Quite a bit of developer information has been published on the upcoming WordPress 5.3 release this past week:

πŸ‘‰πŸ» In WordPress 5.3, the version of Backbone bundled with WordPress will be updated from version 1.3.3 to 1.4.0 with a few noteworthy items for developers.
πŸ‘‰πŸ» A new ability now exists to filter by nested fields in the REST API.
πŸ‘‰πŸ» There is now a “show password” button on the WordPress login screen.
πŸ‘‰πŸ» WordPress 5.3 introduces a new way to manage sizeable images by detecting big images and generating a β€œweb-optimized maximum size” for them. Along with this feature comes a new big_image_size_threshold filter.
πŸ‘‰πŸ» The PHP 5.6 spread operator has been introduced to WordPress in several places.
πŸ‘‰πŸ» The register_meta functions (including register_post_meta) now support the object and array data types.
πŸ‘‰πŸ» New functions exist to add the UGC (user-generated content) attribute to links, and WordPress is adding it to comments. Now wp_rel_nofollow_callback() will be deprecated in favor of more generic callback function, wp_rel_callback().

Jonathan Desrosiers has a breakdown of the changes in PHP 7.4 “that plugin and theme developers need to be aware of and should accommodate in their code.” ⚠️

Dave Whitley outlines a proposal to standardize a type scale for WordPress: “By including other attributes like font weight and line height, we can create a reusable set of predefined styles for design and development.”

Eric Mann notes that “WordPress nonces are, admittedly, not numbers and not used once.” Since they're not “true nonces,” WordPress nonces “fall down horribly” and constitute a “fatal flaw” when developers use them to secure the admin. πŸ”“

Eric says we urgently need “true cryptographic operations,” and there's a possible path to that destination, but it is “incredibly steep.” It will require “a major paradigm shift in WordPress development” β€” and developer education.

I want to also note some comments here from Andrew Nacin on Twitter: “…we shouldn’t have called them nonces. But, time-based, stateless HMAC tokens are just as valid (and commonly used) for CSRF protection. The primary point of these tokens isn’t to prevent a replay attack. Its only point is to guard against CSRF, and it does that well.”

According to a recent post on Google's official security blog, Chrome is being prepared to start blocking all mixed content. As of Chrome 79, the browser “will gradually move to block all mixed content by default.” It will auto-upgrade mixed resources to HTTPS, so sites will continue to work if their sub-resources are already available that way. πŸ”’

Chris Aniszczyk talks about open source gerrymandering by looking at a variety of different open-source and similar platforms to see how they are governed. 🎩

It’s really important to note that there is a difference between open source and open governance, and you should always be skeptical of a project that claims it’s truly open if only one for profit company owns all the assets and control.

Nikki Thomas shares how Modern Tribe tackles project definition with a few pointed questions. First, they ask who the users are, what their needs are, and why these needs exist. A project roadmap follows from the next two questions: “How will we build it? When will we have it done?”

Tobias Günther explains some smart ways for developers to correct their mistakes in Git. 😌

As soon as I heard about WP FeedBack, I was wondering which hosting company would take advantage of it first. The answer came quickly as GoDaddy Pro announced a partnership with them this week. Their members can get WP Feedback for 50% off now.

Advanced Custom Fields version 5.8.5 is now available and contains a handful of bug fixes and improvements to solve various issues.

In a big win for accessibility, the U.S. Supreme Court decided not to hear Domino's Pizza‘s petition on whether its website is accessible. The order to not hear the case keeps in place a January ruling by the 9th U.S. Circuit Court of Appeals which ruled that Domino’s and other retailers must make its online services accessible.

If your website isn't accessible (or you don't know if it is) now is the time to start sitting up in your chair and taking some long-overdue action.

WordCamp US will have a WordPress-themed game show Saturday morning (November 2nd). If you are attending WordCamp US, join the fun and help support the young people who are hosting it. It will be fun! πŸŽ‰

Douglas Kendyson shows how to add Two-Factor Authentication to WordPress with the Nexmo Verify API.

Gilbert Pellegrom takes a look behind the scenes to see how Laravel Valet works and what is going on in the background when you run Valet commands.

Video and Podcast Picks of the Week

πŸ“Ή Here are my latest picks for video watching:

  • If you weren't aware, WooSesh happened for two days this week. The event was live-streamed but WPSessions members will have access to the recordings. I listened to many of the talks and the quality of the talks was again very high.
  • The History of WordPress (in four minutes) was interesting to watch. This was used as part of the opening of WordCamp para Desarrolladores Sevilla 2019.
  • If you are interested in starting a podcast, Bob Dunn has a video walk through of the Seriously Simple Podcasting plugin. Bob also had other great videos if you are thinking about podcasting.

πŸŽ™οΈ Here are some recent podcasts worth listening to:

  • The CodePen podcast covers styles and methods of customer research β€” and how it's been helping influence decisions at CodePen in this episode.
  • It was good to hear from Pippin Williamson again, this time on the Product Business podcast.
  • I enjoyed listening to Chris Lema talk about entrepreneurs and relating some sales tricks and patterns (particularly those used by the resort industry) on an episode of the Pressnomics podcast. 🌴
  • Matt Medeiros talks to Rob Walling about TinySeed, funding for your business, and his views on WordCamps and WordPress.
  • The Ladybug Podcast is back, and I enjoyed this episode about defining design systems and how they can be built. 🐞