Issue #71
grey 2
yellow 1@2x
orange 2@2x

This week in WordPress

Core contributors take stock of proposed plan to block FLoC

WordPress core developers have resolved to track the status of Google’s FLoC origin trial and decide at a later date if action is needed after a plan to block the proposed replacement for third-party cookies lit up the Make WordPress Core blog this week.

Core contributor Carike (who takes her privacy seriously, we couldn’t track down her real name) published a proposal to treat FLoC like a security concern and push a patch in the next minor release of WordPress. She cites the Electronic Frontier Foundation’s post, Google’s FLoC is a terrible idea, adding, "WordPress powers approximately 41% of the web – and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with a few lines of code."
As Sarah Gooding reports for WPTavern in WordPress Contributors Propose Blocking FLoC in Core, the proposal miscategorized FLoC as a security concern, clouding the issue at hand. It also led to several online publications misreporting that "WordPress" had decided to block FLoC. WordPress co-founder Matt Mullenweg set the record straight on Twitter.
Peter Wilson, an Awesome Motive-sponsored core developer on the WordPress Security Team, says the group has agreed that treating FLoC as a security issue is "inappropriate."

So what is FLoC? As The Verge’s Dieter Bohn explains in Privacy and Ads in Chrome Are About to Become FLoCing Complicated, it’s a proposed browser standard that, in Google’s words, will enable "interest-based advertising on the web" without letting advertisers know your identity.

Software engineer Chris Wiegman and Gravity Forms CEO Carl Hancock are both vocal critics, with Carl tweeting, "WordPress should absolutely do this. The project should be taking an Apple-like stance on privacy when it comes to things like Google’s FLoC tracking."

During Wednesday’s Core Dev Chat on WordPress Slack, Aaron Jorbin, a core committer and Senior Director of Editorial Technology at Penske Media, cautioned a wait-and-see approach. He says WordPress is best off making a decision of "no action" for now.

"FLoC as of right now is in such a small trial that we as a project should continue to monitor it and try to encourage that the final implementation is one that is going to align with us a project, but as of now it doesn’t present any danger to individuals on the web and in fact has the potential to benefit many publishers," Aaron comments. As several people have also pointed out in the comments of the FLoC block proposal, blocking it in WordPress could potentially harm publishers whose main source of revenue is often advertising.

Three Google employees — Michael Kleber (the Chrome Tech Lead for the ads-related APIs), Sam Dutton (Developer Advocate at Google Chrome) and Rowan Merewood (Chrome DevRel for security, privacy, payments, and identity at Google) — also joined Wednesday’s Core Dev Chat, answering questions about how FLoC may be implemented.

The chat concluded with Helen Hou-Sandí, a WordPress lead developer and 10up's Director of Open Source Initiatives, saying she would set up a Trac ticket to track the status of the FLoC trial. She adds, "I have an opinion, but it’s not really relevant at this time, and I think more of us should be comfortable with that idea 🙂"

(Want to know if you’re being FLoCed? Find out with EFF's FLoC ID tool.)

Next steps outlined for merging Full Site Editing with WordPress 5.8

Okay, back to the other big news in WordPress this week. Gutenberg project Technical Project Manager Héctor Prieto has outlined next steps for merging the Gutenberg plugin with WordPress 5.8. He says work-in-progress features that are targeted for inclusion include block theme building, Theme blocks, template editing within the post editor, Widgets Editor and Block Widgets in the Customizer, Persistent List view in the post editor, duotone block supports, and a refactor of the Gallery block.

He adds that "Block themes might arguably represent one of the biggest core theme-building paradigm changes in the last decade. As such, a huge effort is being done to achieve a future-proof, evolvable foundation." Justin Tadlock at WPTavern expands on this in Themes Set Up for a Paradigm Shift, WordPress 5.8 Will Unleash Tools To Make It Happen.

Design and developer Anders Norén, who designed and helped develop the default Twenty Twenty theme, similarly explores what 2021 will mean for the future of WordPress themes in En ny era för WordPress-teman (translated from Swedish: A new era for WordPress themes) for WPSE.

Meanwhile, Anne McCarthy, who’s leading the Full Site Editing Outreach Program shares the Upcoming FSE Outreach Program Schedule. She also speaks to Nathan Wrigley on the WP Tavern Jukebox podcast about How Full Site Editing Will Impact WordPress.

WP Rocket has a new owner

group.ONE, the parent company of web services brand one.com, has acquired WP Media, the company behind WP Rocket and Imagify. In Big News: WP Media Is Joining group.ONE, co-founder and CEO Jean-Baptiste Marchand-Arvier says the entire WP Media team, including its co-founders, will stay together as an independent brand.

In this month’s WP Trends newsletter, Iain Poulson notes: "I’m super excited for the team and impressed by their stellar growth… I’m a little sad that another independent plugin company is getting swept up by a large host. Is this what plugin companies can expect when they reach a certain size?"

"Nice to see a French WP success story. WP Rocket’s been acquired by European company Group.One. Way to go crew! It’s so awesome to see non-US things going on with WordPress," tweets James Giroux, Gravity Forms’ Community Experience Manager.

