To follow up with the React re-licensing, many folks also asked "what about GraphQL". . .well, here we have it! — Jason Bahl
Today we're relicensing the GraphQL specification under the Open Web Foundation Agreement (OWFa) v1.0. We think the OWFa is a great fit for GraphQL because it's designed for collaborative open standards and supported by other well-known companies. The OWFa allows GraphQL to be implemented under a royalty-free basis, and allows other organizations to contribute to the project on reasonable terms. Additionally, our reference implementation GraphQL.js and client-side framework Relay will be relicensed under the MIT license, following the React open source ecosystem's recent change. The GraphQL specification and our open source software around GraphQL have different licenses because the open source projects' license only covers the specific open source projects while the OWFa is meant to cover implementations of the GraphQL specification.
I want to thank everyone for their patience as we worked to arrive at this change. We hope that GraphQL adopting the Open Web Foundation Agreement, and GraphQL.js and Relay adopting the MIT license, will lead to more companies using and improving GraphQL, and pave the way for GraphQL to become a true standard across the web.
(Also published on Medium.)
A post written by the Yoast team with their viewpoints on how the WordPress JS framework debate affects plugins.
In the upcoming weeks, WordPress will choose a UI rendering framework. I’ve heard many claims plugin / theme developers will still be able to use whatever they like, regardless of what WordPress chooses. I think we shouldn’t count on that, nor should we focus on providing interoperability at this point. Instead we should focus first on providing simple, reliable and flexible ways to extend the interface. Let’s make sure plugins can integrate well in the first place. We’re putting the frontend in charge of rendering
Not strictly WordPress related, but something every developer needs to keep in mind: "Engineers are paid to solve problems that increase revenue, decrease costs, increase customer satisfaction, decrease churn."
The most productive engineers I’ve ever worked with aren’t the engineers who pull all-nighters or clock in 80 hour work weeks. Nor are they the engineers who can effortlessly craft an elegant five lines of x86 assembly to succinctly and efficiently solve a problem. They are the engineers who always seem to be solving the right problem in the first place. If the mythical 10x engineer really does exist, it’s the engineer who is 10 times more likely to solve the right problem.
While we might always set out with the best of intentions to solve the right problem as engineers, there are many mistakes we can make that will send us in the wrong direction.
What solving the wrong problem looks like
Imagine you’re working for Silicon Valley’s newest, hottest unicorn start up. Your job is to build the best new to-do product since man first put pen to paper and the bullet point list emerged. The great visionary of the company, the VP of Product, walks up to you and tells you that it’s time. You’re going to build the killer new feature: notifications on your phone to remind you to tackle a task on your to-do list.
The idea comes to you straight away. “Let’s
Greg Schoppe explains why a HTML Comments structure (like used in the new Gutenberg editor) may not be the best approach.
I’ve been getting a lot of traffic recently, due to my detailed critiques of some of the choices being made by the developers of WordPress’s new Gutenberg editor. One point I keep mentioning is the problem with storing post structure as HTML comments. It’s been brought to my attention that I often gloss over this issue with a general dismissal, without detailing why I am so dead set against it. To me, a lot of these issues seem obvious, but to others they might not. I’ve got a unique blend of formal Computer Science training and in-the-trenches work on both Enterprise and OSS projects, that may lend a different viewpoint than most. To that end, I wanted to put out a hyper-focused post, to explain all of the issues I see with the new WP Post Grammar structure.
This one is a relatively basic issue. WP Post Grammar is new, and while it is a formal grammar, it hasn’t undergone real-world testing beyond what is supported by the currently limited API. As soon as Gutenberg is released, people will start abusing it in ways the core team hasn’t expected. With bespoke systems like wpautop and shortcodes, this kind of abuse lead to exposing serious
I like these slides for a talk by Joe Howard on how to build a network within the WordPress community. A lot of practical takeaways in there.
Hey, WordCamp Pittsburgh! Below are the slides for my talk. Please don’t hesitate to give them a share
And, here we have yet another plugin pulled because of malicious code. Is this considered a crisis yet?
I am the original author of SI CAPTCHA for WordPress. This plugin had a new owner in June 2017 with a WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts. The new owner put spam code in versions 3.0.1 and 3.0.2 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated, it would not have corrupted your posts or changed anything in the WordPress database.
