Issue #47

This week in WordPress

Security update forced on 1+ million websites using Loginizer plugin

The WordPress Security Team took the rare step of pushing a forced security update to over a million sites this week after a dangerous vulnerability was discovered in the popular Loginizer plugin.

Security researcher Slavco Mihajloski disclosed the unauthenticated SQL injection vulnerability, and an XSS vulnerability, in the free plugin, which could have allowed hackers to take over WordPress sites.

Ironically, Loginizer offers WordPress security. The five-star rated free version provides brute force protection. Worryingly, as Slavco highlights in a detailed proof-of-concept on his blog, the plugin had been audited by security companies, including WPSec and Dewhurst Security.

WPTavern's Sarah Gooding reports Loginizer was acquired by Softaculous in July, so the company was able to automatically update WordPress installations with Loginizer installed that had been created using Softaculous. This effort, combined with the WordPress.org updates (89.1% of Loginizer active installations are now running the latest version of the plugin), has ensured a large portion of Loginizer's user base is now safe.

ZDNet security reporter Catalin Cimpanu reports there was a "public backlash" after the forced update, but WPTavern's observation that it "took some of the plugin's users by surprise" is a more accurate take on the situation. Several users in the WordPress Support Forums with auto-updates disabled have asked why their versions of Loginizer had been updated without their intervention, with one user noting it was "Quite strange."

"WordPress can forcibly push updates. As long as the process is robust then I'm all in favour," tweets security specialist Gavin Johnson-Lynn, while WebMatros owner Oliver Nielsen tweets "IMO, the forced security patching of the Loginizer plugin vulnerability is a great thing 👍🏼 Does no harm, and has **prevented** LOTS of harm."

Meanwhile, Strattic co-founder and CEO Miriam Schwab took the opportunity to spruik her product, tweeting: "I think WordPress made the right move by forcing sites to update Loginizer to patched version, even if it's controversial. Loginizer ironically adds extra security to WP login pages. Also, Strattic sites don't even have login pages that need securing…"


Block-based widgets also dropped from WordPress 5.6

The WordPress 5.6 release team has pulled the plug on block-based widgets, reports WPTavern's Justin Tadlock. Only a week ago, release lead and WordPress Executive Director, Josepha Haden, tweeted "There are still some known issues the team is diligently working on, but 'Yes, the block-based widget system will be ready for prime time when WordPress 5.6 lands'" in response to Justin's story "Are Block-Based Widgets Ready To Land in WordPress 5.6?" for WPTavern.

The call comes after the team recently dropped block-based navigation menus from the WordPress 5.6 feature list. Both block-based widgets and navigation menus were originally planned for WordPress 5.5.

As Justin explains, a new widgets admin screen has been in development since January 2019, which was not long after the initial launch of the block editor in WordPress 5.0. For now, the block-based widgets feature has been pushed to WordPress 5.7.

"I think the best feature of 5.6 is going to be that they didn't include half baked underdone features to meet an arbitrary deadline. It takes guts," comments WordPress developer Cameron Jones. "I'd rather have one new feature that works as opposed to 10 that don't. We are talking about shipping a release to millions of production sites after all," adds EggCup Web Design owner Ian Pegg.

In related news, WordPress 5.6 Beta 1 is now available for testing. The final release is on track for 8 December.

Google rival MakeStories launches new version of its web stories plugin

MakeStories has launched version 2.0 of its plugin for creating web stories with WordPress. WPTavern's Justin Tadlock says the latest version is like a new plugin launch. While the previous version simply allowed users to connect their sites to MakeStories, the new version lets users build and edit stories directly in the WordPress admin.

The plugin is a rival solution to Google's Web Stories for WordPress plugin, which this week caught Justin's attention after Google updated its content guidelines for the stories format. He says that if you're using the Web Stories for WordPress plugin, you better play by Google's rules.

In other WordPress news...
