Daily ArchivesSeptember 9, 2021

Twice a year, WordPress’s developers release a beta for the upcoming version of everyone’s favorite content management system. The most recent beta landed in early March, and is ready for testing by WordPress site owners who want to get a preview of the new features and test their plugins and themes before the final release, which is scheduled for April.

Beta testing is a key part of the open source process, and WordPress’s developers are always happy to hear about bugs in the software so they don’t make it into the final release.

I’m sure you already understand this, but it should be noted that it is not a good idea to install the WordPress beta on your production website. Beta software will have bugs, and it’s not ready for live sites. The best way to test is to use a dedicated testing installation of WordPress. We explained one way you can build a local test environment in our article on VagrantPress.

Without further ado, let’s see what’s coming in WordPress 4.5.

Better On Mobile

In the last few years, WordPress has become the perfect content management system for building responsive sites that work brilliantly on both mobile and the desktop. WordPress 4.5 brings a couple of small changes that improve the process of creating sites that are fast and useable across devices of many sizes.

Firstly, the customizer now offers a responsive preview. Users and developers can click on a range of sample device sizes and see how their pages will look. This is great for catching theme changes that break a responsive layout at a particular breakpoint.

The next change isn’t mobile-specific, but it helps us to build mobile-friendly sites: image optimization. Most JPEG images contain data that isn’t really needed. WordPress 4.5 will carry out a series of optimizations on images uploaded to a WordPress site that can potentially reduce image sizes by half.

Better For Bloggers

Blogging is all about writing, and over the last couple of years, WordPress’s writing experience has improved leaps and bounds. WordPress 4.5 is no exception, and it brings a couple of handy enhancements for those of us who spend untold hours in the Visual Editor.

Inline link editing is a simple change that makes writing more pleasant. On WordPress 4.5, when you use the link insertion keyboard shortcut, you’ll be presented with a simple dialogue into which you can enter the link without taking your hands from the keyboard.

The second enhancement is what WordPress calls inline shortcuts, which are essentially a way of bringing Markdown-like features to the visual editor. Inline shortcuts exist already for a variety of formatting, but WordPress 4.5 introduces shortcuts for bold formatting and for marking inline code — both of which are identical to the way it’s done in Markdown.

Better For Developers

WordPress isn’t all about the user, and there are some handy additions for developers too, including selective refresh for the customizer, a new way to add inline scripts (wp_add_inline_script()), and customizable embed templates that let developers create custom displays in their themes.

We host websites that range from solo blogs and small eCommerce stores to huge WordPress publications and Magento stores with stratospheric levels of traffic. We can accommodate such a diverse range of hosting requirements because of the different infrastructure configurations we offer. In this article, I’d like to discuss how we are able to host the biggest, high-traffic sites and keep them performing faster than most hosts dream of.

First, let’s look at how small sites and stores are hosted. The most economical option for low-traffic sites is shared hosting. That means lots of sites are hosted on the same server. The CPUs, memory, and storage are shared between these sites. The physical servers are much more powerful than the average PC, but they’re roughly comparable.

Often, small sites grow into big sites with lots of traffic. These sites don’t work well in a shared hosting environment — they use too many resources. Mid-sized sites are hosted on dedicated servers. All of the server’s resources are available to one site. For all but the largest sites and stores, a dedicated server equipped with our optimizations is enough. But for very large sites, we need to go even bigger than the hugely powerful enterprise-grade server hardware we use.

Servers only get so big. After a certain point, it doesn’t make sense to simply keep upgrading to a bigger server. Sometimes there are no bigger servers, and sometimes a single server isn’t the most efficient option. For sites like these, the best option is a server cluster. That’s just what it sounds like — instead of one server, there are two or more servers. As you might imagine, server clusters can have lots of different configurations, so I’ll discuss one of the most common.

For a high-traffic site to perform well, it should be able to respond quickly to incoming requests from users. Each of those requests can use a lot of memory, sometimes more than is available on a single server. In this case, we could add one or more extra web servers, and move other site-critical functionality like the database server and file server onto separate machines.

