Jun 27 2024
WordPress Plugins Compromised At The Source via @sejournal, @martinibuster

WordPress.org and Wordfence have published warnings about hackers adding malicious code to plugins at the source, leading to widespread infections via updates.

Five Compromised Plugins… To Date

Typically what happens is that a plugin contains a weakness (a vulnerability) that allows an attacker to compromise individual sites that use that version of a plugin. But these compromises are different because the plugins themselves don’t contain a vulnerability. The attackers are directly injecting malicious code at directly at the source of the plugin, forcing an update which then spreads to all sites that use the plugin.

Wordfence first noticed one plugin that contained malicious code. When they uploaded the details to their database they then discovered four other plugins that were compromised with a similar kind of malicious code. Wordfence immediately notified WordPress about their findings.

Wordfence shared details of the affected plugins:

“Social Warfare 4.4.6.4 – 4.4.7.1
Patched Version: 4.4.7.3

Blaze Widget 2.2.5 – 2.5.2
Patched Version: None

Wrapper Link Element 1.0.2 – 1.0.3
Patched Version: It appears that someone removed the malicious code, however, the latest version is tagged as 1.0.0 which is lower than the infected versions. This means it may be difficult to update to the latest version, so we recommend removing the plugin until a properly tagged version is released.

Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5
Patched Version: None

Simply Show Hooks 1.2.1
Patched Version None”

WordPress shut down all five plugins directly at the official plugin repository and published a notification at each of the plugin pages that they are closed and unavailable.

Screenshot Of A Delisted WordPress Plugin

The infected plugins generate rogue admin accounts that phones home to a server. The attacked websites are altered with SEO spam links that are added to the footer. Sophisticated malware can be hard to catch because the hackers actively try to hide their code so that, for example, the code looks like a string of numbers, the malicious code is obfuscated. Wordfence noted that this specific malware was not sophisticated and was easy to identify and track.

Wordfence made an observation about this curious quality of the malware:

“The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow. The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago.”

WordPress Issues Advisory On Compromised Plugins

The WordPress advisory states that attackers are identifying plugin developers that have “committer access” (meaning that they can commit code to the plugin) and then in the next step they used credentials from other data breaches that match with those developers. The hackers use those credentials to directly access the plugin at the code level and inject their malicious code.

WordPress explained:

“On June 23 and 24, 2024, five WordPress.org user accounts were compromised by an attacker trying username and password combinations that had been previously compromised in data breaches on other websites. The attacker used access to these 5 accounts to issue malicious updates to 5 plugins those users had committer access to.

…The affected plugins have had security updates issued by the Plugins Team to protect user security.”

The fault of these compromises apparently lies with the plugin developer security practices. WordPress’ official announcement reminded plugin developers of best practices to use in order to prevent these kinds of compromises from happening.

How To Know If Your Site Is Compromised?

At this point in time there are only five plugins known to be compromised with this specific malicious code. Wordfence said that the hackers create admins with the user names of “Options” or “PluginAuth” so one way to double check if a site is compromised might be to look for any new admin accounts, especially ones with those user names.

Wordfence recommended that affected sites that use any of the five plugins to delete rogue administrator level user accounts and to run a malware scan with the Wordfence plugin and remove the malicious code.

Someone in the comments asked if they should be worried even if they don’t use any of the five plugins”

“Do you think we need to be worried about other plug-in updates? Or was this limited to these 5 plug-ins.”

Chloe Chamberland, the Threat Intelligence Lead at Wordfence responded:

“Hi Elizabeth, at this point it appears to be isolated to just those 5 plugins so I wouldn’t worry too much about other plugin updates. However, out of extra caution, I would recommend reviewing the change-sets of any plugin updates prior to updating them on any sites you run to make sure no malicious code is present.”

Two other commenters noted that they had at least one of the rogue admin accounts on sites that didn’t use any of the five known affected plugins. At this time it’s not known if any other plugins are affected.

Read Wordfence’s advisory and explanation of what is going on:

Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins

Read the official WordPress.org announcement:

Keeping Your Plugin Committer Accounts Secure

Featured Image by Shutterstock/Algonga

Ecommerce MGMT 0 Comments
seo enhancements
Jun 25 2024
Getting your hosting into shape and why you need to update unsupported versions of PHP

In this post, we’ll explain why Yoast SEO and our add-ons warn people whose website runs on an older, unsupported, version of PHP to upgrade their PHP version. We’re doing this mainly to improve the security and speed of those websites. To continue doing so, we will no longer support PHP versions 7.2 and 7.3 from November 1st, 2024. Read on to find out why.

PHP? Hosting? What does it all mean?

WordPress, (like Yoast SEO), is built in large part in a programming language called PHP. This language, as WordPress itself, has gradually improved over time. Web developers worldwide are enjoying the features that newer versions of PHP have brought. Also, more importantly, everyone worldwide enjoys the increased security these new versions bring. Unfortunately, WordPress developers do not get to join in.

