For a little over 2 years now, I have been posting monthly updates internally at WooThemes and now at Automattic in which I give a wrap-up of all the significant news from the WordPress community for the past month. This has been a great way for people too be kept up to date about what’s happening around them, as well as for me to personally keep abreast of developments in all areas of the WordPress project.
After much coaxing from quite a few people, I thought I’d start posting these updates on my own blog too, so that others can also benefit from them. The updates include news from the past month, as well as a smattering of comments from myself showing my own opinions about it all.
So, with all that in mind – here’s February’s update…
February hasn’t really been a very busy month in terms of WordPress community news, There are one or two significant stories, but this past month has been largely quiet with only a few interesting headlines. That’s not to say it’s not worth staying up to date on them, so read on to find out what’s been happening in the WordPress community over the last few weeks…
WordPress is insecure!!!!!!11!!11!!one!
WordPress 4.7.2 was released at the end of January a little later than expected, and the delay was due to an important security fix that had recently been disclosed. The details of this security fix were not included in the original release post as the details of the issue put any sites that did not update at risk of attack. Instead, the details were disclosed 1 week after the release in order to give site owners and hosts enough time to update their installations to v4.7.2. The security issue related to the recently introduced REST API and, essentially, allowed unauthenticated users to gain administrative privileges. The way the issue was disclosed by Sucuri was great and the fact that it was silently fixed was equally respectable, however a number of people still took issue with the fact that it happened at all.
WP Tavern wrote about the patch and the comments on their post are as fun/discouraging to read as always. They do, however, explain a few of the frustrations that people have with the issue. The concerns seem to be based around the fact that the REST API was to blame, and that the issue was disclosed too soon, before many people had a chance to update. In my opinion, both of those concerns are unfounded (the REST API is critical to the progress of WordPress, and WordPress’ auto-updates mitigate the update time issue for most users). What this does highlight though, is the fact that no matter how hard the WordPress core team works on building a reliable and secure platform, there will always be a section of the community that will hold a deep mistrust of anything that they do – this is unfortunate, but there’s not a whole lot that can be done about it.
For some further reading on this, I would suggest having a look through Mika Epstein’s post titled A Case for REST API.
Update Signing and WordPress
In other security-related news, a WordPress user and PHP security contributor named Scott Arciszewski wrote an impassioned post about how the WordPress core team is ignoring a glaring security issue by not digitally signing updates as they are released (he since deleted the post, but the internet never forgets and you can read it courtesy of the Internet Archive’s Wayback Machine). In his post, Scott explains why he feels update signing is so important and also how he has written and adapted a cryptography library for PHP and WordPress that is ready to be added to core.
While he made some really good points about the feature, his delivery was decidedly negative and aggressive, even ending with a call to
#StopMullware (in reference to Matt Mullenweg‘s name of course).
Despite the way in which his post was written, Matt wrote a well-reasoned response post in which he explains clearly what update signing is, why it is valuable, and why it is not a priority for the WordPress security team right now. The gist of his reasoning is that the types of attacks that update signing will prevent have never actually happened and fixing real threats instead of hypothetical ones is a far more valuable use of the core team’s time – something that I certainly agree with.
Community Summit sign-up and topic requests
The annual-ish WordPress Community Summit is happening in Paris on 13 & 14 June this year (right before WordCamp Europe). While the Summit attendees list includes members of each of the contributor teams, there are also a number of spots kept open for people who may not be on one of the teams, but have valuable insight and skills that the teams could use. In order to get as many of those people involved in the Summit, there is a public form for topic suggestions, which comes with the added option of suggesting an individual from the community who should attend the Summit in order to discuss the submitted topic. This is a great way to get as many people involved in this event as possible and I encourage you to submit any topic you feel is relevant.
Connected to this, the Summit organising team announced the Travel Assistance Programme in order to help people get to the Summit so that they can be involved in the discussions – this is a great way to further the global involvement of people in the WordPress project who would otherwise not be able to attend.
- The Google+ Community for the WordPress Android app beta testers is being closed down. Nothing about the app will change and contributions are always welcome on GitHub and Slack.
- Reaktiv Studios published Locomotive – a library and plugin that gives a reliable and consistent way to handle batch processing in WordPress (something I would have loved to have had access to while working on Sensei).
- 10up released a library of front-end components for WordPress – a valuable resource for sure.
Any relevant stories that I missed? Any interesting articles from the past month that you feel are worth reading? Link them up in the comments!