WordPress.org

Make WordPress Core

Recent Updates Toggle Comment Threads | Keyboard Shortcuts

  • George Stephanis 1:07 pm on October 8, 2013 Permalink | Log in to leave a Comment
    Tags: , user testing   

    Omnisearch User Testing 

    Howdy, all!

    Sorry for the delay, been a chaotic week or so. Just got the results of some user testing back thanks to the assistance of @lessbloat.

    View Results: https://www.usertesting.com/videos/dQBRyueQ9EsMAv1OsQrQmg%3d%3d?back=%2Fdashboard%3Fnew_study_id%3D%23study_905321

    Here’s my notes:

    • User remarks that there is no obvious intermediary way to search things. Seems frustrated about having to go from the current page, to the archive page, to search.
    • Unrelated Bug: (possibly due to browser extension?) For some odd reason, when the user selects the search box, it jumps below the list table. Really odd behavior in IE 10.
    • Dislikes native WordPress functionality of the “Search” in the adminbar expanding when selected (native is only on front-end, Omnisearch expands this functionality to admin ui as well) — believes it should be natively expanded. Reiterated several times. Perhaps look at making it drop down a search box on hover (kinda like twentyfourteen does), rather than expanding on click and shifting things about? Unsure.
    • Found Bug: Reply hoverlink in comments list [in omnisearch] doesn’t function properly (missing JS hook).
    • “Overall, I would say that this is a much better tool, much better layout.”

    The user seems very positive, seemed to consider it a great win for usability. Pointed out a few bugs (as noted above — only notable one I caught with Omnisearch itself being the hoverlinks in the Comments to reply didn’t work), which I’m about to patch.

    Our weekly meeting will be as usual, Thursday at 22:00 UTC (6pm Eastern)

     
    • deltafactory 5:41 pm on October 8, 2013 Permalink | Log in to Reply

      I see her point but wonder how an expanded search box would impact layout on narrower screens. Looking good!

    • TimothyBlynJacobs 9:18 pm on October 8, 2013 Permalink | Log in to Reply

      What if instead of having it just be an icon, be an icon and the text “search” maybe that will bring it into the forefront more, but not actually have to have a distracting white on black search box the whole time.

      Curious, how does this work with custom post types?

  • Andrew Nacin 4:48 pm on October 6, 2013 Permalink | Log in to leave a Comment
    Tags:   

    Potential roadmap for multisite: Subdirectories, subdomains, open registration, and domain mapping 

    Following up on the potential roadmap for terms and taxonomy meta, here is a potential roadmap for multisite. This is based on years of discussions among core developers and other contributors, which has taken place on IRC, tickets, blog posts, comment threads, at WordCamps and contributor days, and at last October’s community summit.

    The Current State of Multisite

    Historically, WordPress MU was the “multi-user” version of WordPress. Any user could register their own subdomain, exactly how WordPress.com worked. Most of multisite remains centered around open registration and signups.

    The difficulties of setting up a wildcard DNS led to the introduction of a subdirectory option for new sites, as a fallback. Indeed, the old constant to toggle the subdirectory/subdomain option specifically referenced virtual hosts (VHOST, defined as ‘yes’ or ‘no’, rather than boolean). Wildcard DNS is still checked on setup whenever someone is creating a network with a subdomain.

    In a subdomain setup, the valid domains are quite limited. Subdomains cannot be nested and can only be common characters, and top-level domains cannot use www or ports. When creating a new site in the network admin, it still asks for an email address, and a user with that email will be created if the user doesn’t already exist.

    The paradigm of subdirectories versus subdomains is very restrictive. Over time, many have sought two related but distinct concepts that would diversify the address space used for sites.

    Domain Mapping and Multiple Networks

    Generally, domain mapping is the concept of having a top-level domain, such as example.org, being a site inside of another network, such as example.com. Otherwise, sites on example.com would simply be subdomains or subdirectories — so, blog.example.com and photos.example.com, or example.com/blog and example.com/photos. Either way, if the goal is for example.org to be a site on the same network, something must give.

    By default, WordPress MU has only one network (MU terminology was ‘site’, with sites being ‘blogs’), and constants are put in place during network creation to even avoid querying the wp_site table. Multiple networks are possible, but typically, only one network is desired. The only things “global” to entire multisite installs (rather than just a single network) are must-use plugins (“mu-plugins”) and users. Sites are assigned to a particular network; network-activated plugins and network-enabled themes are distinct only to that network; and each network has its own settings, network admin, and even super administrators (unless defined globally using $super_admins).

    There is no way to even store a globally accessible option accessible by all networks. switch_to_blog() (MU terminology for a site) does not actually toggle the current network ($current_site, per MU), and thus get_site_option() can only return current network information.

    WordPress stores a decent amount of “global” information as meta against a single network, which duplicates efforts. This includes plugin, theme, and core update checks; and user counts. (Site counts are per network.) Multiple networks still rely on a single installation of WordPress and a single wp-content directory.

    Domain mapping should be our primary focus here. It would probably be best if the demand for better support for multiple networks (like a user interface) is reduced through robust domain mapping support.

    On API and Naming

    At some point, we should be able to introduce a get_network_option() function to replace get_site_option(), which could follow context switches and accept a network argument. A network ID of “0″ could be used in wp_sitemeta (network meta) to store truly global cross-network options.

    A larger point on API is that we should not rename API for the sake of renaming API. A lot of functions still use “blog” when they mean sites, or “site” when they mean network, and many remain prefixed with “wpmu”.

    We’ve tried really hard to move toward “network” wherever possible, at the API and UI levels. We long ago stopped introducing “site” things when they mean network as it is just too damn confusing. We haven’t quite made the switch to always going with site over blog at the API level, though we have at the UI level, but that’s just because it is more difficult for “site” to mean two different things, than it is to start using “network”. Either way you, still need to figure out whether a particular reference to “site” means “blog” or “network”, so we might as well use “network” wherever possible and lessen the number of ambiguous “site” instances (especially those that refer to the old MU definition).

    Not renaming these functions is actually key to the evolution of multisite. There are quite a few functions to rename, but doing so without completely replacing their internals and functionality in the process is a huge missed opportunity — it wrongly suggests things have improved while also cutting into our valuable function namespace. Three plus years later, we’re still finding oddities in old MU code, so it makes sense to bide our time and only undergo renames when they let us shed dead weight. The side effect of keeping the barrier to entry high for multisite is not necessarily a bad one — even three years after merge, the product as a whole is still very weak (which is being kind).

    The Path Forward: Supporting Sites at Any URL

    It should be abundantly clear that creating a second network is often overkill and not necessarily desired for many setups. WordPress.org uses them, but it is a mixed bag. Each subdomain is its own network, which are subdirectory setups. It makes a lot of sense for make.wordpress.org to be its own self-contained network, as they share similar characteristics. But other subdomains are typically just a single site.

    But, because of the subdomain/subdirectory paradigm, many use multiple networks to function as domain mapping. The best way to avoid misuse of multiple networks as domain mapping (which, aside from being counter-intuitive, isn’t generally desired) is to introduce proper domain mapping into core. This requires a complete rewrite of ms-settings.php — which takes a URL and figures out which site it should be on.

    Essentially, it should take the entire subdomain and at most one path segment, and query the wp_blogs table to find the associated site. Something like domain = %s AND path IN ('/', '/first-segment/'). From there, the current site can be inferred.

    The reason to search only one path segment is it immediately becomes an issue of caching. We don’t know how many levels are actually supported, which means we don’t know if /2013/02/01/some-blog-post/feed/ is a site, or a post on the main site. Literally any main site URL would thus cause a hit against the blogs table. This is not ideal. Nested sites are of course going to be desired in many situations, and it should be dead-simple for these URLs to be “trapped” via sunrise.php and mapped to a particular site.

    If a network is “small” (less than 10,000 sites per our wp_is_large_network() API), we could potentially query and cache SELECT blog_id, path FROM $wpdb->blogs WHERE domain = %s AND path <> '/' into a single cache key for lookup. Or we could specifically break it down into caching a shortest path, like any paths that start with ‘a’ in one cache key, any paths that start with ‘b’ in another cache key, etc. That way, we can verify that a site exists or not as long as a cache is in place. (The alternative would be to cache individual successes, but then we do a lot of DB queries if we’re unsure whether something is just uncached or isn’t a site — we’d have to cache in the negative too.)