I am sorry for any inconvenience this has caused. I never expected that this would happen. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted
Matt happy that Facebook took notice and action after Matt said WP wouldn't use React.
I am surprised and excited to see the news that Facebook is going to drop the patent clause that I wrote about last week. They’ve announced that with React 16 the license will just be regular MIT with no patent addition. I applaud Facebook for making this move, and I hope that patent clause use is re-examined across all their open source projects. Our decision to move away from React, based on their previous stance, has sparked a lot of interesting discussions in the WordPress world. Particularly with Gutenberg there may be an approach that allows developers to write Gutenberg blocks (Gutenblocks) in the library of their choice including Preact, Polymer, or Vue, and now React could be an officially-supported option as well.
I want to say thank you to everyone who participated in the discussion thus far, I really appreciate it. The vigorous debate and discussion in the comments here and on Hacker News and Reddit was great for the passion people brought and the opportunity to learn about so many different points of view; it was even better that Facebook was listening.
More widget goodness is coming to WP 4.9 - specifically a gallery widget. There's a lot of different gallery plugins so it's nice to see this being integrated into core now.
In the last major release we introduced Media Widgets for Images, Video, and Audio. Per that dev note: WordPress 4.8 includes media widgets (#32417) for not only images (#39993) but also video (#39994) and audio (#39995), on top of an extensible base for introducing additional media widgets in the future, such as for galleries and playlists.
Now in the upcoming 4.9 release this Gallery widget (#41914) has just landed in trunk in . Just as users can add galleries to their post content they too can add galleries to their sidebars. The media widgets are being developed with Gutenberg in mind, as widgets are essentially proto-blocks. Gutenberg has ported the Categories and Recent Posts widgets as dynamic blocks so that users can add to their posts what was formerly restricted to sidebars. In the same way, the media widgets are allowing for content that was formerly restricted to post content to also be available for addition to widget areas. As Gutenberg matures, widgets are planned to eventually transition over to use blocks, and the widgets for images, video, audio, and galleries will be able to be migrated over at that time. In the mean time, the user should not have to know there
B.J. Keeton goes through Freemius' highlights as he sees them so you can make an educated decision about whether or not it is worth integrating into your WordPress plugin or theme.
Freemius may sound like a background character from Game of Thrones, but alas. Freemius is a WordPress plugin service with a really neat concept: you can sell your plugins and themes through the WordPress dashboard instead of using an external marketplace. You can also collect data about usage, activation, and deactivation that may help development decisions. Give Me Freemium or Give Me Death
It’s should not be surprising that Freemius is aimed at–drumroll, please–freemium apps. (Get it? Freemius…freemium? Hilarious.) Freemium is the catch-all for those apps that have a somehow-limited demo that you get for free and are prompted to upgrade to unlock its full potential.
Freemius’s whole shtick is that it offers free and freemium developers a toolset that not only gives them data on users’ activation and deactivation habits, and software usage and versions, but also has an integrated sales component within the plugin itself.
It’s a pretty neat concept, but does it work? And as a plugin or theme developer, is it worth the integration?
That depends. But I’ll do my best to go through the highlights as I see them so you can make an educated
A really great WordCamp recap post. WordCamp organizers should have a platform to publish these somehow and make them official.
This weekend, WordCamp Nijmegen happened. While having been my eleventh WordCamp in total, and my eighth time as a speaker, it was the first ever city-based WordCamp in the Netherlands. And it was awesome! Thursday: The Day Before
WordCamps usually start quite early in the morning. Since not all attendees of a WordCamp live in the according city, a lot of them—me included—oftentimes schedule their arrival on the day before the first WordCamp day. These days before are a good opportunity to grab dinner and a beer together, and start boost your community adrenaline.
This time, however, I could leave only pretty late in the day. When I finally made it to my hotel, I was too tired—and I nevertheless had to work on my slides anyway. So no pre-event for me this time.
Luckily, this was not the case for everyone, so there did happen some inofficial get-togethers.
Friday: Contributor Day
WordCamp Nijmegen started with a contributor day, and also with a great amount of first-time contributors.
