📆 This is the August 2023 edition of “This Month in WordPress with CodeinWP.”
Hey, WordPress fans.
We hope you had a great July and that, if you’re in the USA, you didn’t have any unfortunate incidents with fireworks. 🎆
Now that the month has officially come to a close, we are back with all of the latest WordPress news and events from the past month.
So – what happened last month?
First off, we got a look at the betas and release candidates for WordPress 6.3, so you should have a good idea of what the next major release will look like when it lands in August.
Beyond that, there were several vulnerabilities discovered in popular plugins, as well as some debate/controversy over WordCamp Dhaka and the WordPress.org recommended hosts page (which just removed SiteGround).
Let’s get to all the news from the past month…
August 2023 WordPress News with CodeinWP
WordCamp Dhaka canceled over corporate influence concerns
WordCamp Dhaka (Bangladesh) had originally been scheduled for August 5th 2023. However, in early July, the event was canceled.
While a cancellation itself isn’t a huge news story, the reason for it makes things a little more interesting.
The event was canceled due to concerns about corporate influence affecting the event and decision-making processes.
In an incident report published on make.wordpress.org, the Community Team said the following as to the exact reason:
“…there were observable actions from local community members to influence decisions that would benefit specific individuals or companies. When this influence did not immediately lead to their desired results, the individuals aimed to undermine the organizing process and event success.”
Fair enough. But what made things a little murkier and generated a lot of discussion is that the Community Team chose to not publicly share the name of the company that was attempting to influence the event.
This led to a lot of discussion in the comments of that make.wordpress.org post, with people sharing persuasive thoughts on both sides of the discussion.
Personally, I think that transparency is important, and it’s valuable to know the name of the company (even if the names of individuals involved are kept private), especially if the evidence was so persuasive as to cancel the event completely.
But at the same time, I do understand the reasoning behind the decision to withhold all names.
If you want to learn more, WP Tavern also has a post on the subject, including some more comments from individuals in the WordPress community.
Vulnerabilities in several major WordPress plugins
July saw the discovery of vulnerabilities in several large plugins. All of these vulnerabilities have since been patched, but it’s important to keep up with the news and make sure you’re using the latest versions on your sites.
Let’s start at the beginning and work through them chronologically by their disclosure times…
We begin in late June, when WPScan researchers discovered a vulnerability in the Ultimate Member plugin that was being actively exploited by malicious actors.
Ultimate Member promptly released version 2.6.4 to fix the issue. However, researchers found that malicious actors could still circumvent the patched version. On July 3, Ultimate Member was able to fully fix the problem in version 2.6.7. If you’re not using at least Ultimate Member 2.6.7, you should update immediately to protect your sites.
Next up – on July 6, Calvin Alkan disclosed a vulnerability in MalCare (which also affected BlogVault and WPRemote, because those plugins used the same code). MalCare fixed the issue two days later on July 8.
If you’re not using the latest versions of MalCare, BlogVault, and WPRemote, you should update it immediately. There is no evidence that the vulnerability was being actively exploited, though.
A few days later, there was a vulnerability discovered in the popular All-In-One Security plugin. The plugin was discovered to be storing user passwords from login attempts as plain text in the security audit log.
This meant that site admins could see the plaintext passwords of other WordPress users on their sites. While this didn’t really affect WordPress itself (because the admin already has the ability to change users’ passwords), it does mean that a malicious admin could use those credentials to try to access other sites where the users might have accounts.
The All-In-One Security team fixed this issue in version 5.2.0, which was released on July 10.
Lastly, on July 25, Patchstack disclosed multiple high severity security vulnerabilities in the popular Ninja Forms plugin. The vulnerabilities were discovered on June 22 and Ninja Forms had patched them on July 4.
There is no evidence that these vulnerabilities were being actively exploited at the time of their discovery. However, if you’re not using at least Ninja Forms 3.6.26, you should update immediately to protect your site.
You may also be interested in:
- 40+ Best WordPress Articles of 2023! Our Take On the Most Interesting and Excellent Stories of the Year
- WordPress.org Redesigns, Jetpack Stats Pricing, Woo Rebranding 🗞️ May 2024 WordPress News w/ WPShout
- A Look at the WordPress Media Experiments Plugin in an Interview With Pascal Birchler
WordPress 6.3 betas and release candidates are out
In July, we saw WordPress 6.3 move through its beta and release candidate schedule to prepare for its eventual release on August 8, 2023.
The process started with the release of Beta 1 on June 27, followed by Beta 2 (June 28), Beta 3 (July 3), and Beta 4 (July 11).
On July 18, we got the first release candidate, with the second coming on July 25.
If you haven’t had a chance to play with any of the betas or release candidate versions, WordPress 6.3 brings a number of new features and enhancements, almost all of which are focused on the Site Editor (as has been the case for most of the recent releases).
While a lot of these seem like real improvements, it does make WordPress feel a bit stagnant if your site is one of the many sites that is not using a theme that’s compatible with the Site Editor (which is most popular themes at this point).
If you’re not using the Site Editor, you will still get a few improvements to the general Block Editor experience, including the following:
- A new Footnote option that you can select from the toolbar of a Paragraph block (and potentially other blocks).
