Issue #81
newsletter_banner-02___-05 (1)
MailPoet - Zeplin 2019-10-25 17-00-44

This week in WordPress

DreamHost leak exposes WordPress user data

Whew, where to begin this week. I guess we might as well get this out of the way. Forbes, TechRadar and other media outlets are reporting that a DreamHost mistake led to the leak of an 814 million-record database in April, exposing three years of DreamPress customer and user data.

Covering the story for Forbes, Thomas Brewster reports that cybersecurity researcher Jeremiah Fowler partnered with Website Planet to disclose the leak last week. According to Fowler, the records exposed admin and user information for DreamPress accounts for WordPress installations.

"🚨 The total size of the exposed data was 86.15 GB with 814,709,344 total records with a trove of #WordPress-related data on customers, etc." tweets HackRead.com, quoting from the security news site's report DreamHost hosting firm exposed almost a billion sensitive records.

Abigail Opiah reports for TechRadar that according to DreamHost, only 21 websites were affected, and the only party outside of DreamHost to see the data was a security researcher who worked with the web hosting firm to resolve the issue.

DreamHost's VP of Corporate Communications, Brett Dunst, acknowledged the leak in a post on the hosting company's blog, and says a data warehouse for logs and performance metrics used to test new DreamPress features was inadvertently made publicly viewable for about 12 hours due to an automated misconfiguration of a firewall rule.

WordPress 5.8 release candidate out now

Back to WordPress 5.8 news. The first release candidate is now available and if you can help test it, release coordinator and 10up Open Source Practice Manager, Jeffrey Paul, runs through how to do it. WordPress 5.8 is slated for release on July 20.

On the Make WordPress Core blog, Documentation Lead and freelance WordPress/PHP engineer, Milana Cap, shares Miscellaneous developer-focused changes in WordPress 5.8.

Also on the blog, Yoast-sponsored core contributor and WordPress Themes Team rep Ari Stathopoulos shares Block-styles loading enhancements in WordPress 5.8.

Meanwhile, at WPTavern, Justin Tadlock again deep dives into block patterns and how they will change everything, this time focusing on headers and footers.

Hi hello yes we do WP maintenance

Barrel Roll
For businesses that rely on WordPress.
Once upon a time, on a website on the Internet, something didn’t work. The poor visitor got frustrated and left, never to return again. Alas. We make this tragic tale happen less.

WordPress 5.8 to introduce theme.json, putting themes back in the hands of designers

In other WordPress 5.8 related news, the release will introduce theme.json. On the Make WordPress Core blog, Automattic-sponsored engineer André Maneiro explains it's "a new mechanism to configure the editor that enables a finer-grained control and introduces the first step in managing styles for future WordPress releases."

What does mean exactly? In Theme.json inspires, Extendify's Head of Design Tammie Lister describes theme.json as the "first major theme process change to core in years" that will "put themes back in the hands of designers." "Themes can get back to being just themes and that can only be good for WordPress because that's when they can be beautiful, inspirational and creative," Lister writes.

Meanwhile, Anne McCarthy, the program manager for the FSE outreach experiment, has put out an eighth call for FSE testing. This time, instead of a user-centric call for testing features from the UI, WPTavern's Justin Tadlock says the "new adventure" is all about testing theme.json files, with volunteers being asked to dive into code.

"Easily exploitable" security flaws found in ProfilePress plugin

ProfilePress is back in the spotlight this week after security company Wordfence shared details of "critical" and "easily exploitable" vulnerabilities in the freemium plugin. Threat analyst Chloe Chamberland says the flaws make it possible for an attacker to upload arbitrary files to a vulnerable server and register as an administrator on site even if user registration is disabled. She urges users to update to the latest patched version.

Wordfence Director of Marketing Kathy Zant tweets, "More great research by @infosecchloe. New functionality can always introduce new vulnerabilities. The team at ProfilePress fixed these quickly."

The news will be cold comfort for users of the plugin, formerly known as WP User Avatar. Developer Collins Agbonghama came under fire in May for acquiring the popular plugin and repurposing it as ProfilePress, virtually overnight, and without warning the plugin's 400,000 users.