As every so often, I started contributing by looking through my open tickets on Trac. There was one ticket catching my attention that also has a patch since day one—which
In this post we’ve shown you the best tools to track your WordPress site uptime and downtime easily to ensure that it is working regularly.
There is no denying the fact that WordPress is an amazing CMS that lets you create even more amazing websites to help you materialize your online presence. With the amount of ease of operation offered, WordPress is a dream come true for all the non-technical website owners because they have been empowered to take care of things on their own with the least help from professionals.
However, there are still certain aspects that need to be analyzed and monitored so that your website performs well throughout its span of operation. This would require an understanding of some technical elements that determine the success of your WordPress site i.e. your site’s “Uptime” and “Downtime”.
Let’s dig deeper to understand more about these crucial factors.
The choice of your web hosting service will largely determine the uptime of your website.
For people new to this concept, Uptime is the duration of time when the website is operational, up and running without any or least instances of the website going offline.
Most of the web hosting service providers ensure 99% uptime for their websites. If your website is capable of portraying maximum uptime,
Post on WP Tavern which covers the recent news that Facebook will re-license React . The Gutenberg devs and Automattic probably are extremely happy about this, though it seems the WP community rather prefers Vue.js for core. :-)
Facebook has announced its intentions to re-license React, Jest, Flow, and Immutable.js under the MIT license. React community members began rallying around a petition to re-license React after the Apache Software Foundation (ASF) added Facebook’s BSD+Patents license to its Category X list of disallowed licenses for Apache PMC members. Facebook’s engineering directors officially denied the request in mid-August, citing the burden of meritless patent litigation as the reason for keeping the patents clause. Facebook moved forward on this decision in full recognition that it might lose some React community members as a consequence. Many open source project maintainers began to look for alternatives. In a surprising move, Matt Mullenweg announced that WordPress would also be parting ways with React and planned to remove it from the upcoming Gutenberg editor.
Mullenweg’s decision to drop React from consideration for WordPress was likely an influential factor in Facebook’s eventual about-face on the topic of re-licensing the project. Facebook’s announcement on Friday acknowledges that the company failed to convince the open source community of the benefits of
Holly Molly! React is back in the business. WordPress did that? Not sure! It's 3 AM and I am super excited about this! What about you!
Next week, we are going to relicense our open source projects React, Jest, Flow, and Immutable.js under the MIT license. We're relicensing these projects because React is the foundation of a broad ecosystem of open source software for the web, and we don't want to hold back forward progress for nontechnical reasons. This decision comes after several weeks of disappointment and uncertainty for our community. Although we still believe our BSD + Patents license provides some benefits to users of our projects, we acknowledge that we failed to decisively convince this community.
In the wake of uncertainty about our license, we know that many teams went through the process of selecting an alternative library to React. We're sorry for the churn. We don't expect to win these teams back by making this change, but we do want to leave the door open. Friendly cooperation and competition in this space pushes us all forward, and we want to participate fully.
This shift naturally raises questions about the rest of Facebook's open source projects. Many of our popular projects will keep the BSD + Patents license for now. We're evaluating those projects' licenses too, but each project is different and
A non-technical tutorial on how to build a WordPress Multilingual Site quick and easy with TranslatePress WordPress Plugin.
Reaching an international audience or a diverse community that speaks multiple languages is now available to almost any type of business and can have a positive impact on your website traffic and revenue. The first step required is to add multilingual functionality. “I Increased My Search Traffic by 47% from Translating My Blog into 82 Languages” – Neil Patel
It’s also worth mentioning that there’s been an increase in websites translated in more languages, in the last period of time. Build With comes with an interesting graphic explaining the Multilingual trends.
Businesses that should have a multilingual site
Firstly, let’s make a short roundup of some international businesses that would need a multilingual site:
Tourism agencies & Hotels
Companies that are doing or extending their business on international markets
Companies active in a country with more than one language, such as Canada (English, French)
Types of translation available
As my colleague explained some time ago, “WordPress in more languages can be anything between a slight annoyance to a real problem that can stop your project halfway”. The WordPress platform still doesn’t
BLOG POST: My brain dump at 4 AM about everything React under MIT License and why I am supporting it.