    Domain mapping in core requires two major things. A complete dissolution of the existing subdomain versus subdirectory paradigm, and cross-domain “remote” logins. Remote login requires some juggling to make sure that domain B can make a request over domain A to confirm someone is logged in, and set a cookie if so. Generally this requires that logins occur on an “unmapped” domain (think the main site in a network, typically), but there are numerous ways to set up remote logins. Unfortunately most current implementations in the wild (including on WordPress.com) are fairly messy and can cause redirect loops, race conditions, and other problems. If done poorly, security issues can result. So this must be done with care.

    Dissolving the subdirectory/subdomain paradigm is actually not so bad. We need to stop thinking about a network only consisting of differing subdomains, or only consisting of differing paths. ms-settings.php would need to be rewritten. Site creation and management will need some changes.

    Dealing with URL Conflicts

    Perhaps the greatest change will be addressing the issue of the main site gaining a ‘/blog’ prefix. This is ostensibly to avoid top-level pages on the main site from clashing with sub-sites. With arbitrary domain support (via domain mapping primarily, and secondarily via secondary networks), any site with path ‘/’ can clash with any other site with the same domain but a different path. With multiple path segments (nested sites), any site with path ‘/X/’ can have pages that clash with site ‘/X/Y/’.

    Ultimately, this requires two-way blacklisting. Before a site is created, it must be checked against top-level URLs of the possibly conflicting site. And, before a page is created, it must be checked against sub-sites that already exist. If an ‘/about/’ page already exists on example.com/, an /about/ site cannot be created. But if an example.com/blog/ site already exists, a /blog/ page cannot be created on example.com. This gets complicated quickly, and is a very strong argument for only supporting one path segment in core by default, and allowing plugins to handle these potential conflicts on their own. In most cases, simply ignoring the potential conflicts is going to be sufficient.

    Registration and Open Networks

    Supporting any URL opens up possible problems with registration, even after dealing with unique URLs. The concept of an open network where users can create their own sites was the popular impetus for WordPress MU, but is decidedly not the primary use case for multisite anymore. Most operate closed, trusted networks, where site signups are disabled (and often user signups are disabled as well). In the case of a closed network, the blacklisting is merely to avoid shooting oneself in the foot. In the case of an open registration network, there does still need to be the choice of what, exactly, someone can register for. Even in a world of domain mapping, it should only be expected that “open registration” still only allows for subdomains or subdirectories, just as it does now. So when I am referring to removing that paradigm, I actually mean downsizing it to being a part of open registration only.

    Trusting Users in a Closed Network

    Despite being the narrower use case, the concept of open registration still implicitly dictates a lot of our current situation and “roadmap.” An administrator for a single site is considered wholly untrusted. Because multisite has the concept of a super administrator, there of course some powers that should be reserved for them. I would argue that would include the use of unfiltered HTML, as well as the administration of anything “global” — editing and deleting users; and editing, installing, and updating plugins and themes.

    But, when a network is not designed for “open registration,” there are a number of undue burdens that should be lifted for administrators. Uploadable file types are severely restricted, and the amount they can upload is capped. They cannot activate installed plugins, though there is an option for this. They cannot add users to their sites without knowing their email address (ostensibly to prevent spam), and the user must still go through a “confirmation” process. New sites must go through an “activation” process. They cannot create new users.

    I don’t think WordPress needs to decide that the multisite feature is only geared for closed networks. Rather, a single option — set on install, and controllable via network settings — can control this entire paradigm very effectively. It will then be much easier to consolidate a lot of the signup, activation, and administration funkiness in multisite under this paradigm into an “open network” concept. The “Allow new registrations” setting is roughly analogous, but would largely be superseded by whether a network is open, as well as fine-grained registration controls.

    One use case we should consider is the concept of a closed network and an open network sharing one multi-network multisite installation. For example, wordpress.org may be a closed network, but meetups.wordpress.org may be an open network to enable others to create meetups. And wordcamp.org may also be an “open” network on the same installation, even if individuals can’t create sites. “Open” is thus wider than registration alone.

    Essentially, I am proposing we trust single-site administrators in a closed network to not be spammy, and to be given wide-ranging control of their own sites; but that we do not extend that trust to important areas of security.

    A strong benefit here is that functionality in a closed network starts to more closely resemble a single site rather than the inherent restrictions of an open network. By shifting these paradigms, networks will become easier to manage and more straightforward to use over time. Eventually, closed networks can and should become easier to install — even if multisite never reaches the point where it is the recommended tool for creating a second blog for your cat.

    Moving Forward

    There is not a specific, multiple-release plan for this roadmap. Rather, every step we take should aim to work toward outlined goals. While people may like domain mapping, it doesn’t make sense to bolt it on just yet — a plugin can do that for them perfectly well now. It would be ill-advised to implement it without making WordPress work significantly smoother for other forms of domain and URL management — subdirectory/subdomain installs, domain mapping, and multiple networks. The best approach is one that smartly and carefully balances the needs of users with our long-term objectives.

     
    • Mike Schinkel 7:14 pm on October 6, 2013 Permalink | Log in to Reply

      GREAT overview of the issues related to multisite; bookmarked for much future reference. Thanks for that even though I assume that wasn’t your intention.

      One thing I would add to the list of improve, if it can be done backward-compatibly of course, is to reduce the number of places that duplicate domain/subdirectory information in the database. This currently makes moving a multisite from development -> test -> staging -> production more of a challenge that moving single site can be.

      And yes scripts can be written to automate but it first requires understand what much be written, which is much most complex for Multisite and most people don’t write scripts if they think they are only going to move things infrequently.

  • John James Jacoby 6:48 am on October 8, 2013 Permalink | Log in to Reply

    This is a great write-up, and I agree with it almost completely minus this one point:

    It would probably be best if the demand for better support for multiple networks (like a user interface) is reduced through robust domain mapping support.

    I think the opposite — it would probably be best if the demand for domain mapping is reduced through robust multi-network support.

    I think when a typical site administrator thinks they want domain mapping, what they actually want is a secondary network, with a new domain, new available themes, new network wide plugin control, with the same username and password. The only reason want domain mapping is because it’s the popular answer, not necessarily the correct one.

    We can use WordPress.org, WordCamp.org, BuddyPress.org, and bbPress.org, as great examples, but I think schools with several campuses might be a better one. They’ll all want users with super-admin access to their respective networks, with separate plugins and themes (maybe even separate wp-content directories) but with the same global users.

    Another great example could be a potential WordCamp.org redux. `sf.wordcamp.org` could be a network, `milwaukee.wordcamp.org` could be another, `newyork.wordcamp.org` a third, and the next level subdomains are all sites to their respective networks. Or… we could flip it the other direction and do networks numerically by year (2013.wordcamp.org) and use cities as subdirectories (2013.wordcamp.org/newyork) which allows us to retire complete networks at the end of each calendar year, allows for planning and rethinking the plugins and themes made available each year, etc…

    Conceptually, the architecture of how sites are related to their networks comes down to however themes and plugins will best serve the sites they’re grouped with.

    The only technical reason (I can think of) for literal “domain mapping” to be in core is shared SSL certs and allowing `/wp-admin` URL’s to always point to the unmapped URL. Any other reason(s) why a blog address would need to be mapped, rather than just being set to what it is (like we do now via Network Admin > Edit Site?) Either way, I think we’re in agreement that more useful UI for allowing capable users to set the homeurl/domain to be agnostic to the root domain (not married to any subdomain or subdirectory structure) is ideal, as the current process is less intuitive and more complicated than it needs to be.