Let’s say we now have three web servers. Incoming requests are spread across the servers. Choosing which server to send a specific request to is complex and there are lots of ways of organizing it, but for simplicity’s sake think about sending the requests to each server in turn. Every new request is sent to the next web server. Of course, we need a way to decide which web server will receive each response — that’s the job of the load balancer. Load balancers sit in front of the web servers and send the requests on to them.

Because there is now far more web server capacity, every request can be dealt with in a timely fashion. Requests hit the load balancer, are sent to one of the web servers, which gathers information from the database and file server, and sends the response. If the load adds up to more than three web servers can handle, it’s relatively straightforward to add another web server.

I’ve concentrated on the web server here, but it’s possible to add new database servers, file servers, and load balancers to the cluster as required, that’s part of what makes a cluster so flexible.

Enterprise Magento Clusters and WordPress Clusters, along with our expertise in building high-performance systems for PHP applications like WordPress and Magento, are one of the ways we support some of the biggest publishing and eCommerce ventures.

In spite of the many advances Google has made to its search engine algorithms in the years since Larry Page invented PageRank, inbound links are still central to the way the search giant decides how to rank pages. But all links aren’t equal, and the easiest links to get are also the least valuable — comment links, forum links, and other linking pages where there is little editorial control over the content.

Google has also become much smarter at figuring out whether links are the genuine article: a sincere expression of editorial approval of the content being linked to or simply part of a scheme to manipulate PageRank.

Link schemes and link spam have become increasingly ineffective. And, in the unlikely event that a particular link scheme is effective, it’s only a matter of time before Google figures it out. When it does, all the money invested into building links is lost; a site held aloft in the SERPs on the basis of a link scheme will take a nosedive.

Add that fact to the plethora of other signals that Google uses for ranking, and it might seem that manual link building is dead. In fact, if you pay attention to some parts of the SEO media — never ones to avoid wild speculation and hyperbole — you’d forgiven for believing that link building was a waste of time.

In fact, that’s not true. There is still a place for link building on the modern web. But here’s the thing: if you want to build a sustainable link profile, you’re going have to do it the hard way.

Link Building Today

The first thing you need is great content. Automated volume link building is essentially, if not completely, dead, and the best way to build sustainable links is to create awesome content — i.e. content that people want to link to. Of course, great content on its own isn’t enough. I’m not advocating an “if you build it they will come” approach, because they won’t come if they don’t know about it.

The second factor in effective link building is promotion and outreach. Social media plays a big role in this: the more people see your content, the more will link to it. It’s not that social media links count for much; they don’t. But social media is the best way to get content out to as many people as possible.

In that, social media is simply a very effective promotional tool, but it’s far from being the only promotional tool available to link builders. Let’s say you written the best resource on the web on a particular topic, but you have no incoming links. When you search for the subject of your content on Google, your work is overshadowed by lots of inferior articles. That’s because they have more incoming links (among other factors, but we’ll focus on links).

If your content is the best, why shouldn’t these links point to your site instead of the inferior content? Here’s where the hard work of manual link building comes in. You can use a tool like Majestic.com to discover who is linking to the pages that outrank your content.

Next, research those sites and find out why they are linking to the inferior content. Sometimes the links will be in years-old articles or spam directories, but sometimes the linking pages will be authoritative and useful resources.

Now, the maintainers of those pages want to link to the best content, right? And you’ve written the best content. Find a way to contact them and let them know that you have better content. Your conversion rate for this approach will be low, but the links gained are likely to be a genuine and sincere expression of editorial approval of your content.

You can take this process a step further by finding popular articles on relevant topics for your niche, write better articles, and then carry out the process we’ve discussed.

Link building is far from dead. Automated link building is heading in the direction of the dodo, but the good old-fashioned process of writing and promoting great content is very much alive and kicking.

The code repository for the Custom Content Type Manager plugin in the WordPress Plugin Repository was recently compromised by a malicious user. The plugin was modified so that it contained a backdoor that could be used by the attacker to install further malicious code, create admin users, and steal authentication credentials. This attack is a rare example of a plugin in the official repository becoming a security risk.