Right now, the minimum PHP required for WordPress is PHP version 7.0. But they recommend using PHP version 7.4 or higher. Compared to WordPress, PHP has a rather aggressive update path. PHP 8.1 will receive security support for another year and a half, but anything older than that will not. As they mention on their website, any release older than that should be upgraded as soon as possible as they may be exposed to unpatched security vulnerabilities.

Why do we care about this?

At Yoast we care about a lot of things, but two things in particular are important in this regard: user happiness and developer happiness. A user is happy when they have a fast, easy-to-install, secure content management system like WordPress to build a site in. A developer is happy when they can use a modern language and tooling to build software.

Security

The most important reason for us to want to increase the minimum requirement is security: older PHP versions, while still actively in use on millions of sites, no longer get security updates.

This security concern is not a theoretical concern. We have seen time and time again that the number one reason sites get hacked is because of outdated software. WordPress has automatic updates for security updates built-in for exactly this reason. Why would we push people to update WordPress and its plugins regularly, but let the PHP version fall behind?

Speed

Another big issue is speed. WordPress is sometimes said to be slow, but it doesn’t have to be slow at all. If it’s running on old versions of PHP however it is, most certainly, slow. This will lose you site visitors and it’s also an important factor in your SEO, so make sure to take this seriously.

Modern programming language

PHP 7.3, which was released in 2018, is no longer a modern language. This makes developers unhappy because they’re missing many great features that a lot of the more recent programming languages have.

This can cause more developers to turn their back on WordPress because it’s moving too slowly. Developing themes or plugins for WordPress, where an old PHP version is required, is a hassle and thus not as much fun. Over time, losing developers can mean missing out on great contributions and other products moving faster, and WordPress will lose market share.

Enhancing performance and security

By supporting only PHP 7.4 and higher, Yoast SEO can implement more modern coding practices, which significantly improve your website’s performance. Faster, more efficient code not only boosts SEO but also contributes to a better user experience and reduces server load, thereby conserving energy.

The update also sets the stage for future developments, including our readiness for the upcoming PHP versions. Staying ahead of technology curves ensures that we can always offer the most up-to-date features without compromising on stability.

What is Yoast going to do?

As we said, the minimum PHP required for WordPress is PHP version 7.0 and they recommend using 7.4 or higher. Yoast will drop support for PHP versions 7.2 and 7.3 from November 2024. Our commitment to providing you with the best possible service means ensuring our software utilizes the most advanced and secure technology available. The phasing out of older PHP versions, much like our earlier updates, will allow us to leverage newer features that enhance plugin performance and site security.

As per WordPress’s official statistics, about 8% of WordPress installations still operate on PHP 7.2 and 7.3. Our data shows an even smaller percentage among our user base. We believe this transition will affect only a minimal number of users but is vital for maintaining high standards of quality and security.

Updating your PHP version

If you’re uncertain about how to upgrade your PHP version, don’t worry—we’ve got you covered. Visit our comprehensive guide on how to update your PHP, complete with resources for numerous hosting services. If your host is not listed, we’ll provide you with a template email to send to your hosting provider, requesting the update.

A huge thank you to all who have already upgraded their PHP versions in anticipation of this change. We are thrilled to journey with you towards a more secure, efficient, and robust web environment. Stay tuned for more updates as we will continue to enhance Yoast SEO to serve you better.

Enrico Battocchi

Enrico is the lead developer of the Plugin team at Yoast and the creator of the Yoast Duplicate Post plugin. He collaborates with other release leads to plan new features and bugfixes for all the Yoast plugins for WordPress.

Avatar of Enrico Battocchi

Coming up next!

Ecommerce MGMT 0 Comments
Jun 20 2024
New Bluehost Agency Partner Program For WordPress Agencies via @sejournal, @martinibuster

Bluehost announced a partner program that’s expressly designed to support WordPress agencies and freelancers that service small-to-medium size businesses (SMBs). The program offers revenue generating opportunities in the form of commissions, exclusive discounts, priority customer service, and other benefits that will help agencies grow their client base and earn more revenue.

Focus On WordPress Websites

Bluehost is an active member of the WordPress community, which includes helping to develop the WordPress core itself by directly sponsoring six WordPress core contributors. Bluehost is well-positioned to offer agencies the products, community, service and revenue generating opportunities that align with the goals of WordPress-based development agencies and freelancers that service SMBs.

A key element of the Agency Partner Program is Bluehost Cloud, a managed WordPress hosting platform that provides a 100% uptime SLA. Bluehost managed WordPress Cloud is designed as a secure high performance solution, which makes it ideal for freelancers and agencies that depend on performant hosting.

Exclusive Benefits for Partner Agencies

Acceptance into the program grants agencies early access to Bluehost’s referral program (commissions), product discounts, learning webinars, access to priority customer support, and membership in an exclusive LinkedIn network.

According to the Bluehost announcement:

“By partnering with Bluehost, agencies can now provide their clients with the highest quality customer service, WordPress expertise and some of the most comprehensive hosting products, including Bluehost Cloud, Yoast SEO and eCommerce plug-ins.”