    I don’t expect this to be the popular vote, but I’d like for WordPress’s default installation configuration to look something like this:

    • Multisite always, with no additional installation steps like we currently have.
    • Add a column to the global `wp_blogs` table for domain-mapping (though this doesn’t allow multiple domains to be mapped down to 1, or vice-versa.)
    • Subdomain VS Subdirectory decision eliminated completely. (Can we run an automated check to see if wildcard subdomains are supported, and provide user feedback and/or disable the creation of sites with subdomains?)
    • Create a UI for network management, and for moving sites between networks when it’s needed. A global setting/switch would exist to optionally allow users to create new networks the same as they can currently optionally create new sites. Imagine if a prospective WordPress.com VIP could spool up their own network of 30 sites, choose what plugins and themes they want, and assign super-admin capabilities, completely without human intervention. (Devil’s advocate could say if this was a need it, VIP would have built it already; I think that no one knows they want this yet because it currently seems more complicated than it is.
    • The `/users` dashboard could then use a “Networks” page in addition to the existing “Sites” page, along with matching moderation tools for leaving/deleting/delegating responsibilities/etc…

    Cons are:

    • Introducing several new default database tables that may not ever be used
    • Introducing curious users to multisite UI that may not ever actually need it
    • Code bloat from including new network management code in core

    Pros are:

    • Unified WordPress experience (no more single-site/multi-site support)
    • Decreased code complexity overall (not counting backwards compatibility)
    • Plugins can remove multisite abstractions/exclusions and assume all code is always available
    • True multisite/network management in core
    • Avoid misusing domain-mapping for non-mapped-domain configurations
    • Better allow for 1 WordPress instance with global users to power hugely robust networks of sites

    Hopefully this doesn’t stir the pot too much. Not intending to be adversarial, but when we do decide to focus on multi-site again, I believe investing time in multi-network is equally as important.

    • Andrew Nacin 10:29 pm on October 8, 2013 Permalink | Log in to Reply

      I think the opposite — it would probably be best if the demand for domain mapping is reduced through robust multi-network support.

      I think when a typical site administrator thinks they want domain mapping, what they actually want is a secondary network, with a new domain, new available themes, new network wide plugin control, with the same username and password. The only reason want domain mapping is because it’s the popular answer, not necessarily the correct one.

      I agree with most of the points you make, and obviously you have a lot of experience in the area. But, I think multiple networks are far beyond what most use cases dictate. I think there may be some confusion based on the phrasing I was using to describe some concepts.

      Your comment made me realize I need to stop calling it “domain mapping.” This wording stems from the fact that a top-level domain is “mapped” to an existing subdomain or existing subdirectory. (This is at least how it works on WordPress.com and with the popular WPMU Domain Mapping plugin.) I dislike this strongly. I think the dissolution of the subdomain/subdirectory paradigm would mean WordPress core would specifically support arbitrary domains for multisite, versus having one URL for the frontend and a different URL for the backend.

      Again, we’re talking about focusing far more on closed networks, which implies greater control over the domains in use. In an open network context, mapped domains would probably still be preferred that way logins and administration are occurring over a single domain with an SSL certificate. I think this should remain plugin material.

      I didn’t suggest that multiple networks shouldn’t be implemented, only that it should not be a priority. I mean, single networks are still a mess. Also, multiple networks already work pretty well right now, to be honest. It’s everything else that needs a complete rethink and rewrite, which also strikes much more at the very foundation of multisite.

      Ultimately, I want to move away from the thinking that domain mapping is a hack of the subdomain/subdirectory paradigm and that the only way you get arbitrary domains is with multiple networks. We should have true arbitrary domains within a single network, and we should to it well. Then at some point better multiple network support would allow for people to logically group any sites they wanted based on whatever their needs were, based on the needs of shared plugins, super admins, settings, site registration, etc.

      As long as multisite remains based on the open network paradigm, we’re stuck in a land of esoteric restrictions and gotchas. Combined with the general mess that is the multisite codebase (and in some cases UI), this is why the installation process remains deliberately complex. I did write in the post that closed network functionality starts to more closely resemble what people are used to with single sites, which I think is getting to the root of your “multisite always” suggestion.

    • Andrew Nacin 10:37 pm on October 8, 2013 Permalink | Log in to Reply

      What’s the benefit of multiple networks over multiple installations that share a user table? And even sharing the same plugin and theme directories? Once we add support for arbitrary domains within a single network of sites, multiple networks essentially just makes certain things a little easier to administrate and manage.

      I’m not saying there shouldn’t be or isn’t already a benefit, nor am I trying to play (much of a) devil’s advocate. I honestly want to know what the answer is, because that could help shape how we build out multiple network management in the future. There needs to be some kind of value-add, and I’m not sure we’ve discovered one that suggests we need much beyond what we already have.

  • Scott Taylor 8:47 pm on October 4, 2013 Permalink | Log in to leave a Comment
    Tags:   

    Featured Content, 10/4 Update 

    I finally put a bunch of work into the coding of the plugin, and I think it is fairly robust at this point. Whether it makes it into core ( or whether it even should) is up for discussion, but I would like to share what I have.

    First, check out the latest code in trunk here: http://plugins.svn.wordpress.org/wp-featured-content/trunk/

    To guide development, I made the following list of requirements. It should also be easier for people to follow along when we can all agree on an initial set of facts:

    UI

    Wherever possible, existing WP functionality and screens will be used. The user should be able to associate posts with Featured Content theme areas as easy as selecting a category or making a post sticky, but, to be more robust, the user should be able to override certain features of a post when it is displayed as a Featured Item in a theme. Example: different title when featured vs what is displayed for a the full post, different image when in a featured module vs the featured image for the post when displayed in single.php.

    Post Type / Taxonomy

    1. A Featured Item uses the featured_item post type
    2. A featured_item belongs to a Featured Area
    3. Each Featured Area is a term in the featured_area taxonomy
    4. Post types can opt in to featured content by adding featured_area taxonomy support
    5. Themes can opt-in by supporting  ’featured-content’  (the plugin currently brute-forces it)

    Creating / Deleting

    1. Add a post with featured area(s), make sure featured item(s) are created
    2. Trash the post, delete permanently, make sure featured item(s) are deleted
    3. Featured item should not have a title when created, it should inherit from the parent post when empty – view in list tables to verify
    4. If a featured item’s title is edited, it should show that in the list table, unless it is empty
    5. Add a post with a featured area, item is created. Edit post to belong to a featured area, 2nd featured item should be created.
    6. Delete one of the featured items, the other should remain, the post should be linked to only one featured area.

    Transitioning Post Status

    1. Add a post in draft status, make sure featured item is in draft status
    2. Move a post in draft to publish, make sure featured item is moved as well
    3. If a post was created with 2 featured items and one is trashed: if the term is re-linked to the post, the item in the trash should be untrashed, instead of creating a 3rd item

    Trash / Untrash

    1. Trash a post, make sure the featured item(s) are deleted
    2. Untrash a post, make sure the featured item(s) are not created
    3. Trash an existing featured item, make sure post loses tax association
    4. Untrash an existing featured item, make sure post regains tax association
    5. Permanently delete existing featured item, make sure post loses tax association

    Quick Edit

    1. The Taxonomy box for featured items should be present in Quick Edit
    2. All saving logic should fire in AJAX save routine for Quick Edit

    Sorting/Re-ordering

    1. All featured items should be re-orderable via the Re-order items screen
    2. menu_order should be set when items are reordered, only those that change should be sent
    3. When new items are added to a featured area, they should be appended to the end of the list, not the beginning

    Returning Data

    1. By default, featured item contains the post data of the post it belongs to
    2. If any fields have been overridden(post_title, post_excerpt), the post data is a merge of the 2
    3. If the featured item has a featured image, the theme can override by using the property ‘image_id’ to grab the featured image on one of the decorated $posts that is returned when applicable

    Yeah, so that is a mouthful. All of these use-cases are listed in the comments at the top of the plugin file as well. There’s been a lot of discussion about new UI. If someone wants to think way outside of the box and introduce new screens, keep the above in mind.

     
    • Sam Sidler 7:27 pm on October 8, 2013 Permalink | Log in to Reply

      Be sure to tag your posts here with “Feature Content” so those following the tags can keep an eye on your progress. :)

  • Sam Sidler 7:15 pm on September 30, 2013 Permalink | Log in to leave a Comment
    Tags: ,   

    Making preparations for 3.8 

    As mentioned previously, 3.8 development officially opens shortly after 3.7 ships. With the first beta of 3.7 behind us and the final release scheduled for mid-October, it’s time to talk about what’s expected of feature plugins.

    @nacin mentioned at last week’s dev chat that 3.7 will likely branch at the WordCamp Europe contributor day, on October 7. At this point, most core developer focus will be on shipping 3.7. However, feature plugins that want to be considered for 3.8 should be ready by October 14 to give everyone time to review them.

