WordPress Releases Two Plugins For Speeding Up Webpages via @sejournal, @martinibuster

The WordPress Core Performance Team released two plugins that speed up webpages with new technologies: one pre-renders URLs before a user clicks on a link, the other speeds up the loading of lazy-loaded images.

WordPress Core Performance Team

The WordPress Core Performance Team is responsible for coordinating with the different WordPress core development teams on performance improvements, and for working on projects that directly improve core WordPress performance.

The initial plan for the Performance Team consisted of:

  • lead the working groups formation
  • coordinate the initial administrative tasks (slack channel, weekly meetings, schedule working groups representative nominations, etc.)
  • create a mission statement for the team
  • coordinate the areas to tackle
  • outline the scope and the roadmap

WordPress Performance Plugins

Some of the performance improvements to WordPress are first tested in plugins before they are subsequently integrated into a future version of WordPress.

Users who download the plugins are among the first to use and benefit from the webpage speed improvements, and it is expected (hoped) that those who use the plugins will also provide feedback on their experiences, both positive and negative.

The first and most popular plugin released by the Performance Team is the Performance Lab plugin that features five modules that can be turned on or off depending on user needs.

The current modules of the Performance Lab plugin are:

  • Dominant Color Images:
    Adds support to store the dominant color of newly uploaded images and create a placeholder background of that color.
  • WebP Support Health Check:
    Adds a WebP support check in Site Health status.
  • WebP Uploads:
    Creates WebP versions for new JPEG image uploads if supported by the server.
  • Enqueued Assets Health Check:
    Adds a CSS and JS resource check in Site Health status.
  • Autoloaded Options Health Check:
    Adds a check for autoloaded options in Site Health status.

Two New Performance Plugins

The two brand new plugins that were announced today are:

  1. Auto-sizes for Lazy-loaded Images
  2. Speculation Rules

The two plugins improve performance in two different ways, which means they can be used together to gain the most improvement.

New WordPress Auto-Sizes Plugin

Lazy-loading is a performance optimization technique that defers (pauses) the loading of non-critical images to improve page loading times. Images that are necessary for rendering the visible part of the webpage are loaded first while the ones that are not necessary are deferred until the user scrolls and the images are needed.

The plugin integrates a new HTML feature for lazy-loaded images, sizes="auto": it sets the "sizes" attribute to "auto" on lazy-loaded images that use "srcset", which speeds up the download of images that will be needed when the user scrolls down the page.

The sizes="auto" value for images is part of the responsive images specification in HTML, and the sizes attribute itself is not specific to lazy-loading. The sizes attribute is used together with srcset to tell the browser the dimensions at which the image will be displayed at different viewport sizes, so that the browser can select the most appropriate image source from the srcset.

New WordPress Speculation Rules Plugin

The Speculation Rules plugin leverages the Speculation Rules API in order to download the resources of webpages that a user is likely to request. The Speculation Rules plugin essentially predicts that a page will be requested and will begin pre-rendering the webpage before a user clicks a link.

The official plugin description explains:

“Uses the Speculation Rules API to prerender linked URLs upon hover by default.”

The Speculation Rules API is a feature designed to improve the performance of web browsing by allowing web pages to provide hints to the browser about potential links that a user might click to navigate to a different webpage. The browser can then prefetch or pre-render resources based on the likelihood of a site visitor clicking a link to navigate to a new webpage.

The Mozilla developer page for the Speculation Rules API explains:

“The Speculation Rules API is designed to improve performance for future navigations. It targets document URLs rather than specific resource files, and so makes sense for multi-page applications (MPAs) rather than single-page applications (SPAs).

The Speculation Rules API provides an alternative to the widely-available feature and is designed to supersede the Chrome-only deprecated feature. It provides many improvements over these technologies, along with a more expressive, configurable syntax for specifying which documents should be prefetched or prerendered.”

The plugin implementation requires at least Chrome 121. Visitors using a different browser that does not support the Speculation Rules API are not affected in any way; the webpage renders as it normally would.

According to the plugin documentation:

“By default, the plugin is configured to prerender WordPress frontend URLs when the user hovers over a relevant link. This can be customized via the “Speculation Rules” section under Settings > Reading.

A filter can be used to exclude certain URL paths from being eligible for prefetching and prerendering (see FAQ section). Alternatively, you can add the ‘no-prerender’ CSS class to any link ( tag) that should not be prerendered.”
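As an added illustration (not the Speculation Rules plugin's own code), the following PHP emits a speculation rules script of the kind the plugin documentation describes: prerender front-end links on hover ("moderate" eagerness), skip any link carrying the no-prerender class, and let a filter exclude URL paths. The filter name, function names and the default excluded paths are assumptions.

```php
<?php
// Added example, not the Speculation Rules plugin's own code. Emits a
// <script type="speculationrules"> block on front-end pages. Browsers that do
// not support the API ignore the unknown script type, as the article notes.

function example_speculation_rules(): array {
    // Site owners can add paths via this (assumed) filter. Paths with side
    // effects, such as logout or nonce-bearing action URLs, belong in this list:
    // a prerender is a real request, so it must never reach a state-changing URL.
    $excluded_paths = apply_filters(
        'example_prerender_excluded_paths',
        array( '/wp-admin/*', '/wp-login.php', '/*?*action=*' )
    );

    $conditions = array(
        // Same-origin document URLs only; URLPattern syntax.
        array( 'href_matches' => '/*' ),
        // Any link with the no-prerender class is excluded, as in the plugin docs.
        array( 'not' => array( 'selector_matches' => '.no-prerender' ) ),
    );
    foreach ( $excluded_paths as $path ) {
        $conditions[] = array( 'not' => array( 'href_matches' => $path ) );
    }

    return array(
        'prerender' => array(
            array(
                'source'    => 'document',
                'where'     => array( 'and' => $conditions ),
                // "moderate" eagerness means the browser acts on hover/pointerdown.
                'eagerness' => 'moderate',
            ),
        ),
    );
}

// Print the rules in the footer of front-end pages. wp_json_encode() is the
// WordPress JSON encoder; the output is a JSON object, not executable script.
function example_print_speculation_rules(): void {
    if ( is_admin() ) {
        return;
    }
    echo '<script type="speculationrules">'
        . wp_json_encode( example_speculation_rules() )
        . "</script>\n";
}
add_action( 'wp_footer', 'example_print_speculation_rules' );
```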

Read more about the new WordPress performance plugins and download them here:

WordPress Auto-sizes for Lazy-loaded Images Plugin

WordPress Speculation Rules Plugin

Featured Image by Shutterstock/Haali

WordPress File Manager Plugin Vulnerability Affects +1 Million Websites via @sejournal, @martinibuster

A significant security vulnerability has been identified and patched in the widely used File Manager plugin for WordPress, affecting over 1 million websites. The vulnerability is rated 8.1 out of 10 in severity and could potentially allow unauthenticated attackers to gain access to sensitive information including data contained in site backups.

Unauthenticated Attack Vulnerabilities

What makes this vulnerability a high concern is the fact that a hacker does not need login credentials in order to launch an attack, which is what is meant by the term unauthenticated.

In the context of a WordPress plugin vulnerability, this means an attacker can gain access to sensitive information without logging in or otherwise authenticating. This kind of attack exploits a security gap in the File Manager plugin that is classified as Use of Insufficiently Random Values.

The Common Weakness Enumeration security website describes this kind of vulnerability:

“The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

When product generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.”

This category of vulnerability is due to a weakness in the File Manager plugin’s backup filename generation algorithm. The algorithm combines a timestamp with a four-digit random number, but that amount of randomization is not enough to keep an attacker from successfully guessing the file names. As a consequence, attackers can gain access to backup files in configurations where there is no .htaccess file to block direct access.

Use of Insufficiently Random Values Vulnerability

The Use of Insufficiently Random Values vulnerability type describes a flaw in a plugin that relies on generating a random, unpredictable number for each backup file name in order to prevent attackers from guessing what the file name is. The plugin’s lack of sufficient randomization allows an attacker to figure out the file names and gain access to sensitive information.
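The following PHP, added here and not taken from the File Manager plugin, contrasts the naming pattern the article describes (timestamp plus a four-digit random number) with a name drawn from a cryptographically secure source, estimates how small the guessable space is, and adds a check a site owner can run over a backup directory. The file name format, function names and the 60-second window are assumptions.

```php
<?php
// Added example, not the File Manager plugin's code.

// Constructed stand-in for "timestamp + four-digit random number". The exact
// format the plugin used is an assumption here.
function weak_backup_filename( int $timestamp, int $four_digits ): string {
    return sprintf( 'backup_%d_%04d.zip', $timestamp, $four_digits );
}

// Rough size of the guessable space in bits. The timestamp is only uncertain
// within some window (a backup schedule, a timestamp visible elsewhere), and the
// suffix has 10^4 values. A 60-second window gives about 19.2 bits, which is
// far below anything considered unpredictable in a security context.
function weak_guess_space_bits( int $window_seconds ): float {
    return log( $window_seconds * 10000, 2 );
}

// Hardened name: 128 bits from the CSPRNG (random_bytes), unrelated to the clock.
function strong_backup_filename(): string {
    return 'backup_' . bin2hex( random_bytes( 16 ) ) . '.zip';
}

// Defender's check: flag files that follow the predictable pattern so they can
// be renamed or moved out of the web root.
function is_predictable_backup_name( string $name ): bool {
    return (bool) preg_match( '/^backup_\d{9,10}_\d{4}\.zip$/', $name );
}

function find_predictable_backups( string $backup_dir ): array {
    $flagged = array();
    foreach ( scandir( $backup_dir ) ?: array() as $entry ) {
        if ( is_predictable_backup_name( $entry ) ) {
            $flagged[] = $entry;
        }
    }
    return $flagged;
}

// The article notes the exposure exists only where no .htaccess blocks direct
// access; writing a deny rule into the backup directory is the second layer.
function write_backup_htaccess( string $backup_dir ): bool {
    $rules = "Require all denied\n"; // Apache 2.4 syntax
    return file_put_contents( rtrim( $backup_dir, '/' ) . '/.htaccess', $rules ) !== false;
}

// Demonstration on constructed values.
$ts = time();
echo weak_backup_filename( $ts, random_int( 0, 9999 ) ), "\n";
printf( "guessable space with a 60 s window: %.1f bits\n", weak_guess_space_bits( 60 ) );
echo strong_backup_filename(), "\n";
```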

Vulnerable Versions Of The Plugin

The security vulnerability is found in all versions up to and including 7.2.1 and was patched in the latest update of the plugin, with the release of version 7.2.2.

The update, as noted in the File Manager WordPress Plugin Changelog Documentation, includes a fix for the security issue. Users of the plugin are strongly advised to update to this latest version to protect their websites from potential exploits.

Read the Wordfence advisory for more information:

File Manager <= 7.2.1 – Sensitive Information Exposure via Backup Filenames

Featured Image by Shutterstock/Perfect_kebab

ACF WordPress Plugin Vulnerability Affects Up To 2+ Million Sites via @sejournal, @martinibuster

The Advanced Custom Fields (ACF) WordPress plugin, which has over 2 million installations, announced the release of a security update, version 6.2.5, that patches a vulnerability. The severity of the vulnerability is not known, and only limited details about it were released.

While it’s not known what kind of exploits are possible or the extent of the damage an attacker could cause, ACF did advise that the vulnerability requires contributor-level access or higher, which to a certain extent makes it more difficult to launch an attack.

ACF 6.2.5 May Introduce Breaking Changes

The security release announcement warned that the changes introduced by the update patch had the potential to cause websites to break and offered instructions on how to debug the changes.

The version 6.2.5 update introduces a significant change in how the ACF shortcode processes and outputs potentially unsafe HTML content. The output is now escaped, a security process that prevents unwanted HTML, such as malicious scripts or malformed markup, from being rendered as live HTML.

However, this change, while enhancing security, might disrupt sites using the shortcode for rendering complex HTML elements like scripts or iframes.

Tags with a potential for misuse, such as

Complianz WordPress GDPR Compliance Plugin Vulnerability via @sejournal, @martinibuster

A popular WordPress plugin for privacy compliance with over 800,000 installations recently patched a stored XSS vulnerability that could allow an attacker to upload malicious scripts for launching attacks against site visitors.

Complianz | GDPR/CCPA Cookie Consent WordPress Plugin

The Complianz plugin for WordPress is a powerful tool that helps website owners comply with privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The plugin manages multiple facets of user privacy including blocking third-party cookies, managing cookie consent (including per subregion), and managing multiple aspects related to cookie banners.

Its versatility and usefulness may account for the popularity of the tool, which currently has over 800,000 installations.

Complianz Plugin Stored XSS Vulnerability

The Complianz WordPress plugin was discovered to have a stored XSS vulnerability which is a type of vulnerability that allows a user to upload a malicious script directly to the website server. Unlike a reflected XSS that requires a website user to click a link, a stored XSS involves a malicious script stored and served from the target website’s server.

The vulnerability is in the Complianz admin settings and takes the form of two missing security measures.

1. Input Sanitization
The plugin lacked sufficient input sanitization and output escaping. Input sanitization is a standard process for checking what is entered into a website, for example into a form field, to make sure the input is what was expected, such as plain text rather than a script.

The official WordPress developer guide describes data sanitization as:

“Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when “more specific” isn’t possible, sanitization is the next best thing.”

2. Escaping Output
The plugin also lacked output escaping, which is a security process that neutralizes unwanted data before it is rendered for a user.
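As an added example (not Complianz's or ACF's code), the PHP below shows a settings field stored without sanitization and echoed without escaping, the two gaps named above, next to the corrected handling, and closes with the limited-HTML case the ACF shortcode change addresses. Option, function and shortcode names are assumptions.

```php
<?php
// Added example, not Complianz's or ACF's code.

// Vulnerable pattern: the raw request value is stored and the raw option is
// echoed. On multisite, or where unfiltered_html is disabled, even an
// administrator is not supposed to be able to store script tags, so this is a
// stored XSS gap rather than accepted behaviour.
function example_save_banner_text_vulnerable(): void {
    update_option( 'example_banner_text', $_POST['banner_text'] ?? '' );
}
function example_render_banner_vulnerable(): string {
    return '<div class="banner">' . get_option( 'example_banner_text', '' ) . '</div>';
}

// Fixed: authorize, sanitize on input (tags and line breaks stripped), escape on output.
function example_save_banner_text_fixed(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $raw  = wp_unslash( $_POST['banner_text'] ?? '' );
    $text = sanitize_text_field( $raw );   // "<script>" becomes plain text, not markup
    update_option( 'example_banner_text', $text );
}
function example_render_banner_fixed(): string {
    // esc_html() encodes <, >, & and quotes so stored data cannot become markup.
    return '<div class="banner">' . esc_html( get_option( 'example_banner_text', '' ) ) . '</div>';
}

// Where limited HTML is genuinely needed (the ACF shortcode case), filter the
// stored markup through the post-safe tag list instead of echoing it raw:
// script and iframe elements are dropped, formatting tags survive.
function example_rich_shortcode( $atts ): string {
    return wp_kses_post( get_option( 'example_rich_html', '' ) );
}
add_shortcode( 'example_rich', 'example_rich_shortcode' );
```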

How Serious Is The Vulnerability?

The vulnerability requires the attacker to have administrator-level permissions or higher in order to execute the attack. That may be the reason why this vulnerability is scored 4.4 out of 10, with ten representing the highest severity.

The vulnerability only affects specific kinds of installations, too.

According to Wordfence:

“This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This only affects multi-site installations and installations where unfiltered_html has been disabled.”

Update To Latest Version

The vulnerability affects Complianz versions equal to or less than version 6.5.5. Users are encouraged to update to version 6.5.6 or higher.

Read the Wordfence advisory about the vulnerability:

Complianz | GDPR/CCPA Cookie Consent <= 6.5.5 – Authenticated(Administrator+) Stored Cross-site Scripting via settings

WordPress Google Fonts Plugin Vulnerability Affects Up To +300,000 Users via @sejournal, @martinibuster

A vulnerability rated as High was recently patched in a Google Fonts optimization plugin for WordPress, allowing attackers to delete entire directories and upload malicious scripts.

OMGF | GDPR/DSGVO Compliant WordPress Plugin

The plugin, OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy., optimizes the use of Google Fonts to reduce page speed impact and is also GDPR compliant, making it valuable for users in the European Union looking to implement Google Fonts.

Screenshot of Wordfence Vulnerability Rating

Vulnerability

The vulnerability is particularly concerning because it allows unauthenticated attackers. “Unauthenticated” means that an attacker doesn’t need to be registered on the website or have any level of credentials.

The vulnerability is described as enabling unauthenticated directory deletion and allowing the upload of Cross-Site Scripting (XSS) payloads.

Cross-Site Scripting (XSS) is a type of attack where a malicious script is uploaded to a website server, which can then be used to remotely attack the browsers of any visitors. This can result in accessing a user’s cookies or session information, enabling the attacker to assume the privilege level of that user visiting the site.

The cause of the vulnerability, as identified by Wordfence researchers, is a lack of a capability check – a security feature that checks whether a user has access to a specific feature of a plugin, in this case, an admin-level feature.

An official WordPress developer page for plugin makers says this about capability checking:

“User capabilities are the specific permissions that you assign to each user or to a User role.

For example, Administrators have the “manage_options” capability which allows them to view, edit and save options for the website. Editors on the other hand lack this capability which will prevent them from interacting with options.

These capabilities are then checked at various points within the Admin. Depending on the capabilities assigned to a role; menus, functionality, and other aspects of the WordPress experience may be added or removed.

As you build a plugin, make sure to run your code only when the current user has the necessary capabilities.”

Wordfence describes the cause of the vulnerability:

“…is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9.”

Wordfence also states that previous updates attempted to close the security gap but considers version 5.7.10 to be the most secure version of the plugin.
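As an added example (not OMGF's code), the PHP below shows an admin_init settings handler with the missing capability check the advisory describes, followed by the guarded version. Function and option names are assumptions.

```php
<?php
// Added example, not OMGF's code.

// Vulnerable: admin_init also fires for admin-ajax.php and admin-post.php,
// which unauthenticated visitors can reach. Without a capability check, any
// request carrying the expected fields rewrites the settings, which is why the
// advisory describes the issue as unauthenticated.
function example_update_settings_vulnerable(): void {
    if ( ! isset( $_POST['example_settings'] ) ) {
        return;
    }
    update_option( 'example_settings', $_POST['example_settings'] );
}
add_action( 'admin_init', 'example_update_settings_vulnerable' );

// Fixed: require the capability first, then verify the nonce, then sanitize
// each field before it is stored. Unauthenticated requests stop at the first gate.
function example_update_settings_fixed(): void {
    if ( ! isset( $_POST['example_settings'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'example_update_settings' ); // dies on a bad or missing nonce
    $clean = example_sanitize_settings( (array) wp_unslash( $_POST['example_settings'] ) );
    update_option( 'example_settings', $clean );
}

// Allow-list the fields; anything not named here is discarded. The path field
// is confined to a relative name so it cannot point at an arbitrary directory.
function example_sanitize_settings( array $input ): array {
    $path = sanitize_file_name( (string) ( $input['cache_dir'] ?? '' ) );
    return array(
        'cache_dir' => $path,
        'enabled'   => ! empty( $input['enabled'] ),
    );
}
```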

Read the Wordfence vulnerability warning:

OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 – Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting

WordPress Migration Guides Undermining Divi, Elementor And Wix? via @sejournal, @martinibuster

WordPress is creating guides and tools to help publishers migrate to its block-based editor, Gutenberg, and away from commercial WordPress page builders and private, closed-source content management systems like Wix.

While it’s understandable that WordPress might want to help publishers and businesses migrate away from Wix, some perceive it as a somewhat controversial move to create a guide to undermine software publishers who are a part of the WordPress ecosystem itself.

WordPress Page Builders

The mission of WordPress has always been to make it easy for publishers and business people to create beautiful websites. But that goal has eluded WordPress for years.

Software developers like Elegant Themes (makers of the Divi page builder) and Elementor created point-and-click solutions that enabled users to visually build webpage templates, making the creation of webpages as simple as drawing.

Page builders enabled users to drag and drop text boxes, forms and images in order to create the site visually. These elements can be moved around a page, resized and colored with just a few mouse clicks within an easy to use intuitive interface.

Then WordPress released their Gutenberg Full Site Editor that essentially replicated the visual block-based page builder experience.

Users continued using page builders because Gutenberg initially fell short of the more polished user interfaces of commercial page builders.

But it was only a matter of time before WordPress caught up and that day is just about here as WordPress continues to iteratively make Gutenberg increasingly easy to use.

That’s created an impression with developers that commercial page builders like Divi and Elementor will eventually lose their relevance in the WordPress ecosystem once Gutenberg reaches parity with them.

WordPress appears to be hastening the end of page builders by creating guides and tools that help users migrate away from commercial page builders, so that they can more easily transition to the Gutenberg full site editor.

Data Liberation Project

WordPress is developing a series of guides and tools to help users migrate to the now mature Gutenberg site builder. It’s not perfect but it’s functional and relatively easy to use.

The future of creating webpages appears to increasingly resemble one in which Gutenberg becomes the default method and the new Data Liberation project seeks to make that day come sooner.

WordPress describes the project:

“This project imagines a more open web where users can seamlessly switch between platforms of their choosing, eradicating the concept of being locked into a system and keeping openness at the forefront.

Moving to and within WordPress should be a one-click easy process as much as possible whether moving from social networks, moving from a page builder to core blocks, or shifting from the classic editor to the block editor.

Rather than each person or organization needing to figure out a migration pathway, the WordPress community is coming together to provide scripts, plugins, and guides for us all to use to bring folks to WordPress.”

A post by the admin of the Dynamic WordPress Facebook Group offered this opinion:

“The “data-liberation” initiative is apparently preparing guides on how to move from various page builders to core Gutenberg.

If Elementor wrote a guide on how to move from core Gutenberg to Elementor, people would likely call foul.”

Some of the members of the group did not see this as problematic and welcomed the migration guides as something useful.

The official WordPress Data Liberation page contains the following guides:

  • Squarespace to WordPress
  • Tumblr to WordPress
  • HTML to WordPress
  • RSS to WordPress
  • Wix to WordPress
  • Drupal to WordPress
  • Blogger to WordPress
  • WordPress Site to Another WordPress Site

The official GitHub page for the guides contains the following migration tools:

  • Figma to Blocks
  • Divi to Blocks
  • Classic Editor to Blocks

The official GitHub page contains the following additional migration guides currently under development:

  • avada-to-core-blocks.md
  • contentful-to-wordpress.md
  • divi-to-core-blocks.md
  • elementor-to-core-blocks.md
  • kadence-to-core-blocks.md
  • wpbakery-to-core-blocks.md

Is it right for WordPress to make it easier for users to migrate away from commercial page builders? In some sense it’s always seemed to be inevitable that Gutenberg would challenge and eventually replace commercial solutions.

Page builders have not done much to innovate beyond the simple drag and drop innovation. But some builders like Breakdance continue to publish useful tools for developers to create beautiful and fast performing websites.

Featured Image by Shutterstock/alekseiveprev

What is a slug and how to optimize it?

When we talk about SEO for WordPress, we often talk about creating the right slug for a page. Of course, we’re not talking about the slimy creature that eats your plants. So, what is this ‘slug’ then? And why should you optimize it? In this post, we’ll explain all you need to know about it.

Having an orange or red traffic light for the ‘keyphrase in slug’ check in Yoast SEO? Here’s what that check does and how to turn that light green.


What is a slug?

A slug is the part of a URL that identifies a particular page on a website in an easy-to-read form. In other words, it’s the part of the URL that explains the page’s content.

For this article, for example, the URL is https://yoast.com/slug, and the slug simply is ‘slug’.

How to edit a URL slug

In WordPress, the slug is the part of your URL that you can edit when writing or editing a post. Editing it in WordPress looks like this:

Note that this only works with the right permalink settings. You can edit the permalink settings in WordPress through Settings > Permalinks. We recommend choosing an option in which the URL contains relevant words, as this provides users and search engines with more information about the page than an ID or parameter would.

The WordPress Permalink Settings controls

Note: don’t just change your permalink settings once your site is already online. This could cause all kinds of trouble.

There are two ways to edit a slug in Shopify: you can either use Shopify’s ‘Search engine listing preview’ function, or you can use the Google Preview tool in Yoast SEO for Shopify instead.

To edit a slug using the built-in Shopify function, you’ll first need to click on ‘Edit website SEO’ to open the Search engine listing preview options. From there, you can easily adjust your slug as necessary. Note: Shopify calls the slug the ‘handle’ instead, but it’s exactly the same thing!

Search engine listing preview in Yoast

Alternatively, if you’re editing your Shopify page with Yoast SEO, all you need to do is open the Google preview in the Yoast SEO sidebar and you’ll see a field to enter a new slug:

Enter new slug in URL preview

Why are URL slugs important for SEO?

Writing a good slug for your page or post can positively affect your SEO. It allows you to do the following things:

1. Include your keyword

Why? Because the slug is one of the indicators Google uses to determine what a page is about. So change your slug, and make sure that it includes words you really want to rank for.

2. Create user-friendly URL slugs

Picture a results page: you’ll see many different URLs about a certain topic, right? So you need to make sure your slug is in line with what people expect to see.

For example, our main article on WordPress SEO has the URL yoast.com/wordpress-seo, which is very on point. People are a lot more likely to click on that, than on yoast.com/?p=607, even though that’s the URL that WordPress creates by default.

Find out more about creating SEO-friendly URLs »

What does the keyphrase in slug assessment in Yoast SEO do?

Your article or page should have an easy-to-remember, focused and SEO-friendly URL. That’s why, to improve your URL, the Yoast SEO plugin checks how you’ve fitted in your main focus keyphrase and makes suggestions to improve it.

A screenshot of the Yoast SEO analysis with the Keyphrase in slug assessment

How to optimize your slug in WordPress

What do you need to think of when crafting the right slug for your post or page? Let’s go over the six steps of optimizing it in WordPress:

  1. Include your focus keyphrase

    This is probably a no-brainer, but your focus keyphrase should always be in the slug. This will immediately make it clear to your audience what your page is about.

    If your keyphrase isn’t in the slug, the SEO analysis in the Yoast plugin will show you this message:

    A screenshot of the keyphrase assessment with an orange bullet

  2. Think about function words

    The slug that’s generated by default may include function words like “a”, “the” and “and”. In some cases, you might need those to clarify what your page is about. Usually, however, you can leave them out.

    You can read more about this in our WordPress SEO article.

  3. Add focus

    You shouldn’t just filter out any unnecessary function words, but every word you don’t need. In the case of this post, WordPress automatically created the slug “what-is-a-slug-and-how-to-optimize-it” (based upon the permalink settings in WordPress). That’s quite long, so we manually reduced it to “slug”. However, you should make sure your slug still makes sense!

    And remember: You can use a slug only once, so use it for the right page. For example, if we want to write another (but different) post about slugs in the future, then we can’t (re)use this slug.

  4. Keep it short and descriptive

    As we’ve said before, the URL of your page is sometimes shown in Google search results, and may therefore influence whether your audience decides to click your snippet. You don’t have a lot of room to play with, so think carefully about the specific words you want to include.

    In addition, be careful with adding dates and such to your URL. These instantly tell your audience when your content was originally published.

  5. Use lowercase letters only

    Try to use only lowercase letters in your slug. If you don’t, in some cases, you might accidentally create duplicate content by mixing uppercase and lowercase letters.

  6. Remember that URL slugs should be permanent

    Changing URLs can be bad for SEO, and bad for users – even if you use a redirect manager to make sure that people get to the right place. So when you’re choosing your slug, make sure it’s still going to make sense years from now.


WordPress Shares Core Web Vitals In 2023 And Impact On Web via @sejournal, @kristileilani

In 2023, the WordPress community witnessed a significant milestone in website performance, with Core Web Vitals (CWV) showing significant improvements for both mobile and desktop users.

This article delves into the specifics of these improvements, exploring their implications and the evolving landscape of web performance within the WordPress ecosystem.

What Are Core Web Vitals?

Core Web Vitals are a set of specific metrics designed to measure the quality of user experience on web pages. This set of metrics is also a confirmed ranking factor for Google Search.

As part of Google’s broader Web Vitals initiative, the metrics focus on loading performance, interactivity, and visual stability. They apply to all web pages and are important for site owners to measure and optimize.

There are three key metrics within CWV:

  • Largest Contentful Paint (LCP) evaluates loading performance. A good user experience is indicated when the LCP occurs within 2.5 seconds of when the page starts loading.
  • First Input Delay (FID) measures the interactivity of a page. For a good user experience, the FID should be 100 milliseconds or less.
  • Cumulative Layout Shift (CLS) assesses the visual stability of a page. A good user experience is maintained if the page has a CLS of 0.1 or less.

These metrics are designed to be measurable in real-world scenarios, reflecting critical aspects of user experience.

In addition to these, there are other vital metrics:

  • Time to First Byte (TTFB) and First Contentful Paint (FCP) are key aspects of the loading experience and help diagnose issues with LCP.
  • Total Blocking Time (TBT) is important for diagnosing potential interactivity issues impacting FID.

While important, they are not part of the Core Web Vitals set because they are either not field-measurable or do not directly reflect a user-centric outcome.

WordPress Core Web Vitals Improve In 2023

WordPress CWV improved substantially in 2023.

Screenshot from WordPress, December 2023

The mobile CWV passing rate has increased by 8.13%, rising from 28.31% to 36.44%.

Similarly, the desktop CWV passing rate improved by 8.25%, moving from 32.55% to 40.80%.

This improvement is significant, considering the base values from which these percentages increased.

In relative terms, the new passing rates are approximately 29% higher than the previous ones on mobile and 25% higher on desktop.

This progress outstrips the improvements made in the previous year, where mobile CWV improved by 6.99% and desktop by 6.25%.

A line chart illustrates the gradual improvement of WordPress’s mobile CWV passing rate over the year, with a slight dip between March and April 2023 due to a change in the Largest Contentful Paint (LCP) algorithm calculation.

CWV Metrics For Mobile

The improvement in individual CWV metrics on mobile platforms is noteworthy.

Screenshot from WordPress, December 2023

The mobile LCP passing rate rose by 8.89%, the CLS passing rate by 4.22%, and the FID passing rate by 0.87%.

LCP experienced the largest increase, aligning with the WordPress performance team’s focus on this metric, considering it had the lowest base passing rate.

Despite a modest increase in FID, its already high passing rate makes this less concerning.

The TTFB rate, while not a Core Web Vital metric, is integral to LCP and received attention in 2023.

Screenshot from WordPress, December 2023

The mobile TTFB passing rate improved by 3.10%, and the desktop rate by 3.53%.

Impact Of WordPress 2023 Releases

The release of WordPress versions 6.2, 6.3, and 6.4 focused on improvements in load time performance, particularly impacting LCP and TTFB metrics.

For each version, data was compiled comparing sites before and after updating to the new version.

This approach, though not a strict A/B comparison, helped reduce noise and provide clearer insights.

For instance, the release of WordPress 6.2 showed a 0.01% improvement in mobile LCP and 0.65% in mobile TTFB.

Screenshot from WordPress, December 2023

Version 6.3 brought more significant improvements, with a 4.72% increase in mobile LCP.

Screenshot from WordPress, December 2023

The release of WordPress 6.4 also contributed to the improvements, albeit more modestly.

Screenshot from WordPress, December 2023

How WordPress Core Web Vitals Impact The Web

WordPress’s high usage rate means its performance has a substantial effect on the overall web.

Screenshot from WordPress, December 2023

In 2023, WordPress’s improvement in CWV passing rates exceeded those of non-WordPress sites.

For example, the mobile CWV passing rate for non-WordPress sites improved by 3.68%, compared to WordPress’s 8.13%. This demonstrates WordPress’s significant role in enhancing web performance.

Interaction To Next Paint Arrives In March 2024

Looking forward to 2024, WordPress faces new challenges and opportunities.

One major change is the replacement of the FID metric with Interaction to Next Paint (INP).

INP is a more comprehensive measure of interactivity, and its introduction is expected to lower overall CWV passing rates.

Screenshot from WordPress, December 2023

The WordPress performance team is considering this in their planning for 2024, inviting community contributions to their roadmap.

Next Steps

As a marketing professional, it is essential to stay current with the latest developments in Core Web Vitals, considering the implications for website performance and SEO.

With the upcoming shift to INP in 2024, it’s vital to prepare for these changes and consider how they might affect your website’s performance metrics.

Given this change, WordPress developers and site owners should start focusing on optimizing for INP. Prioritizing INP means optimizing your site to ensure that it responds quickly and smoothly to user interactions.

Another suggestion was to explore more ways to improve TTFB.

This may include optimizing hosting environments, using caching strategies, or adjusting content delivery networks, rather than just focusing on the server response time within the WordPress core.

Featured image: Primakov/Shutterstock

WordPress Starter Templates AI – Build A Site In 60 Seconds via @sejournal, @martinibuster

Astra Starter Templates by Brainstorm Force, with over one million active installations, announced the integration of the ZipWP AI website builder that enables users to create entire websites, including content and images.

With over 280 customizable website templates that help users quickly create professional-looking websites, it is one of the most popular template libraries in the world, with over one million active installations.

Creating websites with templates and page builders like Elementor and Beaver Builder still required a modest learning curve.

The integration of ZipWP into the WPAstra Starter Templates solves that problem in a way that brings the simplicity of closed-source web design to the open source WordPress ecosystem.

ZipWP is a website builder that uses artificial intelligence to help users rapidly create functional WordPress websites with no coding or technical knowledge required.

The standalone version of ZipWP handles everything from installation and design to even creating the content for a fully configured website, including the images.

ZipWP claims that the AI can create an entire website in sixty seconds.

Screenshot of the ZipWP website

Both the standalone version and the version integrated into the WPAstra Starter Templates offer features like automated website design, website content, and drag-and-drop webpage customization in a simple way that makes creating a website accessible to users of all technical levels.

The purpose isn’t necessarily to replace web designers, as it’s also useful for agencies that wish to scale their web design services while retaining total control and benefiting from the open source WordPress environment.

That means the entire WordPress ecosystem of plugins is available for customizing websites created with the ZipWP functionality.

Users hoping to take advantage of the ZipWP functionality will have to register for an account with ZipWP.

ZipWP offers both free and premium tiers.

The free version allows users to create up to three websites per month. The premium version allows the creation of ten websites per day and other benefits for the price of $399/year.

According to the WPAstra changelog announcement:

“It will require connecting the user to their ZipWP account and providing their business details, after which it will generate content + images for patterns and pages based on the specified business details.”

Read the WPAstra changelog:

Starter Templates 3.5.2 : All new AI based Template Kit library

Learn more about ZipWP AI Website Builder

WordPress Releases Version 6.4.2 For Critical Vulnerability via @sejournal, @martinibuster

WordPress has released version 6.4.2 that contains a patch for a critical severity vulnerability that could allow attackers to execute PHP code on the site and potentially lead to a full site takeover.

The vulnerability was traced back to a feature introduced in WordPress 6.4 that was meant to improve HTML parsing in the block editor.

The issue is not present in earlier versions of WordPress and it only affects versions 6.4 and 6.4.1.

An official WordPress announcement describes the vulnerability:

“A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.”

According to an advisory published by Wordfence:

“Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.

While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability.”

Object Injection Vulnerability

Wordfence advises that Object Injection vulnerabilities are not easy to exploit. Nonetheless, they recommend that WordPress users update to the latest version.

WordPress itself advises that users update their sites immediately.
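The advisory above makes the point that a POP chain in core only becomes dangerous when a plugin or theme hands attacker-controlled data to PHP's `unserialize()`. As an added illustration that is not code from WordPress core, Wordfence, or any real plugin, the hypothetical plugin helpers below show that plugin-side pattern and two ways to close it; the cookie name `example_prefs` and the function names are invented for the example.

```php
<?php
// Added example (hypothetical plugin code, not from WordPress core or Wordfence).
// Shows the plugin-side pattern that creates an Object Injection vulnerability
// and two ways to remove it. WordPress slashes $_COOKIE, hence wp_unslash().

// VULNERABLE: unserialize() on request-controlled data instantiates whatever
// classes the serialized string names, and their magic methods (__wakeup,
// __destruct, __toString) run inside the WordPress process. A gadget chain in
// core or in any loaded plugin can turn that into arbitrary code execution.
function example_get_prefs_vulnerable(): array {
    $raw   = wp_unslash( $_COOKIE['example_prefs'] ?? '' );
    $prefs = unserialize( $raw ); // request-controlled class instantiation
    return is_array( $prefs ) ? $prefs : array();
}

// HARDENED (1): if serialized input must be accepted, forbid every class.
// Any object in the payload becomes __PHP_Incomplete_Class, which has no
// methods that could be triggered, and a non-array result is discarded.
function example_get_prefs_no_classes(): array {
    $raw   = wp_unslash( $_COOKIE['example_prefs'] ?? '' );
    $prefs = unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_array( $prefs ) ? $prefs : array();
}

// HARDENED (2, preferred): use a data-only format. JSON cannot name PHP
// classes, and json_decode( ..., true ) yields plain arrays only.
function example_get_prefs_json(): array {
    $raw   = wp_unslash( $_COOKIE['example_prefs'] ?? '' );
    $prefs = json_decode( $raw, true );
    return is_array( $prefs ) ? $prefs : array();
}

// Writing side for (2): store JSON, never serialize(). Cookie attributes
// follow the usual WordPress constants and helpers.
function example_set_prefs( array $prefs ): void {
    setcookie( 'example_prefs', wp_json_encode( $prefs ), array(
        'expires'  => time() + DAY_IN_SECONDS,
        'path'     => COOKIEPATH,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
}
```

Reviewing a plugin or theme for bare `unserialize()` calls on request, option, or database data is a practical way to find the plugin-side half of the chain the advisory describes; `allowed_classes => false` requires PHP 7.0 or later.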

Read the official WordPress announcement:

WordPress 6.4.2 Maintenance & Security Release

Read the Wordfence advisory:

PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2

Featured Image by Shutterstock/Nikulina Tatiana