The Custom Content Type Manager plugin, which is now safe, allows users to create custom post types. The plugin itself is genuinely useful and relatively popular, with over 10,000 installations listed on the repository. Users who installed or updated to to the compromised version (0.9.8.8 ) of this plugin, including via automatic updates, are vulnerable and should immediately update the plugin to the most recent version, which has been patched to remove the malicious code. If you think your site is vulnerable or compromised, you may want to take a look at Sucuri’s excellent guide to finding the malicious files and mitigating the vulnerability.

Usually when we hear about WordPress plugins with vulnerabilities, they are pirate plugins deliberately altered to contain malicious code or plugins from the repository that contain accidental vulnerabilities — run-of-the-mill bugs caused by coding errors. In this case, we have a plugin in the official repository that was compromised because a malicious user was able to have himself added as an official developer in the plugin’s Subversion repository. The attacker — apparently a rogue WordPress freelancer using the handle wooranker — was given permission to make changes to the code of the plugin, and used that opportunity to add a backdoor. The initial backdoor could then be used to add further malicious code to WordPress sites, including code that allowed wooranker to steal authentication data such as passwords and usernames, and to create admin user accounts.

The malicious code has now been removed from the plugin and the WordPress team has deleted the wooranker user.

Should WordPress users be worried about installing plugins from the official repository?

For the most part, no. The vast majority of attempts to get malware onto the repository are caught early. This is a serious lapse, caused in part by the huge volume of plugins on the repository and one malicious user getting lucky. There are millions of lines of code in many thousands of plugins — vetting and verifying all of them is impossible. As Sucuri point out, plugins are as trustworthy as their developers, and for the most part, the contributors to the WordPress Plugin Repository are genuine honest developers. Historically, the plugin repository has proven to be safe. The vulnerability was caught and removed quite quickly, and although it’s regrettable that it was allowed into the repository in the first place, it was dealt with swiftly.

JavaScript is about to enter the WordPress world in a big way. WordPress theme and plugin developers have always used JavaScript, of course — it’s an essential part of the web developer’s toolbox. But with the introduction of a JSON REST API and Matt Mullenweg’s suggestion that WordPress developers should learn Javascript (deeply), we’re likely to see a huge number of theme and plugin developers taking advantage of JavaScript to build new and exciting integrations with WordPress — the WordPress Mac App is just the start of what’s possible.

Many of the developers who take advantage of the ability to create front-end applications for WordPress, including themes, will build their projects using a JavaScript framework. JavaScript frameworks come in all shapes and sizes, from full Model-View-Controller frameworks that can power single-page web apps of significant complexity, to simpler helper libraries that make it easier to manage and display data on the client.

I’d like to quickly introduce three of the most prominent JavaScript frameworks and provide examples of how innovative developers are using them to build WordPress integrations using the REST API.

Angular

Angular is the big beast in the JavaScript framework world. It’s a full-powered MVC framework sponsored by Google and used on many of Google’s sites as well as a lot of other large-scale enterprise sites. Angular is a great choice for building single-page web applications, and while there’s nothing stopping you using it for WordPress themes and integrations, it might be overkill if all you want to do is pull data from the WordPress API to populate pages. Angular also has the steepest learning curve of any of the frameworks we’re looking at today.

Yoren Chang has written a useful guide to the basics of using Angular in WordPress theme development, and a set of more in-depth articles about Angular and the WordPress API.

React

React, which was created by Facebook, is a much simpler project than Angular. It’s been described as the V in MVC and is essentially concerned with managing the display of data on the front-end and building interactive user interfaces. Whether you think of that as a good thing depends on the complexity of the application you want to build on top of WordPress and whether you’d rather do server or client-side rendering.

For simpler integrations with the REST API, React is probably a better choice than Angular. React is particularly notable for its use of the Virtual DOM — changes made to the view are made to a Virtual DOM and the actual DOM is only updated once those changes are completed. The result is a fast and fluid user experience.

Take a look at the React homepage for some examples of React code. Kelly Dwan has created a simple WordPress recipe theme using React, the GitHub repo of which is a great way to learn about how React can be used with the WordPress API.

Backbone

Backbone is a full MVC framework, but it’s both smaller and less complex than Angular. Backbone doesn’t have the buzz of the other solutions I’ve discussed, but it’s has been used on some serious online services, including Twitter, Pinterest, and Disqus.

For developers who want to dip a toe into building JavaScript integrations, Backbone is worth looking at because there’s already a Backbone client for the REST API, and there is a version of the Underscore WordPress starter theme that has Backbone integrated with it. Reading _s_backbone’s code is a useful way to learn how to use the WordPress API and Backbone to implement common theme features like infinite scrolling and navigations menus.

I’ve just looked at three examples of JavaScript frameworks here. There are many more that could be used to build Javascript-based themes and applications for WordPress, but hopefully the pointers I’ve given you here are a good place to start.

There’s no shortage of monetization options for WordPress site owners. They range from affiliate marketing to digital sales and a lot in between, but advertising remains the single most popular way to generate money from WordPress content. AdWords is by far the most popular advertising network for self-hosted WordPress sites, but Automattic, the company behind WordPress.com and the Jetpack plugin, has brought a new advertising option to the market — one that was previously only available on WordPress.com.

To clear up an obvious source of confusion, WordAds and AdWords are not the same thing. AdWords is Google’s immensely popular advertising product. WordAds is a similar — although less feature-rich — advertising product that was designed specifically for WordPress sites running on Automattic’s platform. WordPress.com offers free and paid hosting for WordPress sites. It’s less flexible than self-hosting — fewer monetization options and limits on plugin installations — and offers a more restrictive environment, which is why most businesses and serious publishers choose a self-hosted platform like Hostdedi’.

Over the last few months, Automattic has been making some features that were only available to users of the WordPress.com platform available to the much larger WordPress.org (self-hosted) userbase. Towards the end of last year, they opened up the Calypso admin interface, and this year is starting in a similar fashion with WordAds.

To use WordAds, WordPress.org users must have both the Jetpack plugin collection and the AdControl plugin installed. While in theory any WordPress site can use WordAds, in practice self-hosted WordPress users will have to apply and be accepted onto the program. Automattic isn’t completely clear about who it will accept, but one of the conditions is that a site is deemed to have sufficient traffic. The company doesn’t specify exactly how much traffic, but it’s thought to be in the region of at least several thousand unique views a month.

Is WordAds worth considering for your WordPress site?

Most self-hosted WordPress users value the independence that self-hosting brings. They take the excellent WordPress open source content management system, choose a host that knows how to make the most of it, and thereby gain complete control over their publishing platform. For users who value this level of independence, there are many better and more flexible options than WordAds.

WordAds requires that site owners install a pair of plugins, one of which, Jetpack, brings an enormous amount of new code along with it. It also requires that site owners have a WordPress.com account and control their WordAds advertising through Automattic’s Calypso web interface. For small-scale publishers and independent bloggers, WordAds is a quick and easy way to make some money from their content, but they will have little control over the advertising that’s displayed, just as WordPress.com free users have little control.

WordAds is a good solution for some, but for most self-hosted WordPress users, more advanced options may be preferable.

The plugin ecosystem is one of WordPress’ major strengths. The free repository contains plugins that meet almost any need a WordPress site owner might have, and there is a thriving market for premium plugins. Without its diverse selection of plugins, it’s doubtful that WordPress would have achieved the astonishing popularity it enjoys today, but not all plugins are equally great and inexperienced WordPress users need some guidance when it comes to finding and choosing the right plugins for their site.

Don’t get me wrong, there are thousands of high-quality plugins created by dedicated developers available to WordPress site owners, but there are also lots of badly coded, out-of-date, and downright dangerous plugins out there.

Finding The Right WordPress Plugins

The Free Plugin Repository

Your first port of call should always be the WordPress Plugin Repository. The vast majority of high-quality free plugins are can be found there, but it doesn’t follow that every plugin in the repository is worth having. You can be sure that they don’t contain malware, but a presence in the WordPress repository doesn’t guarantee much else, so you will need to sanity check plugins before installing them.

Fortunately, most of the information you need is on the plugin pages.