As WPTavern's Justin Tadlock reported at the time, Agbonghama turned the simple avatar plugin into a full-fledged membership management plugin. Tadlock said people were using the WordPress.org review system "in the way it was meant to be used," leaving one-star reviews. At the time The Repository was sent to inboxes, ProfilePress has 330 one-star reviews.

Block-based widgets coming to WordPress 5.8

Annnd back to WordPress 5.8 again. Robert Anderson, an Automattic-sponsored JavaScript engineer, shares on the Make WordPress Core blog that there'll be a block-based widgets editor in WordPress 5.8.

Developer and Speckyboy writer Eric Karkovack says the WordPress widgets screen is joining the Gutenberg era. But Justin Tadlock writes in Diving Into WordPress 5.8"s New Widgets Screen for WPTavern that it feels like "a surface-level refresh of a dying system, one that does not always work."

Tadlock goes on to explain: "Block-based widgets are part of the transitional phase between classic WordPress and the future, which centers on a complete site editor. Once the bulk of themes are built atop blocks, the need for widgets will wane. The site editor and block themes do not support the old sidebar system. Instead, users will be able to place blocks anywhere."

WP Engine makes Local Pro free

WP Engine announced this week that Local Pro, the commercial upgrade for its local WordPress development product, is now free for all users, reports Sarah Gooding for WPTavern. Local has gained popularity in recent years due to how easy it makes setting up WordPress development and testing environments. It's currently used by more than 300,000 developers.

"The company may be in a better position to gain customers for its hosting products if they make Local completely free, as the tool was designed to seamlessly connect with WP Engine and Flywheel's hosting," writes Gooding.

The news comes after StudioPress announced in May that the Genesis Framework would be made available for free as part of an upcoming overhaul over the company's themes and marketplace. StudioPress Marketing Director at WP Engine, Chris Garrett, said the changes were aimed at providing more value to Pro Plus customers, improving the way third party theme providers/users were supported, and would allow the company to focus its product and engineering efforts on preparing the Genesis community for Full Site Editing.

StudioPress was originally founded by Brian Gardner in 2007, and acquired by WP Engine in 2018.

Want to make a 5x return on selling hosting as a recurring service to your customers? How dollie enables one company to sell a stable and reliable hosting platform

New customers signing up to your hosting products without your intervention is something that all WordPress agencies work tirelessly to achieve. One bespoke WordPress agency, Lumos Agency, made this a reality overnight by launching white labeled hosting through the dollie platform.

What did dollie give the agency? Automatic site creation, a customer dashboard, reliable backups, and a product they sell for 5 times its cost.
For the bespoke agency from Arizona, it wasn’t just about gaining new recurring revenue streams. It was about being able to keep customers happy with reliable backups, secure hosting, and a person to reach out to if they need help.

dollie’s simplicity sealed the deal. Everything needed to sell hosting is provided out of the box. To sweeten the pot, all of this is sold, billed, and managed directly through WooCommerce subscriptions inside his agency site.

Get the full story on our website. Are you and/or your customers tired of being let down by hosting companies? Learn about making your own today with a 30-day free trial

In other WordPress news...