The Bluehost Agency Partner Program offers the resources for WordPress agencies and freelancers to level up their service offerings, generate new revenue streams, and the resources to deliver superior results for their clients. It’s a win-win partnership that may be worth looking into.

Visit the Bluehost Partner Program page:

Early Applications: Introducing the Bluehost Agency Partner Program.

Read the official announcement here:

Bluehost Unlocks New Opportunities For WordPress Agencies

Featured Image by Shutterstock/Shift Drive

Ecommerce MGMT 0 Comments
Jun 12 2024
Vulnerabilities In WooCommerce And Dokan Pro Plugins via @sejournal, @martinibuster

WooCommerce published an advisory about an XSS vulnerability while Wordfence simultaneously advised about a critical vulnerability in a WooCommerce plugin named Dokan Pro. The advisory about Dokan Pro warned that a SQL Injection vulnerability allows unauthenticated attackers to extract sensitive information from a website database.

Dokan Pro WordPress Plugin

The Dokan Pro plugin allows user to transform their WooCommerce website into a multi-vendor marketplace similar to sites like Amazon and Etsy. It currently has over 50,000 installations Plugin versions up to and including 3.10.3 are vulnerable.

According to WordFence, version 3.11.0 represents the fully patched and safest version.

WordPress.org lists the current number of plugin installations of the lite version at over 50,000 and a total all-time number of installations of over 3 million. As of this moment only 30.6% of installations were using the most up to date version, 3.11 which may mean that 69.4% of all Dokan Pro plugins are vulnerable.

Screenshot Of Dokan Plugin Download Statistics

Changelog Doesn’t Show Vulnerability Patch

The changelog is what tells users of a plugin what’s contained in an update. Most plugin and theme makers will publish a clear notice that an update contains a vulnerability patch. According to Wordfence, the vulnerability affects versions up to and including version  3.10.3. But the changelog notation for version 3.10.4 that was released Apr 25, 2024 (which is supposed to be patched) does not show that there’s a patch. It’s possible that the publisher of Dokan Pro and Dokan Lite didn’t want to alert hackers to the critical vulnerability.

Screenshot Of Dokan Pro Changelog

CVSS Score 10

The Common Vulnerability Scoring System (CVSS) is an open standard for assigning a score that represents the severity of a vulnerability. The severity score is based on how exploitable it is, the impact of it, plus supplemental metrics such as safety and urgency which together add up to a total score from least severe (1) to the highest severity (10).

The Dokan Pro plugin received a CVSS score of 10, the highest level severity, which means that any users of the plugin are recommended to take immediate action.

Screenshot Of Dokan Pro Vulnerability Severity Score

Description Of Vulnerability

Dokan Pro was found to contain an Unauthenticated SQL Injection vulnerability. There are authenticated and unauthenticated vulnerabilities. Unauthenticated means that an attacker does not need to acquire user credentials in order to launch an attack. Between the two kinds of vulnerabilities, unauthenticated is the worst case scenario.

A WordPress SQL Injection vulnerability is one in which a plugin or theme allows an attacker to manipulate the database. The database is the heart of every WordPress website, where every password, login names, posts, themes and plugin data. A vulnerability that allows anyone to manipulate the database is considerably severe – this is really bad.

This is how Wordfence describes it:

“The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the ‘code’ parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.”

Recommended Action For Dokan Pro Users

Users of the Dokan Pro plugin are recommended to consider updating their sites as soon as possible. It’s always prudent to test updates before their uploaded live to a website. But due to the severity of this vulnerability, users should consider expediting this update.

WooCommerce published an advisory of a vulnerability that affects versions 8.8.0 and higher. The vulnerability is rated 5.4 which is a medium level threat, and only affects users who have the Order Attribute feature enabled activated. Nevertheless, WooCommerce “strongly” recommends users update as soon as possible to the most current version (as of this writing), WooCommerce 8.9.3.

WooCommerce Cross Site Scripting (XSS) Vulnerability

The type of vulnerability that affects WooCommerce is called Cross Site Scripting (XSS) which is a type of vulnerability that depends on a user (like a WooCommerce store admin) to click a link.

According to WooCommerce:

“This vulnerability could allow for cross-site scripting, a type of attack in which a bad actor manipulates a link to include malicious content (via code such as JavaScript) on a page. This could affect anyone who clicks on the link, including a customer, the merchant, or a store admin.

…We are not aware of any exploits of this vulnerability. The issue was originally found through Automattic’s proactive security research program with HackerOne. Our support teams have received no reports of it being exploited and our engineering team analyses did not reveal it had been exploited.”

Should Web Hosts Be More Proactive?

Web developer and search marketing expert Adam J. Humphreys, Of Making 8, inc. (LinkedIn profile), feels that web hosts should be more proactive about patching critical vulnerabilities, even though that may cause some sites to lose functionality if there’s a conflict with some other plugin or theme in use.