    What does being ready mean? Here’s what will be examined:

    • a strong and well-tested user experience
    • fully-baked design
    • positive feedback from the community
    • core-quality code
    • no major bugs or issues
    • a belief that the feature belongs in WordPress core

    Some of the above is subjective and will vary from feature to feature. If you have questions, look to a lead developer for guidance.

    Of the feature plugins listed, the furthest along are MP6 and global admin search, with Dash not far behind. Plugins in the “feedback” stage should be prepared to answer the question “Why should we include this in core?” As of today, they should prepare their code for core, removing anything unnecessary and making the feature into a patch that can be easily merged with core.

    tl;dr

    • Feature plugins wanting consideration for 3.8 should be ready for presentation and inclusion by October 14.
    • Feature plugins will undergo review shortly after 3.7 ships.
    • Plugins must be ready to merge when the merge window opens.
     
    • Weston Ruter 7:24 pm on September 30, 2013 Permalink | Log in to Reply

      We’ve also been making great strides with the Widgets UI Refresh, specifically with the customizer integration (from my perspective). The plugin project for this is Widget Customizer, and development is happening on GitHub. I’m hoping that we’ll have the remaining issues addressed by October 14th.

      /cc @shaunandrews

      • Bryan Petty 8:06 pm on September 30, 2013 Permalink | Log in to Reply

        Hi Weston, it appears like the widgets team working on this decided to switch the plugin being used for development on this effort entirely just 6 days ago… this shouldn’t happen honestly. If your team has decided on a direction to go in, it should be integrated back into the officially tracked plugin as listed on the core plugin tracking page.

        That aside though, it’s usually a good sign that the plugin is not really “ready for core” when major decisions like that are being made even in the last week here. Nothing new there has had time to be discussed, tested, and generally baked – and it’s really hard to get that feedback when development isn’t even being done on the official plugin where it’s supposed to be.

        • shaunandrews 11:57 pm on September 30, 2013 Permalink | Log in to Reply

          We haven’t switched. We’re developing multiple concepts and testing them simultaneously.

          That being said, I don’t think we have (or will have) “a strong and well tested user experience” by October 14.

        • Weston Ruter 5:28 am on October 1, 2013 Permalink | Log in to Reply

          OK, thanks. I’m obviously over eager. Sorry to jump the gun.

    • Jonatan Santos 8:32 pm on September 30, 2013 Permalink | Log in to Reply

      One point that could be seen would be a button to turn the text to uppercase and minuscule vise versa in menu text editor

      • Mark-k 3:43 am on October 1, 2013 Permalink | Log in to Reply

        As far as I know non latin langs, which are used by more people then latin ones, don’t have uppercase/lowercase distinction, therefor IMO this kind of feature should not be in core

  • Mufasa 4:22 am on October 2, 2013 Permalink | Log in to Reply

    It’d be really great if there was a way to collapse menus in 3.8 (or 3.7). If you look at the following image you can see that in order for me to drag the menu at the bottom to the top I have to do quite a lot of dragging.

    If I could collapse the encyclopedia menu so that I can’t see all those children it would be useable… well if the page didn’t grind to a halt with that many menu items it would ;)

    So I was thinking you could either have a button to collapse them OR when the user starts dragging they close. Which is something we executed in another app and its quite nice to use. I’ve thought the same UI would be nice on the widgets admin page too.

    Thoughts?

    Menu Pain: http://files.kiwijs.org/dan/arghhh.jpg

    • Sam Sidler 5:01 am on October 2, 2013 Permalink | Log in to Reply

      I’d recommend filing a ticket (perhaps there’s already one on file). Fixing that in the way you suggest isn’t something that would be covered by a feature plugin, though there was a (now on-hold) proposal for merging pages and menus.

  • Ryan McCue 2:36 am on September 28, 2013 Permalink | Log in to leave a Comment
    Tags: ,   

    JSON REST API: Version 0.6 and The Future 

    We’ve finally come to the end of Summer of Code, so it’s time for the final GSoC release in this slightly late update (hey, would it be a post by me if not?). This release is mainly a stability release, so there are only minor changes:

    • Huge documentation update – Guides on getting started and extending the API are now available for your perusal
    • Add generic CPT class – Plugins are now encouraged to extend
      WP_JSON_CustomPostType and get free hooking for common actions. This
      removes most of the boilerplate that you needed to write for new CPT-based
      routes and endpoints (#380)
    • Use defined filter priorities for endpoint registration – It’s now easier to
      inject your own endpoints at a defined point
    • Update the schema – Now includes documentation on the Media entity, plus more
      (#264)
    • Add better taxonomy support – You can now query for taxonomies and terms directly. The routes here might seem strange (/posts/types/post/taxonomies/category for example), but the intention is to future-proof them as much as possible (#275)
    • Ensure the JSON URL is relative to the home URL (#375)
    • Check all date formats for If-Unmodified-Since (#378)
    • Register the correct URL for the JS library (#376)
    • Correct the usage of meta links (#379)
    • Add filters for post type and post status data (#380)
    • Separate parent post and parent comment relation (#330)

    The big feature for this final week is a bunch of documentation changes. I’ve created guides and documents on how to use the API, intended for both beginners and experts. I’d especially like to highlight the Getting Started guide, as well as the Extending the API guide for plugin developers. The documentation in the past has been less than fantastic, so I’ve made a concerted effort towards it this week. In addition, I’ve also fixed up all the remaining bugs reported via Trac.

    Now that GSoC’s over, what’s next? The aim with the project is to now move it from a solo project to a team one, and to that end, I’ve been working on assembling a fantastic team to work on the project with, with aim to integrate the API into core in the future. 3.8 time is fast approaching, so we’ve elected to aim for 3.9 as a more realistic target, although the advantage of the Feature as a Plugin method of development is that we’re not locked down here.

    We’re held two meetings so far as a team, and I’ll announce a proper office hours time next week, but I’m also looking to try something new with the organisation of the team. More to come on that in the next team update, but in the meantime, you can check out the internal team discussion site. Anyone looking to get involved in the team is welcome to join as always, but I’d ask that only those serious about working on the project join, as there are a fair few people committed already.

    Thanks to everyone, especially my mentors and Jen, for making this project a joy to work on so far. Here’s hoping we can keep the momentum as we push forward with the project.

     
  • Andrew Nacin 7:38 pm on September 25, 2013 Permalink | Log in to leave a Comment
    Tags: ,   

    Meeting today: Road to WordPress 3.7 Beta 1 

    For the meeting today (starts in ~20 minutes), we need to work on getting to 3.7 Beta 1. I think if all goes well, we can release Beta 1 tonight or tomorrow morning. @dd32 has been doing some incredible work on automatic updates. If you haven’t read his post on them, please do!

    So, there are a few things we need to discuss and make decisions on:

    1. Search results ordered by relevance, #7394. Do we take a chance on this?

    2. Should we begin to require that users supply their current password in order to change their password? #20140.

    3. Should we consider a slightly more conservative different approach to transient garbage collection? We do not want updates to be blamed for breaking sites. #20316. What would this approach look like?

    4. How should individuals be notified via email when it comes to automatic background updates? #10787.

    5. How should individuals be notified their own dashboard that their site will be safe if there is a security release?

    Proposal for points 4 and 5: A green checkmark on about.php and update-core.php will let them know their install is OK and good to go for automatic background updates for security releases. (We can easily verify this without prompting the user.)

    If for some reason we attempt an automatic background update and it fails to complete, then we need to email get_site_option( 'admin_email' ). We need text for this email.

    If they don’t have a green checkmark, we should wait five days, after which we email them reminding them a security release is available. A timestamp five days from the point of release will be pushed via the API. Once that time is crossed, an email will be sent. (For a particularly critical situation, we could shorten the timeframe. For a non-security minor release, we might avoid having an email sent all together). We also need text for this email (which will be a fairly nice email).

    This does not accomplish all of #10787 (“Email administrators that an update is available for core, plugins, and themes”) but it seems to be a good security balance.