In One.com owner snaps up WordPress experts WP Media, TechRadar’s Mayank Sharma says it’s group.ONE’s second acquisition of a WordPress-focused company following its purchase of Finnish web hosting company Zoner last year.

Security white paper reveals plugins and themes are behind 95% of vulnerabilities

More than 95% of WordPress-related security vulnerabilities originate from third-party code, according to Patchstack’s Security vulnerabilities of WordPress ecosystem in 2020 whitepaper.

According to the report, released this week, 582 unique vulnerabilities were identified in 2020. Twenty-two security issues were found in core, 82 in themes and 478 in plugins. Patchstack founder and CEO Oliver Slid says the vulnerabilities were found in plugins and themes that had a total active installation count of 70 million.

Shawn Hooper, Director of IT at Actionable, tweets, "Not a surprise that the majority of issues are from 3rd party extensions. The WP core security team does a great job at staying on top of issues."

In other security news, WPScan and Wordfence are warning anyone using the Kaswara Modern WPBakery Page Builder Addons Plugin to remove it immediately. Wordfence threat analyst Chloe Chamberland says hackers are actively exploiting a critical zero-day vulnerability in the plugin, which is estimated to be installed on around 10,000 websites.

According to WPScan, the plugin author has been "unresponsive" to both "Robin Goodfellow", who anonymously reported the issue, and Envato, whose marketplace CodeCanyon had been hosting the plugin, which has since been taken down.

Wordfence is also urging Redirection for Contact Form 7 users to update to the latest version after its Threat Intelligence team recently disclosed several vulnerabilities in the free plugin. The plugin has over 200,000 active installations.

Meanwhile, Widespread Attacks Continue Targeting Vulnerabilities in The Plus Addons for Elementor Pro, according to Wordfence threat analyst Ram Gall. He says the security company has blocked over 14 million attacks targeting privilege escalation vulnerabilities in The Plus Addons for Elementor Pro on over 75% of sites reporting attacks to the security company in the 10 days to April 19.

Lastly: iThemes has published part three of its WordPress Vulnerability Report for April 2021.

New ebook from Strattic: Your Comprehensive Guide to Static Headless WordPress

Brought to you by Strattic
We all adore WordPress for its ease of use. But even we can't deny that the effort of making WordPress fast, secure and reliable can be frustrating.

Static headless websites — the latest trend in modern web development — are effortlessly fast, highly secure and super scalable, all of which can be incredibly hard to achieve with classic WordPress. The exciting news is that the benefits of static and headless can be applied to WordPress too!
A promotional image displaying a copy of Strattic's Comprehensive Guide to Static Headless WordPress and a button to download now.
Since static headless WordPress is so new, there are a lot of questions about it. So we at Strattic put together an in-depth ebook that explains:
  • Why static headless websites are so powerful
  • Benefits and challenges of adopting static and headless technologies
  • Tools and solutions available for deploying static headless websites
  • Overview of the options available for deploying static headless WP
Download now: Your Comprehensive Guide to Static Headless WordPress.
yellow 2@2x

In other WordPress news...

  • Iain Poulson, who publishes WP Trends and runs Plugin Rank, shares his insights on how to find Opportunities in the WordPress Ecosystem with Jakob Greenfeld of Opportunities.so. While the ecosystem is crowded and becoming more professional, he suggests looking at how trends can be imported into WordPress, focusing on plugins and not themes, and creating a plugin that solves a problem you’re really passionate about or acquiring an existing plugin.
  • We are in a state of climate emergency, and creating a sustainable internet is just one action that we can and must take, Wholegrain Digital co-founder Vineeta Greenwood tells Wired’s Delle Chan. In Your website is killing the planet, Vineeta says one of the most effective ways to reduce a website’s carbon footprint is to switch to a green web host whose operations are powered by renewable energy, while limiting the number of images used on pages is another simple way to reduce emissions. The London-based WordPress agency has published a Website Carbon Calculator for estimating a website’s webpages’ carbon footprint.
  • The Jetpack team at Automattic has been quietly testing a new plugin called Jetpack Boost, which addresses website owners’ performance and SEO concerns, reports Sarah Gooding at WPTavern. It’s a separate plugin under the Jetpack brand and doesn’t require Jetpack core to work. Version 1.0 was released this week. Automattic engineer Nauris Pūķis, who worked on the project, tells WPTavern one of the reasons the plugin was created was to help users "get their web vitals up and make the web a better place." Google recently announced that Core Web Vitals will become ranking signals as of May 2021.
  • Support for Internet Explorer 11 will be officially removed in WordPress 5.8, according to Bluehost-sponsored core contributor Jonathan Desrosiers in his IE 11 Support Phase Out Plan on the Make WordPress Core blog. "Farewell, IE11 😎" tweets WordPress Core Team rep and Whodunit CTO Jb Audras.
orange 2@2x

Not subscribed? Join the most conversational weekly email
in the WordPress community!