The Week in Analysis

WordPress 5.9 Revised Release Schedule

— With an updated release schedule for WordPress 5.9, the new final release is planned for January 25, 2022. Causes for the delay mostly can be pinned on issues related to major features planned for the release, including Full Site Editing. With WordPress 6.0 likely coming out in April, the core team felt this would have been too long for the community to wait if those features were punted. Tonya Mork explains the decision-making process and notes that there were "seasonal considerations" with not enough people available to develop, test, and review critical items in December.

Remember when WordPress 5.0 launched with Gutenberg? Many people called for a delay then, but Matt pushed forward:

"Deadlines are not arbitrary, they’re a promise we make to ourselves and our users that helps us rein in the endless possibilities of things that could be a part of every release."

Gutenberg’s initial release was challenging. The release date pressed volunteers to ship 5.0 before the State of the Word, a high-pressure deadline. Over the next six months, Josepha did a lot of listening, reflection, and communication on the breakdowns that occurred.

More than serving an ecosystem of products, the WordPress project also has to keep in mind its user base and community contributors. What is in their best interest? This time the consensus was to postpone a major release. That’s something everyone can be proud of, for the growth it indicates.

The PHP Foundation

— A number of companies, including Automattic, Laravel, Acquia, Zend, Symfony, and JetBrains, have collectively formed a PHP Foundation. It will be a "non-profit organization whose mission is to ensure the long life and prosperity of the PHP language." This was prompted by the departure of a key PHP contributor, Nikita Popov. (Nikita left on good terms but is spending significantly less time on PHP.) The idea for a PHP Foundation isn't new. It was brought up earlier this year — with this timely post from Joe Watkins. Joe responded favorably to the new organization after it was announced. He called it "an excellent opportunity for budding internals developers and experienced developers alike." And now it has been kicked into high gear:
"With the projected donations from all the participating companies so far, we expect to raise about $300,000 per year. JetBrains intends to contribute $100,000 annually... We expect to be able to pay market salaries to PHP core developers. The more we collect, the more developers will be able to work full-time on PHP."
The primary goal of the foundation is to fund PHP development. A temporary administration will be put in place. These people will collaboratively decide who receives funding. The Foundation is looking to fund both part-time and full-time developers. Applications are being accepted now.

PHP powers 78% of the web, but not many people realize how fragile it is with its reliance on open source maintainers and contributors. Being overwhelmed and experiencing burnout are real dangers to contributors, just as they are in WordPress and other open source communities. I’m glad a PHP Foundation has been put in place and hope it will add some stability. Time will tell what kind of impact this makes, but if there’s confidence to be had it’s that the major members of the Foundation are heavily committed to PHP’s continued success.

— David

GoDaddy Breached – Plaintext Passwords – 1.2M Affected

— Starting with a recently published disclosure on the United States Securities and Exchange Commission (SEC) website, GoDaddy shared with the public and its customers that a data breach occurred with their Managed WordPress customers in September. It appears the breach also affected tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe. GoDaddy said an unauthorized person used a compromised password to gain access to their systems around September 6. GoDaddy said it first discovered the breach last week on November 17. This breach impacts up to 1.2 million WordPress customers — and potentially more sites since customers can and often do have more than one site in their account. The attacker had access to user email addresses and customer numbers plus the original WordPress Admin password that was set at the time of provisioning as well as SSL private keys. Wordfence also notes the sFTP and database usernames and passwords of active customers were accessible to the attacker. This was possible because the "sFTP passwords [were stored] in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, which are both industry best practices." For now, anyone using GoDaddy’s Managed WordPress hosting should assume their sites have been compromised and change their passwords, enable two-factor authentication where possible, and watch out for odd emails. If you run an ecommerce site, Mark Maunder warns that "you may be required to notify your customers of the breach" depending on regulatory requirements in your jurisdiction.

This isn’t something you want to see happen at all, especially on a Black Friday week after a big acquisition you made the week prior. There are likely to be some far-reaching consequences and repercussions here but it’s too soon to tell.

— David

The timing and nature of this attack bring back memories of a similar breach that came to light on Black Friday weekend in 2009 at Media Temple before GoDaddy acquired it. Have hosts become more diligent about security in the past decade? News of big data breaches has become so commonplace they seem less remarkable now. At least disclosures about security failures seem to be more complete and forthcoming once they are detected. But that isn’t much consolation to customers whose sites are hacked.

— Dan

Latest Post Status Feature


This Week at (December 1, 2021)

— Each week we are highlighting the news from that you don't want to miss. If you or your company create products or services that use WordPress, we've got the news you need to know. Be sure to share this resource with your product and project managers. News# WordPress 5.9 Beta 1 announcement. Help Test […]

News for the WordPress Professional

Modern CSS in a Nutshell

Scott Vandehey has what I thought was a good takeaway of modern CSS as of today: "You’d be surprised how much you can do with vanilla CSS nowadays... CSS is much more powerful now than it was even just a few years ago." I especially agree that CSS pre-processors for most might not be needed anymore.

What I Learned Building a Hybrid Theme

Fränk Klein talks about his observations, struggles, and the lessons he's learned from building "hybrid themes." These themes mix the traditional theming approach with full-site editing features. Fränk has a particular issue with the template editor; he considers it "half baked" and does not see a use for block widgets.

The Internet is Held Together With Spit and Baling Wire

Brian Krebs describes the internet as being held together by spit and baling wire. Referring to an attack vector that recently emerged, he asks us to "[i]magine being able to disconnect or redirect Internet traffic destined for some of the world’s biggest companies — just by spoofing an email." The internet can be resilient but also fragile. Who could forget the recent outage that took Facebook, Instagram and WhatsApp offline for the better part of a day — simply because Facebook submitted an erroneous Border Gateway Protocol (BGP) update?

What Happens When a WordPress Site Loads

John Billion wrote a great gist on GitHub a few years ago that lists out what happens when a WordPress site loads. It's still mostly accurate. When John was asked last week if it's possible to continuously auto-generate the site load flow outline from source code, he said he doesn't think so:
"The intention isn't to cover every action that fires and every file that loads, just the ones that are of interest to plugin and theme developers and contributors. I think that's best done with manual curation."

Self-Publish Sooner

Alex Ellis wishes that he had self-published sooner and hopes others don't make the same mistake:
"It took until this year to write my first eBook and it now generates revenue while I sleep... A good place to start is with something you've already invested time in — a skill, a project or an approach."
Alex shares his approach if you want to go down a similar path: Identify a topic, find your angle, find a friend — at least someone to proofread your content — and then ship it.

How to Enable Inner Blocks

Inner Blocks are Gutenberg blocks that allow you to insert additional blocks within another block. Igor Benic walks you through these nested blocks and explains how the CoBlocks Accordion block utilizes them.

Post Status Announcements

17 Days Since Last Acquisition

November 15, 2021 - LiquidWeb Acquires Modern Tribe

👉 We’ve created a page for WordPress acquisitions going back to 2007. We’d also like to gather major investment data. Help us make this table more complete by adding additional deals, data, and links.

Get Hired
Latest Podcast Episode:

September 27, 2021 - Get Hired #5: Get Involved