Adam observed:

“The deeper issue is the fact that WordPress remains without auto updates and a constant vulnerability which is the illusion their sites are safe. Most core updates are not performed by hosts and almost every single host doesn’t perform any plugin updates even if they do them until a core update is performed. Then there is the fact most premium plugin updates will often not perform automatically. Many of which contain critical security patches.”

I asked if he meant a push update, where an update is forced onto a website.

“Correct, many hosts will not perform updates until a WordPress core update. Softaculous engineers confirmed this for me. WPEngine which claims fully managed updates doesn’t do it on the frequency to patch in a timely fashion for said plugins. WordPress without ongoing management is a vulnerability and yet half of all websites are made with it. This is an oversight by WordPress that should be addressed, in my opinion.”

Read more at Wordfence:

Dokan Pro <= 3.10.3 – Unauthenticated SQL Injection

Read the official WooCommerce vulnerability documentation:

WooCommerce Updated to Address Cross-site Scripting Vulnerability

Featured Image by Shutterstock/New Africa

Ecommerce MGMT 0 Comments
Jun 7 2024
Bluehost Launches AI WordPress Website Creator via @sejournal, @martinibuster

Bluehost launched an AI Website Creator that enables users to quickly create professional websites, an evolution of the click and build website builder that makes it easy for anyone to create a WordPress website and benefit from the power and freedom of the open source community.

The importance of what this means for businesses and agencies cannot be overstated because it allows agencies to scale WordPress site creation and puts the ability to create professional WordPress sites within reach of virtually everyone.

Point And Click Website Creation

Bluehost offers an easy website building experience that provides the ease of point and click site creation with the freedom of a the WordPress open source content management system. The heart of this system is called WonderSuite.

WonderSuite is comprised of multiple components, such as a user interface that walks a user through the site creation process with a series of questions that are used as part of the site creation process. There is also a library of patterns, templates, and an easy to configure shopping cart, essentially all the building blocks for creating a site and doing business online quickly and easily.

The new AI Website Creator functionality is the newest addition to the WonderSuite site builder.

AI Website Builder

An AI website builder is the natural evolution of the point and click site creation process. Rather than moving a cursor around on a screen the new way to build a website is with an AI that acts as a designer that responds to what a user’s website needs are.

The AI asks questions and starts building the website using open source WordPress components and plugins. Fonts, professional color schemes, and plugins are all installed as needed, completely automatically. Users can also save custom generated options for future use which should be helpful for agencies that need to scale client website creation.

Ed Jay, President of Newfold Digital, the parent company of Bluehost, commented:

“Efficiency and ease are what WordPress entrepreneurs and professionals need and our team at Bluehost is dedicated to deliver these essentials to all WordPress users across the globe. With AI Website Creator, any user can rely on the Bluehost AI engine to create their personalized website in just minutes. After answering a few simple questions, our AI algorithm leverages our industry leading WordPress experience, features and technology, including all aspects of WonderSuite, to anticipate the website’s needs and ensure high quality outcomes.

The AI Website Creator presents users with multiple fully functional, tailored and customizable website options that provide a powerful but flexible path forward. It even generates images and content aligned with the user’s brief input, expediting the website off the ground and ready for launch.”

Future Of Website Creation

Bluehost’s innovative AI site creator represents the future of how businesses get online and how entrepreneurs who service clients can streamline site creation and scale their business with WordPress.

Read more about Bluehost’s new AI Website Creator:

WordPress made wonderful with AI

Featured Image by Shutterstock/Simple Line

Ecommerce MGMT 0 Comments
Jun 6 2024
Automattic For Agencies: A New Way To Monetize WordPress via @sejournal, @martinibuster

Automattic, the company behind WordPress.com, Jetpack, WooCommerce and more, have announced a new program to woo Agencies into their ecosystem of products with more ways to earn revenue.

This new program could be seen as putting Automattic into direct competition with closed source systems like Wix and Duda but there are clear differences between all three products and services.

Automattic For Agencies

Automattic for Agencies brings together multiple Automattic products into a single service with a dashboard for managing multiple client sites and billing. The program offers a unified locations for managing client sites as well as discounted pricing and revenue sharing opportunities. Aside from the benefits of streamlining the program also offers technical support across all of the Automattic products that are a part of the program. Lastly the program offers agencies managed security and performance improvements.

According to the announcement:

“We worry about site performance and security so you don’t have to. When you connect your sites to the Automattic for Agencies dashboard, you’ll receive instant notifications about updates and alerts, so your sites stay problem-free and your clients stay happy.”

Revenue Share And Discounts

Agencies can now earn a revenue share of the Automattic products used by clients. For example, agencies can earn a 50% revenue share on Jetpack product referrals, including renewals. As part of the program Jetpack also offers discounts on licenses, starting at 10% off for five licenses and to as high as 50% off for 100 licenses.

As part of the new program there are similar benefits for agencies that build or manage WooCommerce sites, with discounted agency pricing and a referral program

WordPress.com, the managed WordPress hosting subsidiary of Automattic, is offering a 20% revenue share on new subscriptions and a 50% share on migrations from other hosts.