Facebook just announced that they are relicensing React under MIT license and I think this is huge for so many reasons. “Next week, we are going to relicense our open source projects React, Jest, Flow, and Immutable.js under the MIT license. We’re relicensing these projects because React is the foundation of a broad ecosystem of open source software for the web, and we don’t want to hold back forward progress for nontechnical reasons.
This decision comes after several weeks of disappointment and uncertainty for our community. Although we still believe our BSD + Patents license provides some benefits to users of our projects, we acknowledge that we failed to decisively convince this community.
In the wake of uncertainty about our license, we know that many teams went through the process of selecting an alternative library to React. We’re sorry for the churn. We don’t expect to win these teams back by making this change, but we do want to leave the door open. Friendly cooperation and competition in this space pushes us all forward, and we want to participate fully.
This shift naturally raises questions about the rest of Facebook’s open source projects.
I'm leaving the freelance life and going full time with a WordPress product. Follow along and keep me accountable :)
If not now, then when? Today is the day I start working full time on my own product!
90 days until Christmas
What are you doing to make the most of the time left?
I'm going full time at @WPDispensary starting today
— Robert DeVore (@deviorobert) September 26, 2017
I’m officially taking the dive to start putting 100% of my waking efforts into the WP Dispensary menu management plugin.
For those of you who may not be aware of WP Dispensary yet, its a WordPress marijuana menu plugin I built back in November 2015.
When I first built it, it was just an idea with not much behind it. I actually cringe looking back at version 1.0 of the plugin.
BUTTTTTTTTT …. in the last two years I’ve built an accompanying theme for it, a couple of free add-on’s and 6 commercial extensions, and pushed over a dozen new updates to the WP Dispensary plugin itself.
It’s come a long way since it’s humble beginnings as a side project that had no real direction in the beginning.
In the beginning of 2017, I made it a point to begin to do less, better.
This is just the next step in that process.
Taking the plunge
To be completely honest, I’m scared as fuck to be betting
The search for a JS framework for WordPress continues. Sarah Gooding reports on discussions regarding a JS framework neutral option that would allow developers to use the framework of their choice.
“I’m really not joking when I say that this decision doesn’t matter, even for people contributing to Gutenberg,” Pendergast said. “In #2463, the library is treated entirely as a utility library, much like we use lodash, for example. It performs a handful of tasks, and it can be relatively easily pulled out and replaced with something entirely different, with no
Once again, another plugin has been purchased from the original owner, and the new owner has dropped malicious code into it. The plugin has been pulled from the repo, but as usual, if you are using this plugin, you won't be notified that it is f*#ked up! Hope you see this and delete it if you use it.
I am the original author of Fast Secure Contact Form. This plugin had a new owner in June 2017 with a WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts. The new owner put spam code in versions 4.0.52 4.0.53 4.0.54 and 4.0.55 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated, it would not have corrupted your posts or changed anything in the WordPress database. I am sorry for any inconvenience this has caused. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted out. Perhaps a new version
I did some digging during the weekend to see if a setup with WordPress and Apache is vulnerable to the Optionsbleed vulnerability
During the weekend our CTO Jonas Lejon has been doing some research into the most recent Apache vulnerability named Optionsbleed. The Optionsbleed vulnerability is a bug in the Apache webserver and makes it possible for an attacker to read remote webserver memory such as session cookies, password etc. The Apache is a very common webserver according to w3techs:
Apache is used by 48.9% of all the websites whose web server we know
In our lab we set up a Apache webserver, installed WordPress and added the following line to .htaccess:
<Limit GET POST PUT REQUEST WPSCANS MPUT OKASDOAKSDOKASDIJ 12U1UH2OIEJ12OPEJOI IDJAIOSDJIOjd>
Allow from all
The above lines would probably trigger the vulnerability since the Limit-line contains some spelling errors.
With the following command line I was monitoring the Allow-header output to see if it returned something odd:
while true; do curl -sI -X OPTIONS http://hostname.dev/readme.html|grep "Allow:";sleep 0.1; done
Then I started to do different Admin-related tasks such as login, logout and uploading. And sometimes I would se different data showing up in the curl-request such as:
Allow: GET,HEAD,POST,,sync-upload.php HTTP/1.1,HEAD,OPTIONS,,HEAD
Ionut tells the whole story of how the company retreats started, why they're doing them, what they're doing during the retreat, what the value is, and more.