    ***

    My target is Beta 2 early next week, and Release Candidate 1 as early as next Friday. Here is our current progress on tickets:

    • There are no more enhancements or feature requests open on the 3.7 milestone.
    • There are under 20 tasks remaining for 3.7. Many of these are near completion. These need to be cleared by Beta 2.
    • There are 150 bugs open on the 3.7 milestone. We need to reduce this number to about 75 by Friday, and to zero by the end of next week. As in, these need to be cleared by RC1.

    We’ll likely branch 3.7 at the WordCamp Europe contributor day on October 7, which means anything that is punted out of 3.7 can still make it into 3.8 starting in just two short weeks from now. A reminder, this is a very short release cycle, and 3.8 is just a few months away and begins in earnest very soon. Here is what our philosophies document says about fast, agile release cycles with crisp deadlines:

    The more frequent and regular releases are, the less important it is for any particular feature to be in this release. If it doesn’t make it for this one, it’ll just be a few months before the next one. When releases become unpredictable or few and far between, there’s more pressure to try and squeeze in that one more thing because it’s going to be so long before the next one. Delay begets delay.

    If we’re not confident that three weeks is long enough for something to properly soak in trunk, let’s not be afraid to wait until 3.8.

     
    • Hassan 2:05 pm on September 26, 2013 Permalink | Log in to Reply

      Perhaps not really important, but why specifically five days before sending the reminder email? Any significance? Or just a “reasonable” random number?

  • Shapeshifter 3 5:39 pm on September 27, 2013 Permalink | Log in to Reply

    Has this release been postponed for a while?

  • Mattias Tengblad 7:13 pm on September 27, 2013 Permalink | Log in to Reply

    Please provide at least pot files for the language teams

  • Scott Taylor 7:38 pm on September 24, 2013 Permalink | Log in to leave a Comment
    Tags: ,   

    Featured Content Update 

    Sorry for no meeting this week, it’s been busy at my j.o.b. In addition to the weekly IRC meeting, we now have a Skype conversation going. Add me as a contact on Skype if you want to join in. My Skype username and Trac username are the same.

    The plugin is in the repo:
    http://plugins.svn.wordpress.org/wp-featured-content/trunk/

    Last week, I made a screen to sort featured items within their respective areas. The logic to save the order when sorting still needs to be hashed out.

    Currently, one person is doing the coding (me). This is not ideal, and I could use help. There have been a bunch of mockups, but I don’t currently have time to build a prototype for all of them. If would like to help with coding, please let me know in the comments.

     
    • notaternet 8:35 pm on September 24, 2013 Permalink | Log in to Reply

      Hello, I would love to help with the coding.
      I have just added you to skype.

    • Robert Dall 8:58 pm on September 24, 2013 Permalink | Log in to Reply

      I am working on the UI today… Regardless of my work scheduled…

    • Robert Dall 1:41 am on September 25, 2013 Permalink | Log in to Reply

      The Feature Content Mockups

      Introduction

      My proposed UI for the Featured content is based on the fact that we have already set a lot of the variables up in the content. We already have a field for: The Content, The Excerpt and the Featured Image all in the post editor. So using this to our advantage we only need to tell the featured content what why want in the plugin.

      What Twenty Fourteen did was to call a featured image, the except, categories and put all of that on the front page. This was a great for this one theme. But what if we wanted the full content or only the title and the excerpt?

      First we need to create a featured content area. This can be done in the featured content main screen (also available in the drop down from the main menu on the left)

      Then we need to tell WordPress which posts it will be part of. We can one of two ways.

      1. We hit the Feature this content check mark box in the post editor window and that then shows a drop down of all featured content area’s available. (Which was suggested by Tammie Lister) We should also have the ability much like the tags and the categories to create a new featured content block from with in the post editor.
      – But this could be problemattic if we want to add multiple posts to a featured content area that have already been created.

      2. We can also select the featured content in bulk from the edit posts screen using the bulk actions. We could then assign which posts or pages we want added to the post format. ( I still need some feedback or am fuzzy on how this would actually work but we should have the ability to bulk add / remove from the edit post screen imho. )

      Ok now we can decide what to call in the featured content area. I have learnt that WordPress development is more about Design Decisions rather then Design Choices but to create different featured content we need to give those choices to the user.

      In this example we have the Bread Feature Content. Which we can then choose what featured content we want via check boxes. (I am still looking for a better word then everything)

      • If people wanted to add only a title and the featured image that is available to them. If they want the title and the content area also available.

      • I haven’t added tags and categories because those don’t exsist for pages in my example. But they could easly be shown for posts.

      • If we want add a description like we do for categories / tags that would be an easy add on.

      • Like the WordPress menus / widgets we just drag and drop what post we want in what order.

      • A short code would then be created and put into any page or post you desired (Although I am not sold on the short code solution I don’t know how we would implement different featured content blocks)

    • Scott Taylor 5:05 pm on September 25, 2013 Permalink | Log in to Reply

      Your mockup completely ignores the overrides, which we have discussed ad nauseum, and was in the first iteration of the plugin.

      • Robert Dall 5:51 pm on September 25, 2013 Permalink | Log in to Reply

        Hi Scott

        A little confusion on my part here. In the last meeting you told us to download the latest version of the plugin and install it and get familiar with it. I did that. There is no reference to the overrides that you spoke of already in the plugin. I made some mockups on integration of how I though the latest version of plugin would integrate best into the WordPress core.

        I also couldn’t find reference to the word overrides in the #WordPress-core-plugins or the channel.

      • Robert Dall 6:23 pm on September 25, 2013 Permalink | Log in to Reply

        I wasn’t able to accomplish the interaction of the “overrides” you speak of in the plugin.

        All I get is:

        This is meta box to display fields, etc about the featured post that does exist.

        I can edit my mockups… But with out seeing this functionally it would be a guess on my part as to how it operates…

  • Dion Hulse 3:35 am on September 24, 2013 Permalink | Log in to leave a Comment
    Tags: ,   

    Automatic Core Updates, an update 

    Over the last few weeks I’ve been working on bringing Automatic Core Updates to WordPress 3.7 through #22704, Up until now it’s been disabled in trunk while development in progress – today however, that all changes.

    As of [25598] WordPress 3.7+ installs will begin updating themselves without the need of user input every time a new security release has been released, or in the case of all us development users, it’ll update daily to the latest nightly if possible.

    Automatic Updates are unattended, and by default, will only update WordPress to security releases (for example, from 3.7 to 3.7.1, but not from 3.7.1 to 3.8). Great lengths will be taken to ensure that no site will break as the result of an Automatic update.

    Note: Filter and constant names may change pending feedback and discussion.

    In order for Automatic Updates to be enabled, there are a few simple requirements:

    1. If the install uses FTP for updates (and prompts for credentials), automatic updates are disabled
    2. If the install is running as a SVN or GIT checkout, automatic updates are disabled
    3. If the constants DISALLOW_FILE_MODS or AUTOMATIC_UPDATER_DISABLED are defined, automatic updates are disabled
    4. If the constant WP_AUTO_UPDATE_CORE is defined as false, automatic updates are disabled
    5. Your WordPress install also needs to be able to contact WordPress.org over HTTPS connections, so your PHP install also needs OpenSSL installed and working
    6. Wp-Cron needs to be operational, if for some reason cron fails to work for your install, Automatic Updates will also be unavailable

    We’ve also been working on a bunch of related features to make updates even more bulletproof than before, including HTTP, Filesystem, and File verification enhancements, amongst many other things.

    How do I test it?

    If you’d like to test this out, the simplest way is to simply create a new non-svn checkout of trunk and visit the site regularly to make the cron task run.
    If you’d like to test this out, and you’re running SVN/GIT, you can use add_filter( 'auto_upgrade_ignore_checkout_status', '__return_true' ); in a mu-plugin to make it ignore the checkout status, note, that you’ll lose any modifications you’ve made to core files.

    After each update, you’ll receive an email with a summary of the actions taken, which will let you know if the upgrade completed, or encountered any problems – the emails are still a work in progress, the email currently in trunk is designed for developers, and may not be the same in the final release.

    I don’t like the sound of this, How do I turn it off?

    1. If you’re using a deployment system that uses SVN or GIT, it’s disabled by default
    2. The simplest way to disable it is to add define( 'AUTOMATIC_UPDATER_DISABLED', true ); to your wp-config.php file
    3. You can also make use of the auto_upgrader_disabled, or, auto_upgrade_core filters

    Are there any more hidden features?