A tweet from WordPress.com described the new program:

“Agencies, we’ve got some news for you!

Our new referral program is live, and as a referrer of http://WordPress.com’s services, your agency will receive a 20% revenue share on new subscriptions and 50% on new migrations to http://WordPress.com from other hosting providers.”

New Directory For Agencies

A forthcoming benefit of the Autommatic For Agencies program is a business directory that lists agencies that are a part of the program. The benefit of the directory is presumably that it may lead to business referrals to the agencies.

The Jetpack announcement describes the new directory:

“Gain heightened visibility through multiple directory listings across Automattic’s business units. This increased exposure creates more opportunities for potential clients to find and engage with your services, helping you grow your agency’s reach and reputation.”

The WooCommerce announcement describes the directory like this:

“Expand your reach
Increase your visibility with partner directory listings across multiple Automattic brands.”

Automattic Affiliate Program

The Automattic for Agencies announcement follows the rollout of a separate affiliate program which offers up to 100% referral bonus for affiliates who refer new hosting clients, with a limit of $300 payout per item, and up to 50% referral bonus for Jetpack plugin subscriptions. The program has a 30 day cookie conversion period which provides affiliates the opportunity to earn referral bonuses on any additional sales within a 30 day period.

Read more about the new program:

Live the Suite Life With Automattic For Agencies

Featured Image by Shutterstock/Volodymyr TVERDOKHLIB

Ecommerce MGMT 0 Comments
May 30 2024
WordPress Playground – A New Tool You Need To Try Right Now via @sejournal, @martinibuster

WordPress has been releasing innovative tools that helps users accomplish their goals and become more proficient users. One of the newest tools is called Playground, a tool that is designed to make a WordPress site instantly available for testing, learning and building.

Background On WordPress Playground

Playground is a tool that runs in your browser.

The official WordPress documentation for Playground suggests these uses:

  • Try a block, a theme, or a plugin
  • Build an entire site, save it, host it
  • Test your plugin with many specific WordPress and PHP versions
  • Embed a real, interactive WordPress site in your tutorial or course
  • Showcase a plugin or theme on your website
  • Build a native app running WordPress and put it in App Store
  • Preview pull requests from your repository

There is also a WordPress Plugin available, Playground By WordPress Contributors, that enables a user to clone their site to a private in-browser Playground version.

The WordPress plugin allows a user to create an exact website copy within a Playground instance, from which a user can do things like test a plugin or theme. Any changes made to the Playground instance do not affect the actual website. The cloned site is not uploaded to any cloud service, all the data remains private, residing within a user’s web browser, where it stays until the browser tab is closed.

Interview: Adam Zieliński, WordPress Playground Architect @ Automattic

I interviewed Adam Zieliński, the WordPress Playground Architect at Automattic, to learn more about what Playground is and how it can be useful for developers and regular users of WordPress.

The first thing I wanted to know is, what is Playground and why should anyone use it, what should people expect from it?

Adam Zieliński:

“Playground is WordPress in a single click. There are no tedious setup steps, webhosts account, or technical talk.

Playground is not the site at playground.wordpress.net. It is the groundbreaking technology that makes that site possible and also powers a new generation of interactive, single-click WordPress tools. There are interactive tutorials, QA (Quality Assurance) workflows, “try before you buy” previewers for plugins, collaboration tools, contribution workflows and so much more.

Here are two examples:

The site at playground.wordpress.net doubles as a QA tool – you can try the upcoming WordPress release, test your plugin or theme with five other plugins and then see how it performs on different WordPress and PHP versions. It proved useful for sourcing feedback during the WordPress 6.5 release cycle, the Font library call for testing, and more.

As a WordPress plugin, Playground can clone your existing WordPress site, including all content, plugins, and themes, inside a private Playground instance. This gives you a way of testing changes, new plugins, or updates before pushing them live and without needing a separate hosting.

The next example is a bit more technical but I’ll still go with it. Playground can be embedded on websites. There are companies out there showcasing a live version of their plugin or theme using a live WordPress Playground site embedded inside their actual site. That’s highly useful for their future customers – even if they have no clue about what Playground is.”

I followed up with a question asking how he would describe Playground to someone who uses WordPress but doesn’t dabble in the development part.

Adam Zieliński:

“Playground is a version of WordPress that runs directly on your device, not on a webhost. You can open Playground on your phone, turn off the internet, and continue using it.”

I next asked if it’s useful for migrating to a new template or testing plugin updates.

Adam Zieliński:

“Absolutely. You can clone your site using the Playground WordPress plugin and try the new template or the updated plugin there first without risking breaking your production site. That plugin also adds a “preview now” button to the plugins search in wp-admin so you can “try them on” before committing to installing one on your live site.”

Zieliński next recommended the following resources to view and read more about Playground:

WordPress Playground: the ultimate learning, testing, & teaching tool for WordPress

How to use WordPress Playground for interactive demos

How to start using WordPress Playground

Does Playground help regular WordPress users become familiar with developing sites themselves, is it a hands-on way to learn how to use WordPress?