You should pay attention to the following information:

• Has the plugin been updated recently? Half of the plugins in the repository haven’t been updated in the last two years. Old plugins may have numerous problems, including unpatched security vulnerabilities and incompatibilities with recent versions of WordPress. If the plugin doesn’t appear to be actively maintained, find an alternative.
• Is it compatible with your version of WordPress? As WordPress Core is updated, its API and other functionality that plugins rely on may change, creating incompatibilities. If the plugin is lagging behind your version of WordPress by a minor release, it might not cause obvious problems, but it’s probably better to wait until it’s updated.
• Does it have positive ratings and reviews? Plugins in the repository often have star ratings and reviews attached. Pay attention to what other users are saying.
• Is it popular? This isn’t always a good measure, but if a plugin has been in the repository for several months and only three people have installed it, be wary. With a huge userbase popularity is a good heuristic unless the plugin in question serves a very narrow niche.

Plugins Outside Of The Repository

Premium plugins are available from various marketplaces and direct from developers. Outside of the repository, you have almost no protection, so you should be especially careful about what you install.

Make sure that the plugin developer is trustworthy; check out reviews of their plugins and the support services they offer.

Avoid pirate plugins like the plague — they frequently contain malware. If you find a premium plugin offered for free, you take a big risk installing it. Hackers love to have WordPress users install their malware for them, and pirate premium plugins are a great Trojan Horse. This issue is complicated somewhat because most premium plugins are published under the General Public Licence, which makes it legal for third-parties to take the plugins and redistribute them for free, and some developers are making a “legitimate” business out of this process. It’s a controversial practice, and unless you know what you’re doing, it’s best to get plugins from their developer.

That said, I don’t want you to be discouraged from using premium plugins. Developers like Pippin Williamson, the team at Elegant Themes, and thousands of other solo and team WordPress plugin and theme developers are a vital part of the WordPress world and they do great work. Just take sensible precautions to obtain premium themes from reputable sources.

The WordPress community is a wonderful source of powerful tools to enhance your WordPress site. If you exercise a little caution and discretion, you will have no trouble finding the plugins and functionality you need.

WordPress Global Translation Day, which aims to increase awareness and participation in the effort to make WordPress available in as many languages as possible, will take place on the April 24th 2016.

WordPress is a truly global phenomenon. Tens of millions of people from all over the world rely on WordPress to communicate, to express themselves, and to run their business. In ten years, WordPress has grown from a niche blogging engine to a near-ubiquitous platform that gives a voice to anyone who wants to publish and maintain control of their content.

Because WordPress is an international phenomenon, it has to be translated into over a hundred languages. From Afrikaans to Yoruba via Breton, Cebuano, Dzongkha, Khmer, Mongolian, and around 140 other languages, dialects, and regional variations, hundreds of volunteers work to make WordPress useable by people in every country on Earth. As you can imagine, it’s a herculean effort — every new string added to the WordPress interface must be echoed in as many tongues as possible.

Managing the translation of WordPress is the job of Translate WordPress, who are organizing the WordPress Global Translation Day to attract the attention of potential contributors and to educate them about how WordPress translation works.

The goal of WordPress Global Translation Day is to increase the number of multilingual contributors, make headway on outstanding translations, and to add more translation editors to the project’s translation teams.

Over the course of 24 hours, WordPress Translate will live-stream video introductions that explain how volunteers can best contribute to WordPress’ translation efforts. They’ll also be organizing a number of local translation contributor days that interested people can attend, and remote translation days for those who can’t attend in person.

If you’re interested in contributing to WordPress Translation, head over to the project’s page, where you’ll see a list of languages. WordPress Translation is broken down by language and sub-projects, and it’s very easy to contribute if you have the language chops.

Don’t worry if you have no technical knowledge about how WordPress works, or if you aren’t a professional translator. The translation process uses the excellent GlotPress tool, which makes it easy to find strings that need translating and enter the language equivalents.

You can find everything you need to know about translating WordPress and using GlotPress in the Translator’s Handbook.

WordPress is big business, but it’s also an open source project that encourages contributions from the wider WordPress community. Any competent developer can contribute code. But what if you know nothing at all about programming and still want to help out? Many people want to give back to a community that has given so much to the web over the last decade.