    This is WordPress we’re talking about, of course there’s a bunch more that it can do!

    1. If you’re using a non-English install, this will also automatically update any plugin/theme Language Packs which are installed, hopefully resulting in a better i18n experience, See #18200 for more information on Language packs, there’ll be a follow up post in the near future explaining how and when Language packs will work
    2. Plugin & Theme Updates! – You can hook into the 'auto_upgrade_plugin' or 'auto_upgrade_theme' filters to enable auto-updates of one, or many plugins/themes note: Plugin/Theme updates will not be enabled by default in WordPress 3.7
    3. By default, Core Auto-Updates will only apply to WordPress Security & nightly releases, that is, from 3.7.0 to 3.7.1, 3.7.1 will not automatically update to 3.8.0 – This can however be changed,  you can simply add define( 'WP_AUTO_UPDATE_CORE', true ); to your wp-config.php file and it’ll happen automatically!

    What can I do to help?

    Please test it out and report any bugs you find! Triggering automatic updates can be a little bit difficult since it currently relies upon a twice daily cron job, so the easiest way is to just create a new nightly install and visit the site once a day to cause the cron to be initiated, If you’re game to run it on a production site, please be aware that WordPress will go into Maintenance mode during the upgrade.

    You can also head over to Trac and check out report/48, which is a temporary 3.7 report containing anything related to automatic updates and Language packs (more on that in a few days)

     
    • Joseph Scott 3:43 am on September 24, 2013 Permalink | Log in to Reply

      One small thing: AUTOMATIC_UPDATER_DISABLED is an odd constant name. I thought at one point we were going to stop using negative options.

      I would have expected something more like define( 'AUTOMATIC_UPDATER', false ); instead.

      • Dion Hulse 3:47 am on September 24, 2013 Permalink | Log in to Reply

        That constant was actually inherited from the Automatic Updater plugin. The WP_AUTO_UPDATE_CORE constant is the best one to use to disable core updates, but that doesn’t affect Languages, Plugins, or, Themes.

        I should’ve mentioned it above, but Constants and Hooks are not finalised and probably will change before final release, so feel free to head over to #22704 to give some feedback

      • Franz Josef Kaiser 9:55 am on September 24, 2013 Permalink | Log in to Reply

        Just some thoughts: AUTOMATIC_UPDATER_DISABLED really isn’t the best naming decision. Hope that changes to something that’s telling more precisely what exactly will or won’t be updated if that is set to true. I’d also prefer to get all the WP constants prefixed with WP_. Even ABSPATH isn’t a unique constant in PHP world and can cause conflicts.

        Another thing that would be nice is to have an argument on the filters: Theme or (mu-)plugin name. So authors can exclude their plugins or themes from updates as easy as possible – think about alpha or beta releases and testing candidates.

        • Dion Hulse 10:29 am on September 24, 2013 Permalink | Log in to Reply

          All of the filters pass a) What it is (core, plugin, theme, language), and b) the details about the update + slug, upon re-checking, there are a few that don’t pass as much context as they could (‘auto_upgrade_ignore_checkout_status’ is the first one i noticed) which I’ll get updated.

          This post didn’t actually cover all of the filters included either, there’s a bunch more in there at almost every logic statement, you can even opt-out of receiving a summary email after the upgrade is completed. Closer to release time once all filters/constants are locked down with their naming, we’ll update a codex page, or make a post, or something :)

          I’ll get a list of filters / constants up on the Trac ticket tomorrow and let a discussion evolve over naming from there.

    • Shapeshifter 3 4:02 am on September 24, 2013 Permalink | Log in to Reply

      Howdy,

      I’m been using this plugin from Gary Pendergast: http://wordpress.org/plugins/automatic-updater/ for the past week or so, and really like it.

      Should I now uninstall it, to prevent conflict or duplication of code?

      Will I still have the options to turn on/off updating of themes and/or plugins?

      Will the plugin be discontinued?

      • Dion Hulse 4:07 am on September 24, 2013 Permalink | Log in to Reply

        There should be no conflict between core and the plugin, that being said, the plugin is mostly superseded. @pento will be able to let you know the future of the plugin, I suspect it may end up as a UI for the core features rather than implementing them itself though.

        There are no built in options in core to enable automatic updating of Themes / Plugins at present, only filters (Which i’ve been using for all my testing). A plugin can easily enable it as needed.

        To enable Automatic Updating of Plugins and themes, I use this code in a mu-plugin:

        // Upgrade Plugins and Themes
        add_filter( 'auto_upgrade_plugin', '__return_true' );
        add_filter( 'auto_upgrade_theme', '__return_true' );

        • Gary Pendergast 3:20 pm on September 24, 2013 Permalink | Log in to Reply

          As @dd32 suggested, the plugin will live on as a wp-admin UI for the update options, and perhaps some advanced options, too.

          If you’re comfortable using @dd32‘s mu-plugin, there’s no need to keep Automatic Updater installed.

          • Trifon 9:06 pm on September 24, 2013 Permalink | Log in to Reply

            If the plugin will stay to provide a UI for the function, I’ll stick to using that in favour of the trimmed down mu version.

    • lgladdy 7:05 am on September 24, 2013 Permalink | Log in to Reply

      In production installs for clients, we use DISABLE_FILE_MODS to stop them being able to break things too much.

      is there a way to enable automatic security upgrades, but keep the user from doing anything manually?

      • Dion Hulse 7:24 am on September 24, 2013 Permalink | Log in to Reply

        For the record, I accidentally referred to DISALLOW_FILE_MODS as DISABLE_FILE_MODS in the post (and the code), both are now corrected.

        However, at present there isn’t a way to have both the constant defined, and allow the automatic updates.
        DISALLOW_FILE_MODS is designed for a scenario where WordPress is being used in a Deployment environment, in that environment you don’t want any file modifications to take place to core files, as such, it disables all updates (+notifications), plugin/theme installs, and plugin/theme editors.

        Disabling Plugin updates is potentially worse than not having core updated, although both need to be kept up to date, plugins are also often exploited due to vulnerabilities.

        If you just want to disable the Plugin/Theme editors, and leave updates/installations alone, you can use the DISALLOW_FILE_EDIT constant instead, if you want to get rid of all user-facing update notifications, prevent installations, etc, then you can also make a custom User Role which lacks the capability to perform those actions.

        Also worth noting, #25219 which aims to re-enable Update notifications (but not updates) for users who have DISALLOW_FILE_MODS defined.

        • RicaNeaga 7:27 am on September 24, 2013 Permalink | Log in to Reply

          Why should users be forced to look into the code for this? Of course it’s easy to add, but still… why not an option in the settings? Something like ”Enable Automatic Updates? True (default) / False” :)

          • Knut Sparhell 9:07 am on September 24, 2013 Permalink | Log in to Reply

            1. Users are not forced to look into the code. There will be plugins for this, even the current Automatic Updater will probably let you disable minor core updates.

            2. Decisions, not options principle How should a user decide what is the best and/or safest option? Displaying this as an option says there is a risk of some kind to let it stay on. WordPress would have to express a warning not to disable this, so then, why is it there?

            3. Introducing an option defeats the whole point of this enhancement. The enhancement was not just to add a new option, but to automatically do minor updates, since they are most security related.

            If, and when, WordPress enables Core Major as an automatic update, such option can be discussed again. Core Major may introduce new features than can alter plugin or theme functionality, so this may not be desired.

            But my idea, if and when Core Major is offered, and the next major is in RC, WordPress will ask the user if he is ready to upgrade automatically when released? (Y/N). This answer will be valid for one major release at time.

            If and when WordPress is offering automatic updates to theme and plugins, this could be as an option for each plugin or theme, eanbled by the plugin/theme author.

            For now, Core Minor is the target, without an UI option to turn it off.

