How WooCommerce Plans To Boost Developers & Merchants via @sejournal, @martinibuster

WooCommerce announced its roadmap for the future of the platform, emphasizing two-way communication with the developer ecosystem so that it can respond to developers' needs, which in turn furthers the goal of improving the experience for developers, merchants and customers.

WooCommerce highlighted seven important areas for innovation and six specific areas that are targeted for enhancements that will improve developer and merchant experience.

1. Stronger WooCommerce And Developer Communication

WooCommerce recently launched a newsletter that keeps developers in the loop with the latest WooCommerce news, offering early previews of new features, plus tutorials and other information for the community.

The announcement explains three benefits of the newsletter:

  1. “Exclusive Insights:
    Gain access to behind-the-scenes knowledge and tips that can elevate your development game.
  2. Latest Content:
    Engage with newly published blog posts and documentation, showcasing our latest releases, resources, advisories, and more.
  3. Feature Updates and Announcements:
    Keep your projects current by receiving the latest updates on new features and essential changes in WooCommerce.”

2. Upgrading The WooCommerce Blog and Documentation

Another improvement related to communication is an emphasis on the official WooCommerce blog as a reliable source of information that is important to developers.

WooCommerce is also committing to improving their documentation with more guides, step-by-step tutorials, best practices and also making it easier to navigate and find needed information.

The roadmap explains:

“Our goal is to fill crucial knowledge gaps in areas such as extensibility, block development, and theme customization, empowering developers to start and thrive on our platform.”

This is welcome news for developers. One person commented on X (formerly Twitter):

“Coincidentally, I saw this immediately after reading my developers’ frustrations about the documentation for the new product editor in our internal discussions – so it’s good to see that improving this is on the roadmap.

Specifically, we have several plugins which add functionality to the ‘Edit Product’ screen, so we need to integrate them with the new product editor. My developers are finding this unnecessarily difficult because:

– The developer information about each feature is scattered throughout multiple news articles when it should be collated in one location.

– The links to the GitHub discussions about the new Product Editor in the “Roadmap Insights” articles point to the WooCommerce Product Block Editor discussion category (which doesn’t exist anymore) instead of the new WooCommerce New Product Editor one.

– We’re reluctant to update our plugins that integrate with the variations editor because the hooks and filters required for this extension are currently marked as experimental, so we might have to redo work if they change in future.

– We were expecting to see a timeline for the new product editor in January/February but this still isn’t clear, so we don’t know how heavily to prioritize the changes in our plugins.”

3. Improvements To REST API V3

Improvements to the REST API v3 are a top priority, with a focus on backward compatibility. They are also committing to reducing the backlog of issues and new feature requests plus improving API performance.

They also said they would focus on:

“…upgrading API documentation, error handling, and debugging capabilities.”

4. Improve Feedback Loop on Extensibility

A feedback loop is the ongoing communication between WooCommerce and the developers who use it; the goal is a collaboration that results in a superior product that better serves developer and merchant needs.

Extensibility refers to the flexibility of WooCommerce to be extended and adapted, which is an important benefit of WooCommerce. Thus, one of the “destinations” in the WooCommerce roadmap is to make sure that it is adaptable and easily molded by developers.

Communication between developers and WooCommerce is a key part of maintaining and improving the extensibility of WooCommerce.

WooCommerce commented:

“As we make new features the default experience, we are working to create space for collaboration with our developer community in order to refine these features, incorporate feedback, and gradually move towards full adoption.

In the past year, we have begun using GitHub Discussions, Developer Office Hours, and other sources of feedback to shape and prioritize extensibility points in particular. This iterative process not only enhances the platform but also strengthens the ecosystem, making WooCommerce a more robust solution for everyone.”

5. WooCommerce Is Committed To A Block-Based Future

WooCommerce committed to 100% block-based feature development in late 2023 as part of a vision of making WooCommerce easier to use for non-coders. A second motivation is to create a more adaptable shopping platform to build upon. As part of this commitment, WooCommerce is signaling that now is the time to stop relying on older solutions like shortcodes and legacy APIs.

The statement read:

“If your solutions are still relying on shortcodes or other legacy APIs, it’s time to embrace blocks and modernize your approach.”

WooCommerce announced steps they are taking to bridge the transition to a fully block-based development platform:

  • Adding more resources to the WooCommerce Developer Documentation
  • Increased frequency of communication on the WooCommerce blog
  • More posts introducing new features, with tutorials on how to use them
  • A renewed focus on creating video tutorials

6. Streamlined Onboarding

WooCommerce is focusing on further simplifying the process of setting up a store and getting online faster. They are also improving the workflow for developers who set up stores for merchants. They said that their work so far on simplifying the setup process produced an approximately 60% increase in completion rates.

7. Modern Store Customization

Another focus is on integrating the customization options available to WordPress in general, but WooCommerce is also looking into creating fully optimized commerce-based themes that are specific to WooCommerce.

They write:

“While we’re ensuring compatibility with all block-based themes in the WordPress ecosystem, we’re also exploring what it would look like to provide our own fully block-based, commerce-optimized theme out of the box.”

Six Specific Areas For Future Improvements

  1. Flexible product management
  2. Optimized order management and fulfillment
  3. Revamping merchant analytics
  4. Accessible stores
  5. Evolving checkout experience
  6. Better integration of order confirmation with summary and shipping information

WooCommerce Roadmap Leans In On Community

The roadmap outlined by WooCommerce recognizes that the user community is its strength, so it focuses on building a stronger product around what developers need in order to give merchants the ecommerce experience they expect. The focus on creating more documentation and videos shows that WooCommerce is committed to supporting the WordPress developer community and intends to remain the leading ecommerce platform.

Read the WooCommerce roadmap announcement:

WooCommerce in 2024 and beyond: Roadmap update

Featured Image by Shutterstock/Luis Molinero

WordPress Releases 6.6.1 To Fix Fatal Errors In 6.6 via @sejournal, @martinibuster

A week after releasing the troubled version 6.6, WordPress has released another version that fixes seven major issues, including two that caused fatal errors (website crashes), another that caused a security plugin to issue false warnings, plus several more that created unwanted UI changes.

Fatal Errors In WordPress 6.6

The one issue that got a lot of attention on social media affected users of certain page builders and themes like Divi. The issue, while relatively minor, dramatically changed the look of websites by introducing underlines beneath all links. Some on social media joked that this was a fix and not a bug. While it's generally good practice to underline links, underlines aren't necessary on all links, such as those in the top-level navigation.

A post on the WordPress.org support forums was the first noticeable indication on social media that something was wrong with WordPress 6.6:

“Updating to 6.6 caused all links to be immediately underlined on a staging divi themed site.”

They outlined a workaround that seemed to alleviate the issue but they were unsure about what the root cause of the problem was.

They then posted:

“But does anyone think this means I still have something wrong with this staging site, or is this a WordPress version update issue, or more likely a divi theme issue I should speak to them about? Also, if anyone is even familiar with expected Rparen error…that I’m just riding with at the moment, that might help. Thanks.”

Divi issued an emergency fix that their users could apply, even though the issue was on the WordPress side, not on the Divi side.

WordPress later acknowledged the bug and reported that it would issue a fix in version 6.6.1.

The Other Issues Fixed In 6.6.1

Fatal Error

is_utf8_charset() undefined when called by code in compat.php (causes a fatal error).

A section of code in 6.6 caused a critical issue (a fatal error) that prevents the website from functioning normally. It was noticed by users of WP Super Cache, whose developers created a temporary workaround that consisted of completely disabling website caching.

Their note on GitHub stated:

“Disabling the cache removes the error but is far from ideal.”

PHP Fatal Error

“PHP Fatal error: Uncaught Error: Object of class WP_Comment could not be converted to string.”

There was a problem in a part of the WordPress code that retrieves the name of the person who left a comment on a post. That code was supposed to receive a number (the comment ID), but sometimes it received a more complex piece of information instead (a WP_Comment object), which triggered a PHP fatal error. An analogy is trying to fit a square peg into a round hole: it doesn't work.

This issue was discovered by someone who was using the Divi website builder.

The other bugs that are fixed didn’t cause websites to crash but they were inconvenient:

Read the full details of WordPress 6.6.1 maintenance release:

WordPress 6.6.1 Maintenance Release

Featured Image by Shutterstock/HBRH

WP Engine WordPress Hosting Acquires NitroPack via @sejournal, @martinibuster

Managed WordPress web host WP Engine announced that it is acquiring NitroPack, a leading SaaS website performance optimization solution. The acquisition of NitroPack by WP Engine demonstrates the host's continued focus on improving site performance for clients.

NitroPack

NitroPack is a relatively pricey but well-regarded site performance solution that has been known as a leader for years. WP Engine and NitroPack formed a partnership in 2023 that powers WP Engine's PageSpeed Boost product, which is offered to its customers. The NitroPack team will be integrated within WP Engine this month, July.

There are no immediate plans to change the pricing options for NitroPack, so it's safe to say that it will continue to be a standalone product. WP Engine told Search Engine Journal that there will be no immediate changes in service pricing or billing for current NitroPack customers.

“We have no immediate plans to change the pricing options for NitroPack products.

Today NitroPack works with page builders and other hosting providers and that will continue to be available. In the coming months, we will continue to leverage NitroPack to enhance additional functionality to Page Speed Boost for WP Engine’s customers.”

What the acquisition means for WP Engine customers is that WP Engine will continue to leverage NitroPack’s technology to add even more functionalities to their PageSpeed Boost product.

The WP Engine spokesperson said that these new integrations will be coming to WP Engine PageSpeed Boost in a matter of months.

They shared:

“In the coming months, we will continue to leverage NitroPack’s strength to enhance additional functionality to Page Speed Boost.”

Read the official announcement:

WP Engine Acquires NitroPack, Extending Leadership in Managed WordPress Site Performance

Featured Image by Shutterstock/Asier Romero

WordPress 6.6: The 6 highlights in this release!

WordPress 6.6 is here and it comes with a suite of new features and improvements. Features that will give you more control over the look of your website, peace of mind when auto-updating plugins, and introduce you to some improved workflows. Here’s a sneak peek into the key highlights of this release.

Page previews in the site editor

The site editor now comes with a visual overview of your pages, also allowing you to preview a page before clicking edit. It creates a very natural workflow and makes working from the site editor easier. Make sure to check it out. You can find the editor under Appearance in the side menu of your WordPress dashboard.

Screenshot of the page overview in the site editor

More control over design

As they’ve done for the past couple of releases, the WordPress team has once again added loads of features that allow WordPress users more freedom in web design. WordPress 6.6 allows for more color palettes and font sets within one theme, making it easier for users to customize their website without compromising overall design and consistency. This feature, although aimed at theme developers, benefits everyone using a block theme.

But this release also comes with the ability to easily set negative margins for blocks, add background images to be used site-wide, section-specific styling, box shadows for our featured images and more.

Override your synced patterns

Are you familiar with synced patterns in WordPress? A synced pattern can be described as a few blocks, grouped together, to be used in different places on a website. To give an example, the image below shows a standard synced pattern that comes with a WordPress theme and it consists of a heading, paragraph, button and image.

Screenshot: an example of a synced pattern in WordPress

You can add this pattern to different pages for consistency (and it can save you loads of time). The new feature in WordPress 6.6 now adds the ability to do an ‘override’ of this pattern that allows you to tweak the pattern where needed. You can edit headings, paragraphs, buttons and images blocks to customize the pattern per instance while continuing to use the overall pattern for consistency. Simply go to your synced pattern, click edit, select the block you want to change and go to Advanced in settings to find the override feature.

Screenshot: the override feature while editing a synced pattern

Keep your plugins up to date

A really cool feature in WordPress 6.6 is the optional rollback for your automatically updated plugins. The idea is that you can set your plugins to auto-update without having to worry about any unexpected negative impact. This new feature makes it possible to restore your plugin to the previous version if anything goes wrong. This allows you to keep your plugins updated and improve your security. While also making sure your website keeps working and behaving as it should.

What’s new in the block editor?

This latest release comes with a new publish flow in the sidebar of your post or page. It shows the featured image at the top and shows all the other page settings in a list. You can simply click the setting you want to edit and it will give you a pop-up as shown in the screenshot below. It might take you a few seconds (or clicks) to figure out where everything has moved. But it looks very clean and makes everything feel very unified.

Screenshot: the publish flow in WordPress 6.6

Another small and nifty feature I’d like to highlight is the shortcut that you can now use to group blocks together. Select the blocks of your choice and use Ctrl + G on Windows or ⌘ + G on MacOS.

Performance and accessibility

What’s a WordPress release without any performance and accessibility enhancements? Of course, WordPress 6.6 comes with a bunch of them. Performance updates such as a 40% reduction in template loading time in the editor, removing unnecessary WP_Theme_JSON calls and getting rid of lazy loading post embeds. The accessibility improvements have been mainly focused on interaction with blocks and patterns and the data views component that powers the new site editing. Read all about this and more in the WordPress 6.6 release notes.

Read more: WordPress 6.5: The features you want to know about »


WordPress Nested Pages Plugin High Severity Vulnerability via @sejournal, @martinibuster

The U.S. National Vulnerability Database (NVD) and Wordfence published a security advisory about a high severity Cross Site Request Forgery (CSRF) vulnerability affecting the Nested Pages WordPress plugin, which has more than 100,000 installations. The vulnerability received a Common Vulnerability Scoring System (CVSS) rating of 8.8 on a scale of 1 – 10, with ten representing the highest level of severity.

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) is a type of attack that, in this case, takes advantage of a security flaw in the Nested Pages plugin that allows unauthenticated attackers to cause PHP files, the code-level files of WordPress, to be called (executed).

The first flaw is missing or incorrect nonce validation; nonces are a common security feature used in WordPress plugins to secure forms and URLs. The second flaw is a missing security measure called sanitization. Sanitization is a method of cleaning data that is input or output; it is also common in WordPress plugins but is missing in this case.

According to Wordfence:

“This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing sanitization of the ‘tab’ parameter.”

The CSRF attack relies on getting a signed-in WordPress user (like an Administrator) to click a link, which in turn allows the attacker to complete the attack. This vulnerability is rated 8.8, which makes it a high severity threat. To put that into perspective, a score of 8.9 is a critical level threat, which is an even higher level. So at 8.8 it is just short of a critical level threat.
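The following PHP is an added illustration, not the Nested Pages plugin's own code and not from Wordfence: a hypothetical plugin settings page that shows how the two defects named above, a missing nonce check and an unsanitized `tab` parameter, combine into a request that a forged link can trigger, beside the hardened form a plugin author would ship. The `hypo_` function names, the nonce action name, the tab list and the `tabs/` directory are invented for the example; the WordPress functions it calls (`check_admin_referer`, `sanitize_key`, `wp_nonce_url`, `current_user_can` and so on) are real core API.

```php
<?php
// Added example, not the Nested Pages plugin's code. Hypothetical settings
// page showing the two defects named in the advisory and their fix.
defined( 'ABSPATH' ) || exit;

// --- Weak form: both defects present -------------------------------------
function hypo_settings_page_weak() {
    // No capability check and no nonce check: any request a logged-in admin's
    // browser can be made to send (a forged link) is accepted.
    $tab = $_GET['tab'] ?? 'general';
    // Unsanitized request value becomes part of a file path that is included,
    // which is how a missing sanitization turns into file inclusion.
    include plugin_dir_path( __FILE__ ) . 'tabs/' . $tab . '.php';
}

// --- Hardened form ---------------------------------------------------------
function hypo_settings_page() {
    // 1. Capability check: only users who may manage options reach the page.
    //    A nonce is not a substitute for this; it is checked separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), 403 );
    }

    // 2. Allowlist of tab names the plugin ships. The request value is only
    //    ever compared against this list, never used as a path on its own.
    $tabs = array( 'general', 'display', 'advanced' );
    $tab  = 'general';

    if ( isset( $_GET['tab'] ) ) {
        // 3. Nonce check ties the tab switch to this user and this action.
        //    check_admin_referer() reads '_wpnonce' from the request and
        //    stops with an error page when it is missing or stale, so a link
        //    forged on another site cannot drive this code.
        check_admin_referer( 'hypo_settings_tab' );

        // 4. Sanitize (lowercase letters, digits, '_' and '-' only) and then
        //    fall back to the default for anything outside the allowlist.
        $requested = sanitize_key( wp_unslash( $_GET['tab'] ) );
        if ( in_array( $requested, $tabs, true ) ) {
            $tab = $requested;
        }
    }

    // Render tab links carrying the nonce so legitimate navigation still works.
    foreach ( $tabs as $name ) {
        $url = wp_nonce_url(
            add_query_arg(
                array( 'page' => 'hypo-settings', 'tab' => $name ),
                admin_url( 'admin.php' )
            ),
            'hypo_settings_tab'
        );
        printf( '<a href="%s">%s</a> ', esc_url( $url ), esc_html( $name ) );
    }

    // $tab is now one of the allowlisted names, so the included path is
    // always one of the plugin's own files.
    include plugin_dir_path( __FILE__ ) . 'tabs/' . $tab . '.php';
}

add_action( 'admin_menu', function () {
    add_options_page( 'Hypo Settings', 'Hypo', 'manage_options', 'hypo-settings', 'hypo_settings_page' );
} );
```

Two points are worth separating when reviewing a settings page like this. The allowlist alone closes the file-inclusion problem, because no request data reaches the `include` path; the nonce closes the forgery problem, because a link built on another site cannot contain a nonce valid for the victim's session. The nonce is only demanded when a `tab` parameter is present so that the plain menu link (`admin.php?page=hypo-settings`) keeps working, and the capability check is kept regardless, since nonces prove intent, not authorization.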

This vulnerability affects all versions of the Nested Pages plugin up to and including version 3.2.7. The developers of the plugin released a security fix in version 3.2.8 and responsibly published the details of the security update in their changelog.

The official changelog documents the security fix:

“Security update addressing CSRF issue in plugin settings”

Read the advisory at Wordfence:

Nested Pages <= 3.2.7 – Cross-Site Request Forgery to Local File Inclusion

Read the advisory at the NVD:

CVE-2024-5943 Detail

Featured Image by Shutterstock/Dean Drobot

WordPress Takes Bite Out Of Plugin Attacks via @sejournal, @martinibuster

WordPress announced over the weekend that they were pausing plugin updates and initiating a force reset on plugin author passwords in order to prevent additional website compromises due to the ongoing Supply Chain Attack on WordPress plugins.

Supply Chain Attack

Hackers have been attacking plugins directly at the source using password credentials exposed in previous data breaches (unrelated to WordPress itself). The hackers are looking for compromised credentials used by plugin authors who use the same passwords across multiple websites (including passwords exposed in a previous data breach).

WordPress Takes Action To Block Attacks

Some plugins have already been compromised, but the WordPress community has rallied to clamp down on further plugin compromises by instituting a forced password reset and encouraging plugin authors to use two-factor authentication.

WordPress also temporarily blocked all new plugin updates at the source unless they received team approval in order to make sure that a plugin is not being updated with malicious backdoors. By Monday WordPress updated their post to confirm that plugin releases are no longer paused.

The WordPress announcement on the forced password reset:

“We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset.

You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.”

A discussion in the comments section between a WordPress community member and the author of the announcement revealed that WordPress did not directly contact plugin authors identified as using “recycled” passwords, because there was evidence that some users on the data breach list had credentials that were in fact safe (false positives). WordPress also discovered that some accounts assumed to be safe were in fact compromised (false negatives). That is what led to the current action of forcing password resets.

Francisco Torres of WordPress answered:

“You’re right that specifically reaching out to those individuals mentioning that their data has been found in data breaches will make them even more sensitive, but unfortunately as I’ve already mentioned that might be inaccurate for some users and there will be others that are missing. What we’ve done since the beginning of this issue is to individually notify those users that we’re certain have been compromised.”

Read the official WordPress announcement:

Password Reset Required for Plugin Authors

Featured Image by Shutterstock/Aleutie

WordPress Plugin Supply Chain Attacks Escalate via @sejournal, @martinibuster

WordPress plugins continue to be under attack by hackers using stolen credentials (from other data breaches) to gain direct access to plugin code. What makes these attacks of particular concern is that supply chain attacks can sneak in because the compromise appears to users as a normal plugin update.

Supply Chain Attack

In the most common kind of vulnerability, a flaw in the code allows an attacker to inject malicious code or launch some other kind of attack. In a supply chain attack, by contrast, the software itself or a component of that software (like a third-party script used within the software) is directly altered with malicious code. This creates a situation where the software itself is delivering the malicious files.

The United States Cybersecurity and Infrastructure Security Agency (CISA) defines a supply chain attack (PDF):

“A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.

Newly acquired software may be compromised from the outset, or a compromise may occur through other means like a patch or hotfix. In these cases, the compromise still occurs prior to the patch or hotfix entering the customer’s network. These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers.”

In this specific attack on WordPress plugins, the attackers use stolen password credentials to gain access to developer accounts that have direct access to plugin code. They then add malicious code to the plugins that creates administrator-level user accounts on every website that uses the compromised plugins.

Today, Wordfence announced that additional WordPress plugins have been identified as having been compromised. It may very well be the case that there will be more plugins that are or will be compromised. So it’s good to understand what is going on and to be proactive about protecting sites under your control.

More WordPress Plugins Attacked

Wordfence issued an advisory that more plugins were compromised, including a highly popular podcasting plugin called PowerPress Podcasting plugin by Blubrry.

These are the newly discovered compromised plugins announced by Wordfence:

  • WP Server Health Stats (wp-server-stats): 1.7.6
    Patched Version: 1.7.8
    10,000 active installations
  • Ad Invalid Click Protector (AICP) (ad-invalid-click-protector): 1.2.9
    Patched Version: 1.2.10
    30,000+ active installations
  • PowerPress Podcasting plugin by Blubrry (powerpress): 11.9.3 – 11.9.4
    Patched Version: 11.9.6
    40,000+ active installations
  • Latest Infection – Seo Optimized Images (seo-optimized-images): 2.1.2
    Patched Version: 2.1.4
    10,000+ active installations
  • Latest Infection – Pods – Custom Content Types and Fields (pods): 3.2.2
    Patched Version: No patched version needed currently.
    100,000+ active installations
  • Latest Infection – Twenty20 Image Before-After (twenty20): 1.6.2, 1.6.3, 1.5.4
    Patched Version: No patched version needed currently.
    20,000+ active installations

These are the first group of compromised plugins:

  • Social Warfare
  • Blaze Widget
  • Wrapper Link Element
  • Contact Form 7 Multi-Step Addon
  • Simply Show Hooks

More information about the WordPress Plugin Supply Chain Attack here.

What To Do If Using A Compromised Plugin

Some of the plugins have been updated to fix the problem, but not all of them. Regardless of whether the compromised plugin has been patched to remove the malicious code and the developer password updated, site owners should check their database to make sure there are no rogue admin accounts that have been added to the WordPress website.

The attack creates administrator accounts with the user names of “Options” or “PluginAuth” so those are the user names to watch for. However, it’s probably a good idea to look for any new admin level user accounts that are unrecognized in case the attack has evolved and the hackers are using different administrator accounts.
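As an added example (not code from Wordfence or WordPress.org), the PHP below turns the indicators in this section into a check a site owner can run: it lists the site's administrator accounts and flags any whose login matches the “Options” or “PluginAuth” names reported for this campaign, any login that is not on the owner's own allowlist, and any account registered after the start of the exposure window. It assumes WordPress is loaded (for instance by running it with `wp eval-file audit-admins.php`); the `siteowner` login and the June 21, 2024 start date are placeholders to be replaced per site.

```php
<?php
// Added example, not Wordfence's or WordPress.org's code. Audits the
// administrator accounts of a WordPress site for the indicators described
// in the text above. Run with WordPress loaded, e.g. `wp eval-file audit-admins.php`.

// Pure check over plain arrays so the logic can be exercised without WordPress.
// Each $admins entry: array( 'login' => string, 'registered' => 'Y-m-d H:i:s' ).
function flag_suspicious_admins( array $admins, array $expected_logins, string $since ) {
    $known_rogue = array( 'options', 'pluginauth' ); // names reported for this campaign
    $since_ts    = strtotime( $since );
    $flagged     = array();

    foreach ( $admins as $a ) {
        $reasons = array();
        if ( in_array( strtolower( $a['login'] ), $known_rogue, true ) ) {
            $reasons[] = 'matches a user name reported for this campaign';
        }
        if ( ! in_array( $a['login'], $expected_logins, true ) ) {
            $reasons[] = 'not on the site allowlist';
        }
        if ( strtotime( $a['registered'] ) >= $since_ts ) {
            $reasons[] = 'registered on or after ' . $since;
        }
        if ( $reasons ) {
            $flagged[ $a['login'] ] = $reasons;
        }
    }
    return $flagged;
}

// Wrapper that pulls live data through the WordPress API. get_users() with
// 'role' => 'administrator' returns WP_User objects; the registration stamp
// is stored in GMT, so compare against a GMT date.
function audit_site_admins( array $expected_logins, string $since ) {
    $admins = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $u ) {
        $admins[] = array(
            'login'      => $u->user_login,
            'registered' => $u->user_registered,
        );
    }
    return flag_suspicious_admins( $admins, $expected_logins, $since );
}

// Placeholder values (edit per site): the logins the owner expects to hold the
// administrator role, and the earliest injection date Wordfence reported.
$expected = array( 'siteowner' );
$since    = '2024-06-21 00:00:00';

foreach ( audit_site_admins( $expected, $since ) as $login => $reasons ) {
    echo $login . ': ' . implode( '; ', $reasons ) . PHP_EOL;
}
```

The script reports rather than deletes, so that each flagged account can be confirmed before removal (through the Users screen, or with `wp user delete <id> --reassign=<other-id>` so that any content the account owns is not lost). The role filter relies on the `wp_capabilities` user meta that a rogue account creation sets, so an account hidden under a different role would not appear here; reviewing the full user list and running the malware scan recommended by Wordfence still belong in the same incident checklist.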

Site owners who use the free or Pro version of the Wordfence WordPress security plugin are notified when a compromised plugin is discovered. Pro-level users of the plugin receive malware signatures for immediately detecting infected plugins.

The official Wordfence warning announcement about these new infected plugins advises:

“If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code.

Wordfence Premium, Care, and Response users, as well as paid Wordfence CLI users, have malware signatures to detect this malware. Wordfence free users will receive the same detection after a 30 day delay on July 25th, 2024. If you are running a malicious version of one of the plugins, you will be notified by the Wordfence Vulnerability Scanner that you have a vulnerability on your site and you should update the plugin where available or remove it as soon as possible.”

Read more:

WordPress Plugins Compromised At The Source – Supply Chain Attack

3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords

Featured Image by Shutterstock/Moksha Labs

WordPress Plugins Compromised At The Source via @sejournal, @martinibuster

WordPress.org and Wordfence have published warnings about hackers adding malicious code to plugins at the source, leading to widespread infections via updates.

Five Compromised Plugins… To Date

Typically, a plugin contains a weakness (a vulnerability) that allows an attacker to compromise individual sites that use that version of the plugin. These compromises are different because the plugins themselves don't contain a vulnerability. The attackers are injecting malicious code directly at the source of the plugin and forcing an update, which then spreads the code to all sites that use the plugin.

Wordfence first noticed one plugin that contained malicious code. When they uploaded the details to their database they then discovered four other plugins that were compromised with a similar kind of malicious code. Wordfence immediately notified WordPress about their findings.

Wordfence shared details of the affected plugins:

“Social Warfare 4.4.6.4 – 4.4.7.1
Patched Version: 4.4.7.3

Blaze Widget 2.2.5 – 2.5.2
Patched Version: None

Wrapper Link Element 1.0.2 – 1.0.3
Patched Version: It appears that someone removed the malicious code, however, the latest version is tagged as 1.0.0 which is lower than the infected versions. This means it may be difficult to update to the latest version, so we recommend removing the plugin until a properly tagged version is released.

Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5
Patched Version: None

Simply Show Hooks 1.2.1
Patched Version None”

WordPress shut down all five plugins directly at the official plugin repository and published a notification at each of the plugin pages that they are closed and unavailable.

Screenshot Of A Delisted WordPress Plugin

The infected plugins generate rogue admin accounts that phone home to a server. The attacked websites are altered with SEO spam links added to the footer. Sophisticated malware can be hard to catch because the hackers actively try to hide their code, for example by obfuscating it so that it looks like a string of numbers. Wordfence noted that this specific malware was not sophisticated and was easy to identify and track.

Wordfence made an observation about this curious quality of the malware:

“The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow. The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago.”

WordPress Issues Advisory On Compromised Plugins

The WordPress advisory states that attackers identified plugin developers that have “committer access” (meaning that they can commit code to the plugin) and then used credentials from other data breaches that matched those developers. The hackers used those credentials to directly access the plugin at the code level and inject their malicious code.

WordPress explained:

“On June 23 and 24, 2024, five WordPress.org user accounts were compromised by an attacker trying username and password combinations that had been previously compromised in data breaches on other websites. The attacker used access to these 5 accounts to issue malicious updates to 5 plugins those users had committer access to.

…The affected plugins have had security updates issued by the Plugins Team to protect user security.”

The fault of these compromises apparently lies with the plugin developer security practices. WordPress’ official announcement reminded plugin developers of best practices to use in order to prevent these kinds of compromises from happening.

How To Know If Your Site Is Compromised?

At this point in time there are only five plugins known to be compromised with this specific malicious code. Wordfence said that the hackers create admins with the user names of “Options” or “PluginAuth” so one way to double check if a site is compromised might be to look for any new admin accounts, especially ones with those user names.

Wordfence recommended that sites using any of the five affected plugins delete the rogue administrator-level user accounts, run a malware scan with the Wordfence plugin, and remove the malicious code.
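One way to carry out that check from the command line, as an added example that is not part of the Wordfence or WordPress.org advisories: the script below reads the administrator list in the CSV shape produced by WP-CLI’s `wp user list` and flags the two user names named above plus any administrator registered on or after the earliest injection date Wordfence reported. The sample CSV is constructed for illustration; on a real site the output of the `wp user list` command shown in the comments is piped in instead.

```shell
#!/bin/sh
# Added example (not from Wordfence or WordPress.org). Flags suspicious WordPress
# administrator accounts from CSV in the shape produced by:
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
# Assumes the fields contain no commas (WP-CLI quotes fields that do; adapt the parser if so).

SUSPECT_NAMES='Options PluginAuth'   # rogue admin names reported by Wordfence
EARLIEST_INJECTION='2024-06-21'      # earliest injection date in the Wordfence advisory

# flag_rogue_admins: reads the CSV on stdin and prints one line per suspicious admin:
#   <reason> <ID> <user_login> <registration date>
flag_rogue_admins() {
    awk -F, -v names="$SUSPECT_NAMES" -v since="$EARLIEST_INJECTION" '
        BEGIN { n = split(names, arr, " "); for (i = 1; i <= n; i++) known[arr[i]] = 1 }
        NR == 1 { next }                          # skip the CSV header row
        {
            id = $1; login = $2; registered = substr($4, 1, 10)   # keep YYYY-MM-DD only
            if (login in known)
                printf "known-rogue-name %s %s %s\n", id, login, registered
            else if (registered >= since)         # ISO dates sort correctly as strings
                printf "recent-admin %s %s %s\n", id, login, registered
        }'
}

# Constructed sample standing in for the WP-CLI output on an infected site.
SAMPLE_CSV='ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-02 10:15:00
7,Options,options@example.com,2024-06-24 03:12:41
8,PluginAuth,auth@example.com,2024-06-25 19:03:09
9,newdesigner,design@example.com,2024-06-30 08:00:00'

# flag_rogue_admins_sample: runs the check over the constructed sample.
flag_rogue_admins_sample() {
    printf '%s\n' "$SAMPLE_CSV" | flag_rogue_admins
}

# On a real site (requires WP-CLI), replace the sample with the live list:
# wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv | flag_rogue_admins
flag_rogue_admins_sample
```

Any account reported as `known-rogue-name` matches the names from the advisory; `recent-admin` lines are administrators created in the attack window and need a manual look before being kept.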

Someone in the comments asked whether they should be worried even if they don’t use any of the five plugins:

“Do you think we need to be worried about other plug-in updates? Or was this limited to these 5 plug-ins.”

Chloe Chamberland, the Threat Intelligence Lead at Wordfence responded:

“Hi Elizabeth, at this point it appears to be isolated to just those 5 plugins so I wouldn’t worry too much about other plugin updates. However, out of extra caution, I would recommend reviewing the change-sets of any plugin updates prior to updating them on any sites you run to make sure no malicious code is present.”

Two other commenters noted that they had at least one of the rogue admin accounts on sites that didn’t use any of the five known affected plugins. At this time it’s not known if any other plugins are affected.

Read Wordfence’s advisory and explanation of what is going on:

Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins

Read the official WordPress.org announcement:

Keeping Your Plugin Committer Accounts Secure

Featured Image by Shutterstock/Algonga

Getting your hosting into shape and why you need to update unsupported versions of PHP

In this post, we’ll explain why Yoast SEO and our add-ons warn people whose website runs on an older, unsupported version of PHP to upgrade their PHP version. We’re doing this mainly to improve the security and speed of those websites. To continue doing so, we will no longer support PHP versions 7.2 and 7.3 from November 1st, 2024. Read on to find out why.

PHP? Hosting? What does it all mean?

WordPress (like Yoast SEO) is built in large part in a programming language called PHP. Like WordPress itself, this language has gradually improved over time. Web developers worldwide are enjoying the features that newer versions of PHP have brought. Also, more importantly, everyone worldwide enjoys the increased security these new versions bring. Unfortunately, WordPress developers do not get to join in.

Right now, the minimum PHP version required for WordPress is 7.0, but they recommend using PHP version 7.4 or higher. Compared to WordPress, PHP has a rather aggressive update path. PHP 8.1 will receive security support for another year and a half, but anything older than that will not. As they mention on their website, any release older than that should be upgraded as soon as possible, as it may be exposed to unpatched security vulnerabilities.

Why do we care about this?

At Yoast we care about a lot of things, but two things in particular are important in this regard: user happiness and developer happiness. A user is happy when they have a fast, easy-to-install, secure content management system like WordPress to build a site in. A developer is happy when they can use a modern language and tooling to build software.

Security

The most important reason for us to want to increase the minimum requirement is security: older PHP versions, while still actively in use on millions of sites, no longer get security updates.

This security concern is not a theoretical concern. We have seen time and time again that the number one reason sites get hacked is because of outdated software. WordPress has automatic updates for security updates built-in for exactly this reason. Why would we push people to update WordPress and its plugins regularly, but let the PHP version fall behind?

Speed

Another big issue is speed. WordPress is sometimes said to be slow, but it doesn’t have to be slow at all. If it’s running on old versions of PHP, however, it most certainly is slow. This will lose you site visitors and it’s also an important factor in your SEO, so make sure to take this seriously.

Modern programming language

PHP 7.3, which was released in 2018, is no longer a modern language. This makes developers unhappy because they’re missing many great features that more recent programming languages have.

This can cause more developers to turn their back on WordPress because it’s moving too slowly. Developing themes or plugins for WordPress, where an old PHP version is required, is a hassle and thus not as much fun. Over time, losing developers can mean missing out on great contributions and other products moving faster, and WordPress will lose market share.

Enhancing performance and security

By supporting only PHP 7.4 and higher, Yoast SEO can implement more modern coding practices, which significantly improve your website’s performance. Faster, more efficient code not only boosts SEO but also contributes to a better user experience and reduces server load, thereby conserving energy.

The update also sets the stage for future developments, including our readiness for the upcoming PHP versions. Staying ahead of technology curves ensures that we can always offer the most up-to-date features without compromising on stability.

What is Yoast going to do?

As we said, the minimum PHP required for WordPress is PHP version 7.0 and they recommend using 7.4 or higher. Yoast will drop support for PHP versions 7.2 and 7.3 from November 2024. Our commitment to providing you with the best possible service means ensuring our software utilizes the most advanced and secure technology available. The phasing out of older PHP versions, much like our earlier updates, will allow us to leverage newer features that enhance plugin performance and site security.

As per WordPress’s official statistics, about 8% of WordPress installations still operate on PHP 7.2 and 7.3. Our data shows an even smaller percentage among our user base. We believe this transition will affect only a minimal number of users but is vital for maintaining high standards of quality and security.

Updating your PHP version

If you’re uncertain about how to upgrade your PHP version, don’t worry—we’ve got you covered. Visit our comprehensive guide on how to update your PHP, complete with resources for numerous hosting services. If your host is not listed, we’ll provide you with a template email to send to your hosting provider, requesting the update.

A huge thank you to all who have already upgraded their PHP versions in anticipation of this change. We are thrilled to journey with you towards a more secure, efficient, and robust web environment. Stay tuned for more updates as we will continue to enhance Yoast SEO to serve you better.


New Bluehost Agency Partner Program For WordPress Agencies via @sejournal, @martinibuster

Bluehost announced a partner program that’s expressly designed to support WordPress agencies and freelancers that service small-to-medium size businesses (SMBs). The program offers revenue generating opportunities in the form of commissions, exclusive discounts, priority customer service, and other benefits that will help agencies grow their client base and earn more revenue.

Focus On WordPress Websites

Bluehost is an active member of the WordPress community, which includes helping to develop the WordPress core itself by directly sponsoring six WordPress core contributors. Bluehost is well-positioned to offer agencies the products, community, service and revenue generating opportunities that align with the goals of WordPress-based development agencies and freelancers that service SMBs.

A key element of the Agency Partner Program is Bluehost Cloud, a managed WordPress hosting platform that provides a 100% uptime SLA. Bluehost managed WordPress Cloud is designed as a secure, high-performance solution, which makes it ideal for freelancers and agencies that depend on performant hosting.

Exclusive Benefits for Partner Agencies

Acceptance into the program grants agencies early access to Bluehost’s referral program (commissions), product discounts, learning webinars, access to priority customer support, and membership in an exclusive LinkedIn network.

According to the Bluehost announcement:

“By partnering with Bluehost, agencies can now provide their clients with the highest quality customer service, WordPress expertise and some of the most comprehensive hosting products, including Bluehost Cloud, Yoast SEO and eCommerce plug-ins.”

The Bluehost Agency Partner Program offers WordPress agencies and freelancers the resources to level up their service offerings, generate new revenue streams, and deliver superior results for their clients. It’s a win-win partnership that may be worth looking into.

Visit the Bluehost Partner Program page:

Early Applications: Introducing the Bluehost Agency Partner Program.

Read the official announcement here:

Bluehost Unlocks New Opportunities For WordPress Agencies

Featured Image by Shutterstock/Shift Drive