In this article, I’d like to take a look at how non-coders can do their bit to improve WordPress and contribute to the WordPress community.

Translation

A project as large as WordPress generates lots of text both within the application and as part of its associated documentation. WordPress is used all over the world, which means all of that content has to be translated into dozens of languages.

If you have the ability to translate content, getting started is quite straightforward. Visit the WordPress Translation site, create a WordPress account, and start suggestion translations.

Beta Testing And Reporting Bugs

WordPress versions go through several public development releases before their final release. Beta and release candidate versions are intended to give WordPress testers time to spot any bugs that might need fixing. Many testers are developers who comb through the code looking for mistakes, but anyone can install and test development versions and look for problems.

The easiest way to get the beta version of WordPress is with the WordPress Beta Tester plugin: you install in on a WordPress installation — not the one you use for your production site — and it’ll be upgraded to the beta.

Any problems you find can be reported to WordPress via the WordPress Bug Tracker. Before you submit a bug report, be sure to read the reporting guidelines.

Support Other WordPress Users

If you use WordPress, you’ve probably taken advantage of the oceans of free support content created by bloggers, volunteers, and other WordPress users. One of the best ways to contribute to WordPress is to help other users in the same way you were helped.

There are several ways you can go about contributing. You might consider writing blog posts detailing your solutions to the problems you encounter with WordPress. Or you might join the WordPress Support Forums and start answering questions. You don’t need to be a WordPress master to help because people of all abilities ask questions on the support forums.

Contribute To The Documentation

If you’re a skilled WordPress user, consider contributing to the official documentation. The WordPress Codex is a wiki, and anyone can edit it — although edits have to be approved.

Even if you aren’t all that knowledgeable about WordPress, you can help out with copy editing and typo hunting. WordPress publishes a useful guide to contributing to the Codex.

Community Organizing

WordPress has a community numbering many thousands of people who often come together for meetings and conventions. If you’re good at event organizing, you might consider creating your own WordPress event or getting involved with an existing event near where you live.

WordPress has a couple of main hubs for event organization: WordCamps and Meetups. WordCamps are conferences, and meetups are more casual events where local WordPress users gather regularly to talk about their favorite content management system. Starting your own WordCamp or Meetup or helping with an event in your area are great ways to contribute to WordPress and meet like-minded people.

We WordPress users owe a debt of gratitude to the developers who have made it possible to build wonderful websites, but we shouldn’t forget the writers, translators, testers, and community organizers that have helped made WordPress the vibrant community it is today. Even if you’re not a coder, you can contribute too.

Alarmbell is an open source Magento extension for monitoring and notifying users of changes to a Magento store’s admin user accounts.

A Magento eCommerce site is a high-value target for online criminals. Although credit card data is usually safe even if an attacker gains access to a Magento store’s server or the Magento installation itself, criminals may be able to access user information, place fake orders, or infect the store with malware that will then infect shoppers who visit.

Although the vulnerability that an attacker uses to compromise a Magento store is unpredictable, what the attacker does once he or she has access is predictable. In the majority of cases, the attacker will attempt to create a new admin user account. Admin users have almost complete control over a Magento store — they can view information in the database and they can install extensions (and therefore malware).

Alarmbell is a new open source extension, developed by Hostdedi’ engineers, that will log and send notifications whenever a new admin user is created. Alarmbell will log the IP and account information for any attempt to make changes to admin users, including the creation of admin users, their deletion, and their modification.

We built Alarmbell so that it works with your organization. Alarmbell offers fully configurable notification emails so that the right people are notified about any changes to a store’s admin users immediately.

As a company, Hostdedi believes in giving back to the Magento community. Much of what we do extends and enhances the work of that community, and we’re happy to contribute to making it a safer place for eCommerce retailers.

Alarmbell is hosted on Github. If you want to fork Alarmbell, feel free. We’re happy to consider pull requests from members of the Magento developer community.

Alarmbell is just the most recent open source extension from Hostdedi. We also built the enormously popular Turpentine extension, which improves the integration between Magento and the Varnish web accelerator.

Last year, in partnership with Human Element, we released Sentry, a two-factor authentication extension for Magento that enabled Magento users to increase the security of the their stores.