            • RicaNeaga 8:03 pm on September 24, 2013 Permalink

              Ok, now I understand. Thank you for the explanation. :)

    • Simon Wheatley 8:28 am on September 24, 2013 Permalink | Log in to Reply

      I hope you at least considered using `define( ‘UPDATE_ALL_THE_THINGS’, true );`? :)

      • Dion Hulse 8:37 am on September 24, 2013 Permalink | Log in to Reply

        During initial patches, the Cron callback actually was wp_auto_upgrader_upgrade_all_the_things :)

        Still considering a constant by that name to enable Plugin+Theme+Core Major release updates though :)

        • Knut Sparhell 8:44 am on September 24, 2013 Permalink | Log in to Reply

          Please don’t. Enabling updates other than Core Minor should remain plugin territory (filters) in 3.7, even if core is able to perform the actual updates.

          • Dion Hulse 9:06 am on September 24, 2013 Permalink | Log in to Reply

            Curiously, Why do you see a Constant as being worse, than a user installing a plugin or using a filter?
            A plugin could simply define the constant, which would effectively be the same thing.

            Honestly though, we’re trying to avoid constants like this, instead relying upon filters, so Update-it-all is better suited to a plugin at this point.

            • Knut Sparhell 9:14 am on September 24, 2013 Permalink

              Mostly because, as you say, it’s better to let a plugin add filters than constants.

              And a constant makes it tempting for more (end) users to alter their wp-config.php to add yet another constant, when what they would need is a UI so they can see what extras are enabled.

              Constants in wp-config.php, if any, should be a thing for developers.

            • Knut Sparhell 9:21 am on September 24, 2013 Permalink

              Last sentence of my previous comment should be:

              Constants in wp-config.php, if any, should be a thing for developers having to restrict things for the site (but restrictions should also go into mu-plugins, when possible).

    • Knut Sparhell 9:48 am on September 24, 2013 Permalink | Log in to Reply

      This implementation looks to be even better than I hoped for. This is great! WordPress may proudly announce this new enhancement (not feature) for 3.7. From now on, when a serious vulnerability is discovered, WordPress may patch millions of sites in a few hours, making WordPress a far more robust platform and a real “set-it-an-forget-it” platform. This is the way WordPress is actually used by millions, while WordPress, until 3.7, haven’t really supported this approach and still remaining a safe platform.

      WordPress used to come with a warning, you MUST check for updates, but this is widely ignored. May site owners don’t visit their admin area (log in) for many months, as they may be satisfied with quite static “home page” type of site. And if they go into admin, they don’t dare to change anything if they are not completely sure that there is no side effect. So they leave without updating, just to be sure they didn’t do anything wrong, anything at all. Their site “works”, and that’s all they care about for now, not knowing their site may be vulnerable to attacks.

      From 3.7 there will also be possible to update the previous major release, if I understand it correctly. (After 3.8 is released, sites still on 3.7 may receive critical updates, if the lead committers decides this should be done?)

      I just wonder, what is the priority when both WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED are true? I guess AUTOMATIC_UPDATER_DISABLED will decide, correct?

      • Dion Hulse 10:09 am on September 24, 2013 Permalink | Log in to Reply

        From now on, when a serious vulnerability is discovered, WordPress may patch millions of sites in a few hours, making WordPress a far more robust platform and a real “set-it-an-forget-it” platform.

        That’s one of the hopes, We also have the ability to control when an auto-update is released, for example, 3.7.1 might be announced/released as normal, and the auto-update would roll out 12 hours later if there’s been no reported injuries from the update – Not that there are often dramatic issues with security releases, which is why we’re confident we can launch with that.

        From 3.7 there will also be possible to update the previous major release, if I understand it correctly. (After 3.8 is released, sites still on 3.7 may receive critical updates, if the lead committers decides this should be done?)

        Whenever possible, WordPress has attempted to keep the previous branch up to date.
        For example, when 3.6 was released, the 3.5 SVN branch was “up to date” security wise, There’s stuff in the 3.5 branch that was never released as a 3.5.3.
        We could’ve released it the same day as we released 3.6, but there was no need to.. WordPress would just prompt users to update to 3.6 completely skipping over it. Many people who run large WordPress networks are aware of that and will pull in the branch updates while they continue to test the next major release.
        Come 3.8 though, as you realise, that can change, we can continue to patch 3.7.x and have users benefit from it. There’d probably be a cut off for back ports of security updates (ie. when 3.9 is released, 3.7 would stop getting security updates or something like that) but that isn’t something that’s been discussed yet.

        I just wonder, what is the priority when both WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED are true?

        You’re right, the Disabled status will prevail, In the case of the Disabled constants, as soon as it’s hit, it stops even considering doing something, it’s a big red sign that says “Don’t do anything” – It’s really a kill switch.
        WP_AUTO_UPDATE_CORE (along with the filters which act upon it) is really just a preference if the upgrader isn’t disabled

        • Ian Dunn 4:14 pm on September 24, 2013 Permalink | Log in to Reply

          We also have the ability to control when an auto-update is released, for example, 3.7.1 might be announced/released as normal, and the auto-update would roll out 12 hours later if there’s been no reported injuries from the update

          …or maybe 12 hours earlier? That’d give us a little jump on anyone looking to exploit the vulnerability between the time it’s announced and the time the auto-update happens. Having a 12 hour window where a vulnerability is known-but-not-patched makes me uncomfortable, and lately I’ve been patching my installs within ~60 minutes of the new tag hitting the repo.

          Obviously attackers could setup a script to e-mail/SMS themselves when the SVN repo gets a new tag, but not all of them will, so it might help a little.

          • Dion Hulse 3:29 am on September 25, 2013 Permalink | Log in to Reply

            A 12-hour window would still be better than the several days/weeks that many people don’t update their installs at present.

            The timeframe was simply a example, there’d be no reason it couldn’t be made available at the same time as an official release if the core developers were confident in it.

        • Milan Dinić 9:29 pm on September 25, 2013 Permalink | Log in to Reply

          From now on, when a serious vulnerability is discovered, WordPress may patch millions of sites in a few hours, making WordPress a far more robust platform and a real “set-it-an-forget-it” platform.

          But will .org servers survive this? :)

    • Marcus 10:03 am on September 24, 2013 Permalink | Log in to Reply

      Very nice feature, great work Dion!

      There’s so many ‘static’ sites out there that get created and forgotten (I actually stumbled across a 3.1 site only yesterday!), this is perfect for those situations.

      Whilst the idea of doing this to business-critical sites somewhat makes me feel uneasy (mostly due to the fact that unecessary problems like plugin/theme jQuery incompatibilities with newer library updates), this’ll make the web a slightly safer place overall!

      • Dion Hulse 10:23 am on September 24, 2013 Permalink | Log in to Reply

        mostly due to the fact that unecessary problems like plugin/theme jQuery incompatibilities with newer library updates

        The good news is, such libraries would rarely be updated in a point release, It would only be if there was a particularly bad cross-site-scripting vulnerability or similar in the Javascript library which would cause it to be done – and even then, we’d not update to the latest version of the library, we’d simply update to a compatible security release (ie. 1.7.0 to 1.7.1).
        WordPress’s backwards-compatibility mantra also means there’s very rarely a break in compatibility, and if there is, it’ll be in a major release with a LOT of thought put in to it, and every possible alternative considered.

        • Knut Sparhell 1:01 pm on September 24, 2013 Permalink | Log in to Reply

          This not just good news, is part of the foundation of WordPress release policy: Point releases should only fix what’s needs to be fixed this way, that is security and regression. No stuffing in all the latest and greatest of external libraries, even how well tested. Minimal to no risk of breaking compatibility with whatever. Everything that does not have the purpose of making the branch more stable will have to wait to the next main release. This has always been the policy, as far back as I know.

          Even core hacks will probably survive, as the updates are incremental on file basis. Right?

          I hope the sceptics, the “no-automatic-updates” people, reads and understands this policy, and the main reasoning behind this enhancement. And then, if still sceptic, just see how easy they can avoid the whole thing by a introducing some constant, or, even better, installing a simple plugin.

    • Andrew Nacin 1:59 pm on September 24, 2013 Permalink | Log in to Reply

      Just adding something here: It will be against the policy of the plugin and theme directories for a plugin or theme to forcibly update themselves using the filters outlined here.

      • Knut Sparhell 2:28 pm on September 24, 2013 Permalink | Log in to Reply

        Seriously?

        So “Automatic Updater” will not comply with the policy? It auto updates itself. Will it be ok to auto update other themes or plugins, except itself? Can’t believe this.

