There is a lot going on, and it is sometimes hard to follow every new thing that comes out, so we go through three major WordPress plugin news items.
WordPress releases new designs for its home page and download page
WordPress.org has a new look with a fresh, jazzy design that goes well with the updated News pages.
“The new homepage emphasizes the benefits and experience of using WordPress, as well as the community and resources to get started,” said Nicholas Garofalo, a member of the Automattic-funded WordPress marketing team.
“The new download page has a new design that makes it even easier to get started with WordPress by putting the download and hosting options right at the top.”
At the top of the Download page, there are now clear links for downloading and installing WordPress, as well as suggestions for how to set it up through a hosting provider. It also has links to resources that can help you get started, such as WordPress courses, developer resources, help, and user forums.
Even though the designs have gotten mostly good feedback, there were a few bumps in the road on the way to making them. When the Meta team posted an update about putting the designs into development less than three weeks after the design kickoff, some community members were upset by Matt Mullenweg’s comments about how fast the project was moving.
Mullenweg said about the plans to make a block theme for the new designs, “This is not a good use of time, and it doesn’t help us reach the real goals of a new homepage or download page. We have better ways to spend our development time.”
Mullenweg responded to the criticism on Twitter by saying, “Whether someone is a volunteer or paid, open source developers need to be able to debate and discuss our work in public, as we have since the beginning of wp-hackers, so that we can get the best result for users.”
Alex Shiels, an Automattic-sponsored contributor, defended the amount of time spent on the project and described some of the work that went on behind the scenes. Mullenweg said that turning the Figma designs into a theme should have taken far less time.
Mullenweg said, “On the ‘hours, not weeks’ to implement, it’s such a simple layout that it’s hard to imagine a single person needing more than a day on Squarespace, Wix, Webflow, or one of the WP page builders.”
“So, if we’re just making something look better, let’s make those changes quickly with the code we already have and move on to something more important. If you want to help WP itself, you need to do things in a completely different way.”
Some people read these comments as a referendum on how easy the block editor is to use. Shiels’s plan for developing the new theme included building custom blocks so that an MVP could be released, which led some to wonder whether the block editor was living up to its “dream it, build it” slogan.
“The core team has to change the core blocks for such a simple layout. What should regular users and developers expect after more than two years?” said Aleksandar Perisic, who works on WordPress.
Mike McAlister, a software engineer at WP Engine, said, “Dog-fooding is just as important as code-focused contributions right now. One lets the other know. I’ve been working on FSE for months, and no one seems to have tried to make a REAL site with it.”
In addition to giving WordPress.org a fresh coat of paint, the project has started a larger conversation about how hard it still is, even for the people who make WordPress, to make simple designs with the block editor.
A security audit of WordPress plugins finds dozens of flaws that affect 60,000 websites
A security researcher at Cyllective found flaws in dozens of WordPress plugins that could affect tens of thousands of installations.
Dave Miller, who is in charge of Cyllective’s penetration testing team, says that they began by testing randomly chosen plugins and quickly found a SQL injection vulnerability that didn’t require authentication.
They also found a number of local file inclusion and remote code execution (RCE) problems. But because these were found in plugins that had not been updated in more than two years, the team decided to focus on the roughly 5,000 plugins that had been updated in the last two years.
Exposed endpoints
The researcher used a system of tags to find plugins that showed interaction with the WordPress database, string interpolation in SQL-like strings, sanitization attempts, and exposed unauthenticated endpoints. He was especially interested in unauthenticated SQL injection vulnerabilities.
Miller says that after three months of research they had found a total of 35 vulnerabilities. All of them could be exploited by attackers without credentials, and together they affected about 60,500 WordPress installations.
“The vast majority of the vulnerabilities I reported were unauthenticated SQL injection vulnerabilities, which would have let an attacker dump the entire contents of the WordPress database,” Miller tells The Daily Swig. “However, these weren’t the most dangerous ones.”
“The sitemap-by-click5 plugin had a flaw that allowed arbitrary options to be changed without authentication. This would have let an attacker turn on the registration feature and set the default user role to that of an administrator.”
He says that this would effectively let an unauthenticated attacker create a new administrator account and take control of the WordPress instance. From there, the attacker could upload malicious PHP files and run code remotely on the server as a low-privileged user.
Looking for patterns
Miller says that the team’s tag strategy could be used to find flaws other than SQL injection vulnerabilities with a little more engineering.
“To be able to find them, new patterns would have to be made that take into account the details of the vulnerability class,” he says. “However, this method makes it hard or even impossible to find some classes of vulnerabilities.”
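The tag-based triage described in the two passages above, rendered as an added Python example; it is not Cyllective’s tooling, which the article does not show. It scans a constructed PHP fragment for the same signals (an unauthenticated AJAX hook, a database call built by string interpolation, an option name taken straight from the request, presence of a capability or nonce check) and only flags functions where an unauthenticated path meets one of the risky patterns. The function names, hook names and sample code are all invented.

```python
import re
# Constructed sample plugin fragment (invented, not from any real plugin):
# ng_lookup carries the signals the audit keyed on, ng_safe is the hardened form.
SAMPLE_PHP = r'''
add_action('wp_ajax_nopriv_ng_lookup', 'ng_lookup');
function ng_lookup() {
    $id = $_GET['id'];
    $rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}items WHERE id = $id");
    update_option($_POST['name'], $_POST['value']);
    wp_send_json($rows);
}
add_action('wp_ajax_ng_safe', 'ng_safe');
function ng_safe() {
    check_ajax_referer('ng_nonce');
    if (!current_user_can('manage_options')) { wp_die(); }
    $sql = $wpdb->prepare("SELECT * FROM {$wpdb->prefix}items WHERE id = %d", $_GET['id']);
    wp_send_json($wpdb->get_results($sql));
}
'''
DB_CALL = r'\$wpdb->(query|get_results|get_var|get_row|get_col)\('
TAGS = {  # body-level signals, one regex per tag
    "db_interaction": re.compile(DB_CALL),
    # DB call whose first argument is a double-quoted string embedding a variable other than {$wpdb->prefix}
    "sql_interpolation": re.compile(DB_CALL + r'\s*"[^"]*\$(?!wpdb->prefix)'),
    "sql_prepared": re.compile(r'\$wpdb->prepare\('),
    "dynamic_option": re.compile(r'update_option\(\s*\$'),  # option name from input
    "auth_check": re.compile(r'current_user_can\(|check_ajax_referer\(|wp_verify_nonce\('),
}
FUNC_RE = re.compile(r'function\s+(\w+)\s*\(.*?\n\}', re.S)
NOPRIV_RE = re.compile(r'wp_ajax_nopriv_\w+[\'"]\s*,\s*[\'"](\w+)[\'"]')
def tag_functions(php: str) -> dict[str, set[str]]:
    """Map each top-level PHP function to the set of tags found in it."""
    nopriv_callbacks = set(NOPRIV_RE.findall(php))
    tagged = {}
    for m in FUNC_RE.finditer(php):
        name, body = m.group(1), m.group(0)
        tags = {tag for tag, rx in TAGS.items() if rx.search(body)}
        if name in nopriv_callbacks:
            tags.add("unauth_endpoint")  # reachable by anonymous visitors
        tagged[name] = tags
    return tagged
def findings(php: str) -> dict[str, list[str]]:
    """Flag functions anonymous requests can reach (or that never check a capability or nonce) and that interpolate SQL or write a caller-chosen option."""
    out = {}
    for name, tags in tag_functions(php).items():
        reachable = "unauth_endpoint" in tags or "auth_check" not in tags
        reasons = [t for t in ("sql_interpolation", "dynamic_option") if t in tags]
        if reachable and reasons:
            out[name] = reasons
    return out
```

As the article notes, this kind of pattern matching only finds classes of bugs you have written a pattern for; the hits are candidates for manual review, not confirmed vulnerabilities.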
Miller says that the disclosure process went smoothly despite the number of vulnerabilities found, because the team reported each vulnerability as it was discovered, sometimes as many as four or five per day.
“WPScan, a WordPress security company, made sure that the researcher, the plugin author, and the WordPress plugin team all talked to each other at the right time,” he says.
He also says that the team is still going through more plugins and that more security holes are being found and shared in a responsible way.
“Security is the plugin developer’s job in the end,” a WordPress representative tells The Daily Swig. “The Plugin team encourages this as much as it can.”
“In order to do this, plugin authors can look at the guidelines before adding their plugins to the directory. These are the rules that all developers should follow. Also, they have a Plugin Handbook that tells them how to do things right when it comes to security.”
Newsletter Glue Closes Its Free Plugin on WordPress.org
The people who made Newsletter Glue took the free plugin off of WordPress.org so they could focus on the paid version. The plugin makes the publishing process easier for people who write newsletters and also post to their WordPress sites. It has blocks and patterns for use in subscriber forms and email templates. Five months ago, the plugin’s creators told users that they would shut down the free version and stop updating it on May 1. However, the process of getting rid of the free version didn’t start until today.
The plugin’s co-founder, Lesley Sim, announced on Twitter that it was going away and gave some good advice for WordPress product businesses that want to use WordPress.org as their main way to sell their products.
“We set up free vs. paid in a bunch of noob mistakes,” Sim said. “Which made the way the customer upgrade went a little strange. I think it would have been possible. We just didn’t set it up right, and there’s no point in fixing it.”
About 200 people were using the free Newsletter Glue plugin when it was shut down, which seems low for a commercial plugin that is growing. This is because when a user went from the free version to the pro version, the free version was uninstalled, so it never gave a good picture of how many people were using the product. Sim said that the number of free users of Newsletter Glue wasn’t growing and that it was “just sitting there like a dead tree stump.” It hadn’t been changed in more than a year.
“We stupidly set it up so that when a user upgrades, they install the pro version and the free version uninstalls itself,” Sim said. “So, as a ‘reward’ for new conversions, we lost free-to-use users.”
Because of how it was built, WordPress.org wasn’t bringing the product a lot of traffic or people who might want to upgrade.
“We didn’t have enough features a year ago to make good decisions about what to put in the free version and what to put in the pro version,” Sim said. “We used to have all of our integrations on the free plugin, but now we have some integrations that you have to pay for. I think this was a bad choice, and it led to our number of installs stopping right away. This could have been done the other way around, so I don’t think it was a big reason. But it was a sign that we should start thinking about removing the plugin from the repo since it wasn’t getting us any more traffic or installs.”
Even though Sim didn’t think WordPress.org was a good way to get people to buy the product, Sim said the decision to shut it down wasn’t an easy one.
“Here’s what we missed out on:” Sim said. “1) Biggest distribution channel in WP. 2) A simple way for reviewers to try out the plugin without having to get in touch with me. 3) Credibility source (reviews).”
Users who already have it can still use it, but it won’t get any more updates. Instead of a free plugin, Newsletter Glue gives users the chance to try it out on a demo site before buying it. The company took a unique path to becoming a commercial plugin that is distributed completely on its own.
“I hate with all my heart how the WP directory changes from free to paid users,” Sim said. “We had a pro plugin that worked on its own, so it was hard to upgrade. We’d get emails from people who were using the free version saying, ‘I just upgraded, but I don’t see any pro features on my site. What’s the matter?’ I also had some great customers who would pay for an upgrade but then keep using the free version for more than a year without realizing it.”
By putting all of their effort into promoting the paid version, the Newsletter Glue team no longer has to support customers migrating from the free version. The trade-off is less visibility on WordPress.org. It is a strategy that works for the business right now, but it might not work for other new products without strong marketing.
“I think the default choice should be to be on the [WordPress] repo, unless you have experience marketing a plugin from scratch and a good plan for going to market,” Sim said. “Just make sure that the business part of your plugin is set up right so that it makes sense.”