading and digesting release notes, you should be able to handle keeping WordPress up to date. If you’re less of a tech-DIY person, you may want to get in touch with a developer.

One more thing: Backups

Backups are always a good last resort. I didn’t mention them in this post because backups are typically a poor malware recovery solution. Two main reasons: 1) The type of malware that affects WordPress rarely corrupts content; 2) it can be difficult to pinpoint when a malware infection started, so you won’t know which backup to restore to.

Categories
Web Development WordPress

Dear WordPress Get Your 💩 Together

Dear WordPress.org,

Get your shit together!

It is 2016, there is no excuse for allowing any plugins with insecure code to make their way into the plugin directory. Full stop.

The story about Custom Content Type Management stealing admin credentials and other shenanigans, is utterly pathetic. I’d bet this incident is just the tip of the iceberg.

If there is a plugin review process, I have seen no evidence of it. In my experience, plugin updates are made live immediately after updating the repo, regardless of whether the plugin has a site crashing bug or a security issue.

The plugin directory situation has gotten so bad that people are starting to avoid installing free plugins.

Fix it. Please.

Sincerely,
Everyone who loves WordPress

PS. I stole the emoji graphic from the great article on The Oral History of the Poop Emoji.