Issue #83

This week in WordPress

Forced security update to patch WooCommerce vulnerability pushed to millions of websites

Automattic has pushed its second forced security update to users of its plugins via WordPress.org in just six weeks after an unspecified critical vulnerability in WooCommerce was disclosed on Tuesday.

Sarah Gooding reports for WPTavern that a security researcher disclosed the vulnerability in WooCommerce through Automattic's HackerOne security program. The vulnerability impacts versions 3.3 to 5.5 of WooCommerce, as well as version 2.5 to 5.5 of the WooCommerce Blocks feature plugin.

In a security announcement on the WooCommerce blog, WooCommerce Head of Engineering Beau Lebens says, "Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores."

In Critical SQL Injection Vulnerability Patched in WooCommerce, Wordfence Threat Analyst Ram Gall says the vulnerability allows unauthenticated attackers to access arbitrary data in an online store's database. In Unauthenticated SQL Injection Vulnerability Discovered in WooCommerce, Pagely Minister of Propaganda Jeff Matson adds, "We won't provide specific details, but we can say that the function wc_sanitize_taxonomy_name allowed the vulnerability to happen due to the use of nested urldecode functions." "We have not heard of any public exploits at this time, but out of an abundance of caution we are letting site owners know that they need to update to 5.5.1 thanks!," tweets WooCommerce.

Developers, agencies and web hosts took to Twitter this week to urge WooCommerce users to update if their sites hadn't already auto-updated. "I'm in WooCommerce update hell today, specifically due to many old clients who didn't want a maintenance contract back then, and are now wasting precious time discussing with me why I won't give them the rate I offered back then. Doh... 😇" tweets developer Anne Bovelett.

The security update has been rolled out to all vulnerable WooCommerce stores "even if automatic plugin updates are disabled within WooCommerce or Pagely," clarifies the team at Pagely on Twitter.

The forced security update comes after 78 patched versions of Jetpack were released in June via WordPress.org after a vulnerability was discovered in the plugin's carousel feature. At the time, the forced security update reignited debate about forcing updates on users who have auto-update disabled on their sites.

"Nothing makes store owners happier than discovering when they wake up that their site software was changed without their approval," tweets the team behind calmPress, a fork of WordPress.

Meanwhile, web development agency Callia Webb tweets, "I'm visiting all our clients' sites with WooCommerce to update Woo due to the security vulnerability and allowed myself to get distracted for a few minutes looking at the dogs who are looking for home on @ForeverHoundsUK. Just look at Olive…."

In other security news

Elsewhere, web host Pagely has published its WordPress Security Updates for June and premium plugin company iThemes has published part two of its WordPress Vulnerability Report for July.

WordPress 5.8 anticipated to ship on Tuesday

"Hey friends WP 5.8 Release Candidate 4 is available for testing! Props @desrosj & @jeffpaul for leading this release so smoothly💫" tweets WHODUNIT CTO and core contributor Jb Audras. He adds, "This is one of the last steps before 5.8 is released so if you find anything weird, please let us know!"

Co-Release Coordinator and 10up Open Source Practice Manager, Jeffrey Paul, says several changes have been made since the third release candidate was made available on July 14, including fixes for the block editor and media. WordPress 5.8 is slated for release on Tuesday.

At WPTavern, Justin Tadlock has published two in-depth articles focusing on two powerful new features of WordPress 5.8: Duotone Filters and the Query Loop block. And over on the Make WordPress Core blog, Automattic-sponsored core contributor Riad Benguella has published a guide to Miscellaneous block editor API additions in WordPress 5.8.

Hi hello yes we do WP maintenance

Barrel Roll
For businesses that rely on WordPress.
What’s better than a WordPress site that’s fast, secure, and up to date? A fast, secure, and updated WordPress website that you don’t have to maintain yourself. We’ve got this. Let's get started.

Google Search snippet for WordPress.org fixed to remove reference to WordPress.com

"Seems like maybe the SEO is not working correctly here....or is it? You decide…" tweeted Sandhills Development Director of Technology & Partner Chris Klosowski, who shared a problem with the way WordPress.org's "Download" page was appearing in Google's Search results snippets when searching for "WordPress." WordPress Executive Director Josepha Haden Chomphosy was quick to respond, tweeting "That doesn't look right to me. Let me do some digging."

WPTavern's Sarah Gooding writes the WordPress Meta team quickly put a solution in place to encourage Google to look somewhere else on the page for the main content. The Meta team also marked the hosting recommendations as exempt from being included in the Search result snippet. Gooding notes that Klosowski's tweet highlighted the "perennial tension that arises from the confusion between WordPress.com and WordPress.org." "The recommended hosting page has always been a contentious bit of real estate on WordPress.org but especially now that hosting companies are also prominently promoted on the Download page," she writes.

Full speaker lineup now available for next week's WordFest Live 2021 event

"Here we are! We've reached the end of our #WordFestLive speaker introductions marathon," tweets the team behind WordFest Live, announcing Castos Director of Podcaster Success Matt Medeiros, designer and developer Tracy Apps, Big Orange Heart founder Dan Maby, WP Buffs founder Joe Howard and Liquid Web VP of Product Chris Lema are among the 60+ people who will speak at WordFest Live 2021.

