After over a million downloads of WordPress 2.9 and lots of feedback from all of you, we’re releasing WordPress 2.9.1. This release addresses a handful of minor issues as well as a rather annoying problem where scheduled posts and pingbacks are not processed correctly due to incompatibilities with some hosts. If any of these issues affect you, give 2.9.1 a try. Download 2.9.1 or upgrade automatically from the Tools->Upgrade menu in your blog’s admin area.
Rested up from the holidays? I hope so, because the new year has begun and a lot is going to be happening with WordPress in 2010, and you definitely want to be a part of it. Later this week the scope for version 3.0 (featuring the addition of MU functionality to the WordPress codebase) will be decided in the IRC developer chat*, based on feedback provided by users like you. But it’s no fun to live by IRC alone, which is why we love WordCamps. Attending a WordCamp gives you a chance to meet people in your local community who are working with WordPress, as well as core contributors, theme designers, plugin developers, Codex writers, support forum moderators and other WordPress volunteers who’ve made WordPress what it is today. Add this New Year’s Resolution to your 2010 list if it’s not on there already: Attend a WordCamp, meet at least 5 new local people, learn something new, and if you have the chance, buy a drink for someone who’s volunteered their time and expertise to the WordPress open source project. To help you keep your resolution, here is a list of the upcoming WordCamps for the next three months, followed by what I know so far about each one.
January 8–9: WordCamp Atlanta. First WordCamp of the year, and it’s already sold out — twice! They changed to a bigger venue based on demand, from Georgia Tech to the Atlanta campus of Savannah College of Art and Design (SCAD). They’re still letting people onto the waitlist, if you’re interested. A guaranteed way to get in would be to sponsor the event, and they’re taking last-minute sponsors right now. Atlanta will have sessions on Friday evening and all day Saturday. I’ll be opening the Saturday program with WordPress Resolutions: What to Expect in 2010. After a day of design, development and content track sessions, Lead Developer Mark Jaquith will take the closing slot for a Town Hall-style Q&A. The attendee list (follow link, scroll down) includes a number of WordPress core contributors, theme/plugin developers, and support providers as well as proof that Atlanta has a strong WordPress user base.
January 23: WordCamp Boston. I think WordCamp Boston is trying to one-up every WordCamp the organizers have been to, including the awesome NYC from November, and it looks like they might succeed. From Doc Searls and David Weinberger as keynote speakers to the multiple-track, unconference and Ignite sessions to the sweet-looking venue and the party plans, this one has got it going on. I credit it in part to the fact that they are one of the few WordCamps to follow the advice of having an organizing team of more than just 2 or 3 people, so the work is better distributed. I see a number of familiar names on the attendee list, but even more that I don’t know, so I’m looking forward to meeting the Boston WordPress community. They’re still selling tickets, so if you’re in the northeast, you should try to make it. I’ll be at this one also, talking about how the merge with MU will affect the WordPress admin (by then we should have started figuring it out!).
March 27–28: WordCamp Toronto. The last two Toronto WordCamps have been really good. I heard there would be one in March, but their site right now is just taking emails for notification. I’ve contacted the organizer to see what’s up, and he says the site will likely go live this week. They’re looking for volunteers to help organize this year’s event, so if you’re interested, it would be a great opportunity to get involved. Believe me, volunteering at a WordCamp is one of the best ways to make sure you meet a lot of other attendees.
ASIA
January 30: WordCamp Indonesia. WordCamp Indonesia will be in Jakarta again this year. I love how they worded the beginning of their sessions page. “Come in, we’ll get you breakfast and coffee, you’ll register, there’ll be networking. It’ll be great.” There will be a single track of sessions, but there are several time slots set aside for ad-hoc discussion and breakout sessions.
February 27: WordCamp Fukuoka. WordCamp Fukuoka is just getting its site up, too, so check back periodically a little later for more information. One of their visiting speakers will be Noel Jackson, developer of the Press This bookmarklet as well as themes like P2 and Monotone/Duotone.
EUROPE
January 30: WordCamp Greece. WordCamp Greece will be held in Thessaloniki, and they expect about 100-150 people to attend. The program includes regular sessions on the usual topics (how-to, programming, SEO, multi-language sites, etc) as well as “QuickRounds,” which will showcase Greek projects based on WordPress. I’m especially intrigued by the “WordPress vs. Expression Engine” session. Whenever people compare different publishing platforms, it’s interesting to see which features they highlight. I hope someone gets video from this one and posts it to the WordCamp section of WordPress.tv.
March 6–7: WordCamp Ireland. WordCamp Ireland will be in Kilkenny, and for such a geographically small country, it’s got an impressive list of speakers, including Donncha O Caoimh, lead developer of WordPress MU. The program includes three tracks: Intro, Blogger, and Developer, and I think this will be the first WordCamp I’ve heard of that is deliberately family-friendly, with on-site child care. They’re also going to have a charging station for mobile devices, which is clever. It’s not confirmed yet, but I think I’ll be at this one, too.
If you want to attend a WordCamp but don’t know of one near you, check out WordCamp.org for the official list (updated frequently). That’s also where you would start if you wanted to organize a WordCamp in your area.
*Developer chats are held Thursdays at 21:00 UTC in the #wordpress-dev channel at irc.freenode.com.
Thanks to everyone who tested 2.9.1 Beta 1. We’re following that up with Release Candidate 1. RC1 contains a few more fixes, bringing the number of fixed tickets up to 23. If you are already running Beta 1, visit Tools->Upgrade in your blog’s admin to get RC1. You can also download the RC1 package and install manually. If all goes well, 2.9.1 will be here soon.
Merry Christmas! One of the things that was discussed at the core commit team meetup was release scope (and scope creep). Now that 2.9 is out and it’s time to start thinking about 3.0, we think it would be appropriate to stop and take a breath before diving in, and make a plan in advance. What winds up happening is that during each release cycle a few new features are selected for inclusion, but then right up until feature freeze (and/or beta cycle), people keep adding feature requests, patches for enhancements, and ongoing bug reports. This means each release winds up getting pushed out later than planned, and with so many things going in per release, it becomes harder to catch new bugs.
The as-long-as-we’re-not-in-freeze-yet model isn’t working. People wind up waiting months longer for new features they want, like Trash and Image Editing, because we’re still adding other things and then we need to test them all. If we kept the releases smaller feature-wise, we could push out the new stuff sooner (3 releases per year is the goal) and have more focused beta testing, making the releases themselves better. It’s hard, because everyone has their pet features and fixes, and if there’s a patch, why not get it in this release rather than waiting? Sometimes people complain that a patch has been waiting to be committed for weeks or months, but what no one ever seems to bring up is that sometimes patches introduce new bugs, and the more we add at once, the harder it is to keep it all well-tested on various platforms, in different hosting environments, etc. So. What’s our proposal?
We take a page from the world of project management and we make a project plan before we jump into the dev cycle. We let everyone propose features and enhancements, and we choose a limited number to include in 3.0 (in this case we need to be especially stringent, because the merge of WordPress and WordPress MU will automatically mean a lot of work) and set a realistic release date that we stick to. We create a tentative set of features for the next two releases, to be re-evaluated at the beginning of the next cycle, so that people know the community is committed to certain features, as opposed to the vague “future release” label we now use for everything not included in the current version. We fix bugs that are reproducible and affect a large number of users before focusing on edge case bugs or bugs that haven’t been well-described or reproduced. We stop diverting our attention from agreed-upon goals when a “squeaky wheel” decides we should all be focused on something else. There are always things that pop up unexpectedly, but we need to do a better job of restraining ourselves when it comes to trying to sneak things into the current release (I include myself in this, of course…as a UX person I always wish we could do everything all at once!).
As an open source project, we accomplish more when we work together than we do following individual agendas, and we need to keep our project focused on commonly-agreed-upon goals instead of following tangents whenever a community member starts to take us on one, regardless of whether it’s to follow a cool idea that everyone loves or a suggestion based on a personal agenda, and regardless of whether it’s a newbie who doesn’t know any better or a frequent contributor or committer who has a strong opinion and a loud voice (so to speak). The issue here is that it’s easy to get distracted, so we need to create a structure that will help us keep moving forward instead of getting sidetracked. We need to keep Trac clean for the current dev cycle so that it includes confirmed features and bug reports, and all new feature suggestions go into a different milestone.
We think it’s at least worth a try. When we re-start the weekly IRC dev chats in 2010, the first meeting will be to talk about the scope of 3.0. When we’ve got a general agreement about what will be included, we’ll create the appropriate Trac tickets, and punt tickets for non-3.0 feature requests/enhancements to a future release so we can stay focused. New bug reports will still come in to the current milestone. It’s going to be hard. There are at least a dozen new features that I feel like we’ve pushed back multiple times that I’d like to see in core, but for this experiment, I’m just going to keep reminding myself, “You can do that with a plugin!”
Unfortunately, the recent 2.9 release triggered a bug in certain versions of PHP’s curl extension. With these versions of curl, scheduled posts and pingbacks are not processed correctly. To fix this problem as well as a handful of other, lesser issues, we are quickly releasing 2.9.1, the first maintenance release of the 2.9 line. Help us get 2.9.1 ready to go by testing 2.9.1 Beta 1. The easiest way to test Beta 1 is to install the WordPress Beta Tester plugin, elect to get on the point release development track, and then perform an automatic upgrade via the Tools->Upgrade menu. You can also download the Beta 1 package and install manually. Fourteen tickets have been fixed in 2.9.1 Beta 1. Since the curl problem and a couple of other problems are dependent on specific hosting configurations, any and all testing help is greatly appreciated.
The coolest new stuff from a user point of view is:
Global undo/“trash” feature, which means that if you accidentally delete a post or comment you can bring it back from the grave (i.e., the Trash). This also eliminates those annoying “are you sure” messages we used to have on every delete.
Built-in image editor allows you to crop, edit, rotate, flip, and scale your images to show them who’s boss. This is the first wave of our many planned media-handling improvements.
Batch plugin update and compatibility checking, which means you can update 10 plugins at once, versus having to do multiple clicks for each one, and we’re using the new compatibility data from the plugins directory to give you a better idea of whether your plugins are compatible with new releases of WordPress. This should take the fear and hassle out of upgrading.
Easier video embeds that allow you to just paste a URL on its own line and have it magically turn it into the proper embed code, with Oembed support for YouTube, Daily Motion, Blip.tv, Flickr, Hulu, Viddler, Qik, Revision3, Scribd, Google Video, Photobucket, PollDaddy, and WordPress.tv (and more in the next release).
2.9 provides the smoothest ride yet because of a number of improvements under the hood and more subtle improvements you’ll begin to appreciate once you’ve been around the block a few times. Here’s just a sampling:
We now have rel=canonical support for better SEO.
There is automatic database optimization support, which you can enable in your wp-config.php file by adding define('WP_ALLOW_REPAIR', true);.
Themes can register “post thumbnails” which allow them to attach an image to the post, especially useful for magazine-style themes.
A new commentmeta table that allows arbitrary key/value pairs to be attached to comments, just like posts, so you can now expand greatly what you can do in the comment framework.
Custom post types have been upgraded with better API support so you can juggle more types than just post, page, and attachment. (More of this planned for 3.0.)
You can set custom theme directories, so a plugin can register a theme to be bundled with it or you can have multiple shared theme directories on your server.
We’ve upgraded TinyMCE WYSIWYG editing and Simplepie.
Sidebars can now have descriptions so it’s more obvious what and where they do what they do.
Specify category templates not just by ID, like before, but by slug, which will make it easier for theme developers to do custom things with categories — like post types!
Registration and profiles are now extensible to allow you to collect things more easily, like a user’s Twitter account or any other fields you can imagine.
The XML-RPC API has been extended to allow changing the user registration option. We fixed some Atom API attachment issues.
Create custom galleries with the new include and exclude attributes that allow you to pull attachments from any post, not just the current one.
When you’re editing files in the theme and plugin editors it remembers your location and takes you back to that line after you save. (Thank goodness!!!)
The Press This bookmarklet has been improved and is faster than ever; give it a try for on-the-fly blogging from wherever you are on the internet.
Custom taxonomies are now included in the WXR export file and imported correctly.
Better hooks and filters for excerpts, smilies, HTTP requests, user profiles, author links, taxonomies, SSL support, tag clouds, query_posts and WP_Query.
2.9 has been an exciting development cycle, and I must say it has whetted our appetite for 3.0, which is coming next (probably this spring) and will include at the very least the merge of MU with the WordPress core, and a new default theme. We can’t wait to start working on it. But first, some Carmen McRae tunes and a beer. Join us!
To get started, here’s a short video from the meetup discussing some of the topics and 2.9. In the opening pan, you’ll see (L-R) Andrew Ozz, Mark Jaquith, Jane Wells, Peter Westwood, and Ryan Boren, followed by Matt Mullenweg as the first person talking. Tip: go full-screen in HD to feel like you were there.
Last week, I posted about the fact that Trac would be quiet for a few days while the core commit team met in person for the first time to talk about some goals for WordPress in the coming year. That prediction wound up being a little inaccurate, as having everyone together inspired a Trac sprint to get us closer to shipping 2.9. As of this morning there are only 11 tickets left against the 2.9 milestone. Yay! I’m sensing a Release Candidate in the near future.
I’d planned to write a summary post to encapsulate the discussions we had over our 3 day meetup, but to be honest, all-day (and night) every-day meetings create a ton of things to summarize, and the post would be a novella. So instead of one long post, I’m going to split it up into a series and post a summary of the discussion on one or two topics per day until I’ve posted them all. Think of it like a WordPress advent calendar. For today’s post, enjoy the video above and I’ll list the topics we covered to give you an idea of what will be included in the upcoming summary posts.
Topics: Direction for the coming year(s), canonical plugins, social i18n for plugins, plugin salvage (like UDRP for abandoned plugins), WordPress/MU merge, default themes, CMS functionality (custom taxonomies, types, statuses, queries), cross-content taxonomy, media functions and UI, community “levels” based on activity, defining scope of releases, site menu management, communications within the community, lessons learned from past releases, mentorship programs, Trac issues, wordpress.org redesign, documentation, community code of conduct.
You can see why I didn’t want to try to cram it all into one post, right?
Just to make sure it’s clear in everyone’s minds, I want to reiterate that these discussions were just that: discussions. They were not secret meetings ending in hard and fast decisions. The idea was to 1) get the core commit team on the same page in order to improve workflow efficiency and communication, and 2) come out of the meetup with a long list of things we know we want to work on in the coming year, and from there to work with the broader community to determine priorities/strategies before starting the work of getting it all done. As I finish off 2009 by posting summaries of the meetup conversations, I hope you’ll all plan to start 2010 with enthusiastic participation in one or more of the projects that will take these conversations from concept to reality.
There have been a lot of references to “canonical plugins” over the past year, especially at WordCamps by Matt, but we haven’t really posted anything official about the idea, nor have we really made much progress beyond discussions about how awesome it would be to have canonical plugins and how good it would be for the community. But what are canonical plugins, you ask? Well, that’s one of the many things the core commit team has been talking about over the past few days, and everyone agrees that we need to prioritize this aspect of the project sooner rather than later. So, here’s a super high-level description of how we’re currently thinking about canonical plugins, which we’d like to use to initiate some focused community discussion on the topic.
Canonical plugins would be plugins that are community developed (multiple developers, not just one person) and address the most popular functionality requests with superlative execution. These plugins would be GPL and live in the WordPress.org repo, and would be developed in close connection with WordPress core. There would be a very strong relationship between core and these plugins that ensured that a) the plugin code would be secure and the best possible example of coding standards, and b) that new versions of WordPress would be tested against these plugins prior to release to ensure compatibility. There would be a screen within the Plugins section of the WordPress admin to feature these canonical plugins as a kind of Editor’s Choice or Verified guarantee. These plugins would be a true extension of core WordPress in terms of compatibility, security and support.
In order to have a system like this, each canonical plugin’s development community would probably need similar infrastructure to WordPress itself, including things like Trac, mailing lists, support forums, etc. These things will be worked out within the development community over the coming months, but in the meantime, we really need a better name for this. Many people have no idea what canon/canonical means (clearly, they are not Dr. Who fans!), and having to define the word distracts from discussing the core ideas behind the concept. So, we thought we’d do a community poll to see what people think we should call canonical plugins. We brainstormed a few dozen ideas yesterday and whittled it down to our top handful. Based on the definition of canonical plugins given above, which of these terms do you think best describes them? I’m including a short description of our thoughts on each.
Standard – Implies that these are the standard by which all other plugins should be judged, as well as the idea of them being the default plugins.
Core – Makes the close relationship to core WordPress development very clear, and has the implication of bundled plugins (even though we don’t need to actually bundle them now that the installer is right in the admin tool).
Premium – Identifies these officially-supported plugins as best-in-class and of the highest value, and could potentially disambiguate the word Premium as it is currently being used in the community (to refer to anything from commercial support to licensing terms to actual code quality).
Validated – Focuses on the fact that the code is reviewed for compatibility with core and for security.
Official – Makes it plain that these are the plugins officially endorsed by the core team as being the best at their functions.
Canonical – Maybe once people get used to it, canonical wouldn’t confuse so many people?
Cast your vote in the poll below to have your opinion considered during the decision-making process. And if you can think of a word that we haven’t listed here that you think is better, please submit it in the poll! The poll will remain open until 11:59pm UTC Thursday, December 10, 2009.
Just a heads up that Trac commits will be pretty low over the next couple of days, as all the core committers are in Orlando: Matt, Ryan, Andrew, Peter and Mark. We all came for WordCamp Orlando (fun!) and are staying a couple of extra days to discuss the vision for WordPress in the coming year, the merge, canonical plugins, the WordPress.org site, community stuff, and all the other things that are important but that we never seem to have time to address. Since when things like this come up in the IRC dev chat or in various forums there’s inevitably a point at which someone says, “We really need to have [insert a core committer name here] here to make a decision,” we thought it would make sense to get together and figure out where everyone stands on all these ideas so that we can move forward a little more efficiently. Also, not all the committers had met in person before (and I’d never met Andrew or Peter), so it’s also a chance for us to just get to know each other a little. Watch this space around Tuesday or Wednesday for a post summarizing the things we’ve discussed, and the beginning of planning for how members of the community can get involved in (or spearhead) the things that interest them.
Version beta-2 of WordPress 2.9 is ready for your testing pleasure. You can download it or use the WordPress Beta Tester plugin and auto-upgrade a test installation. See all changes since beta 1.
Thanksgiving was last week, and I thought about doing a post to thank the people who contribute to WordPress core, since this is a group of people I’m thankful for on a daily basis. I started a draft, and then realized that with 2.9 in beta, we’ll have a release announcement sometime in the next few weeks (barring unforeseen complications, etc), and all the core contributors will be thanked then. Though I think it’s worth giving thanks every day for the people who make WordPress possible, I don’t like to clutter up anyone’s feed readers with repetitive posts, so I decided to wait until today for my post, and to focus solely on the other group I’d planned to include: support forum volunteers.
Forum volunteers don’t get a lot of flashy attention. There aren’t flame wars about whether or not the support forums should be commercial instead of free and community-run. There generally aren’t big arguments and debates over whose point of view is the right one. What the forums do have is amazing volunteers who give their time to help other WordPress users and developers learn. People who only know a little answer easy questions that maybe they’ve only recently learned the answers to themselves. People with more expert skills help troubleshoot larger issues. If someone offers advice that could be better, others will add their solutions to the mix. Of all the WordPress users I’ve met in person, not one person got started without visiting the forums. In many cases, people turn to the forums even before the Codex. In the support forums, I see a lot of what is best about our community, and almost none of that which is not.*
Without further ado, here’s my thank you to the volunteers who make the support forums work. Without them, we would be less than what we are today. I’m listing people by their WordPress.org usernames, since that’s how you see them in the forums.
Official WordPress.org Support Forum Moderators
These are the people who’ve officially got your back and have been active in the past few months. See them at a WordCamp? Buy them a beer! Otto42, jeremyclark13, MichaelH, samboll, Chris_K. MichaelH suggested we also recognize Moshu, Podz, Kafkaesqui for past meritorious service.
The Honor Roll
These people are not official moderators, but their knowledge and activity levels have caught the attention of those who are. A big round of thanks to these folks for selflessly sharing their knowledge with other WordPress users.
Most active volunteers, nominated by more than one official moderator for recognition (for the reasons given):
alchymyth – “Overall knowledge”
apljdi – “Overall knowledge and programming skills”
t31os_ – “Programming skills”
whooami – “For her security responses”, “Knows her stuff”
As we close out 2009 and get closer to 2010, it would be great for us to start thinking about some ways we could make it easier/more rewarding for people to be involved in the forums and other aspects of the open source project. I’ve started a forum thread to discuss some ideas with the thought that we can try a couple after the holidays and see what takes.
* I say almost because let’s face it, we all get caught in the traps of trolls sometimes, and patience can be hard to keep when someone is a jerk. So a reminder to all who use the forums: be nice to the people who are trying to help you!
P.S. While I’m at it, here’s another tip/request. Search the forums for your problem before posting; if it’s already been answered before (often more than once), you’re kind of wasting people’s time by posting it again without trying the previous solutions first. Please respect the time of the volunteers by searching first (and mention in your post what you’ve already tried).
I was very excited last week to learn that WordPress has been awarded the Overall Best Open Source CMS Award in the 2009 Open Source CMS Awards. This is a landmark for us, as it is the first time we’ve won this award, and it marks a shift in the public perception of WordPress, from blog software to full-featured CMS. No small contest, the Open Source CMS Awards received over 12,000 nominations and more than 23,000 votes across five categories.
As Hiro Nakamura said when he first bent time and space to land in Times Square: “Yatta!”
In addition to winning in the Overall Best Open Source CMS category, WordPress was named first runner-up in the Best Open Source PHP CMS category. This is significant because we weren’t even in the top 5 last year, and now we’re #2, ahead of Joomla! As is stated on the Award site, “WordPress made its way into the top five for the first time. The fact that it was outranked by Drupal by a very slight margin indicates how popular it has become with users as well as developers over the past year.”
Every day thousands of new people are embracing WordPress to power not just their blogs but entire sites and communities without compromising on usability or scalability (as would be the case with a legacy CMS). Every member of the WordPress community, from core developer to beginning user, should be proud to be part of this momentum: congratulations to us all!
WordCamp NYC was last weekend, and it was crazy awesome to have so many WordPress users and developers together in one place (final numbers to come, but looks like over 700). One of my favorite moments was right at the end, when someone suggested getting a picture of the core contributors (I’d asked them all to stand so people could applaud them when we were doing the closing remarks). Some of them were camera shy and kept out of the happysnap, but here’s a handful of the people who make WordPress what it is.
2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.
The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.
Just in case anyone forgot, the first of the November bug hunts for version 2.9 is now in progress, and will last another day. If you’ve got a dev environment set up, please consider pitching in to run some tests and help get us closer to the 2.9 milestone release.
There are six WordCamps coming up before the end of the year, and since I like to make sure people know about it when there’s a WordCamp near them, here’s the list, with some personal commentary thrown in. If you just want the list without my asides, check out the full schedule at WordCamp.org.
WordCamp Phoenix is first up, on November 13. I’d planned on attending this one myself before they changed the date (it was originally scheduled for the 7th), but will sadly have to miss it as it conflicts with WordCamp NYC. If you, like me, can’t make it to Phoenix, be sure to check their web site for information on the live stream they’re planning to provide. If it’s anywhere near the quality of the stream from Portland or Seattle earlier this fall, it’ll be just like being there, but without a t-shirt to show for it (and theirs has stripes, so if you’re local, you should go!). My only consolation in missing this WordCamp is that I’ve seen about half of the speakers before. If you’re going, don’t miss the session by John Hawkins on Building a WordPress Plugin; it got me to write my first plugin in Portland! Matt’ll be there, will you?
WordCamp Victoria is next, on November 14. This is another one I’d love to go to, but can’t because it’s at the same time as New York’s. I would especially have liked to go because it looks like the speakers are all local, and I haven’t seen any of them speak before. Occasionally WordCamps lose a little of the local feeling by focusing on visiting speakers, so it’s nice to see so many Vancouverites on the list. They’ll have a Blogger track and a Technical track running concurrently, so there should be a little something for everyone. No word on a live stream, but hopefully they’ll be able to catch some of the presentations on video and post them to WordPress.tv after the event.
WordCamp Bangkok is scheduled for November 15. I have to admit that the first thing that catches my eye on their agenda is “WordPress Band.” I’ve known WordCamps to have people performing songs before, but a whole band? Might be a first. I hope they’ll post the video to WordPress.tv, too.
WordCamp New York City is the same weekend as the previous three, on November 14-15. In the interest of full disclosure, I need to tell you that I’m one of the organizers of WordCamp NYC, so my informative comment about it here may be a little biased. That said, we have over 50 confirmed speakers (both local and visiting), and 2 full days of content in 8 — count ‘em, 8 — tracks. Newbies get a free year of hosting and walked through setting up a WordPress blog in workshop format, while the other tracks have specialized content for Bloggers, CMS Users, Beginning Developers, Advanced Developers, Academic Users, people interested in MU/BuddyPress, and the Open Source Community. Did I mention the theme and plugin contest? Or the awesome shirts? How about the Genius Bar, or the Hacker Room? The additional Unconference sessions? If you’re anywhere near NYC that weekend (and with the Acela, that’s anywhere from Boston to D.C.), you should definitely come. I’ll be there, Matt’ll be there, lead developer Mark Jaquith will be there, lead developer of BuddyPress Andy Peatling will be there, and too many other WordPress luminaries and locals to mention. If we hit 800 registrations by November 12, I’m baking cookies for everyone.
WordCamp Peru will be on November 28 in Lima. I was checking out their topics list, and it looks like they’re planning to cover all the usual topics around blog administration, security, increasing traffic, and integration with social media sites. No speaker list yet, but if you’re in Peru, it looks like this will be a nice gathering of WordPress users, and they’re hoping to have around 100 people attend.
WordCamp Orlando is the last of the year, on December 5. They haven’t published a speaker list or schedule yet, but I know Matt will be there, Mark Jaquith will be there, and I will be there. I know some other awesome core contributors are planning to come, but I don’t want to jinx anything, so if you’re curious, come see for yourself. Plus, Florida in December!
As we near completion of the 2.9 milestone, it’s that time of dev cycle again, when we ask all you community developers who’ve been putting off contributing to core to dust off your dev environments and help us get closer to being release-ready. How? Bug hunts! Yes, that time-honored tradition (in the time of WordPress, anyway) of everyone pitching in to test patches and report the results, working on solutions to major bugs, and helping to clear out Trac has come around again, and we’re scheduling not one, but two bug hunts over the next couple of weeks to ensure that everyone has enough time to prepare and participate.
#1 – The first bug hunt of 2.9 will be Thursday through Saturday, November 5-7, 2009. This should give people a few days to plan for it, upgrade their dev environments if they haven’t been following trunk, and figure out how to allot their time. We’re stretching over both weekdays and weekend to try and accommodate everyone’s schedule.
#2 – The second bug hunt will be a week later, Saturday through Monday, November 14-16, 2009. This should make it possible for anyone who needs more than a week to set some time aside to participate. This bug hunt will coincide with WordCamp NYC, where a special Hacker Room will be set aside for people to go and work on 2.9 bug tickets alongside regular core contributors including Mark Jaquith and Matt Martz (sivel from IRC).
The Goals
Test, test, test existing patches! You can see all tickets with patches that need testing by checking this report. When you’ve tested a patch, report your results in the ticket comments, so core committers can see how the patch is faring.
Fix known bugs! You can see the bugs that need patches by checking this report. Look for the ones that seem like they’ll affect the most people or have the biggest impact by being fixed. Edge case bugs should be lower priority.
Report new bugs! As you’re testing out the development version, if you come across a bug, search trac to see if someone has reported it yet. If so, add a comment with your experience to the ticket so we’ll know it’s affecting more than one person. If no ticket exists yet, create one.
Core committers will be around (in the #wordpress-dev channel at irc.freenode.com) both weekends to review patches that have been thoroughly tested, answer questions as needed, and give feedback on patches that need more work before being commit-worthy.
If you’ve never participated in a WordPress bug hunt before, but you’d like to get involved, we’d love to have you join us! To prepare, you’ll want to set up a test environment, start using the current development version/maybe install the beta testing plugin, join us in the #wordpress-dev IRC channel, and read up on automated testing.
The number one reason people give us for not upgrading to the latest version of WordPress is fear that their plugins won’t be compatible. As part of our continuing efforts to make WordPress core, plugin, and theme upgrades as painless as possible, Michael Adams developed and launched a beta of a new “Compatibility” feature in the plugin directory, powered by your votes. When viewing a plugin in the directory, select a WordPress version and a plugin version from the drop-downs. If there has been feedback about this WordPress / plugin version combination, we’ll show you what percentage of responses marked that combination as compatible vs how many marked it as incompatible.
If you log in, you’ll be able to help us gather this information! Just select a WordPress version / plugin version combination and click the “Works” or the “Broken” button. Please note that this shouldn’t be used to report minor issues with a plugin. You should mark a plugin as “Broken” only if its core functionality is truly broken when run on the specified WordPress version.
Right now we’re just in information gathering mode. So get out there and vote! Don’t just vote on broken plugins… cast a “Works” vote for every plugin that works on the version of WordPress you are using. This can help improve the signal-to-noise ratio in our data and prevent a few mistaken “Broken” votes from weighing too heavily.
For developers, we’re now including this data in our API. The plugin_information action now returns a “compatibility” member with the multidimensional array format:
array( {WP version} => array( {plugin version} => array( {% of reporters who say it works}, {# responses} ) ) )
If the API knows which version of WordPress you are using (for example, if you are making this query using the plugins_api() function from within WordPress), the API will only return compatibility information for your version of WordPress.
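One way to read that "compatibility" member before an upgrade, as an added example that is not code from WordPress or the plugin directory. The sample array is constructed, and the function names and both thresholds (minimum responses, minimum "works" percentage) are assumptions chosen so that a lone "Broken" vote does not decide the outcome.

```php
<?php
// Constructed sample in the format described above (not real directory data):
// WP version => plugin version => array( % of reporters who say it works, # responses ).
$compatibility = array(
    '2.8.4' => array(
        '1.2' => array( 95, 40 ),
        '1.3' => array( 0, 1 ),   // one lone "Broken" vote
    ),
    '2.8.5' => array(
        '1.3' => array( 33, 12 ),
    ),
);

/**
 * Classify one WordPress / plugin version pair as 'works', 'broken',
 * 'too-few-votes' or 'no-data'. Both thresholds are hypothetical.
 */
function compat_verdict( array $compat, $wp, $plugin, $min_responses = 5, $works_percent = 80 ) {
    if ( ! isset( $compat[ $wp ][ $plugin ] ) || ! is_array( $compat[ $wp ][ $plugin ] ) ) {
        return 'no-data';
    }
    $entry = array_values( $compat[ $wp ][ $plugin ] );
    if ( count( $entry ) < 2 || ! is_numeric( $entry[0] ) || ! is_numeric( $entry[1] ) ) {
        return 'no-data';
    }
    $percent   = (float) $entry[0];
    $responses = (int) $entry[1];
    if ( $responses < $min_responses ) {
        return 'too-few-votes';   // not enough signal either way
    }
    return $percent >= $works_percent ? 'works' : 'broken';
}

/**
 * Newest plugin version with a 'works' verdict for the given WordPress
 * version, or null when no version has enough positive feedback.
 */
function newest_working_version( array $compat, $wp, $min_responses = 5, $works_percent = 80 ) {
    if ( empty( $compat[ $wp ] ) || ! is_array( $compat[ $wp ] ) ) {
        return null;
    }
    // PHP turns integer-like keys such as "2" into ints, so cast back to strings.
    $versions = array_map( 'strval', array_keys( $compat[ $wp ] ) );
    usort( $versions, 'version_compare' );
    foreach ( array_reverse( $versions ) as $version ) {
        if ( 'works' === compat_verdict( $compat, $wp, $version, $min_responses, $works_percent ) ) {
            return $version;
        }
    }
    return null;
}

$pairs = array(
    array( '2.8.4', '1.2' ),
    array( '2.8.4', '1.3' ),
    array( '2.8.5', '1.3' ),
    array( '2.8.5', '1.2' ),
);
foreach ( $pairs as $pair ) {
    list( $wp, $plugin ) = $pair;
    printf( "WP %s / plugin %s: %s\n", $wp, $plugin, compat_verdict( $compatibility, $wp, $plugin ) );
}
foreach ( array( '2.8.4', '2.8.5' ) as $wp ) {
    $best = newest_working_version( $compatibility, $wp );
    printf( "Newest plugin version reported working on WP %s: %s\n", $wp, null === $best ? 'none' : $best );
}
```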
Eventually, we’d like to gather this compatibility feedback from within WordPress, allowing you to vote directly from your plugins admin screen. The ultimate goal is to use this information to inform you of plugin incompatibilities with a new version of WordPress during the upgrade process. For that to be useful we need a large set of high quality compatibility data. Start voting!
As you know, over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible, and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.
The headline changes in this release are:
A fix for the Trackback Denial-of-Service attack that is currently being seen.
Removal of areas within the code where php code in variables was evaluated.
Switched the file upload functionality to be whitelisted for all users including Admins.
Retiring of the two importers of Tag data from old plugins.
We would recommend that all sites are upgraded to this new version of WordPress so as to ensure that you have the best available protection.
If you think your site may have been hit by one of the recent exploits and you would like to make sure that you have cleared out all traces of the exploit then we would recommend that you take a look at the WordPress Exploit Scanner. This is a plugin which searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames. You can read more about this plugin here – “WordPress Exploit Scanner“
We have been hard at work now for a few months on the new features that will be coming in WordPress 2.9, and we are nearing the time when the first beta version will be available. We’ll need your help with beta testing the new features and ironing out any bugs.
There are a number of different ways in which you can get involved in the testing process, and there are options to suit people of all different skill sets. First of all, you can join the wp-testers mailing list to keep up to date with the testing progress and to discuss things with the other testers. Secondly, you can head over to the Trac ticketing system and either create tickets for bugs you find or use some of the useful searches to look for patches that need testing or that need someone to try and reproduce the issue.
During the beta phase we are going to focus on the stabilization of the new features and the removal of existing bugs which are well-understood and have easily testable solutions. During this process we will not be adding any more enhancements so as to ensure that the focus is on making the 2.9 release as bug-free as possible. We will also try and have a few special bug hunt days where one or more experienced WordPress developers will be available to help people track down issues and get patches committed to fix bugs.
To make it as easy as possible for you to get a beta testing install up and running, we have put together a small WordPress plugin which makes it really easy to convert a test install of the latest release version of WordPress into a beta test install of the next up and coming release. The plugin is called WordPress Beta Tester and is available to download from WordPress Extend or can be installed using the built-in plugin installer. Please make sure to only install this plugin on a test site, as we don’t recommend running beta versions on your normal live sites in case anything goes wrong. You can read more about the plugin in “Making it easy to be a WordPress Tester”
We are aiming to release the first beta version of 2.9 around the end of October, once we have put the finishing touches on the new features, and then we switch to full on beta testing mode and your help and feedback will be very much appreciated. During the beta program we will push out new builds for automated upgrades regularly, and once we feel that a suitable level of stability has been achieved we will release a release candidate, and we hope to be able to make the final release 2.9 build available in either late November or early December.
A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later.
Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.
The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.
I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.
2.8.4, the current version of WordPress, is immune to this worm. (So was the release before this one.) If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine.
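Because the worm described above hides its admin account from the users page, an audit has to read the data directly rather than trust the rendered screen. The following is an added example, not code from WordPress or from the Exploit Scanner plugin: the rows are constructed, the field names are assumptions, and the heuristics (unexpected administrators, markup in user fields, hidden blocks containing links) are assumptions that will also flag some legitimate content.

```php
<?php
// Constructed rows standing in for a direct read of the users and posts tables.
$users = array(
    array( 'login' => 'admin',    'role' => 'administrator', 'display_name' => 'Site Admin' ),
    array( 'login' => 'jane',     'role' => 'author',        'display_name' => 'Jane' ),
    array( 'login' => 'user4821', 'role' => 'administrator',
           'display_name' => 'x<script>/* constructed placeholder */</script>' ),
);
$posts = array(
    array( 'id' => 7,  'content' => '<p>An old post.</p><div style="display:none"><a href="http://example.invalid/">link</a></div>' ),
    array( 'id' => 12, 'content' => '<p>A clean post with a <a href="http://example.org/">visible link</a>.</p>' ),
);
// Administrators the site owner actually created (hypothetical allowlist).
$expected_admins = array( 'admin' );

/** Flag administrators that are not on the allowlist and user fields carrying markup. */
function audit_users( array $users, array $expected_admins ) {
    $findings = array();
    foreach ( $users as $user ) {
        $login = isset( $user['login'] ) ? (string) $user['login'] : '(no login)';
        $role  = isset( $user['role'] ) ? $user['role'] : '';
        if ( 'administrator' === $role && ! in_array( $login, $expected_admins, true ) ) {
            $findings[] = "unexpected administrator: $login";
        }
        foreach ( $user as $field => $value ) {
            // Profile fields are plain text; any tag in them deserves a look.
            if ( is_string( $value ) && strip_tags( $value ) !== $value ) {
                $findings[] = "markup in field '$field' of user $login";
            }
        }
    }
    return $findings;
}

/** Flag posts with script/iframe tags or with links inside hidden-styled markup. */
function audit_posts( array $posts ) {
    $hidden_style = '/style\s*=\s*["\'][^"\']*(?:display\s*:\s*none|visibility\s*:\s*hidden)/i';
    $link         = '/<a\s[^>]*href/i';
    $active_tag   = '/<\s*(?:script|iframe)\b/i';
    $findings     = array();
    foreach ( $posts as $post ) {
        $content = isset( $post['content'] ) ? (string) $post['content'] : '';
        if ( preg_match( $active_tag, $content ) ) {
            $findings[] = "post {$post['id']}: script or iframe tag in content";
        }
        if ( preg_match( $hidden_style, $content ) && preg_match( $link, $content ) ) {
            $findings[] = "post {$post['id']}: link next to hidden-styled markup";
        }
    }
    return $findings;
}

$findings = array_merge( audit_users( $users, $expected_admins ), audit_posts( $posts ) );
foreach ( $findings as $finding ) {
    echo $finding, "\n";
}
echo count( $findings ), " finding(s)\n";
```

A clean result from heuristics like these does not show that a site is uncompromised; upgrading remains the fix the post recommends.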
Whenever a worm makes the rounds, everyone becomes a security expert and peddles one of three types of advice: snake oil, Club solutions, or real solutions. Snake oil you’ll be able to spot right away because it’s easy. Hide the WordPress version, they say, and you’ll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just tests capabilities, version number be damned.
The really interesting thing about these approaches, from a game theory perspective, is that they are all Club solutions, not Lojack solutions. There are two basic approaches to protecting your car from theft: The Club (or The Shield, or a car alarm, or something similar), and Lojack. The Club isn’t much protection against a thief who is determined to steal your car (it’s easy enough to drill the lock, or just cut the steering wheel and slide The Club off). But it is effective protection against a thief who wants to steal a car (not necessarily your car), because thieves are generally in a hurry and will go for the easiest target, the low-hanging fruit. The Club works as long as not everyone has it, since if everyone had it, thieves would have an equally difficult time stealing any car, their choice will be based on other factors, and your car is back to being as vulnerable as anyone else’s. The Club doesn’t deter theft, it only deflects it.
Club blog security solutions can be simple (like an .htaccess file) or incredibly complex (like two-factor authentication), and they can work, especially for known exploits. Club solutions can be useful, like using a strong or complex password for your login — no one would recommend against that. (Another club solution is switching to less-used software on the assumption or more like the software’s claim that it’s perfect and more secure. This is why BeOS is more secure than Linux, ahem.)
In the car world, if someone figured out how to teleport entire cars to chop shops, The Club wouldn’t be so useful anymore. Luckily for manufacturers of The Club, this hasn’t happened. Online and in the software world, though, the equivalent happens almost daily. There is only one real solution. The only thing that I can promise will keep your blog secure today and in the future is upgrading.
WordPress is a community of hundreds of people that read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is going to keep your blog safe from the bad guys. I’m not clairvoyant and I can’t predict what schemes spammers, hackers, crackers, and tricksters will come up with in the future to harm your blog, but I do know for certain that as long as WordPress is around we’ll do everything in our power to make sure the software is safe. We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade, it’s the only way we can help each other.
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
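The failure mode described above, where a reset lookup ends up matching "the first account without a key", is shown here as an added example on constructed data. It is not WordPress's code: the function names and the row layout are assumptions, and how a request reaches the lookup with an empty key is not described on this page and is not modelled.

```php
<?php
// Constructed rows: an empty activation_key means no reset was requested.
function sample_users() {
    return array(
        array( 'login' => 'admin',  'activation_key' => '' ),
        array( 'login' => 'editor', 'activation_key' => 'CONSTRUCTED-RESET-KEY-0001' ),
    );
}

/**
 * Naive lookup, written for illustration only: it returns the first row whose
 * stored key equals the supplied value, so an empty value matches an account
 * that never asked for a reset.
 */
function find_by_key_naive( array $users, $key ) {
    foreach ( $users as $user ) {
        if ( $user['activation_key'] == $key ) {
            return $user['login'];
        }
    }
    return null;
}

/**
 * Hardened lookup: the supplied key must be a non-empty string, accounts with
 * no pending reset are never candidates, and the comparison is constant-time.
 */
function find_by_key_strict( array $users, $key ) {
    if ( ! is_string( $key ) || '' === $key ) {
        return null;
    }
    foreach ( $users as $user ) {
        $stored = $user['activation_key'];
        if ( ! is_string( $stored ) || '' === $stored ) {
            continue;   // no reset requested for this account
        }
        if ( hash_equals( $stored, $key ) ) {
            return $user['login'];
        }
    }
    return null;
}

/** Complete a reset: the key is single-use, so clear it once it has matched. */
function consume_reset_key( array &$users, $key ) {
    $login = find_by_key_strict( $users, $key );
    if ( null === $login ) {
        return null;
    }
    foreach ( $users as &$user ) {
        if ( $user['login'] === $login ) {
            $user['activation_key'] = '';
        }
    }
    unset( $user );
    return $login;
}

$users = sample_users();
$cases = array(
    'empty key' => '',
    'wrong key' => 'NOT-THE-KEY',
    'valid key' => 'CONSTRUCTED-RESET-KEY-0001',
);
foreach ( $cases as $label => $key ) {
    printf(
        "%-9s  naive: %-6s  strict: %s\n",
        $label,
        var_export( find_by_key_naive( $users, $key ), true ),
        var_export( find_by_key_strict( $users, $key ), true )
    );
}
// The valid key works once; a second use finds nothing.
var_dump( consume_reset_key( $users, 'CONSTRUCTED-RESET-KEY-0001' ) );
var_dump( consume_reset_key( $users, 'CONSTRUCTED-RESET-KEY-0001' ) );
```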
Every now and then I see someone ask in the dev channel how they can meet up with other local WordPress developers. We’re thinking about ways to make WordPress.org more of a resource to facilitate local connections, but in the meantime, I thought it might be helpful to publicize some upcoming WordCamps, the weekend conferences organized by local communities to talk about all things WordPress.
If any of these are within a reasonable distance to you, consider attending. WordCamps are a great way to meet other WordPress users, find collaborators, and expand your t-shirt collection*. I know I’ll be hitting at least a few of these; WordCamps are also a great way to get user feedback to take into consideration while we’re making decisions about what to include in core.
You can always find an up-to-date list of upcoming WordCamps at WordCamp Central. You can also try searching for WordPress groups at Meetup.com to find more regular monthly gatherings in your area.
*Most WordCamps include an event t-shirt in the registration fee.
Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended. Download 2.8.3, or upgrade automatically from your admin.
Earlier this month, over 3500 of you responded to our survey asking you to help us prioritize some of the media features that had been suggested for the 2.9 release. While the exact features for 2.9 have not been hammered out yet, as we continue to match up developers with features, we wanted to share the survey results and let you know what we’re thinking in terms of approach.
First, the results. The first question, and the only one that was mandatory, asked what single media feature you would choose to include in version 2.9. The top vote-getter was standalone editable photo albums (as opposed to the current per-post gallery) at 17.5%, followed closely by easier embeds for videos and other third-party content at 16.5%. Next came basic image editing (such as rotating, cropping and resizing) at 13.7%, and post thumbnails (image teasers for posts featured on the home page) at 12.9%. The rest of the features each took less than ten percent of the vote. The full list came in like this:
The second question was optional (3406 people answered it), and asked you to rate each feature on a scale going from top priority down to definitely not for implementation priority. Results here were in line with the results from the first question, with most features rated as nice to have more often than anything else. The features that scored the highest in question 1 were more likely to have earned higher votes in the Top Priority column, but no feature was ranked as a Top Priority more often than it was ranked as a Nice to Have (though Media Albums, Easier Embeds and Post Thumbnails came close). The complete tabulations are shown in the chart below.
Question three was getting at the same thing, but in a more granular fashion, asking you to rank the eleven features in order of priority to you. As only one feature could be assigned to each position, this prevented people from assigning the same priority to multiple features, and we wondered if it would alter the results. Though some features got more recognition in this question, the overall rankings were still in line with the results from question 1. Here are the exact votes per feature/per position:
The fourth question asked for your preferences regarding including new media features in core, bundling them as plugins with the core download, or developing them as plugins but not bundling them with the core download. This vote was more interesting to watch. As the notice for the voting went first to the development community, then to the user community, it was possible to see a shift in the voting. Earlier in the voting cycle, there were more votes for bundling ‘core plugins’ for the advanced media features, while later votes skewed heavily toward just putting the features in core. This vote shows, I think, one of the differences between developer and user perspectives. While developers are heavily interested in keeping the core code lean and relying on plugins for advanced functionality, many users would prefer features they want to be included in core rather than being a separate plugin. The final tally on this question was 56.2% for including features in core, 38.1% for bundled plugins, and 5.7% for non-bundled plugins. The actual numbers:
Clearly this issue deserves more discussion, and the concept of how we move toward a system of canonical plugins and/or core “packages” intended for different use cases (CMS, photoblog, portfolio, etc) will be a big topic in the months ahead.
So where does that leave us regarding features coming down the road? When the vote closed, the results were discussed in the #wordpress-dev IRC chat to divvy up feature development.
The top-voted feature, standalone photo albums, is being worked on as a Google Summer of Code project by Rudolf Lai, under the mentorship of WordPress Lead Developer Mark Jaquith. The “pencils down” date for GSOC is in less than two weeks, at which point we’ll be assessing the state of Rudolf’s project. Hopefully, we’ll be able to incorporate it with 2.9 development, do some testing, amend the code and/or UI as needed, and have this launch with the 2.9 release (in core or as plugin TBD). Undoubtedly, additional functionality will be contributed by core contributors who have also been working on media plugins.
Easier embeds, the second most popular feature, is being looked at in a couple of ways. One, more shortcodes for third-party services. Work on this has already begun. In addition, Viper007Bond, of Viper’s Video Quicktags plugin fame, has taken on the task of working on a way to improve the embed experience in core. We’re not sure quite how this will work yet, but stay tuned.
Adding some basic editing functions like 90-degree rotation, cropping and resizing was considered an obvious winner in the dev chat, and as several plugins handle this functionality, we’re hopeful it will be included soon.
Post thumbnails are being handled by Mark Jaquith, who has created this functionality before, with an assist from Scribu, who has a similar plugin in the repository.
Lower ranked features aren’t off the radar, but may take lower priority than some other (non-media) features we have in the works. One of my favorite 2.9 features is in trunk now, and changes the way we delete content. Goodbye, annoying popup asking me if I’m sure I want to delete a comment/post/etc. Hello, fast and quiet removal into a trash can, from which the content can be retrieved if it was deleted by accident. Think Gmail style. We’re also hoping to work on improving page management, though that has a number of technical issues that may cause it to be a 3.0 feature instead.
As always, you can keep track of development progress in a number of ways:
1. Keep track of Trac. Contribute a patch, test a patch, just read through tickets if you have some time to kill, whatever. There are over 500 tickets against the 2.9 milestone currently. Patches and testing can help us get that number down.
2. Follow Trac commits on Twitter. Don’t want to get involved in the nitty gritty, just want to see what’s getting committed? Follow wpdevel on Twitter and you’ll get core commit updates in your stream.
3. See what’s on the dev agenda. Each week for the IRC dev chat, there’s an agenda, created based on developer suggestions posted at wpdevel.wordpress.com. This blog also contains discussions about specific development issues.
4. Join the dev chat. The day changed this week, to accommodate European schedules. Chats are now held for one hour each week on Thursday at 21:00 UTC. That’s 5pm NYC, 2pm in California, etc. Chats are in the #wordpress-dev room at irc.freenode.com.
5. Watch this blog. If you’re not a developer and prefer to stick to major announcements, the occasional survey to help decide a feature, and security notices, just keep doing what you’re doing. Reading this blog will get you all of these things.
Thanks again for your help in prioritizing features for version 2.9, hopefully coming toward the end of the year to a server near you!
The WordPress team had initially committed to maintaining the WordPress 2.0.x legacy branch until 2010. Unfortunately, we bit off more than we could chew—the 2.0.x branch is now retired and deprecated, a few months shy of 2010.
Many of the security improvements to the new versions of WordPress in the last couple of years were complete reworks of how various systems were handled. Porting those changes to the 2.0.x branch would have been a monumental task and could have introduced instability or new bugs. We had to make hard decisions between stability and merging in the latest security enhancements. Additionally, far fewer people stayed on the 2.0.x branch than we anticipated. I take that as a testament to the new features in WordPress and perhaps even more the features offered by plugins, many of which don’t support older versions of WordPress!
I’m disappointed that we weren’t able to keep the branch maintained until 2010, but since one of the big reasons for that failure was the massive scope of our security improvements for the newer versions of WordPress, 2.0.x doesn’t die in vain!
We’ve recently made some changes to help improve the communication between plugin authors and plugin users about the changes that are made between versions.
We feel that all software should have a changelog that details, at a high level, what changes have been made in each version so that the user can make an informed decision about when to upgrade and how much testing they should do with their site.
In order to make this an easy and open communication channel we have added support for a Changelog section in the plugins readme.txt file. This changelog information is then displayed as a separate tab in the plugin directory and also in the back end of your WordPress blog when you view the details on a new version of a plugin.
The new section is formatted as follows:
== Changelog ==
= 1.0 =
* A change since the previous version.
* Another change.
= 0.5 =
* List versions from most recent at top to oldest at bottom.
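A small parser and lint for the section format above, as an added example that is not the plugin directory's own parser. The readme excerpt is constructed, and the function names and the ordering check (newest version first, using version_compare) are assumptions based on the layout shown.

```php
<?php
// Constructed readme.txt excerpt using the Changelog layout shown above.
$readme = <<<'TXT'
=== Example Plugin ===

== Description ==
Constructed sample for this example.

== Changelog ==

= 1.0 =
* A change since the previous version.
* Another change.

= 0.5 =
* List versions from most recent at top to oldest at bottom.

== Frequently Asked Questions ==

= Is this a version? =
* No, this bullet sits outside the Changelog section.
TXT;

/** Return the Changelog section as a list of array( 'version', 'changes' ). */
function parse_changelog( $readme ) {
    $entries    = array();
    $in_section = false;
    foreach ( preg_split( '/\r\n|\r|\n/', $readme ) as $line ) {
        $line = trim( $line );
        // "== Name ==" opens a new section; only Changelog is collected.
        if ( preg_match( '/^==\s*(.+?)\s*==$/', $line, $m ) ) {
            $in_section = ( 0 === strcasecmp( $m[1], 'Changelog' ) );
            continue;
        }
        if ( ! $in_section ) {
            continue;
        }
        // "= 1.0 =" starts the entry for one version.
        if ( preg_match( '/^=\s*(.+?)\s*=$/', $line, $m ) ) {
            $entries[] = array( 'version' => $m[1], 'changes' => array() );
            continue;
        }
        // "* text" is one change belonging to the most recent version heading.
        if ( $entries && preg_match( '/^\*\s+(.+)$/', $line, $m ) ) {
            $entries[ count( $entries ) - 1 ]['changes'][] = $m[1];
        }
    }
    return $entries;
}

/** Report empty entries and versions that are not listed newest first. */
function lint_changelog( array $entries ) {
    $problems = array();
    foreach ( $entries as $i => $entry ) {
        if ( ! $entry['changes'] ) {
            $problems[] = "version {$entry['version']} lists no changes";
        }
        if ( $i > 0 && version_compare( $entries[ $i - 1 ]['version'], $entry['version'], '<=' ) ) {
            $problems[] = "version {$entry['version']} is not older than the entry above it";
        }
    }
    return $problems;
}

/** Entries newer than the installed version: what an upgrade would bring in. */
function changes_since( array $entries, $installed ) {
    $newer = array();
    foreach ( $entries as $entry ) {
        if ( version_compare( $entry['version'], $installed, '>' ) ) {
            $newer[] = $entry;
        }
    }
    return $newer;
}

$entries = parse_changelog( $readme );
foreach ( lint_changelog( $entries ) as $problem ) {
    echo "lint: $problem\n";
}
foreach ( changes_since( $entries, '0.5' ) as $entry ) {
    echo "{$entry['version']}:\n";
    foreach ( $entry['changes'] as $change ) {
        echo "  - $change\n";
    }
}
```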
We would also like to recommend that you provide meaningful log messages when you commit changes to the subversion repository for your plugin, so that people who want to dig further into your changes can see why things are changing (at the moment it seems a large number of plugin authors leave this field blank, which isn’t very helpful).
WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site. Download 2.8.2 or automatically upgrade from the Tools->Upgrade page of your blog’s admin.
WordPress 2.8.1 fixes many bugs and tightens security for plugin administration pages. Core Security Technologies notified us that admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked. Not all plugins are vulnerable to this problem, but we advise upgrading to 2.8.1 to be safe.