Adam Zieliński:

“Playground makes a great learning tool. You can just hop on playground.wordpress.net and start exploring WordPress, whether that means creating your first post or installing fifteen plugins and building an entire site.

The experience is very self-guided today, which is useful in classes, workshops and meetups where an instructor can give you directions.

We’re also exploring an interactive and guided tutorials. Imagine visiting WordPress.org, clicking on, say, “I want to build my first WordPress site”, and getting clear directions and an interactive WordPress site to work on. That’s what we’re building towards.

And this doesn’t have to be a distant future. Anyone can start creating these interactive learning experiences today with the Playground Block – it’s a single-click way of embedding Playground in your WordPress content. You can play with that block right now if go to the plugin page and by click the Live Preview button. Oh, and that live preview? It’s also powered by WordPress Playground!”

Is Playground compatible with popular WordPress website builders?

Adam Zieliński:

“I haven’t tested Divi. Elementor mostly works, although there’s a technical issue in the onboarding flow that needs to be fixed in Elementor fix before it’s fully functional.”

Playground has a feature called Blueprints, configuration setting files. I asked Adam how he would describe Blueprints and how is it useful to users.

Adam Zieliński:

Blueprints are guidelines for Playground on how to create the WordPress site for you.

Blueprints are also like puzzle pieces. In fact, at WCEU 2024, you’ll build real WordPress sites with physical puzzle pieces. We’ve printed puzzle pieces representing site configuration steps like installing a plugin or changing the site name and attendees will be able to collect and scan them with an app that will load Playground with the configuration (Blueprint) they put together.

See also: What are Blueprints, and what can you do with them?

About the usefulness of Blueprints – there are two sides to that. You can either use a Playground site created based on an existing Blueprint, or you can create a new Blueprint.

If you just want to enjoy Playground-based tools, you don’t even need to know what Blueprints are. All you’ll experience is a button that opens a WordPress site preconfigured to do anything at all. It could help you test a theme, contribute a documentation page, or even build a slide deck and export it to PDF.

If you want to build new Blueprints, today you need to get your hands dirty and write some JSON code. Blueprints 101 and Technical Introduction to Playground will walk you through the steps and you can also preview the examples in the Blueprints Gallery. It’s worth noting we’re working on a visual tool where you’ll be able to just assemble these steps like puzzle pieces without any coding knowledge.”

Is this a way to create a site and then save or share the demo?

Adam Zieliński:

“Yes! Playground sites are temporary by default but there’s many ways to save and share them. On playground.wordpress.net there’s a settings button where you can tell Playground to save your site in your web browser. Once you do that and refresh the page, you’ll return right to your site. You can also synchronize the site with a directory on your computer and all the Playground changes will show up there. Then you can also export your site as a zip file or to GitHub.

There are two ways of sharing a site with others.

The first one, is to create a Blueprint – so write down all the step by step instructions for Playground to recreate that site. You could then include that Blueprint in a link and share it with the world.

Blueprints are powerful but not always convenient, so there’s also a second way. A Playground site can be exported as a zip file. You can host that zip file, for example on GitHub, and create a Playground link to load it.”

Someone from the WordPress developer community passed this question along:

“Site builders often have one or more “starter sites”, which seem to squarely line up with blueprints, though they usually include premium themes and plugins. Drupal has “Distributions,” which are basically pre-configured starter sites often with a niche focus.

Imagine a preconfigured install of core, a theme, a membership plugin, and payment setup (waiting for gateway API keys). If you want a membership site then just install this and start adding content. Or a preconfigured help desk system and so on.

So, I’m wondering if the vision is that Blueprints will provide something similar?”

Adam Zieliński:

“Blueprints enable just that. Live previews in the WordPress plugin directory are an example – every time you get an identical site pre-configured for a particular plugin. It always installs a fresh WordPress and the latest versions of all the co-existing plugins and themes. You can prepare a Blueprint for your particular setup and work with it in the browser, or you can also use the Playground CLI tool to work with these starter sites on your local computer. We’re building a PHP library to enable webhosts to support Blueprints – template sites may then become a common feature in the WordPress hosting landscape.”

WordPress Playground

A playground is a place that is designed for and encourages activities. That’s exactly what WordPress Playground is about. Anyone who uses WordPress should give Playground a try or at the very least become familiar with it because knowledge broadens perspectives, aids in problem solving, and makes one a more effective competitor and business person.

Featured Image by Shutterstock/Leszek Czerwonka

Ecommerce MGMT 0 Comments
May 29 2024
WordPress Releases Way To Build Sites On A Windows Desktop via @sejournal, @martinibuster

Last month WordPress released a way to create or test WordPress sites on the desktop but the app was limited to Apple Mac devices. This month WordPress announces that WordPress Studio is now available for Microsoft Windows.

According to WordPress, Microsoft Windows users account for over 25% of WordPress developers. But it’s possible that non-developers who use WordPress for their websites may account for many more people who use WordPress and would like to learn how to create with it.