"Risin' and shinin'! Time to reply to a bunch of emails. Hoping to film my @aBigOrangeHeart Wordfest talk video today about building a WP plugin in public (kinda like this tweet, essentially)," tweets Newsletter Glue co-founder Lesley Sim, who is also on the speaker list.

The 24-hour virtual festival of inclusive events for remote workers, which is coming up on June 22 or 23 (depending on your timezone), will feature two stages (aka tracks at in-person conferences) with a mix of talks, panel discussions, workshops, lightning talks and wellness sessions.

Maby has been doing the rounds with WordPress media to promote the conference. "I had a very interesting chat about #wordfestlive with @danmaby. I learned a lot about how WordFest is being organized and how will it look when in person events will be back," tweets WP Owls, while Howard tweets, "New podcast epi out with @danmaby! We got to chat about @aBigOrangeHeart, WordFest and self care. Definitely worth a listen 👂🏼"

WordFest Live 2021 is free, with all donations going to mental health initiative Big Orange Heart and the well-being of the remote working community around the globe. "Of those registering for #WordFestLive 21% are choosing to give the optional $10 donation to @aBigOrangeHeart Thank you, this is up from 7% last time around 🧡" tweets Maby.

The Repository is a proud media sponsor of WordFest Live 2021.

Selling subscription WordPress products is a reality today

Building a one-time solution for your WordPress users or clients is all well and good — whether it be a full-blown website or a WordPress theme or plugin. However, there's a limit to how much you can achieve when your business revolves around that model.

When building things like websites, themes, or plugins for WordPress users, it's only natural to package them up the traditional way:
"I'll create the solution you need. You pay me $X for it."

But this one-and-done approach isn't really ideal for WordPress businesses in terms of sustainability or profitability, nor is it going to seem very attractive to prospective customers who discover there are more comprehensive done-for-you options out there.

So, how do we solve this problem? Answer: By turning your WordPress business into a valuable subscription solution.

You won't be the first to make this switch; countless other agencies and businesses have already started offering SaaS services. In fact, here at dollie, we completed some market research and found it's a very common business model. These businesses see SaaS as the future – and you should too!

In other WordPress news...

  • Google concluded its Federated Learning of Cohorts (FLoC) origin trial this week and will incorporate community feedback before advancing to further ecosystem testing, reports Sarah Gooding at WPTavern. The trial was part of Google's Privacy Sandbox initiative, a suite of new technologies designed to replace third-party cookies, fingerprinting, and other commonly-used tracking mechanisms. FLoC groups people together based on browsing habits and labels them using machine learning. As Gooding explains, discussion on a proposal for WordPress to block the controversial new technology has stalled in Trac, but may have been premature in the first place if it doesn't end up proceeding to further testing. She notes that proponents of blocking FLoC saw WordPress' support or opposition as critical to the success or failure of FLoC adoption on the web.
  • The team behind Edupack are "basically building the Jetpack for Higher Ed," CEO Blake Bertuccelli tells Justin Tadlock in Edupack Is Tackling Higher Ed With WordPress, Looking for Development Partners at WPTavern. The project launched in November 2020 and has around 20 institutions serving as development partners guiding its roadmap. Edupack offers several features to higher ed, including onboarding, archiving, reporting, branding and content management, and configuration management. Bertuccelli and his team are looking for more advisors to join the eighth round of their monthly braintrust events held via Zoom. The next event is scheduled for July 21, 10 am – 11 am (CDT) and will focus on the question "How can we enhance WordPress blocks for Higher Ed?"
  • Contributing to open source is better than any college degree, opines Justin Tadlock at WPTavern. "Last week, after writing a new plugin, I was reminded of the free education that the WordPress community has given me over the years," Tadlock writes. "Some of it has been reading documentation. Some from WordPress Stack Exchange answers. Other bits have been studying from those who came before me, building upon their open-source code. All of it was from other people giving something back to our community." "Great take," tweets WordPress co-founder Matt Mullenweg, whose own comments about contributing to open source sparked Tadlock to write the post. Meanwhile, WebDevStudios senior backend engineer Tom McFarlin had a different take, tweeting, "'Contributing to Open Source Is "Better Than Any College Degree"' <~~ this is a silly title for an article. - there are good points - there are points that are hasty generalizations."
  • "We're ready to ship the first book signed by the Upstairs Community contributors. It feels surreal to see that the stories we published last year are now part of a tiny physical object. WOW! Cheers to the entire squad at @pixelgrade! 👏" tweets Pixelgrade Chief People Officer Oana Filip. In 2020, Filip led the creation of Upstairs, a blog that celebrates the theme company's creative community. Upstairs had its first birthday on July 12.
  • WebOps platform Pantheon has raised $100 million from the SoftBank Vision Fund, reports Frederic Lardinois for TechCrunch. Pantheon was founded in 2010 as a WordPress and Drupal hosting service and with this round of funding has reached unicorn status, with a valuation of over $1 billion.