- A new Details block that lets you implement accordion sections (great for FAQ sections).
- Better controls for padding and margin.
- An option to choose an aspect ratio for an image to more easily adjust image sizes while maintaining the aspect ratio.
- An option to create a new page when inserting a link.
There are also some less visible changes, such as adding defer and async support to the WP Scripts API and improving how WordPress loads its emoji script.
WordPress 6.3 to drop support for PHP 5
While WordPress 6.3 will add lots of new features and enhancements, we also think it’s newsworthy to draw your attention to one other key change in the release – WordPress 6.3 will officially drop support for all versions of PHP 5, including PHP 5.6.
Now, I have no idea why anyone is still using PHP 5.6, given that it stopped receiving security updates all the way back at the end of 2018. Plus, newer versions of PHP also offer much better performance, which will help you speed up your site’s load times.
But despite that, the official WordPress.org statistics page indicates that 3.8% of WordPress sites are still running on PHP 5.6 (with smaller numbers in even lower versions).
So – if your site makes up part of that 3.8%, it’s probably time to get with the times and update your PHP version.
In WordPress 6.3, the minimum supported version will be PHP 7.0, but the recommended version is at least PHP 7.4.
However, PHP 7.4 is also no longer receiving security fixes, so you might want to go to at least PHP 8.0 if possible. PHP 8.0 will continue to receive security fixes through the end of 2023.
If you’re not sure how any of this works, Themeisle has a guide on how to check your site/server’s PHP version and update it if needed.
WordPress mulls revamping the admin UI
While the WordPress admin interface is functional enough, it’s starting to show its age a bit, especially since it hasn’t changed much in a long time.
What’s more, plugin and theme developers can sometimes struggle to work within the admin interface, which can cause them to create their own designs instead of using WordPress conventions (and it also causes all kinds of issues for notifications).
However, that might be changing in the future. On July 12, Matias Ventura posted about plans to revamp the admin UI as part of Phase 3 of the Gutenberg project.
All of this planning is still at a very early stage and it will certainly be an ambitious effort. However, it is great to see movement on what I think is a very important part of creating a better WordPress experience for casual users.
Beyond Matias’s post itself, there’s also a very active comments section with lots of thoughts and opinions from well-known WordPress folks.
Audioeye (an accessibility overlay) sues Adrian Roselli, an accessibility expert
This one bit of news isn’t WordPress-specific, but it is relevant because accessibility is an important part of WordPress and a lot of WordPress sites use the Audioeye plugin.
If you’re not familiar with Audioeye, it’s a service that aims to offer an easy way for businesses to implement accessibility on their sites (and comply with accessibility-related laws like the ADA).
However, a lot of accessibility experts, including Adrian Roselli, have criticized accessibility overlays, like Audioeye (and accessiBe, a similar service), for not being a good way to implement true website accessibility.
In response, Audioeye has filed a lawsuit against Roselli – a lawsuit that the Law Office of Lainey Feingold dubbed a “SLAPP suit,” AKA a Strategic Lawsuit Against Public Participation.
Here’s a great Last Week Tonight segment on SLAPP Suits.
If you’re interested in more discussion on this, PostStatus has a great roundup of the issue.
While on the subject of accessibility overlays, I also noticed that accessiBe, a similar service, seems to have had its WordPress.org plugin listing suspended on July 24, 2023. I’m not sure why that is, or whether it will come back after the full review.
More discussion/concerns over recommended hosts on WordPress.org
For a very long time now, WordPress.org has recommended three WordPress hosts – Bluehost, DreamHost, and SiteGround (along with WordPress.com, though it’s positioned differently).
Recently, SiteGround was removed from the page, leaving Bluehost and DreamHost as the only recommendations for self-hosted WordPress hosting.
This removal has revived long-held concerns over the transparency of the page.
Despite the page saying that “We’ll be looking at this list several times a year, so keep an eye out for us re-opening the survey for hosts to submit themselves for inclusion,” the page has pretty much never changed its recommendations (until the removal of SiteGround).
I believe the last shakeup of the page happened back in 2016, which is ages in a regularly evolving hosting space.
Given that the page is likely worth many millions of dollars each year, people naturally wonder why those hosts are the only recommendations, despite there being many other excellent WordPress hosts out there.
There are also concerns about potential conflicts of interest, such as Automattic raising money from Endurance International Group (which was the company behind Bluehost before it rebranded to Newfold Digital).
To fix this, there may be a new survey in 2023 to collect more recent data. There was also a survey back in 2016.
Contributors are also discussing other options, such as “Project Bedrock,” which would create a directory of all WordPress hosts that meet certain requirements.
Whatever ends up happening, it would be great to have more transparency and insight into why some hosts are recommended while others aren’t.
If you want to learn more, WP Tavern has a great roundup of the relevant details, and there’s also some discussion in the comments section of that post.
That sums up our August 2023 WordPress news roundup. Anything we missed?
…
Don’t forget to join our crash course on speeding up your WordPress site. Learn more below:
Layout and presentation by Karol K.