
State of the Word 2024, Fake Security Emails, UpdraftPlus Banned 🗞️ January 2024 WordPress News w/ CodeinWP

📆  This is the January 2024 edition of “This Month in WordPress with CodeinWP.” 

Howdy, WordPress fans.

We are back with our latest batch of WordPress news from the past month, which just so happens to be the last WordPress news from 2023.

December is usually a quiet month, which makes sense given that a solid chunk of the WordPress community is enjoying the holidays. However, that doesn’t mean there’s nothing to talk about.

In the biggest news, Matt Mullenweg gave his annual State of the Word address, which includes a recap of what happened in 2023 as well as a preview of what’s to come in 2024.

Beyond that, some malicious actors are impersonating the WordPress Security Team to gain control of people’s sites, UpdraftPlus was briefly suspended from WordPress.org for a somewhat silly reason, and we recapped some of the most interesting articles from 2023.

Without further introduction, let’s get into all the WordPress news from the past month.

January 2024 WordPress News with CodeinWP

State of the Word 2023 on December 11

As I mentioned above, the biggest WordPress news from December is almost always Matt Mullenweg’s State of the Word address, which recaps how WordPress did over the past year and also sets the roadmap for the next year and beyond.

As is normally the case, Matt started with a look back at WordPress in 2023, including some key events and numbers. Most notably, May 27, 2023, marked WordPress’s 20th anniversary, which is pretty impressive.

Matt also detailed some notable accomplishments and launches, such as WordPress Playground, the Twenty Twenty-Four default theme, WordPress’s improvements in scalability, and more.

After covering what already happened, Matt then shifted to a focus on the future, with some thoughts on WordPress in 2024. Here are a few key trends that Matt discussed:

  • Collaboration – 2024 will mark Phase 3 of the Gutenberg project, which is focused on adding collaboration features to the WordPress editor and other areas of WordPress. This part was covered by Matías Ventura, the Lead Architect of the Gutenberg project.
  • Data liberation – it should be easier for people to control and migrate their data between different platforms, websites, and so on. Most notably, to make it as easy as possible for users from other platforms to migrate to WordPress.
  • Learn AI deeply – a few years ago, the advice was to “learn JavaScript deeply.” Now, Matt is adding “learn AI deeply” to that message, along with a look at how some contributors are already playing around with using WordPress and natural language processing to build things.

If you want to check out the full 42-minute address yourself, you can find it here on YouTube.

If you’d rather have someone summarize things for you (in more detail than what I did above), here are some of the better 2023 State of the Word recaps that I found:

State of the Word 2023

Watch out for people impersonating the WordPress Security Team

In case there weren’t already enough people doing scummy stuff on the internet, there’s a new scam going around targeting WordPress site owners.

People have started receiving impersonated emails claiming to be from the “WordPress Team” or the “WordPress Security Team.”

The goal of these emails is to convince site administrators to install a malware-filled plugin on their sites. The malicious actor does this by claiming something like “The WordPress [sic] Security Team has identified a Remote Code Excecution [sic] on your site” and then asking users to install the plugin. It also might reference something like “CVE-2023-45124.”

The plugin looks like it comes from WordPress.org, even going so far as to mimic the WordPress.org plugin listing page. However, it’s not the real WordPress.org site. Instead, they try to spoof it by using names like en-gb-wordpress[.]org.

This email is especially tricky because WordPress 6.4.2 (released in early December – more on it below) did fix a Remote Code Execution vulnerability. So these malicious actors are basing their fake emails somewhat on reality.

Moral of the story? Don’t trust anything from someone who spells WordPress as “WordPress.” But more seriously – be on the lookout for emails like this and never install plugins from strangers.

The issue is widespread enough that it was posted on the WordPress.org news blog. You can also find more detailed posts from Patchstack and from Wordfence, both of which include screenshots of the emails and the fake WordPress.org plugin listing page.
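For anyone triaging mail like this in bulk, the page's description gives three checkable signals: the sender claims to be the “WordPress Security Team,” the mail urges a plugin install (often citing a CVE), and links point at lookalike hosts such as en-gb-wordpress[.]org rather than wordpress.org. The following is an added Python example, not code from the post or from Patchstack/Wordfence; the set of legitimate project domains and the sample message are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: registrable domains that genuinely belong to the WordPress project.
# The post itself names wordpress.org and matrix.wordpress.net.
LEGIT_REGISTRABLE = {"wordpress.org", "wordpress.com", "wordpress.net"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (enough for .org/.com/.net)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def lookalike_hosts(body: str) -> list[str]:
    """Hosts that contain 'wordpress' but are not project domains, e.g. en-gb-wordpress.org."""
    flagged = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if "wordpress" in host and registrable_domain(host) not in LEGIT_REGISTRABLE:
            flagged.append(host)
    return flagged

def triage_email(subject: str, body: str) -> dict:
    """Score the signals the post describes; three or more marks the mail suspicious."""
    text = f"{subject}\n{body}".lower()
    signals = {
        "claims_security_team": "wordpress security team" in text or "wordpress team" in text,
        "urges_plugin_install": "install" in text and "plugin" in text,
        "cites_cve": bool(re.search(r"cve-\d{4}-\d{4,}", text)),
        "lookalike_hosts": lookalike_hosts(body),
    }
    score = sum(bool(v) for v in signals.values())
    signals["suspicious"] = score >= 3
    return signals

# Constructed sample message modelled on the wording the post quotes (not a real email).
SAMPLE_MAIL_SUBJECT = "Urgent: Remote Code Execution on your site"
SAMPLE_MAIL_BODY = (
    "The WordPress Security Team has identified a Remote Code Execution "
    "(CVE-2023-45124) on your site. Download and install the patch plugin from "
    "https://en-gb-wordpress.org/plugins/cve-2023-45124/ today."
)

if __name__ == "__main__":
    print(triage_email(SAMPLE_MAIL_SUBJECT, SAMPLE_MAIL_BODY))
```

The domain check is deliberately simple; a production filter would resolve the registrable domain with a public-suffix list and also inspect the plugin ZIP rather than the link alone.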

WordPress Security Team


Popular UpdraftPlus plugin briefly suspended from WordPress.org

If you’re not familiar with UpdraftPlus, it’s one of the most popular (if not the most popular) WordPress backup plugins in existence. Millions of site owners rely on UpdraftPlus to back up their sites and keep their data safe.

That’s why it’s a big deal that the plugin was temporarily closed on WordPress.org for what seems like some fairly minor issues.

The main problem seems to have been something very basic – UpdraftPlus was adding its own news to the built-in WordPress news widget (that appears in the Dashboard tab in users’ WP Admin dashboards), along with a designator that the news came from UpdraftPlus.

Apparently, this is against the rules at WordPress.org, which led to UpdraftPlus being suspended. This happened even though UpdraftPlus asked for users’ consent to do so and had been adding news for multiple years without issue.

Now, I don’t think the rule itself is bad – I’m fine with plugins not being allowed to insert their own news in the core WordPress news widget.

But given that the issue had nothing to do with security, suspending the plugin seems like a large overreaction when suspending it actually leads to much larger issues for users’ sites.

What’s more, once the plugin had been suspended, UpdraftPlus could not be re-listed until it had also fixed other minor issues. It seems the initial suspension triggered some additional checks. Given that the suspension came right before Christmas (December 23), this was obviously a tough time for the UpdraftPlus team to scramble to get things fixed.

Thankfully, saner heads prevailed at some point, and UpdraftPlus was re-listed shortly after its suspension.

In hindsight, though, I don’t think it makes sense to suspend such an important plugin over such a minor infraction. While I understand the “rules are rules” mindset, more priority should be given to the millions of users whose sites could be negatively affected by the change.

While the UpdraftPlus plugin on their sites would not stop working, the suspension stops them from receiving updates and also triggers automated alerts in many WordPress security plugins, such as Wordfence. These alerts could mislead users into thinking there was an actual security issue in the UpdraftPlus plugin and affect sites’ backup processes.

For more details about what happened, including a response from the UpdraftPlus developer, you can read this support thread. The thread also includes posts from a number of users who were startled by receiving an alert email from Wordfence.

UpdraftPlus

WordPress 6.4.2 released in early December

While there were no major releases scheduled for December, early December did see the release of WordPress 6.4.2.

WordPress 6.4.2 is a security and maintenance release that fixes a potential Remote Code Execution vulnerability.

Again, the fake WordPress Security Team emails that we mentioned above seem to have been referencing this when talking about a Remote Code Execution vulnerability.

While the vulnerability was not directly exploitable in the core WordPress software, the WordPress Security Team felt that it could be exploited when combined with certain plugins, especially in WordPress multisite installs.

Because this is a security fix, you should update your site as soon as possible (if you haven’t done so already).

For more details, you can check out the WordPress.org release post.

The Theme Review Team proposes clarification/rules on theme onboarding and admin pages

Over the past few months, we’ve shared several updates about the Ollie block theme and its custom onboarding system.

The Ollie theme originally had its own custom onboarding built directly into the theme. However, after a lot of debate with the WordPress.org theme review team (and the WordPress community at large), Ollie eventually had to move the onboarding system out of the theme itself and into a companion plugin.

As a response to this issue (and to just clarify things in general), the WordPress.org theme team has recently proposed new rules and requirements for onboarding in WordPress themes. Some of the proposed rules include blocking the following:

  • Demo imports
  • External calls
  • Tracking/Affiliate links

The goal is to put these rules into effect starting around January 9, 2024. For more details, you can check out this post at WordPress.org. You can also share your thoughts on the proposed rule changes.

WordPress is migrating from Slack to Matrix for contributor chats

For a while now, WordPress contributors have been communicating and working using Slack (after having moved from IRC to Slack in 2014). However, Slack’s closed-source nature never really fit with the open-source values of WordPress.

It was more a marriage of convenience, rather than true love…so to speak.

Recently, several WordPress teams have been experimenting with using the open-source Matrix project to communicate.

In early December, however, contributors began moving the Making WordPress Slack more fully to Matrix. This started with a bridge between the two. Once more and more of the community has moved from Slack to Matrix, posting on Slack will eventually become more limited, culminating in a complete migration to Matrix some time in 2024.

Here’s a post on WordPress.org about the migration.

If you want to join the chat on Matrix, the team recommends using the pre-configured instance of the Element Web client at https://matrix.wordpress.net.

Improvements to the Jetpack WordPress mobile app

Earlier this year, we shared some news about how some WordPress mobile app features would be moving from the WordPress mobile app to a revamped Jetpack mobile app. Now, the Jetpack WordPress mobile app has gotten a bunch of improvements, including the following:

  • A redesigned screen for the posts and pages lists.
  • A new context menu to simplify the interface.
  • New swipe actions on iOS to share or delete posts quickly.
  • Improved search and filtering on iOS.
  • General refinements to the dashboard interface.
  • Optimized site media on iOS to load previews faster and with less memory usage.

If you’re using the Jetpack plugin and you’d like to interact with your WordPress site via a mobile app, you can try out these features today.

To learn more, check out the release post on WordPress.com.

A look back at the best WordPress articles from 2023

In our WordPress news roundup, we cover timely articles from the past month. However, sometimes it’s interesting to zoom out and take a broader look at things.

If you’re interested in recapping and discovering some of the most interesting WordPress trends from 2023, we just published our roundup of the 40+ most interesting WordPress articles from 2023.

It covers all kinds of fun stuff, from opinion pieces to acquisition posts, product launches, and lots more.

Give it a read and relive some of the biggest stories from the past year!

That sums up our January 2024 WordPress news roundup. Anything we missed?


Layout and presentation by Karol K.

Colin Newcomer