  • BuddyPress 9.0 is scheduled for a short development cycle to ship block-based widgets ahead of WordPress 5.8, is Sarah Gooding's aptly titled headline at WPTavern. The release will be specifically targeted at getting BuddyPress core widgets ready for WordPress 5.8's new block widgets experience. BuddyPress 8.0 is slated for release on July 16.
  • WooCommerce Payments is now available for stores in the U.K., Ireland, Australia, New Zealand, and Canada, in addition to the U.S, shares Clara Lee, Director of Product Marketing (WooCommerce) at Automattic. WooCommerce launched the native WooCommerce Payments feature, powered by Stripe, for U.S. stores in May 2020. As Romain Dillet reminds TechCrunch readers, store owners previously had to use extensions to enable payments options on their websites, including those provided by Stripe, Amazon Pay, Square and PayPal, among others.
  • Helen Hou-Sandí, an OG WordPress lead developer, celebrated the 10th anniversary of her first reported ticket on Trac last week. In A Decade of Contributing to WordPress, she writes, "I have been fortunate to be a part of and grow with the WordPress community in the decade since. Not only have I grown from Web Engineer to Director of Open Source Initiatives at 10up, but also in that time, I’ve gone from being a first-time contributor to one of a handful of WordPress lead developers." Hou-Sandí is currently the Core Tech Lead for the WordPress 5.8 release.
  • The second instalment of WordFest Live is coming up on July 23. Similar to last year's successful virtual event, it will feature 48 sessions over 24 hours, including Q&As, talks, workshops, and opportunities to connect with other WordPress people. Big Orange Heart is the organisation behind the event. With the ever-growing number of remote workers, founder Dan Maby says the charity is seeing an increase in people from the global community openly acknowledging they are experiencing mental health issues linked to isolation. "Big Orange Heart recognizes the challenges, not only for those trying to run their own businesses but anyone working from home who encounters related activities that can contribute to the onset of mental ill-health," Maby says. Through in-person events, training, mentorship, support services and coaching, Big Orange Heart tackles these issues by employing four Health Hubs: Skills Health, Business Health, Physical Health, and Mental Health, all equally important to support a well-balanced member of the WordPress community. Registrations are now open for WordFest Live, and attendees are encouraged to donate to Big Orange Heart.
  • From the current state of the WordPress economy to the future of headless WordPress, innovation, ingenuity, and inspiration were on display at WP Engine's Summit/2021 event on June 24, shares WP Engine editor Riley Cullen. Cullen says it was the hosting company's most attended event to date, with thousands of attendees from around the world, and sessions covering everything from security and performance to agency growth and eCommerce integrations. All Summit/2021 sessions are now available to watch on-demand.
  • "It's been 3 weeks now since we wrapped #WordSesh 2021. It was an absolute blast, and now it's time to share some of the stats with everyone. Hope you enjoy these!," tweet the folks at WordSesh, kicking off a thread filled with stats. The three-day event, held from May 25-27, had 3,650 attendees and featured 29 speakers across 21 sessions, 6 in-depth workshops and 27 hours of new content. Surprisingly, 30% of attendees started using WordPress for the first time this year. "The data and infographic, and the fact that you're targeting new users is a big deal to sponsors (and potential sponsors ;-) ). Nice work! WordCamps should pay attention," tweets Impress.org partner and COO Matt Cromwell.
  • The Gatsby WP Themes project has launched a new marketplace for developers who are building WordPress-powered sites with Gatsby on the frontend, reports Sarah Gooding for WPTavern. Originally founded by Zac Gordon and Alexandra Spalato, the commercial venture is now primarily managed by Spalato and Paulina Hetman. The team's first project involved porting the Twenty Twenty default WordPress theme to a Gatsby WP Theme. They are now focused on creating commercial themes targeted at developers and agencies who can use them to save time when building clients' sites.
  • "What happened today at WPMRR? 👀 #WordPress peeps can join in here…" tweets WP Buffs founder and CEO Joe Howard, who launched a new WPMRR community this week ahead of the 2021 WPMRR Virtual Summit on September 21-23. The social media-style community site provides information on the upcoming summit, AMAs, opportunities to socialize (e.g. lounge and introductions) and get help (e.g. challenges and mental health), and threads for discussions about running a business.
  • Rounding off this issue, yes, there was some acquisition news this week. Aaron Edwards and Joshua Dailey, the co-founders behind Infinite Uploads, have acquired Big File Uploads (formerly Tuxedo Big File Uploads), a plugin created by developer Trevor Anderson that makes it easier to increase the max upload size on a WordPress installation. In an announcement on the Infinite Uploads blog, the team says Big File Uploads will remain a standalone plugin on the WordPress.org repository. While the plugin's interface has been updated to reflect its new owners' branding, there are no plans to make a premium or pro version of the plugin, and development will continue based on user feedback. "Big File Uploads just crossed 40,000+ active installs! When we pushed v2.0 just 48 hrs ago, we knew it was a winner, but we never expected such an amazing response. 🙃 Thank you to everyone that has tried it and given feedback," tweets the Infinite Uploads team.
MailPoet - Zeplin 2019-10-25 17-00-44

Not subscribed? Join the most conversational weekly email
in the WordPress community!