WordPress Studio is an easy to use development platform that will help developers who use Microsoft Windows as well as non-developers who want to learn how to use WordPress without messing anything up on a live website.

The official WordPress announcement explained:

“We recently launched Studio, our free and open source local WordPress development environment, for MacOS, and we’re happy to share that the Windows version of Studio is now available!

As a reminder, we’ve built Studio to be the fastest and simplest way to build WordPress sites locally.”

Local WordPress Development

Local development is a way to work on a website from the desktop (local) as opposed to working on the site on a webhost. There are many reasons to work on a website locally, with convenience being at the top of the list. Working on a website directly on a desktop environment makes it unlikely for a mistake that could cause the site to go public and causing unintended ranking consequences for the actual site that’s live on the web, which is a second reason why local development is popular.

A third reason for local development is that it’s cheaper, faster and for those with less development skills, it’s generally easier than creating an online testing site for the purpose of testing new plugins to verify they won’t break a site or simply for creating a demo site for sharing with a client or a team.

Until now, the downside of local development is that many of the most popular local development platforms have a steep learning curve which is inconvenient for publishers and SMBs who don’t have the time to devote to learning yet another skill. I know about the learning curve because I’ve used a few local development platforms in the past.

WordPress Studio

WordPress has now released a solution to the problem of local WordPress development that’s specific to WordPress and makes it easier for WordPress users to test, develop and learn how to become more comfortable with WordPress. It’s easy to break a WordPress site and until now there was never an easy way to test WordPress plugins without additional expense or to just plain old learn how to use WordPress.

WordPress lists the following benefits:

  • Demo sites
    Forget Ngrok-like tunnels—share interactive snapshots of your local sites with clients or colleagues, powered by WordPress.com.
  • Superfast WordPress installation
    Regardless of how many sites you’re working on, you can create unlimited local sites in Studio.
  • Dependency-free building
    Build lightweight and reliable local WordPress sites, powered by WordPress Playground, without the hassle of Docker, NGINX, Apache, or MySQL.
  • One-click admin
    Spend less time wrangling passwords—open WP Admin for each site with just one click.
  • Open your site anywhere
    Develop your sites your way. Open your site’s code in your favorite IDE, CLI, or file browser to fit your workflow.
  • Built by the biggest contributor to WordPress core
    With 109 active contributors, we know WordPress inside and out.

Create And Share A Demo Site

One of the fantastic features of WordPress Studio is the ability to share your demo sites with others on your team or with clients, to get feedback and iteratively improve the website. A user first needs to create a WordPress.com account and connect the local Studio desktop app to the WordPress account. Users are able to host five demo sites for free on a temporary domain (WP.build). Free demo sites last for 7 days after the last update to the demo site so if you need it to stay longer just update the demo site.

All demo sites can be manually deleted from the hosted demo and also on the desktop.

Screenshot Of How To Delete A Website In Studio

Support For Exporting A Theme

The WordPress Studio local development environment has the functionality for exporting a theme. Users can create a theme on their desktop environment and then select to export the theme. The Studio app will export the theme as a zip file which can then be uploaded to a live site (or a staging environment) online.

Full instructions on how to use Studio is available on WordPress.com. Judging by the instructions, using Studio appears to be a lot easier to use compared to other local development solutions that in general are made to accommodate a wide range of websites, not just WordPress sites. The learning curve appears to be relatively gentle compared to other local development environments.

Read more about the Windows version of WordPress Studio:

Studio: Now Available for Windows

Download a Windows or Mac version of Studio, both versions are free:

Build Fast, Ship Faster with Studio

Ecommerce MGMT 0 Comments
May 28 2024
New WordPress Plugin Solves Site Navigation Problem via @sejournal, @martinibuster

Joost de Valk, the creator of Yoast SEO plugin, has created a new (and free) plugin for solving a site architecture problem that can silently diminish a website’s ability to rank.

Site Architecture

Site architecture is an important SEO factor because a well-organized website with clear navigation helps users quickly get to the content and products they’re looking for. Along the way it also helps Google find the most important pages and rank them.

The normal and common sense way to organize a website is by topic categories. While some newbie-SEOs believe that organizing a site by topic is an SEO strategy, it’s really just plain old common sense. Organizing a site by topic categories organizes a site in a way that makes it easy to drill-down and find specific things.

Tags: Contextual Site Navigation

Another way to organize a website is through contextual navigation. Contextual navigation is a way to offer a site visitor links to more webpages that are relevant to the webpage and to their interests in the moment. The way to provide a contextual link is through the concept of Tags. Tags are strongly relevant links to content that site visitors may find interesting.

For example, if someone is on a webpage about a new song by a pop star they may in that moment may be interested in reading more articles about that singer. A publisher can create a tag which links to a page that collects every article about that specific pop singer. Ordinarily it doesn’t make sense to create an entire category for hundreds of musical artists because that would defeat the purpose of a hierarchical site navigation (which is to make it easy to find content).

