It’s really disheartening to read stories like this coming out of the WordPress community, but kudos to Sarah for speaking out about it. We all need to be more aware of these issues and look for ways to prevent things like this from happening in the future.
All posts in WordPress
Video: I presented on this topic at WordCamp Dayton 2014. It’s very common for developers to customize and extend existing plugins to fit their own needs, which is one of the great advantages of using open-source software. They often do it by making their changes directly to the plugin, though, which creates a security vulnerability and becomes a maintenance… [more]
WordCamp.org now has an RSS feed that announces when new WordCamps are scheduled.
I came across a post on WP Recipes about programmatically logging users in, but it seemed like a flawed approach because it duplicated parts of Core’s internals rather than using the API. So, I came up with my own version:
The video from my presentation on the Model-View-Controller pattern at WordCamp Columbus 2013 is now available on WordPress.tv.
I just released a new plugin into the WordPress.org repository, and am fairly confident that it’s secure, but since it modifies some of the default login behavior, I’d love to get some extra eyeballs on the code. To that end, I’m offering a $150 Amazon.com gift certificate* to anyone who can find a significant vulnerability. By “significant”, I’m talking about… [more]
I just spent a while tracking down some odd AJAX behavior that was puzzling me, so I thought I’d share the solution. I was working on a plugin to extend P2 and my AJAX requests were always responding with -1. After a lot of digging and some trial-and-error, I figured out that it was happening because I was using P2’s ajaxUrl variable… [more]
Even though I’m a huge fan of WordPress and have chosen to develop for it exclusively, there are still some big areas where the underlying architecture is out of step with modern development practices. Mike Toppa just wrote a great response to that “Dire State of WordPress” article that’s been going around, where he defends WordPress against some of… [more]
Diaries of a Core Maintainer #6: A Tale of Two Developers makes some insightful points about different approaches towards contributing to open source projects, and how collaboration and social dynamics can play a big role in whether or not the contributions are accepted. It’s written by a Drupal dev, but I’ve seen the same things at work in the WordPress community.
Here’s a thoughtful and insightful post by Jen Mylo on negativity and meanness in online communities.
One of my big pet peeves with WP plugins and themes is that so many of them trigger PHP notices and warnings by failing to check if array indices exist before referencing them, or checking if a file exists before including it, etc. It may seem trivial, but even if you don’t care about the… [more]
Eric Mann and Mike Toppa have been having an interesting conversation about the use of the Singleton pattern within WordPress plugins. Eric started it with his article in defense of the pattern, and then Mike wrote a thoughtful response. Both make compelling cases for their position, and both avoid the teenage dickery that often accompanies these types of debates. The comments on each… [more]
It’s not possible to create grandchild themes in the same way that you create child themes, but you can use a plugin to dequeue/enqueue stylesheets and scripts, and also override the locations of the main query templates. It’s obviously not the ideal solution, but there are cases where it may be the least-bad one.
In an ideal world you’d never have to fork a plugin, because developers would always make their plugins extensible with hooks, just like WordPress itself does. But unfortunately that’s not usually the case, and it’s sometimes necessary to directly modify a plugin to make it do what you need. In those cases, you want to make sure that the plugin… [more]
I recently spent some time reviewing the WordPress security plugin landscape, since there’ve been some big changes in the past year, and I’ve decided to update some of my standard choices. No single plugin covers all the different requirements, so it’s necessary to use a combination. That can be a problem, though, because the feature-sets… [more]
XML-RPC will be enabled by default in WordPress 3.5, but I personally think that’s a bad idea from a security perspective. A fellow Seattle WP developer, Ben Lobaugh, explains why on the Trac ticket. Luckily, it’s easy to disable it. Just add this to a plugin: I’ve added that to my security checklist for new installations, and updated my installation skeleton to include… [more]