This week in WordPress

Security update forced on 1+ million websites using Loginizer plugin

The WordPress Security Team took the rare step of pushing a forced security update to over a million sites this week after a dangerous vulnerability was discovered in the popular Loginizer plugin.

Security researcher Slavco Mihajloski disclosed the unauthenticated SQL injection vulnerability, and an XSS vulnerability, in the free plugin, which could have allowed hackers to take over WordPress sites.

Ironically, Loginizer offers WordPress security. The five-star rated free version provides brute force protection. Worryingly, as Slavco highlights in a detailed proof-of-concept on his blog, the plugin had been audited by security companies, including WPSec and Dewhurst Security.

WPTavern's Sarah Gooding reports Loginizer was acquired by Softaculous in July, so the company was able to automatically update WordPress installations with Loginizer installed that had been created using Softaculous. This effort, combined with the WordPress.org updates (89.1% of Loginizer active installations are now running the latest version of the plugin) have ensured a large portion of Loginizer's user base is now safe.

ZDNet security reporter Catalin Cimpanu reports there was a "public backlash" after the forced update, but WPTavern's take that it "took some of the plugin's users by surprise" is a more accurate take on the situation. Several users in the WordPress Support Forums with auto-updates disabled have asked why their versions of Loginizer had been updated without their interventoin, with one user noting it was "Quite strange."

"WordPress can forcibly push updates. As long as the process is robust then I'm all in favour," tweets security specialist Gavin Johnson-Lynn, while WebMatros owner Oliver Nielsen tweets "IMO, the forced security patching of the Loginizer plugin vulnerability is a great thing 👍🏼 Does no harm, and has **prevented** LOTS of harm."

Meanwhile, Strattic co-founder and CEO Miriam Schwab took the opportunity to spruik her product, tweeting: "I think WordPress made the right move by forcing sites to update Loginizer to patched version, even if it's controversial. Loginizer ironically adds extra security to WP login pages. Also, Strattic sites don't even have login pages that need securing…"

Tip us off! 👀 Share your news tips with The Repository anonymously →

Block-based widgets also dropped from WordPress 5.6

The WordPress 5.6 release team has pulled the plug on block-based widgets, reports WPTavern's Justin Tadlock. Only a week ago, release lead and WordPress Executive Director, Josepha Haden, tweeted "There are still some known issues the team is diligently working on, but 'Yes, the block-based widget system will be ready for prime time when WordPress 5.6 lands" in response to Justin's story Are Block-Based Widgets Ready To Land in WordPress 5.6? for WPTavern.

The call comes after the team recently dropped block-based navigation menus from the WordPress 5.6 feature list. Both block-based widgets and navigation menus were originally planned for WordPress 5.5.

As Justin explains, a new widgets admin screen has been in development since January 2019, which was not long after the initial launch of the block editor in WordPress 5.0. For now, the block-based widgets feature has been pushed to WordPress 5.7.

"I think the best feature of 5.6 is going to be that they didn't include half baked underdone features to meet an arbitrary deadline. It takes guts," comments WordPress developer Cameron Jones. "I'd rather have one new feature that works as opposed to 10 that don't. We are talking about shipping a release to millions of production sites after all," adds EggCup Web Design owner Ian Pegg.

In related news, WordPress 5.6 Beta 1 is now available for testing. The final release is on track for release on 8 December.

Google rival MakeStories launches new version of its web stories plugin

MakeStories has launched version 2.0 of its plugin for creating web stories with WordPress. WPTavern's Justin Tadlock says the latest version is like a new plugin launch. While the previous version simply allowed users to connect their sites to MakeStories, the new version lets users build and edit stories directly in the WordPress admin.

The plugin is a rival solution to Google's Web Stories for WordPress plugin, which this week caught Justin's attention after Google updated its content guidelines for the stories format. He says that if you're using the Web Stories for WordPress plugin, you better play by Google's rules.

In other WordPress news...

– Past Twenty default WordPress themes are getting new block patterns, reports Justin Tadlock. Mel Choyce-Dwan, the Default Theme Design Lead for WordPress 5.6, opened 10 tickets about two months ago with the intention of bringing new block features to all of the 10 past default themes. "It is a lofty goal that could breathe some new life into old work from the previous decade," Justin says.
– Gutenberg 9.2 is out and it's the final release to make it into WordPress 5.6 Beta. New features in this version include support for video subtitles, the ability to transform multiple selected blocks into a Columns block, and background patterns in Cover blocks, writes WordPress 5.6 Editor Tech Lead Isabel Brison, who's an Automattic JavaScript Engineer.
– WPMU DEV is celebrating 1,000 editions of The WhiP, its puntastic newsletter, with a t-shirt giveaway. Fun fact: Rae Morey who writes The Repository (editor: hello!) started The WhiP back in 2014. It's great to see it still going strong! "I've enjoyed the @wpmudev techie puns since the beginning of the newsletter. 'You had me at "hello world"' is certainly my favorite of the T-shirt bunch. #WhiP1000" tweets Doug Smith, co-founder of Simply Charlotte Mason.
– Meanwhile, Sarah Gooding writes that WooCommerce is testing a new Instagram shopping checkout feature for its Facebook for WooCommerce plugin. The free extension is used on more than 900,000 websites and will provide the bridge for store owners who want to take advantage of Instagram's market during a time when the pandemic has heavily skewed consumer behavior towards online shopping.
– Awesome Motive has acquired popular web push notification platform PushEngage and its entire team, including founder Ravi Trivedi. Awesome Motive founder and CEO Syed Balkhi says over 10,000+ customers in 150+ countries use the platform to reliably send over 9 billion notifications each month.

Not subscribed? Join the most conversational weekly email
in the WordPress community!

SUBSCRIBE →

SHARE THIS ISSUE IN A TWEET →

Unsubscribe | Manage subscription

A weekly newsletter for the WordPress community by Words by Birds and MailPoet.
Thanks to Laura Nelson who proofreads each issue and the friendly folks at Kinsta, our awesome web hosting sponsor.