Tags solve the problem of making it easy to navigate to more content that one site visitor is specifically interested in at that moment. It’s contextually relevant navigation.

Too Many Good Things Isn’t Always Good

Creating a long-range plan for organizing a website can be undone by time as a website grows and trends wane. An artist that was trending several years ago may have dropped out of favor (as they often do) and people lose interest. But those tags remain, linking to content that isn’t important anymore, defeating the purpose of internal site navigation, which is to link to the most important content.

Joost de Valk researched a (very small) sample of WordPress sites and discovered that about two thirds of the websites contained overlapping tags, multiple tags linking to the same content while also generating thin content pages, which are webpages with little value.

A blog post sharing his findings noted:

“Tags are not used correctly in WordPress. Approximately two-thirds of WordPress websites using tags are using (way) too many tags. This has significant consequences for a site’s chances in the search engines – especially if the site is large. WordPress websites use too many tags, often forget to display them on their site, and the tag pages do not contain any unique content.”

The sample size was small and a reasonable argument can be made that his findings aren’t representative of most WordPress sites. But the fact remains that websites can be burdened by overlapping and outdated tags.

Here are the three main tag navigation problems that Joost identified:

1. Too Many Tags
He found that some publishers add a tag to an article with the expectation that they will add more articles to that tags when those articles are written which in many cases doesn’t happen, resulting in tags that link to just a few articles, sometimes only to one article.

2. Some Themes Are Missing The Tag Functionality
The next issue happens when websites upgrade to a new theme (or a new version of a theme) that doesn’t have the tag functionality. This creates orphaned tag pages, pages that site visitors can’t reach because the links to those tag pages are missing. But because those pages still exist the search engines will find them through the autogenerated XML sitemaps.

3. Tag Pages Can Become Thin Content
The third issue is that many publishers don’t take the time to add meaningful content to tag pages, they’re just pages of links with article excerpts that are also reproduced on category pages.

Use Fewer Tags

This is where Joost de Valk’s new WordPress plugin comes in handy. What it does is to automatically remove tags that aren’t linking to enough pages, which helps to normalize internal linking. This new plugin is called, The Fewer Tags WordPress Plugin. There’s a free version and a paid Pro version.

The free version of the plugin works automatically to remove all tag pages that contain less than ten posts, which can be adjusted to remove pages with five posts or less.

Added functionality of the Pro version allows greater control over tag management so that a publisher can merge tag pages, automatically create redirects or send a 404 Page Not Found server response.

These are the list of benefits for the Pro version:

  • “Merge & delete unneeded tag pages quickly & easily.
  • Creates redirects for removed tag pages on the fly, in your SEO plugin of choice.
  • Includes an online course in which Joost explains what you should do!
  • Fix a site’s tag issues long-term!
  • Uninstall the plugin when you’re done!”

Where To Download Fewer Tags Plugin

The free version of the plugin can be downloaded here:

Fewer Tags Free By Joost de Valk

Read more about the Pro version here.

Featured Image by Shutterstock/Simple Line

Ecommerce MGMT 0 Comments
May 22 2024
WP Rocket WordPress Plugin Now Optimizes LCP Core Web Vitals Metric via @sejournal, @martinibuster

WP Rocket, the WordPress page speed performance plugin, just announced the release of a new version that will help publishers optimize for Largest Contentful Paint (LCP), an important Core Web Vitals metric.

Large Contentful Paint (LCP)

LCP is a page speed metric that’s designed to show how fast it takes for a user to perceive that the page is loaded and read to be interacted with. This metric measures the time it takes for the main content elements has fully loaded. This gives an idea of how usable a webpage is. The faster the LCP the better the user experience will be.

WP Rocket 3.16

WP Rocket is a caching plugin that helps a site perform faster. The way page caching generally works is that the website will store frequently accessed webpages and resources so that when someone visits the page the website doesn’t have to fetch the data from the database, which takes time, but instead will serve the webpage from the cache. This is super important when a website has a lot of site visitors because that can use a lot of server resources to fetch and build the same website over and over for every visitor.

The lastest version of WP Rocket (3.16) now contains Automatic LCP optimization, which means that it will optimize the on-page elements from the main content so that they are served first thereby raising the LCP scores and providing a better user experience.

Because it’s automatic there’s really nothing to fiddle around with or fine tune.

According to WP Rocket:

  • Automatic LCP Optimization: Optimizes the Largest Contentful Paint, a critical metric for website speed, automatically enhancing overall PageSpeed scores.
  • Smart Management of Above-the-Fold Images: Automatically detects and prioritizes critical above-the-fold images, loading them immediately to improve user experience and performance metrics.

All new functionalities operate seamlessly in the background, requiring no direct intervention from the user. Upon installing or upgrading to WP Rocket 3.16, these optimizations are automatically enabled, though customization options remain accessible for those who prefer manual control.”

Read the official announcement:

WP Rocket 3.16: Improving LCP and PageSpeed Score Automatically

Featured Image by Shutterstock/ICONMAN66

Ecommerce MGMT 0 Comments