Welcome to the 31st edition of the monthly transparency report (for August 2017). This series is all about sharing what’s been going on in the company from an organizational and business point of view. Click here to see the previous reports. I want to touch upon a lot of things in this report, so here’s a quick TOC just to keep things organized (and in case you’re not interested in all of it, which is fine):
1. On being transparent | 2. Why you need company retreats | 3. Working from home and the problems with it | 4. The value in vacation days for all team members | 5. How we’re improving team management and performance | 6. Auto-renewals and how they’ve been working for us | 7. Conferences coming up – let’s meet!
Overall, we experiment quite a lot as an organization. We try to learn from other business in the same niche and outside of it, and then fit new methods and approaches into our own workflows, mission, etc. Sometimes, this leads to reinventing the wheel (unfortunately), but, other times, it leads to innovation and making our work a lot easier and effective on a daily basis.
Below, I want to share a couple of such things that we tried
A security release but also containing 6 maintenance fixes. Get your upgrade a-going people!
WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.8.1 and earlier are affected by these security issues:
$wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco
A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the
A new core gallery widget is planned to ship with WordPress 4.9.
The Core Media Widgets feature plugin introduced a gallery widget in the 0.2.0 release this week. WordPress 4.8 added the new audio, image, and video widgets from this feature plugin. The gallery widget is targeted for merge into the upcoming WordPress 4.9 release. In testing the new feature I found it to be a simple, straightforward implementation of a gallery widget that could easily replace many plugins that are currently filling this need for users. The option to edit or replace a gallery is immediately available and users can easily rearrange or randomize the images included.
On the frontend the gallery displays neatly in a thumbnail grid. I was able to change the number of columns while editing the gallery, but the preview in the admin did not match the the way the gallery looks on the frontend. The number of columns is correct on the frontend but not in the admin preview. This might cause some confusion for users if it isn’t fixed before landing in core. Contributors to the plugin are looking at this issue.
Overall, the implementation is user-friendly and similar to adding galleries in posts and pages. However, the widget could still use some testing, especially with different
Evan You shares couple of reasons why Vue.js could be a good fit for the WordPress core.
After last week’s news that WordPress is abandoning React due to its unfavorable patents clause, the discussion regarding the selection of a new framework is heating up again. As Vue is once again among the leading contenders, I reached out to Vue.js creator Evan You to get his perspective on the possibility of WordPress adopting the framework. “Yes, I had a conversation with the WordPress team mostly answering questions they had about Vue,” You said. “The discussion happened before Matt’s announcement of moving away from React. It was mostly intended for filling the team in with the state of Vue and there was no particular conclusion made from it.
“To be honest, I got the feeling that the team had already decided to go with React and simply wanted to explore other options before they make the final call. I was a bit surprised by Matt’s post, but also understand the concerns behind that decision. I think React is a technically sound choice, and the whole patent issue is unfortunate.”
Vue is back in the mix alongside Preact.js and other libraries WordPress core contributors are considering adopting. You has been active in the comments on
Matt Mullenweg announces that they are dropping development with React.
Big companies like to bury unpleasant news on Fridays: A few weeks ago, Facebook announced they have decided to dig in on their patent clause addition to the React license, even after Apache had said it’s no longer allowed for Apache.org projects. In their words, removing the patent clause would "increase the amount of time and money we have to spend fighting meritless lawsuits." I'm not judging Facebook or saying they're wrong, it's not my place. They have decided it's right for them — it's their work and they can decide to license it however they wish. I appreciate that they've made their intentions going forward clear.
A few years ago, Automattic used React as the basis for the ground-up rewrite of WordPress.com we called Calypso, I believe it's one of the larger React-based open source projects. As our general counsel wrote, we made the decision that we'd never run into the patent issue. That is still true today as it was then, and overall, we’ve been really happy with React. More recently, the WordPress community started to use React for Gutenberg, the largest core project we've taken on in many years. People's experience with React and the size of the