December 30, 2015

WordPress 4.5: What’s on your Wishlist?

A few weeks ago, I put out an initial call for volunteers for 4.5.

In the spirit of the much-commented @wonderboymusic 4.4 Wishlist post, I’d like to extend the call a bit more.

  • What are you most interested in seeing in WordPress 4.5 — big, or small?
  • What are your or your users’ biggest pain points?
  • What do you see as the most important UX or performance low-hanging fruit to be solved?

Look forward to hearing from you in the comments!

The WordPress 4.5 kickoff chat will be next Wednesday, January 6, 2016 16:00 UTC-5.



WordPress 4.5: What’s on your Wishlist? by Mike Schroder was originally posted at https://make.wordpress.org/core/2015/12/30/wordpress-4-5-whats-on-your-wishlist/

December 27, 2015

Have You Seen This List of Resources for Facebook Business Users?

New to Facebook advertising? Here's an awesome list of resources to get you up to speed. http://smallbiztrends.com/2015/12/facebook-business-resources.html

You are likely using Facebook to improve your company's social media presence. And from time to time, there may be more than a few questions about what's available to you or how to use certain features. Luckily, Facebook has published plenty of guides to help. Here's a repository of those resources.

Originally posted at The WP Guy - WordPress Web Design

December 21, 2015

Video: How to Improve the WordPress Distraction Free Writing Mode



WPBeginner - WordPress Tutorials originally appeared at http://www.youtube.com/watch?v=GHLsqCNMOwc

December 18, 2015

How Small Businesses Are Using YouTube to Find Customers

More and more businesses are now using YouTube to reach new customers. http://smallbiztrends.com/2015/12/small-businesses-using-youtube.html

One way small businesses using YouTube are finding customers is through creating how-to videos. Another way is using compelling video ads.

Originally posted at The WP Guy - WordPress Web Design

December 14, 2015

WP REST API: OAuth Plugin Security Update

Hi everyone. This is a quick update on the OAuth 1.0a Server plugin, available on GitHub.

Versions of the OAuth plugin prior to this commit contain a security issue during the authorization flow, regarding signature and nonce checks. Due to the OAuth architecture, it is highly unlikely this can be used to compromise a site or client application; however, due to an abundance of caution, we recommend all users update to 0.2.1 immediately. (Pull the latest changes from master.)

Thanks to @bradyvercher for responsible disclosure of this issue via HackerOne.



WP REST API: OAuth Plugin Security Update by Ryan McCue was originally posted at https://make.wordpress.org/core/2015/12/15/wp-rest-api-oauth-plugin-security-update/
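For readers unfamiliar with what "signature and nonce checks" cover in OAuth 1.0a, here is an added example (not the plugin's code, and not a reconstruction of the reported issue) of the server-side verification RFC 5849 describes for HMAC-SHA1 requests. The class name, reason strings, skew window and sample values are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

MAX_SKEW = 300  # assumed policy: timestamps within 5 minutes of server time

def pct(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def sign(method, base_uri, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the signature base string; base_uri has no query string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(base_uri), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

class RequestVerifier:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.seen = {}  # (consumer key, token, timestamp, nonce) -> expiry

    def check(self, method, base_uri, params, consumer_secret, token_secret=""):
        """Return (accepted, reason) for one signed request in the flow."""
        needed = ("oauth_consumer_key", "oauth_nonce", "oauth_timestamp", "oauth_signature")
        if any(not params.get(name) for name in needed):
            return False, "missing_parameter"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported_signature_method"
        try:
            timestamp = int(params["oauth_timestamp"])
        except ValueError:
            return False, "bad_timestamp"
        now = self.clock()
        if abs(now - timestamp) > MAX_SKEW:
            return False, "stale_timestamp"
        expected = sign(method, base_uri, params, consumer_secret, token_secret).encode()
        # Constant-time comparison; a plain == leaks how many bytes matched.
        if not hmac.compare_digest(expected, str(params["oauth_signature"]).encode()):
            return False, "bad_signature"
        # Record the nonce only after the signature verified, so unsigned
        # traffic can neither fill the cache nor burn a client's nonces.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        key = (params["oauth_consumer_key"], params.get("oauth_token", ""),
               timestamp, params["oauth_nonce"])
        if key in self.seen:
            return False, "nonce_reused"
        self.seen[key] = timestamp + 2 * MAX_SKEW
        return True, "ok"

def demo():
    """Constructed request: accepted once, rejected when replayed."""
    p = {"oauth_consumer_key": "ck-constructed", "oauth_nonce": "n1",
         "oauth_timestamp": "1450000000", "oauth_signature_method": "HMAC-SHA1"}
    uri = "https://site.example/oauth1/request"  # constructed URL
    p["oauth_signature"] = sign("POST", uri, p, "cs-constructed")
    v = RequestVerifier(clock=lambda: 1450000000)
    return [v.check("POST", uri, p, "cs-constructed") for _ in range(2)]
```

A production server would keep the nonce store in shared storage rather than in process memory, so that every web worker sees the same replay history.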

Video: How to Make a Resumé Website in WordPress



WPBeginner - WordPress Tutorials originally appeared at http://www.youtube.com/watch?v=R6Kdw-0BEaQ

December 13, 2015

If you want to prepare for next year's hottest new website technology, dig into…

More on Accelerated Mobile Pages. #AMP

If you want to prepare for next year's hottest new website technology, dig into Accelerated Mobile Pages (AMP) when you have a moment. These videos are… - John Mueller - Google+

Originally posted at The WP Guy - WordPress Web Design

Google search ranking reshuffle may be imminent for mobile content

Google is set to prioritize AMP-optimized pages and sites in mobile search results as early as February 2016. Is your website AMP'ed? http://enterpriseinnovation.net/article/google-search-ranking-reshuffle-may-be-imminent-mobile-content-126545913

Google will begin sending traffic to web pages that are optimized with its Accelerated Mobile Pages (AMP) technology in February 2016.

December 12, 2015

The New WordPress.com App for Windows Is Here

#Calypso is now available for both the Mac and Windows as a stand-alone app. Now you can control all your #WordPress sites from one app with one login. https://en.blog.wordpress.com/2015/12/09/the-new-wordpress-com-app-for-windows-is-here/

Everything you love about writing and publishing, now in the Start Menu.

WP Engine Security Breach: Customer Credentials Exposed

If you host your website with WP Engine, you should reset your password. http://wptavern.com/wp-engine-security-breach-customer-credentials-exposed

WP Engine customers received an urgent notification in their inboxes Wednesday evening regarding a security breach. At WP Engine we are committed to providing robust security. We are writing today …

December 11, 2015

WP REST API: Version 2.0 Beta 9

For the last REST API release of 2015, we bring you: 2.0 Beta 9 “You Don’t Win Friends With Salad”. Download it from the plugin repository or from GitHub.

Should I use 2.0 Beta 9 in production?

This is a great question. I (Daniel) will do my best to answer from my perspective — Ryan, Rachel or Joe may have different opinions.

As many of you may already know, the v1.x branch is essentially deprecated and only maintained for security and major compatibility issues. Even its latest release, v1.2.4, still includes some annoying bugs. The v2.0 Betas introduce a ton of new features, functionality, and general improvements. But, there will never be a formal v2.0 plugin release — v2.0 will be endpoint inclusion into WordPress core.

Right now, we’re doing our darned best to get the endpoints into core at the end of January 2016. Between now and then we have at least 74 issues to wade through. Beta 9 includes 32 merged pull requests.

In the interest of feeling confident about the code we’re committing to core, we are and will be making breaking changes in the Betas. Significantly, Beta 10 will remove the core directory, and will be incompatible with WordPress 4.3.

Short answer: you’re welcome to use the Betas in production if you understand the ramifications. When updating, we expect you to read through the changelog and thoroughly test each release with your project. You should probably have test coverage on any custom endpoints you’re writing. And, set aside time to properly debug any issues you uncover and submit pull requests with test coverage.

If you aren’t comfortable with aforementioned ramifications, please refrain from using the v2.0 Betas in production. We do encourage everyone to use them locally, or in staging / test environments, and look forward to your feedback.

Changelog

Here are some highlights:

  • Move tags and categories to top-level endpoints. Tags are now accessible at `/wp/v2/tags`, and categories accessible at `/wp/v2/categories`. Post terms reside at `/wp/v2/posts//tags` and `/wp/v2//categories`.
  • Return object for requests to `/wp/v2/taxonomies`. This is consistent with `/wp/v2/types` and `/wp/v2/statuses`.
  • Remove `rest_get_timezone()`. `json_get_timezone()` was only ever used in v1. This function causes fatals, and shouldn’t be used.
  • Rename `register_api_field()` to `register_rest_field()`. Introduces a `register_api_field()` function for backwards compat, which calls `_doing_it_wrong()`. However, `register_api_field()` won’t ever be committed to WordPress core, so you should update your function calls.
  • Change taxonomies’ `post_type` argument to `type`. It’s consistent with how we’re exposing post types in the API.
  • Sync infrastructure with what shipped in WordPress 4.4.
    • `wp-includes/rest-api/rest-functions.php` is removed, and its functions moved into `wp-includes/rest-api.php`.
    • Send nocache headers for REST requests.
    • Fix handling of HEAD requests.
    • Mark `WP_REST_Server::get_raw_data()` as static.
    • Unabbreviate error string.
  • Change terms endpoints to use `term_id` not `tt_id`.
  • Standardize declaration of `context` param for `GET` requests across controllers. However, we’re still inconsistent in which controllers expose which params. Follow #1845 for further discussion.
  • Link types / taxonomies to their collections, and vice versa. Collections link to their type / taxonomy with the `about` relation; types / taxonomies link to their collection with the `item` relation, which is imperfect and may change in the future.

As always, we have a detailed changelog as well as the full set of changes if you’re interested.



WP REST API: Version 2.0 Beta 9 by Daniel Bachhuber was originally posted at https://make.wordpress.org/core/2015/12/11/wp-rest-api-version-2-0-beta-9/

Additional labels for custom post types and custom taxonomies

In WordPress 4.3 and 4.4, additional labels have been made available for custom post types and custom taxonomies. These get passed in via the labels argument when using register_post_type() and register_taxonomy().

New post type labels in 4.3:

  • featured_image – Overrides the “Featured Image” phrase for this post type. See #19257.
  • set_featured_image – Overrides the “Set featured image” phrase for this post type. See #19257.
  • remove_featured_image – Overrides the “Remove featured image” phrase for this post type. See #19257.
  • use_featured_image – Overrides the “Use as featured image” phrase for this post type. See #19257.

New post type labels in 4.4:

  • archives – The post type archive label used in nav menus. Default “Post Archives”. See #16075.
  • insert_into_item – Overrides the “Insert into post”/“Insert into page” phrase (used when inserting media into a post). See #33616.
  • uploaded_to_this_item – Overrides the “Uploaded to this post”/“Uploaded to this page” phrase (used when viewing media attached to a post). See #33616.
  • filter_items_list – Screen reader text for the filter links heading on the post type listing screen. Default “Filter posts list”/“Filter pages list”. See #32147.
  • items_list_navigation – Screen reader text for the pagination heading on the post type listing screen. Default “Posts list navigation”/“Pages list navigation”. See #32147.
  • items_list – Screen reader text for the items list heading on the post type listing screen. Default “Posts list”/“Pages list”. See #32147.

New taxonomy labels in 4.3:

  • no_terms – Used when indicating that there are no terms in the given taxonomy associated with an object. Default “No tags”/“No categories”. See #32150.

New taxonomy labels in 4.4:

  • items_list_navigation – Screen reader text for the pagination heading on the term listing screen. Default “Tags list navigation”/“Categories list navigation”. See #32147.
  • items_list – Screen reader text for the items list heading on the term listing screen. Default “Tags list”/“Categories list”. See #32147.

See the documentation for get_post_type_labels() and get_taxonomy_labels() for the full list of available labels.



Additional labels for custom post types and custom taxonomies by John Blackbourn was originally posted at https://make.wordpress.org/core/2015/12/11/additional-labels-for-custom-post-types-and-custom-taxonomies/

2FA! 2FA! 2FA!

Howdy, all! I’m back, and we’re getting the Two-Factor Train rolling again!

We had our first meeting yesterday at the usual time (22:00 UTC / 5pm Eastern) in #core-passwords.

https://wordpress.slack.com/archives/core-passwords/p1449784908000119

Following some critical feedback and discussions both at the Community Summit and at WordCamp US, we’re adjusting our focus. Technical feasibility is turning out to be far less of a concern than ensuring we don’t create an undue support burden by users getting locked out and providing a way back in.

Previously, we had been anticipating the primary way to override a loss of their second factor would be either adding a constant or modifying the database records (either directly or via a shell tool such as WP-CLI). However, we have had a number of concerns from assorted interested parties, and the fact of the matter is that it is feeling like too high of a barrier for many WordPress users. As @macmanx (new Forums Team Rep) summarized in our chat yesterday,

I’ll say it this way: We want users to be able to secure their sites with 2FA, not sit back and watch outdated abandoned sites pile up because they locked themselves out and simply give up when we mention FTP, Database, or SSH.

So, there are several things that have been brought up:

Require a constant in `wp-config.php` to enable 2FA

The idea being that, by adding a constant to wp-config, the user has demonstrated that they know how to use FTP and edit files on their server manually, so if all goes to heck, they have the ability and knowledge to take the constant back out, so they can get back into their site admin.

I feel that this is a bad idea, because it violates many of the WordPress Core Philosophies. It wouldn’t work out of the box, and we’re no longer designing for the majority. It results in us adding not only an option, but an option that’s hard to set.

If we have to hide it behind a constant, I feel that it shouldn’t even be in Core, and would be better left as a plugin.

(yes, I know Multisite runs this way, but there are other reasons that was merged into core)

Require multiple providers being enabled

The idea here being that if the user has two, there is less likelihood of getting locked out as they’d have a backup. However, for myself, I can’t tell you how many times I’ve downloaded backup codes and promptly lost them. Or how many times my phone has been destroyed (washing machines and phones shouldn’t be friends). There’s still a lot of opportunity for things to go wrong, especially on the scale of powering a quarter of the web. Edge cases become commonplace. :(

Send Text Messages

No can do, this would require a third-party server to send them through, and that’s plugin territory.

Leave Emailed Codes as an always-available fallback

This, I feel is our best option.

There are some concerns regarding the large percentage of WordPress sites that are on servers that can’t send email (as high as 25% by some guesstimates I’ve heard floated), so we’d need to send a code and make sure it gets received before turning on the actual two-factor login prompt.

While it doesn’t provide the best security (if someone breaks into your email address, they could both reset your password and get the incoming authentication code), it is 1) no worse than the status quo, 2) not our responsibility to keep secure, and 3) if they’ve broken into your email, you probably have bigger concerns.

We can certainly include a filter for methods to disable / add from plugins, and so if someone wants to disable email manually, they totes can. By explicitly disabling the Core security feature, they’re then demonstrating that they know enough to fix it if it goes wrong.

In the end, my feelings were largely best summed up by @michael-arestad, describing the two ways of balancing ease of use versus airtight security:

Ease-of-use: core potential
Airtight security: plugin town

And we can always ship the plugin ourselves to let folks disable Email, but that feels like if it were in wp-admin that we’d be giving them just enough rope to hang themselves. :(

===

Now, none of this is finalized, so if you disagree, please voice your concerns in the comment section below. I’m hoping that we’ll get enough discussion that we’ll be able to confidently make a final decision on what path we’re taking at next week’s meeting — which will be on Thursday at 5pm Eastern / 22:00 UTC in #core-passwords



2FA! 2FA! 2FA! by George Stephanis was originally posted at https://make.wordpress.org/core/2015/12/11/2fa-2fa-2fa/
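The emailed-code fallback discussed above depends on proving that a site can deliver mail before the two-factor prompt is switched on. The following is an added sketch of that enrollment gate, not code from the post or from the Two-Factor project; the class, the mailer callable, the code length, the expiry and the attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600    # assumed: a code is valid for 10 minutes
MAX_ATTEMPTS = 5  # assumed: wrong guesses allowed before the code is discarded


class EmailFallback:
    """Hypothetical enrollment flow; mailer is a callable(address, code) -> bool."""

    def __init__(self, mailer, clock=time.time):
        self.mailer = mailer
        self.clock = clock
        self.key = secrets.token_bytes(32)  # keys the stored code digests
        self.pending = {}                   # user -> [digest, expiry, attempts left]
        self.confirmed = set()              # users whose mailbox is proven reachable

    def _digest(self, code):
        return hmac.new(self.key, code.encode(), hashlib.sha256).digest()

    def start(self, user, address):
        """Send a fresh code. Two-factor stays off until confirm() succeeds."""
        code = f"{secrets.randbelow(10 ** 8):08d}"
        # A True result only means the mail was handed off, not that it arrived.
        if not self.mailer(address, code):
            return "mail_failed"
        self.pending[user] = [self._digest(code), self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return "code_sent"

    def confirm(self, user, code):
        """Typing the code back is the proof that email reaches this user."""
        entry = self.pending.get(user)
        if entry is None:
            return "no_pending_code"
        digest, expiry, _ = entry
        if self.clock() > expiry:
            del self.pending[user]
            return "expired"
        if not hmac.compare_digest(digest, self._digest(code)):
            entry[2] -= 1
            if entry[2] == 0:
                del self.pending[user]  # force a new code after repeated misses
            return "wrong_code"
        del self.pending[user]
        self.confirmed.add(user)
        return "enabled"

    def prompt_required(self, user):
        """The login screen asks for a second factor only for confirmed users."""
        return user in self.confirmed


def demo():
    """Constructed run: one site whose mail never leaves, one where it arrives."""
    broken = EmailFallback(mailer=lambda address, code: False)
    outbox = []
    working = EmailFallback(mailer=lambda address, code: outbox.append(code) or True)
    results = [broken.start("alice", "alice@example.com"), broken.prompt_required("alice")]
    results.append(working.start("bob", "bob@example.com"))
    results.append(working.confirm("bob", "not-the-code"))
    results.append(working.confirm("bob", outbox[0]))
    results.append(working.prompt_required("bob"))
    return results
```

On a host that cannot send mail the user never reaches "enabled", so the login prompt is never turned on and nobody is locked out by a code that cannot arrive.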

December 10, 2015

December 10 Meeting Summary and 4.5 Call for Volunteers

We gathered together after the marvelous release of 4.4. Many congrats to @wonderboymusic, his deputies @sergeybiryukov and @ocean90, and all contributors who helped out! See the full transcript for the entire chat.

On 4.4

What’s Next?
@helen is building a product design team that is kicking off shortly. I’m excited about this — it’s an opportunity to really step up our game in the UX space. She’ll be building out a few projects and calling for volunteers on make/design, so watch there if you’re interested in getting involved.

Officially, 4.5 doesn’t kick off until early January, but I’d like to start off with a ready-to-go set of teams. The time between now and then is also great for preparing feature plugins that you’re interested in seeing merged.

4.5 Call for Volunteers
Currently looking for those interested in:

  • Being a Release Backup/Deputy
  • Contributing to Week in Core Summary Posts
  • Working on a particular development focus or feature

If you’re interested in contributing in any of these areas/roles, please leave a comment! Feel free to ping me in the Make WordPress Slack (@mike) if you have any questions on these roles.



December 10 Meeting Summary and 4.5 Call for Volunteers by Mike Schroder was originally posted at https://make.wordpress.org/core/2015/12/11/dec-10-meeting-summary-and-4-5-call-for-volunteers/

December 9, 2015

Welcome the 4.5 class of committers!

As announced in the State of the Word this year at WordCamp US by @matt, there are seven new committers to introduce.

Many of you have seen Michael Arestad‘s (@michaelarestad) design and front-end development contributions over the last couple of years, notably with the redesign of Press This in WordPress 4.2. His numerous, high quality contributions are a welcome addition to core. I personally am looking forward to his work on markup and styling, having relied heavily on his judgment for quite some time now.

WordPress 4.4 adds a new embed feature to WordPress, making it an oEmbed provider for the first time. Work on this new feature was done in a large part by Pascal Birchler (@swissspidy), who has been doing great work for the past few releases. Pascal’s clear communication and thorough support of the flow mindset are things we can all be inspired by.

Rachel Baker (@rachelbaker) is the co-lead of the REST API, a Comments component maintainer, and a major contributor to WordPress 4.4. Her work has made it possible for sites around the world to utilize the REST API, making WordPress a great application platform. Look for more of these contributions as the REST API iterates within core.

Likewise, Joe Hoyle (@joehoyle) is a major contributor to the REST API. As we prepare to commit the REST API endpoints in an upcoming WordPress release, there will be more and more to come from both him and Rachel.

As a Media component maintainer and a long-time contributor across many components and features, Mike Schroder (@mikeschroder) helped shepherd the responsive images feature plugin into core for WordPress 4.4. He was also a backup release lead for WordPress 3.9.

Throughout the WordPress admin interface, everywhere you look you’ll see the work of Mel Choyce (@melchoyce). Her design and experience contributions are long-standing and have benefited the entire ecosystem. As one of the maintainers of the Dashicons project, the icons you interact with daily are a big part of her contributions, as well as themes available in the WordPress.org Theme Directory.

Eric Andrew Lewis (@ericlewis) has been contributing in various forms for many years, exploring lesser-known areas, documenting them, and challenging assumptions. Most recently, you may have seen his work as a Media component maintainer or with the shiny updates feature in WordPress 4.2.

Additionally, Ella Van Dorpe (@iseulde), Konstantin Obenland (@obenland), Weston Ruter (@westonruter), Tammie Lister (@karmatosed), Andrea Fercia (@afercia) and Ryan McCue (@rmccue [that’s one M, two C’s]) have all had their guest commit renewed.

Please join me in welcoming this great set of new committers!



Welcome the 4.5 class of committers! by Helen Hou-Sandi was originally posted at https://make.wordpress.org/core/2015/12/09/welcome-the-4-5-class-of-committers/

Announcing the release leads for 2016

As announced during the State of the Word this year, we have a brand new selection of release leads for 2016.

Mike Schroder
Previously a backup release lead for WordPress 3.7 and long time contributor, Mike Schroder (@mikeschroder) will kick off the year as the release lead for WordPress 4.5.

Dominik Schilling
Following WordPress 4.5, Dominik Schilling (@ocean90) will be the release lead for WordPress 4.6. Dominik has been a core committer for a couple of years now and was a backup release lead for WordPress 4.4.

Matt Mullenweg
Finally, closing out the year, Matt Mullenweg (@matt) will put on his release lead hat and lead WordPress 4.7. Matt previously led the WordPress 3.8 release.

Each of these release leads needs your help! Every release is made by hundreds of contributors over many months, not just by its release lead. Additionally, every release lead needs a backup lead or two to help ensure the release moves forward at a solid pace. These backup release leads get great training for the real deal, as they often become future release leads (see both Mike and Dominik above!).

Are you interested in being a backup release lead? Just comment here to let Mike, Dominik, and Matt know.



Announcing the release leads for 2016 by Helen Hou-Sandi was originally posted at https://make.wordpress.org/core/2015/12/09/announcing-the-release-leads-for-2016/

Example Domain

New post with link for testing IFTTT syndication from Facebook. The link: http://example.com

This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission.

December 8, 2015

Responsive images coming to WordPress 4.4 "Clifford"

Great news! Responsive images will be baked into WordPress 4.4 "Clifford".

WordPress will now automatically create several sizes of each image that you upload to the media library. Using the 'srcset' attribute, browsers can now choose to display the most appropriate size and ignore the others, saving bandwidth and speeding up page load times in the process.