        • Gary Pendergast 3:23 pm on September 24, 2013 Permalink | Log in to Reply

          It doesn’t specifically update itself, and it doesn’t force the update – it only updates itself when you enable updates for all plugins.

          I’ll be releasing an update soon that uses the core automatic upgrade routines, so it will quite literally be a wp-admin checkbox for the core functionality.

        • Ipstenu (Mika Epstein) 3:44 pm on September 24, 2013 Permalink | Log in to Reply

          No, the plugin is complying with our policy. It’s automating the update process for everyone, not ‘just’ itself. I know it sounds like hair-splitting, but this is clearly not ‘a plugin that only updates itself’ and instead is ‘a plugin that automates updates.’

          We’ve had ‘em before, like the old WP plugin that would let you update WP inside WP (before that was in core), and they’ve always been allowed :) What isn’t would be if, say, Akismet automatically updated itself, and ONLY itself, when it had a new version.

          • Knut Sparhell 11:43 pm on September 24, 2013 Permalink | Log in to Reply

            Thanks for the clarification. I still think this rule is silly, though. I can see the need for rules that stops plugins from silently and forcefully take away some control the admin expects to have. But a plugin, that in its description says it will update itself, I would consider creative, whatever method used. Anyway, this “aside” discussion should probably be taken elsewhere.

    • Ipstenu (Mika Epstein) 3:46 pm on September 24, 2013 Permalink | Log in to Reply

      If the install uses FTP for updates (and prompts for credentials), automatic updates are disabled

      My install uses FTP for updates, but I have an FTP userID and password in my wp-config. So am I right in assuming this will work as expected and update me?

    • George Stephanis 4:38 pm on September 24, 2013 Permalink | Log in to Reply

      Love it.

      I personally won’t be using it, but for folks that it’d be useful for:

      https://github.com/georgestephanis/update-control

      It adds in tickboxes to the Settings > General for folks that need to be able to specify them manually through the UI.

      It’s already submitted for consideration on the plugin repo, it’s open to pull requests or changes wherever.

    • Sebastien 6:00 pm on September 24, 2013 Permalink | Log in to Reply

      This is an interesting feature. I will add this to the custom config setup in the next update for my WordPress Online Installer, WPSetup.

    • Mike Schinkel 6:11 pm on September 24, 2013 Permalink | Log in to Reply

      +1 for disabling updates when using SVN and Git.
      -1 for omitting the same check for Hg/Mercurial.

  • aronwp 4:11 pm on September 26, 2013 Permalink | Log in to Reply

    Ok, I was all for the automattic core upgrades after finding out it would not be major WordPress releases since people say that minor releases don’t break anything. Yesterday I upgraded a site to 3.6.1 from 3.6 and the site broke. (i had a backup so no big deal) but if this would have been an automattic update on a production environment the client would of been real mad. (this guy is not a happy camper) The site broke due to a plugin that worked fine on 3.6 but not on 3.6.1. It’s a woocommerce gravity forms product addon extension and here is the change log.

    “2013.09.12 – version 2.4.6
    * Fix: Remove wp_get_referer() in constructor for compatibility with WordPress 3.6.1 load order. ”

    This proves that anyone saying that a minor release cant break a website is dead wrong. Don’t get me wrong. I would love automattic upgrades but it’s not ready for mainstream yet. At least not that I can see.

    Aron

  • Ryan Hellyer 8:59 pm on September 26, 2013 Permalink | Log in to Reply

    This is a truly awesome addition to WordPress. Thanks to all of those who assisted with hammering out the plan and implementing it.

  • kevinjohngallagher 1:42 am on September 27, 2013 Permalink | Log in to Reply

    Friends,
    Shockingly I have an issue, but I think we can clear it up.

    As of [25598] WordPress 3.7+ installs will begin updating themselves without the need of user input every time a new security release has been released

    Although not a fan of automatic updating, I can understand the desire to implement it (the horse has bolted, so I’m not complaining). My challenge is the definition of “SECURITY RELEASE”. That’s not the same as x.1 release.

    In fact, every x.1 and x.2 release WordPress has had since 2.6 has included more than security fixes (bug fixes, functionality, small things that have been worked on, and presentation changes). If we limit this updating to SECURITY releases, then I’ll crawl back into my cave – but that is not something we’ve done so far.

    3.6.1, for example, had 22 code changes, of which 4 of them were presentation changes. Don’t get me wrong, bug fixes are great, but fixing a presentation bug for TinyMCE in iOS5 only… not security!!
    (http://core.trac.wordpress.org/changeset/25187)

    To stress, I think the code developed here is incredible, and it’s an awesome step forward. But I feel that the processes behind it are taking a very very huge leap without notice or in-depth edge-case planning.

    • Have we solved the process problem before the coding one?
    • Are we tagging security releases AND updates as separate minor releases?
    • Are we prepared to not release bugs we’ve fixed until the next major version?

    I’ve looked for the answers to these questions, and I can’t find them.

  • BC 7:56 am on October 8, 2013 Permalink | Log in to Reply

    Personally I think this is a bad idea and should be switched off by default – sure have a button in the admin panel that lets people choose – but don’t take this responsibility without being sure what it means.

    Why? Mostly trust. I don’t trust you to stop at only pushing security updates. I definitely don’t trust you not to break my sites with an upgrade. You will break it eventually (as you have each time for a subset of sites) and I want to be three when it happens. Finally I absolutely do not trust that you are more clever than a world full of evil hackers who are surely rubbing their hands with glee at the prospect of being able to automatically push their trash to millions of websites in a few hours after just one hack.

    This is the widest reaching change WP has ever made IMO and you are taking a big reputational risk that it will work first time all the time. You are removing choice and responsibility from admins and taking that yourself. I predict headline-grabbing failure at some point and lawsuits in your future. That bit about taking backups before upgrading you always tell people in the upgrade notes, for example, how are you doing that? When it doesn’t work how will you put it back as it was?

    As for auto-updating themes and plugins; that way madness lies. Madness with pitchforks and burning.

    I will add the constants to switch this off before I even upgrade to 3.7 and it will forever stay that way.

  • Kat Hagan 1:47 pm on September 23, 2013 Permalink | Log in to leave a Comment
    Tags: ,   

    Post By Email: OPW is over! 

    I can hardly believe it, but my summer internship is drawing to a close.

    This week, I released version 1.0.4 of the Post By Email plugin, comprised of minor bugfixes, tests, and documentation as I prepped the project for its evaluation phase.  I’ve added quite a bit of info to the readme page, including better installation and configuration instructions.

    Those of you following along on Trac may have noticed that I’ve kind of run out of tasks.  :)

    Today is the official end of the OPW and GSoC programs, so I’ll be taking a short break from development work during the evaluation period.  But this isn’t goodbye!  I definitely plan to stick around and continue working on and supporting this project in the future — so keep those bug reports coming!

    I do want to take a second to thank all of you for being here for me as I learned the ins and outs of WordPress this summer.  I feel really good about where this project landed, and I know it’s because I had so many amazing resources every step of the way.  So, to everyone who left me comments, answered my questions on IRC or Twitter, reviewed my code, tested, reported bugs, offered suggestions, spoke at WCSF, or even just edited a Codex page or wrote a quick tutorial now and then: THANK YOU.  It really made the difference in those moments when I felt frustrated or overwhelmed.

    I don’t know exactly what the future holds, but I do know that I love being a part of WordPress, and I’m excited to continue working with y’all.  Let’s keep in touch.  :)

     
  • Lance Willett 11:10 pm on September 20, 2013 Permalink | Log in to leave a Comment
    Tags: , ,   

    Twenty Fourteen project update 

    We’re continuing regular office hours on Tuesdays and Thursdays at Tuesday 17 UTC) as well as general “Bundled Themes” bug scrubs, Fridays at 18 UTC.

    Done since last time:

    • Accent color theme option added: #25220
    • Added a “Contributor” page: #24863
    • Lots of layout and style fixes
    • Fixing how Genericons are loaded: #25085

    In progress:

     
  • c
    compose new post
    j
    next post/next comment
    k
    previous post/previous comment
    r
    reply
    e
    edit
    o
    show/hide comments
    t
    go to top
    l
    go to login
    h
    show/hide help
    shift + esc
    cancel