Many publishers and developers have been reporting that updating to WordPress 6.4 triggered a fatal error, bringing their websites down. A search for solutions began and within hours developers discovered a bug in the page builder they all used.
Sites Crashing After Updating To 6.4
One of the first reports happened not long after WordPress 6.4, codenamed Shirley, was released.
A post in the private Dynamic WordPress Facebook group alerted members that their WordPress site crashed after updating.
One of the first clues to the problem was that all the crashed sites had the Oxygen page builder installed.
But that wasn’t the only thing users of the Oxygen page builder had in common.
Brenda Malone (LinkedIn profile) discovered that having legacy versions of the default theme, whether they’re installed or not, also caused Oxygen-based sites to crash.
Default themes are the ones that are named like Twenty Twenty One and Twenty Twenty Two.
Even though the old legacy default themes were deactivated, something about their presence while the Oxygen page builder was installed caused the site to crash.
Brenda Malone shared her observation with me:
“It apparently only happens if Oxygen is installed.”
The person who started the discussion in the private group related that he deleted all the older versions of the default theme and the site was restored.
Strange, right?
A solution proposed in the official Oxygen page builder User Group was to activate recovery mode, delete all old legacy themes then install a copy of the newest default theme, Twenty Twenty Four.
Why Did Updating WordPress 6.4 Cause Sites To Crash?
Someone in that Oxygen user group discovered and offered their theory that any active theme was loading their default style CSS, which could be responsible for the issues.
He related that he deleted the CSS on their “oxygen bare minimum” theme and the problem went away.
An admin in the official Oxygen Facebook group posted that they are looking into what is causing Oxygen sites to crash.
WordPress 6.4, code named Shirley, was released, featuring a new default theme with many incremental but important enhancements that taken together make WordPress an easier and more intuitive content management system.
Josepha Haden Chomphosy, Executive Director of WordPress, described WordPress 6.4 best.
She wrote:
“Many of the features and enhancements in WordPress 6.4 fall in the “small but mighty” category.
Along with the adaptable beauty of the Twenty Twenty-Four theme, these updates help content creators and site developers alike save time and effort while delivering the high value, low hassle WordPress experience the world has grown to expect.”
New Default Theme
The latest version of WordPress ships with a new default theme, named Twenty Twenty-Four that contains 35 webpage layouts called patterns.
The thirty five patterns are full-page layouts that can be used to quickly create webpages.
Screenshot Of A Pattern Bundled With Twenty Twenty Four Theme
A new feature for 6.4 is the ability to categorize the patterns with custom names.
Users can create patterns then give them meaningful names that make it easy to identify them.
Another new patterns feature is a filter that simplifies finding patterns.
These are examples of the small yet important changes that, while incremental, together add up to a better experience.
Enhancements To Writing Experience
WordPress 6.4 contains improvements to make writing smoother and without friction.
New keyboard shortcuts and other enhancements help make it easier to focus on the writing and not on the interface.
A new toolbar interface for navigation, list and quote blocks that is attached to the parent block keeps it out of the way yet handy when needed.
The WordPress announcement explained:
“New enhancements ensure your content creation journey is smooth. Find new keyboard shortcuts in List View, smarter list merging, and enhanced control over link settings.
A cohesive toolbar experience for the Navigation, List, and Quote blocks lets you work efficiently with the tooling options you need.”
More New Features
Other features are new design tools, a lightbox functionality for site visitors to click and interact with images, ability to assign custom names to group blocks, new image previews in list view improves finding image blocks, and the ability to import and export patterns for use on other sites.
Developer Features
There are useful features for developers like block hooks.
WordPress describes how they will be useful to developers:
“Block Hooks enables developers to automatically insert dynamic blocks at specific content locations, enriching the extensibility of block themes through plugins.
While considered a developer tool, this feature is geared to respect your preferences and gives you complete control to add, dismiss, and customize auto-inserted blocks to your needs.”
These performance improvements are a sign of how important it is to the core developers that each release steadily improves performance.
Reception By The WordPress Community
The general response by the WordPress community is positive.
Andrew Wilder (LinkedIn profile) of WordPress support company NerdPress.net shared:
“Most of the changes I’m seeing for 6.4 aren’t terribly “sexy” — but there are hundreds of smaller improvements that, collectively, will keep WordPress moving forward nicely, so I’m happy to see the progress being made.
The changes to attachment pages will be a big help for SEO. By default, WordPress creates a separate “attachment page” for every media item, which can create hundreds (or thousands!) of useless, “thin content” pages. We still see clients who have these attachment pages but aren’t using them, or even aware that they exist. Particularly with the Helpful Content Updates recently, getting rid of those can really help improve a site’s overall SEO posture.
This update won’t change any existing sites — especially because some sites, like photography sites, may still want them — but new WordPress installations will have those attachment pages disabled by default.”
Katie Keith (LinkedIn profile), CEO of Barn2 Plugins (a plugin development company) was enthusiastic about this release.
Katie observed:
“I’m delighted that the new Twenty Twenty-Four theme has been released as part of WordPress 6.4 because it’s far superior to the last few years’ default themes.
Like other recent themes, it’s a fully accessible block theme – but this time, it has a clean, generic and modern design which will be suitable for a wide range of personal and business websites.
The new image lightboxes in WordPress 6.4 will be really useful, as so many website visitors expect to be able to click on an image to see a bigger version of it.
In fact I’m surprised that this wasn’t already available!
I was pleased to see that WordPress 6.4 has a new option to mark links as nofollow. Previously, you had to do this by switching to code view and adding the nofollow attribute manually, so having an option for this is much more user-friendly.”
Takeaway
WordPress 6.4 doesn’t contain any big flashy features. But what it does have is a lot of small improvements that together advance WordPress to a significantly better user experience.
While there are reports of conflicts with the Oxygen Visual Page Builder, the overall reaction is positive with much appreciation to the WordPress core team for another great release.
Astra, the makers of the world’s most popular WordPress templates, announced it is investing in LatePoint, one of the most advanced online booking solutions and in the process is advancing WordPress as the go-to platform for businesses.
This move brings the powerful scheduling, booking and payment management capabilities of LatePoint to all users, especially those who use Astra.
What Is LatePoint?
LatePoint is a plugin that manages the entire online booking and appointment scheduling lifecycle.
It integrates with six different payment gateways:
Braintree
Paystack
PayPal
Razorpay
Square
Stripe
LatePoint also automates common workflow actions like sending email and SMS reminders, synchronizing with third party calendars and even automatically creating Zoom meetings.
LatePoint supports signups via Facebook and Google and integrates with Twilio. Businesses can even track performance in the admin dashboard where all the functions are viewable.
Diverse businesses, from online service providers to hair salons, can use LatePoint to book appointments, schedule them, send reminders and collect payments in a seamless manner from one plugin.
The Astra announcement also lists these capabilities:
“Client database: Maintains a comprehensive client database, providing quick access to client histories, preferences, and contact information for personalized service.
Customizable booking forms: Tailor booking forms to gather specific information from clients, ensuring that appointments are booked with all necessary details.”
LatePoint Is Part Of A Larger Strategy
The closer one looks at what Astra has quietly been doing the clearer it becomes that they are creating a platform within a platform that enables small businesses to automate various processes in order to compete on the same level as much larger organizations.
For example, Astra is behind another WordPress plugin called SureTriggers.
What SureTriggers does is make it easy for small businesses to create event-driven automations between WordPress plugins as well as with third party SaaS.
SureTriggers offers history logs that show what the automations did between the linked plugins and third party SaaS in order to troubleshoot or keep track of what’s going on.
It supports workplace collaboration for creating automated workflows, and supports custom webhooks and APIs.
SureTriggers even offers the ability to delay an action, conditional logic and filters that help create complex automations.
This is how SureTriggers describes what it does:
“Easily transfer data between your favourite apps and services like Mailchimp, Gmail, HubSpot, etc. Whatever you need to connect, SureTriggers has you covered.
SureTriggers seamlessly integrates with popular WordPress plugins like Gravity Forms, WooCommerce, Elementor, CartFlows, and many more.
Create multi-step automations that seamlessly execute a sequence of different tasks automatically after a specific event occurs, all customized by you.”
Adding the powerful LatePoint scheduling and appointment capabilities into that mix turns WordPress into a ridiculously capable business platform that makes a small business perform at a level far higher than what was possible as recently as five years ago without spending a significant amount of money.
And it accomplishes all of this at a price that’s in reach of any small business.
Astra Integrates WordPress With Business
Of special interest is how LatePoint will seamlessly integrate with Astra’s SureCart, making Astra a strong competitor to WooCommerce. Astra also offers Spectra, their easy to use page builder that supports both the classic WordPress editor and the newer Gutenberg blocks.
Taken together, what Astra is doing is making WordPress perform like a dedicated business CMS but with all the benefits of the open source WordPress ecosystem.
Astra has quietly become a leader in extending the capabilities of WordPress in a way that increasingly makes WordPress an attractive choice for small businesses.
Their website templates are used by over 2.5 million websites worldwide, which gives them a huge pool of potential users or recommenders of LatePoint.
But what this investment makes clear is that Astra is quickly becoming the go-to solution for WordPress-based businesses as well as creating viable alternatives to private closed-source content management systems.
The Astra announcement makes no secret of their ambition to make WordPress a strong choice for businesses:
“We are excited to share knowledge, implement our ideas, deploy Brainstorm Force processes and work closely with the LatePoint team.
We can’t wait to bring an enterprise-grade, robust, modern, and reliable appointment and booking solution to the small businesses and larger WordPress community.
One thing that I can’t stress enough is we’re a mission driven organization. Everything we do is designed to unlock the power of the internet for small businesses.”
Tight Integration With Astra Products
Another interesting factor to consider is that Astra is promising tighter integration between their templates and all the other plugins they offer, such as the WooCommerce alternative SureCart and SureTriggers.
SureTriggers is an interesting piece of the Astra suite of business related plugins. SureTriggers enables WordPress users to integrate any other tool or plugin in order to create an automated workflow.
It works by connecting WordPress to hundreds of SaaS apps, automates WordPress plugins so they can work together and can even connect your different websites and services so that various tasks are automated.
One-Time Payment Pricing Offered For A Limited Time
Astra announced that they will be offering a lifetime payment deal that provides all the benefits of LatePoint with a single-payment lifetime license.
Astra LatePoint Investment
I hadn’t heard of LatePoint until learning of Astra’s investment in it. After researching what Astra has been doing it seems that they have been pursuing a strategy for making WordPress a strong choice for businesses.
The popular Fluent Forms Contact Form Builder plugin for WordPress, with over 300,000 installations, was discovered to contain a SQL Injection vulnerability that could allow database access to hackers.
Fluent Forms Contact Form Builder
Fluent Forms Contact Form Builder is one of the most popular contact forms for WordPress, with over 300,000 installations.
Its drag-and-drop interface makes creating custom contact forms easy so that users don’t have to learn how to code.
The ability to use the plugin to create virtually any kind of input form makes it a top choice.
Users can leverage the plugin to create subscription forms, payment forms, and forms for creating quizzes.
Plus it integrates with third party applications like MailChimp, Zapier and Slack.
Importantly, it also has a native analytics capability.
This incredible flexibility makes Fluent Forms a top choice because users can accomplish so much with just one plugin.
Input Neutralization
Every plugin that allows site visitors to input data directly into the database, especially contact forms, must process those inputs so that they do not inadvertently allow hackers to input scripts or SQL commands that allow malicious users to make unexpected changes.
This particular vulnerability leaves the Fluent Forms plugin open to SQL injection, which is particularly bad if a hacker is successful in their attempts.
SQL Injection Vulnerability
SQL, which means Structured Query Language, is a language used for interacting with databases.
A SQL query is a command for accessing, changing or organizing data that’s stored in a database.
A database is what contains everything that is used to create a WordPress website, such as passwords, content, themes and plugins.
The database is the heart and brain of a WordPress website.
As a consequence, the ability to arbitrarily “query” a database is an extraordinary level of access that should absolutely not be available to unauthorized users or software outside of the website.
A SQL injection attack is when a malicious attacker is able to use an otherwise legitimate input interface to insert a SQL command that can interact with the database.
The non-profit Open Worldwide Application Security Project (OWASP) describes the devastating consequences of a SQL injection vulnerability:
“SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.”
Improper Neutralization
The United States National Vulnerability Database (NVD) published an advisory about the vulnerability that described the reason for the vulnerability as from “improper neutralization.”
Neutralization refers to the process of making sure that anything that’s input into an application (like a contact form) is limited to what is expected and nothing else.
Proper neutralization of a contact form means that it won’t allow a SQL command.
“Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Contact Form – WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection.
This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: from n/a through 4.3.25.”
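To make "neutralization" concrete, the following added example (not code from Fluent Forms, Patchstack or the NVD advisory, none of which publish the flawed query on this page) contrasts an improperly neutralized lookup with a properly neutralized one. It uses Python's built-in sqlite3 as a stand-in for the WordPress database; the table, function names and sample rows are constructed for illustration.

```python
import re
import sqlite3


def make_db():
    """In-memory table standing in for a form plugin's entries (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE submissions (
            id INTEGER PRIMARY KEY, form_id INTEGER, email TEXT, message TEXT);
        INSERT INTO submissions (form_id, email, message) VALUES
            (1, 'alice@example.com', 'Quote request'),
            (1, 'bob@example.com', 'Support question'),
            (2, 'carol@example.com', 'Newsletter signup');
    """)
    return db


def find_by_email_unsafe(db, email):
    # Improper neutralization: the visitor's text is pasted into the SQL
    # string, so a quote character in it ends the literal and the rest of
    # the input is parsed as SQL.
    query = "SELECT email, message FROM submissions WHERE email = '" + email + "'"
    return db.execute(query).fetchall()


def find_by_email_safe(db, email):
    # Proper neutralization: the query text is fixed and the value travels
    # separately as a bound parameter, so it can only ever be compared as data.
    return db.execute(
        "SELECT email, message FROM submissions WHERE email = ?", (email,)
    ).fetchall()


# "Limited to what is expected": reject input that is not shaped like an
# email address before it reaches the database layer at all.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lookup(db, raw_email):
    if not EMAIL_RE.fullmatch(raw_email):
        raise ValueError("not an email address")
    return find_by_email_safe(db, raw_email)


# Column names cannot be bound as parameters, so a user-chosen sort column
# has to be checked against an allow-list instead.
SORTABLE = {"id", "email"}


def list_entries(db, form_id, sort_by="id", descending=False):
    if sort_by not in SORTABLE:
        raise ValueError("unsupported sort column")
    order = "DESC" if descending else "ASC"
    sql = f"SELECT id, email FROM submissions WHERE form_id = ? ORDER BY {sort_by} {order}"
    return db.execute(sql, (form_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed input containing SQL syntax
    print("unsafe:", find_by_email_unsafe(db, hostile))  # every row comes back
    print("safe:  ", find_by_email_safe(db, hostile))    # no row matches
    print("sorted:", list_entries(db, 1, "email", descending=True))
```

The allow-list in `list_entries` covers the case placeholders cannot: identifiers such as column names and sort direction.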
Patchstack security company discovered and reported the vulnerability to the plugin developers.
“This could allow a malicious actor to directly interact with your database, including but not limited to stealing information.
This vulnerability has been fixed in version 5.0.0.”
Although Patchstack’s advisory states that the vulnerability was fixed in Version 5.0.0, there is no indication of a security fix according to the Fluent Forms Contact Form Builder changelog, where changes to the software are routinely logged.
This is the Fluent Forms Contact Form Builder changelog entry for version 5.0.0:
“5.0.0 (DATE: JUNE 22, 2023) Revamped UI and better UX
Global Styler Improvement
The new framework for faster response
Fixed issue with repeater field not appearing correctly on PDF
Fixed issue with WPForm Migrator not properly transferring text fields to text input fields with correct maximum text length
Fixed issue with entry migration
Fixed number format in PDF files
Fixed radio field label issue
Updated Ajax routes to Rest Routes
Updated filter & action hooks naming convention with older hooks support
Updated translation strings”
It’s possible that one of those entries is the fix. But some plugin developers want to keep security fixes secret, for whatever reason.
Recommendations:
It’s recommended that users of the contact form update their plugin as soon as possible.
Exciting times are ahead for WordPress users! The upcoming WordPress 6.4 update is on the horizon, and it’s bringing some interesting features and enhancements. WordPress 6.4 is planned to be released on November 7th, 2023. So, what can you expect from this release? From a brand-new theme to make your site shine to several blocks that’ll make editing easier, there’s a lot to look forward to. And that’s not all; imagine showing off your images in a whole new light and enjoying a faster, smoother website. Curious? Let’s have a quick look at what’s coming!
Many fixes and performance improvements
First off, WordPress 6.4 isn’t just about new features; it’s also about polishing the existing ones. This update addresses numerous bugs, enhancing overall performance and stability. Whether you’re a developer or a casual user, these tweaks contribute to a smoother, more reliable WordPress experience.
A new default theme: Twenty Twenty-Four
And say hello to a fresh face: the Twenty Twenty-Four theme. This new addition is all about giving your website a clean and modern look. Whether you’re starting fresh or thinking of a makeover, this theme is something to get excited about!
Highlights of the new theme, image from WordPress
With three different use cases in mind, this theme comes with lots of patterns and templates that help you build pages in a matter of seconds. The use cases that they chose are creating a website as an entrepreneur/small business owner, a photographer/artist, or a writer/blogger. But even if you have a website outside of those use cases, the variety of patterns will most likely offer you a few great options to create engaging and good-looking pages.
A few examples of patterns in the Twenty Twenty-Four theme
Enhancements to blocks
The block editor continues to evolve with improvements that promise a more intuitive building experience. This update introduces background images for group blocks, renaming of group blocks in the list view, and more. These enhancements aim to streamline content creation, allowing you to build rich, dynamic pages and posts with ease.
Users can now also add categories to their block patterns. This is an update to a feature that was added in 6.3, where users can create and save their own block patterns in the editor. Paragraphs, headings, next and previous links and footnotes have a new option for vertical text. This feature has to be enabled by the theme.
Lightbox for images
WordPress 6.4 understands that visuals are at the heart of any good story. With the new lightbox feature, your images can now be viewed in a larger format when people click on the image. This can help you offer great images without losing too much room and pushing down other content.
Renaming group blocks and more
Organization is key, especially when working with complex page structures. The ability to rename group blocks directly within the list view is a game-changer for site builders, allowing for better management and identification, ultimately leading to a more efficient building process.
Background images for group blocks
Creativity knows no bounds with WordPress 6.4. Now, you can set background images for your group blocks, adding an extra layer of aesthetic appeal to your sections. This feature is perfect for creating visually striking hero sections, banners, or any other segment that needs a touch of creativity.
Adding a background image to a Group block
Attention, developers! Prepare for a slew of tools designed to make your coding life easier. From advanced block hooks to configurable typography controls, WordPress 6.4 is set to boost your development capabilities, offering more flexibility and control in crafting online experiences.
Nofollow link setting
The Advanced link settings have a new option: “Mark as nofollow”. To use the option you first have to add a text block, for example, a paragraph. Add the link via the block toolbar, select the link again, and click on the pen icon to open the options. Next click on the button that says “Advanced” to open the advanced panel, and check the checkbox “Mark as nofollow”.
WordPress 6.4: Coming soon!
WordPress 6.4 is packed with features designed to improve usability, enhance aesthetics, and provide developers with advanced tools. Whether you’re looking to build a more dynamic website or create content effortlessly, the new WordPress is here to make your digital experience better than ever. Like we said, you can expect this update on the 7th of November, so mark that date in your calendar to enjoy all these new features!
Did you know that Yoast has its very own WordPress core team? This group of experts helps make WordPress better. They fix problems, suggest new features, and work with people from all over the world to make the platform easier and more enjoyable for everyone. It’s part of Yoast’s promise to build a stronger, user-friendly internet together!
Iris Guelen is Yoast’s Content Lead. She loves to write and is responsible for Yoast’s content strategy. Making sure you get top-notch content through articles, email, social media, video, and more!
The popular LiteSpeed WordPress plugin patched a vulnerability that compromised over 4 million websites, allowing hackers to upload malicious scripts.
LiteSpeed was notified of the vulnerability two months ago on August 14th and released a patch in October.
Cross-Site Scripting (XSS) Vulnerability
Wordfence discovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, the most popular WordPress caching plugin in the world.
XSS vulnerabilities generally take advantage of the absence of a security process called data sanitization and escaping.
Sanitization is a technique that filters what kind of data can be submitted via a legitimate input, like on a contact form.
In the specific LiteSpeed vulnerability, the implementation of a shortcode functionality allowed a malicious hacker to upload scripts that they would not have been able to upload had proper sanitization and escaping of data been in place.
“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.
This process helps secure your data prior to rendering it for the end user.”
This specific vulnerability requires that the hacker first obtain contributor level permissions in order to carry out the attack, which makes carrying out the attack more complicated than other kinds of threats that are unauthenticated (require no permission level).
According to Wordfence:
“This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.
While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.”
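The role of output escaping in a shortcode can be shown with a small renderer. This is an added example, not LiteSpeed's or Wordfence's code: the `banner` shortcode, its attributes and the sample post are hypothetical, and Python's `html.escape` stands in for the escaping functions a WordPress plugin would call. It also goes one step beyond the text by restricting the link scheme, since escaping alone does not stop a `javascript:` URL.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical shortcode syntax: [banner title='...' url='...']
SHORTCODE = re.compile(r"\[banner((?:\s+\w+='[^']*')*)\s*\]")
ATTRIBUTE = re.compile(r"(\w+)='([^']*)'")

# Constructed post body as a contributor-level user might save it; the title
# value carries a double quote meant to close the HTML attribute early.
POST_FROM_CONTRIBUTOR = (
    """Spring offers: [banner title='x" onmouseover="alert(1)' """
    """url='https://example.com/sale']"""
)


def parse_attrs(raw):
    """Turn the attribute part of the shortcode into a dict."""
    return dict(ATTRIBUTE.findall(raw))


def render_unsafe(content):
    """Missing escaping: attribute values are copied into the markup as-is."""
    def build(match):
        attrs = parse_attrs(match.group(1))
        title = attrs.get("title", "")
        url = attrs.get("url", "")
        return f'<a class="banner" href="{url}" title="{title}">{title}</a>'
    return SHORTCODE.sub(build, content)


def render_safe(content):
    """Escape every value at the point of output and allow-list the URL scheme."""
    def build(match):
        attrs = parse_attrs(match.group(1))
        # quote=True also encodes " and ', so the value cannot leave the attribute.
        title = html.escape(attrs.get("title", ""), quote=True)
        url = attrs.get("url", "")
        if urlsplit(url).scheme.lower() in ("http", "https"):
            href = html.escape(url, quote=True)
        else:
            href = "#"  # drop javascript:, data: and anything else unexpected
        return f'<a class="banner" href="{href}" title="{title}">{title}</a>'
    # Only the shortcode output is handled here; the surrounding post body is
    # assumed to be filtered separately by the CMS.
    return SHORTCODE.sub(build, content)


if __name__ == "__main__":
    print("unsafe:", render_unsafe(POST_FROM_CONTRIBUTOR))
    print("safe:  ", render_safe(POST_FROM_CONTRIBUTOR))
```

Because the markup is stored with the post, the unsafe output would be served to every visitor of the page, which is why the escaping belongs in the renderer rather than in a one-time input check.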
Which Versions of LiteSpeed Plugin Are Vulnerable?
Versions 5.6 or less of the LiteSpeed Cache plugin are vulnerable to the XSS attack.
Users of the LiteSpeed Cache are encouraged to update their plugin as soon as possible to the latest version, 5.7 which was released on October 10, 2023.
WordPress 6.4, releasing on November 7th, is packed with over 100 improvements to site performance, which promise to make this release one of the most important ones to get right away.
This new release continues the solid upward performance trend which to date has nearly doubled the average core web vitals performance in the two years since the proposal to create a WordPress Performance Team in 2021.
WordPress at the time acknowledged that performance of the core CMS itself was the responsibility of WordPress.
In a short period of time the team launched the Performance Lab plugin and began steadily making itself a part of every change made to WordPress, making sure that the changes don’t introduce bloat or performance bottlenecks.
Their efforts have been incredibly successful, visible in the performance metrics of actual WordPress sites recorded on the HTTPArchive Core Web Vitals Technology Report.
The facts speak for themselves:
Speed Improvements In WordPress Are A Priority
A relatively recent discussion at WordPress.org illustrates that performance is a top priority for virtually every component of WordPress under development.
For example, the default theme (TwentyTwentyFour) that is bundled in the next version of WordPress (6.4), was discovered to perform 70% worse than the previous theme (TwentyTwentyThree).
They benchmarked the home page and a single page between the previous default theme, TwentyTwentyThree (TT3) and TwentyTwentyFour (TT4).
WordPress tested for Largest Contentful Paint (LCP), a Core Web Vitals metric that measures how long it takes to load a webpage and when the user can see the largest block of text or image on the page.
They also used Time to First Byte (TTFB) and LCP together to measure how fast the site is to deliver the first “byte” of data to the browser and how long it takes for the browser to render the markup. This test reveals inefficiencies in the markup.
Here is the summary of the TwentyTwentyFour (TT4) performance testing:
“For the home page:
Overall load time (LCP) is 58.8% slower.
Client-side performance (LCP-TTFB) is 93.5% slower.
Server-Timing (wp-total) is 71.8% slower.
For the singular post:
Overall load time (LCP) is 3.9% slower.
Client-side performance (LCP-TTFB) is 40.1% faster.
Server-Timing (wp-total) is 42.3% slower.”
The reason TT4 was slower is because TT3 was more stripped down and made to be extended.
Nevertheless, leaving out the additions to TT4 was not an option.
The two themes we are comparing don’t play in the same league.
TT3 was streamlined and made to be extended, while TT4 is full-featured and tries to make extensive use of the site editor tools.
This doesn’t mean that the data extracted is not valid.
In fact, it definitely shows us what an actual use case versus a base theme looks like.
As you mentioned, TT4 is not adding any features in itself; it’s merely using patterns and adding a few block styles, so anything we find here to fix is liable to benefit every single block theme that’s out there, not just TT4, which I think it’s fantastic.”
At one point during the performance work, the WordPress core contributors managed to obtain a 7.67% faster loading time with the new default theme, better than the previous theme.
It’s important to zoom out and put this project into perspective: TwentyTwentyFour (TT4) contains important functionality that TT3 does not.
So making TT4 perform absolutely better than TT3 was probably never going to happen because one default theme is more complex than the other.
Nevertheless, they were able to narrow the home page performance difference from 71.8% slower to only 10% slower.
The single page performance went from 42.3% slower to only 11.7% slower.
“I am very excited to report that most (if not all) of the server-side performance concerns have been addressed, via additional general performance fixes that landed in core…
What the WordPress developers did next was search for a solution so that they could ship a better default theme that included important functionality but still performed well.
Given how much richer the content and layout of TT4 is compared to TT3, this is a major accomplishment, and there is no need to worry about the remaining performance difference due to that.”
Over 100 Performance Improvements
WordPress 6.4 contains over 100 performance improvements.
“WordPress 6.4 will include more than 100 performance-related updates, including improvements to template loading performance for Block Themes and Classic Themes, usage of the new script loading strategies “defer” and “async” in core, blocks, and themes, and new functions to optimize the use of autoloaded options.”
The following is an overview of the performance improvements to look forward to when WP 6.4 is released in early November.
Script Loading Strategies To Improve Performance
An overview of new script loading changes to WordPress 6.4 reveals updates to the use of defer and async attributes in “frontend scripts in core and bundled themes” which will speed up all WordPress websites.
They also changed how scripts with the “defer” attribute are loaded. The defer attribute tells the browser not to execute a script until the browser has finished downloading the entire webpage, at which point the script can then start to run.
What they did was to move scripts with the defer attribute that were in the footer area up to the head section, which speeds up how fast they are executed.
WordPress 6.4 No Longer Creates Attachment Pages
This is an important change to WordPress that relates to SEO as well as performance, an improvement suggested by founder of Yoast, Joost de Valk (@jdevalk).
Every previous version of WordPress created a standalone page for any media that was uploaded.
So if you uploaded an image for a webpage, WordPress would also create a standalone webpage for that image, all by itself.
Yoast SEO has a feature that turns that off by default which stops WordPress from creating thousands of thin content pages consisting of images.
“WordPress creates attachment pages by default for every attachment uploaded.
On the *vast* majority of sites, these attachment pages are useless.
They do however exist, and get crawled, and sometimes even rank in search results, leading to bad results for users and site owners.
I want to propose we get rid of them.”
This behavior is fixed in WordPress version 6.4.
Improvements to Template Loading
These are changes to how templates are loaded and relate to the problems discovered with the TwentyTwentyFour default theme, which they solved by:
Introducing new caching
Removing unnecessary checks for whether a theme file exists
Removing repeated file lookups related to themes (makes WordPress faster)
Adding modern performance improvements to sites still using older themes so that they benefit from lazy loading, async decoding and fetch priority
Image Loading Optimization for WordPress 6.4
This is an improvement to how images and iframes are loaded, specifically with reference to loading attributes like “lazy loading” and “fetchpriority” which optimize how images and iframes are loaded, increasing webpage performance.
New Autoload Options Functions
WordPress 6.4 will ship with new options functions that allow plugin developers to control which options are automatically loaded.
This will speed up WordPress sites because it will reduce the unnecessary loading of options, which slows server performance.
Prevent Redundant Style Codes
This is a change to how styles are loaded. Styles are code that tell the browser what a website should look like in terms of colors, spacing, font sizes, etc.
This improvement offers third party developers the ability to manage how styles are loaded in order to prevent redundant code from loading.
Reducing redundant code, especially by third party developers, is a huge win for performance.
Object Caching Improvements
WordPress 6.4 includes performance enhancements to Object Caching.
The Object Cache is where data used for creating webpages are stored so that the website doesn’t have to repeatedly fetch resources from the database.
It’s like if a cook needs a salt shaker, they put the salt on a counter within reach instead of having to walk to the cabinet, get the salt, use it and then return the salt back to the cabinet.
The official WordPress announcement for this improvement explains:
“In WordPress 6.4, the Performance team has introduced several enhancements centered around object caching, leading to better handling of filters, reduced database queries, and improved overall system efficiency.”
Improved overall system efficiency sounds like a recipe for success!
The takeaway here is that performance is a key ingredient in creating the WordPress core. The effects of those improvements are reflected not just in the core CMS but also across themes and plugins, with some improvements applying to sites using older themes and WordPress versions.
Those improvements are reflected in the data at HTTPArchive which show a steady upwards track record of improvement that continues with the release of WordPress 6.4, currently scheduled for November 7, 2023.
Jetpack WordPress plugin by Automattic released an updated version that expands on AI-based features and the ability to earn more from email subscriptions.
Jetpack WordPress Plugin 12.7
Jetpack is a modular all-in-one plugin that brings virtually every important functionality that a website or business may need.
Because it’s modular, a user only needs to select which functionality they need and keep the unwanted ones turned off.
There are free and paid versions that are available as bundles, depending on your need.
For example, there’s a security bundle and a complete bundle, but users can select only the functions that they need.
The AI part of the plugin is available as a standalone app, in a free version for a limited trial and a paid version for $8.33/month (billed yearly).
The Jetpack AI assistant currently assists with a wide range of content creation tasks; it really is like having an assistant that can quickly get things done.
Aside from content it can also create forms, comparison tables, and lists.
The update to Jetpack adds an article excerpt feature that automatically summarizes the article and creates an article excerpt for it.
There are additional improvements to the AI assistant in how prompts are generated and the addition of more languages.
Newsletter Subscription Tiers
Jetpack also updated their newsletter functionality by adding multiple paid newsletter subscriber tiers.
Blogroll Is Back!
For those who miss the blogroll, it’s back. It’s a great way to link out to websites that your site visitors may enjoy.
Of course, be careful not to use it for organized reciprocal linking, which seems to be making a comeback in the recipe blog niche.
One Click Social Sharing
The other useful upgrade was the added one-click social sharing function that automatically formats the share.
Jetpack Plugins Available In Multiple Configurations
Jetpack plugins are available in free and standalone premium versions, plus bundles that cost less than buying them separately.
WordPress announced it was publishing a maintenance and security release that patches multiple vulnerabilities including one that could lead to a full site takeover.
Maintenance and Security Release WordPress 6.3.2
WordPress 6.3.2 delivers 41 bug fixes but more importantly it ships with patches for eight vulnerabilities.
The following eight vulnerabilities were recently discovered and patched:
A vulnerability in the WordPress core that allows arbitrary shortcode execution
Potential disclosure of user email addresses by unauthenticated hackers using
Remote code execution POP Chains vulnerability
Cross-site scripting (XSS) vulnerability in the post link navigation block
Leaked comment visibility on private posts
Reflected cross-site scripting (XSS) vulnerability in the application passwords screen
Cross-site scripting (XSS) vulnerability in the footnotes block
Cache poisoning Denial of Service (DoS) vulnerability
Some of the vulnerabilities are due to insufficient input sanitization, which means that submitted data isn’t filtered for malicious inputs.
The official WordPress developer page for input sanitization informs:
“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.
Sanitizing input is the process of securing/cleaning/filtering input data.
Validation is preferred over sanitization because validation is more specific.
But when ‘more specific’ isn’t possible, sanitization is the next best thing.”
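The distinction drawn in that guidance, shown as an added example (not code from WordPress core or from the advisory): fields with a known format are validated and rejected when they fail, while free text is sanitized. It assumes the code runs inside WordPress; demo_process_signup() and the field names are hypothetical.

```php
<?php
// Added example. Assumes it runs inside WordPress (a plugin file or `wp eval-file`).
// demo_process_signup() and the field names are hypothetical.

function demo_process_signup( array $raw ) {
	$raw    = wp_unslash( $raw );   // WordPress adds slashes to request data.
	$errors = new WP_Error();
	$clean  = array();

	// Validation: an address is either well formed or rejected outright.
	$email = trim( (string) ( $raw['email'] ?? '' ) );
	if ( is_email( $email ) ) {
		$clean['email'] = $email;
	} else {
		$errors->add( 'email', 'Invalid email address.' );
	}

	// Validation against an allowlist: only known plan names pass.
	$plan = (string) ( $raw['plan'] ?? '' );
	if ( in_array( $plan, array( 'free', 'pro' ), true ) ) {
		$clean['plan'] = $plan;
	} else {
		$errors->add( 'plan', 'Unknown plan.' );
	}

	// Validation: digits only, then a range check.
	$age = (string) ( $raw['age'] ?? '' );
	if ( ctype_digit( $age ) && (int) $age >= 13 && (int) $age <= 120 ) {
		$clean['age'] = (int) $age;
	} else {
		$errors->add( 'age', 'Age must be a whole number from 13 to 120.' );
	}

	// Sanitization: free text has no single valid format, so clean it instead.
	$clean['bio'] = sanitize_text_field( (string) ( $raw['bio'] ?? '' ) );

	return $errors->has_errors() ? $errors : $clean;
}

// Constructed sample input: three well-formed fields and markup in the free-text one.
$result = demo_process_signup( array(
	'email' => 'reader@example.com',
	'plan'  => 'pro',
	'age'   => '34',
	'bio'   => 'Hello <script>alert(1)</script> world',
) );

if ( is_wp_error( $result ) ) {
	echo esc_html( implode( ' ', $result->get_error_messages() ) );
} else {
	// Escape on output as well; sanitizing on input does not replace it.
	echo esc_html( $result['bio'] );
}
```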
All of the vulnerabilities are rated as medium severity, including patches for five medium severity issues.
An advisory about the current security release posted by Wordfence notes that at least one of the vulnerabilities contained the potential for a full site takeover.
WordPress advises all users to verify that their WordPress installations are updated to the very latest version, WordPress version 6.3.2.
According to the official WordPress announcement:
“Because this is a security release, it is recommended that you update your sites immediately.
Backports are also available for other major WordPress releases, 4.1 and later.”
Read the official WordPress security release announcement: