Why Cloudup is Not Replacing the WordPress Media Library

CloudUpFeaturedImage2When Automattic acquired Cloudup in 2013, two of the most exciting parts of the announcement was replacing the WordPress media library with Cloudup and the ability to co-edit posts similar to Google Docs. We discussed the concept in early 2014 and readers were concerned about owning their data.

Two years later, the WordPress media library and the visual post editor have received major improvements while integration with Cloudup is non-existent. When Matt Mullenweg was asked about the integration in a recent interview, he responded,

We did a lot of really awesome UI improvements to the editor and did some things we were very excited about, but because we weren’t working on a TinyMCE base, some of the basic editing stuff was really difficult.

The team spent about six months to complete the first 80% of the project then spent a year and a half to reach 85%. Setbacks included a lot of rabbit holes and hidden complexity. The team now works on different things within Automattic that revolve around data.

Zeditor is an Educational Resource

The work completed by the team is open source and available on GitHub. It’s called Zeditor and serves as an educational resource. “We learned a ton through the way we architected the JavaScript and we think it serves as a good model for doing lots of JavaScript projects going forward,” Mullenweg said.

Listen to Mullenweg explain why Cloudup is not replacing the WordPress media library in the following audio clip. Be sure to check out the entire interview where we discuss a variety of other WordPress topics.

The theme review team’s content creation discussion

The WordPress.org theme review team (TRT) has been in the WP news a lot lately, right?

Despite various tall tales, urban legends, personal attacks, and flavorful language being bandied about, we’re all a group of regular ol’, standard-built humans trying to make sure WordPress users have really awesome stuff. Some of us have different model numbers and come with our own set of flaws, but that’s OK. We all have the same goal in mind.

Unfortunately, there’s been a lot of misinformation and even some disinformation going around. I’m not going to beat dead horses. However, I do want to attempt to explain what’s happening with the current “content creation” situation. Maybe I can clear up some things before comment sections on certain blog posts start claiming we formed a secret organization to murder JFK.

What is content creation?

This is something I’ve written about before, such as in my Why custom post types belong in plugins post. In that post, I go on to list a few items that we don’t allow in themes hosted on the WordPress.org theme repository.

Here’s a list of things not allowed:

  • Custom post types.
  • Custom taxonomies.
  • Non-presentational post metadata.
  • Database tables.
  • Shortcodes.
  • Custom comment types.

These are what we call the clear-cut cases. In fact, the automated checker won’t even allow themes to be submitted if it has some of those. These are not the things that we’re discussing. What we’re actually discussing are some gray areas, which I’ll get to in a moment.

Why are you “cracking down” on this now?

We’re actually not cracking down on anything. This is not a witch hunt or anything of that nature. We’re neither hunting down popular themes with upsell versions nor planning world domination. None of us have the time for that sort of thing anyway.

When we spot issues, we attempt to correct those issues and work with theme authors to bring their themes into compliance. We deal with these things on a case-by-case basis because each issue is unique and needs a specific path forward.

When we have confusion, we attempt to discuss and clarify items so that there’s no confusion, or at least less confusion. The guidelines are a bit of a living document, one that must be refreshed from time to time with the blood of developers and reviewers.

That’s what this whole content creation discussion is about. The content creation guideline isn’t being consistently applied by reviewers. Therefore, in the next team meeting we are going to deal with this inconsistency.

The gray areas

Where the team of 100+ humans have been inconsistent is in dealing with gray areas. This inconsistency isn’t fair to theme authors because different reviewers are applying a particular guideline in wildly different ways. It makes sense that we bring some clarity to the situation.

To help understand the discussion a bit more, I’ll leave you with some examples of the types of things we’ll be clarifying. This won’t be an exhaustive list of examples. It’s merely a list to help explain what all this stuff is about.

Example #1: Footer copyright text

Imagine a theme had an editable <textarea> in the theme options to allow you to alter what’s shown in the footer. Is it content? Can it be better handled by something like a text widget?

Personally, I believe this one is pretty easy to figure out. It’s a theme-specific setting that theme users won’t care about when they switch to a different theme in the future. I consider this part of basic theme setup and would say it does not fall under content creation.

Example #2: Portfolio projects

Now, imagine a theme that allows you to create portfolio projects via theme options (or widgets). Remember, we don’t allow a portfolio project post type and consider such a thing plugin territory (one of those clear-cut cases). This isn’t technically a post type. Otherwise, it would’ve never made it past the automatic scan prior to submission. It’s a theme option, but it does the job of a post type.

First, the wp_options table really isn’t meant for this sort of long-form content. Also, in this case, users may want their portfolio projects around when they switch to a different theme. This seems to be a case of a custom post type disguised as a theme option.

Example #3: Profile widget

A profile widget might allow a user to upload an image and write a paragraph or two about themselves. There is a far better method of coding this to auto-pull in a user’s biographical info and avatar, saving them from having to copy/paste info many will have already provided.

However, because the “content” is generally so small, I really don’t care much whether themes are adding widgets like this. I just think there are better ways of coding it that are more portable across themes.

Example #4: Front page content sections

Imagine a theme that allowed you to configure your entire front page. Imagine if you could configure each section with newly-written content or maybe just certain sections.

When does a theme jump over into WordPress core and plugin domain? Where’s the line? Are a few text box sections OK? Is having to write an entire front page’s content via theme options the best way forward? What effect does this have on users?

This is at the heart of the discussion (i.e., not a current decision).

The post The theme review team’s content creation discussion appeared first on Justin Tadlock.

Updates Galore

Just a quick post to let people know about the updates now available for my various books and plugins. Basically the entire month of May was spent on plugin and book updates, so here is a quick summary of what’s new.

Free WordPress Plugins

All of my active WordPress plugins are updated with new features and current with WordPress version 4.2, here is a complete list:

All of these plugins are free and open source; I use them on my own sites and make them available to the WordPress community as a way of giving something back. So THANK YOU to everyone who supports the work I do, either by purchasing my books, making a donation, or tweeting and sharing content on your favorite social-media sites. Your support is appreciated!

Premium WordPress Plugins

In addition to free plugins, I have a growing collection of Premium WordPress plugins:

Both of these plugins are freshly updated and current with WordPress 4.2. Plus, these plugins include free lifetime updates, so no need to fork out more cash every year just to renew the license. And the even better news? Now that I’ve completed this round of book and plugin updates, I have a chance to move forward again and develop some more Pro plugins! I have the perfect one in mind for the hot Summer months :)

Book Updates!

I love to write books, and editing and updating them is almost just as fun. Currently I have four books that are all freshly updated and current with all the latest software:

This round of book updates includes a complete refresh of all hyperlinks (over 2,000 links in total), as well as updated material, revised content, fixed errata, and much more. You can check out a complete list of changes from each book’s homepage. And that reminds me..

Book Sale!

To celebrate this round of updates, all books and combos are on sale at the WP-Tao Bookstore. Save some dough with the following discount code:


Apply during checkout for instant savings ;)

Log Deprecated Calls 1.3

Another update! This one I’m very happy with — I’ve made an improvement that vastly improves the efficiency of the database table.

The original version of the plugin was banged out in an afternoon, and as a result it didn’t make the best use of the database. I’ve always meant to go back and fix this, and now it’s done.

Previously, each deprecated call resulted in a new record in the database. If you left it running for a while, you could end up with quite a large table. In the new version, it looks to see if this same call already exists in the table, and if so, it simply hits a counter on the existing entry. You could now leave this running indefinitely without any database issues (though you probably wouldn’t, as it’s still mainly intended for developers).

I would appreciate bug reports on this plugin. There may be an intermittent bug in setting Options which I can’t seem to duplicate. Thanks.

Go get it! and Enjoy.

© Stephen Rider 2015

This article was originally published at Nerdaphernalia. Planet WordPress is authorized to reproduce WordPress-related entries. If you're reading this at any other web site, the site owner is stealing copyrighted work. Please visit the original page:

Permalink to Log Deprecated Calls 1.3

Feed enhanced by Better Feed from Ozh

Multiple checkbox customizer control

Multiple Checkbox Customizer Control

This post is part of my ongoing series of helping theme authors out with building customizer fields that they need help with. This request comes from Nilambar Sharma.

The specific request was, “Have you developed customizer control for multi checkbox. Say five choices are given and user can select multiple items from there?”

The closest I’ve seen to this is the Multiple Category Control from Theme Foundation. I sat down at the drawing board and got to work on a what I think is a good solution for any set of data using a similar method.

This tutorial will assume that you’re accustomed to working with the Customization API in WordPress core.

Building the control class

Create a new file called control-checkbox-multiple.php. As far as this tutorial is concerned, it’s sitting in the theme root folder. Feel free to put it in a sub-folder and organize how you see fit. Drop the following code into the file.

 * Multiple checkbox customize control class.
 * @since  1.0.0
 * @access public
class JT_Customize_Control_Checkbox_Multiple extends WP_Customize_Control {

     * The type of customize control being rendered.
     * @since  1.0.0
     * @access public
     * @var    string
    public $type = 'checkbox-multiple';

     * Enqueue scripts/styles.
     * @since  1.0.0
     * @access public
     * @return void
    public function enqueue() {
        wp_enqueue_script( 'jt-customize-controls', trailingslashit( get_template_directory_uri() ) . 'customize-controls.js', array( 'jquery' ) );

     * Displays the control content.
     * @since  1.0.0
     * @access public
     * @return void
    public function render_content() {

        if ( empty( $this->choices ) )
            return; ?>

        <?php if ( !empty( $this->label ) ) : ?>
            <span class="customize-control-title"><?php echo esc_html( $this->label ); ?></span>
        <?php endif; ?>

        <?php if ( !empty( $this->description ) ) : ?>
            <span class="description customize-control-description"><?php echo $this->description; ?></span>
        <?php endif; ?>

        <?php $multi_values = !is_array( $this->value() ) ? explode( ',', $this->value() ) : $this->value(); ?>

            <?php foreach ( $this->choices as $value => $label ) : ?>

                        <input type="checkbox" value="<?php echo esc_attr( $value ); ?>" <?php checked( in_array( $value, $multi_values ) ); ?> /> 
                        <?php echo esc_html( $label ); ?>

            <?php endforeach; ?>

        <input type="hidden" <?php $this->link(); ?> value="<?php echo esc_attr( implode( ',', $multi_values ) ); ?>" />
    <?php }

There’s a couple of things to note about this class. The first is that I’m utilizing the enqueue() method. If you’re unfamiliar with this control method, it allows you to enqueue scripts/styles when a specific control is used. We’ll be loading a custom customize-controls.js file for this control.

The next thing of note is that there’s a hidden <input> element, which we’ve added the standard $this->link() output to. We’ll be dynamically adding the checkbox input values to this hidden input via JavaScript so that it works with the customizer.

Loading the control class

Assuming you’ve never loaded a control class, you might be surprised if you attempt to simply load the file in your theme. You’ll get a fatal error because the WP_Customize_Control class hasn’t been defined yet.

What I recommend is loading custom control classes early on the customize_register hook like so in your theme’s functions.php file:

add_action( 'customize_register', 'jt_load_customize_controls', 0 );

function jt_load_customize_controls() {

    require_once( trailingslashit( get_template_directory() ) . 'control-checkbox-multiple.php` );

Adding the JavaScript

In the class, we enqueued the customize-controls.js script, so we need to have that file in the theme. In that file, drop this code:

jQuery( document ).ready( function() {

    /* === Checkbox Multiple Control === */

    jQuery( '.customize-control-checkbox-multiple input[type="checkbox"]' ).on(
        function() {

            checkbox_values = jQuery( this ).parents( '.customize-control' ).find( 'input[type="checkbox"]:checked' ).map(
                function() {
                    return this.value;
            ).get().join( ',' );

            jQuery( this ).parents( '.customize-control' ).find( 'input[type="hidden"]' ).val( checkbox_values ).trigger( 'change' );

} ); // jQuery( document ).ready

This bit of jQuery looks to see when a checkbox value has changed. If it has, it adds/removes that value to the hidden input. It also let’s WP know that a setting has changed via .trigger( 'change' ), so that the customizer form can be saved.

Admittedly, I’m not the greatest JS programmer, so please improve upon the code if possible.

Creating the customizer option

This is pretty standard for anyone who’s used the customizer. You need to add a setting and a control. You can use a multiple checkbox control for all sorts of things, such as choosing multiple categories or multiple pages. For the sake of this example, I’ll just have a “favorite fruit” setting to show how things work.

add_action( 'customize_register', 'jt_customize_register' );

function jt_customize_register( $wp_customize ) {

            'default'           => get_theme_mod( 'favorite_fruit', array( 'apple', 'orange' ) ),
            'sanitize_callback' => 'jt_sanitize_favorite_fruit'

        new JT_Customize_Control_Checkbox_Multiple(
                'section' => 'title_tagline',
                'label'   => __( 'Favorite Fruit', 'jt' ),
                'choices' => array(
                    'apple'      => __( 'Apple',      'jt' ),
                    'banana'     => __( 'Banana',     'jt' ),
                    'date'       => __( 'Date',       'jt' ),
                    'orange'     => __( 'Orange',     'jt' ),
                    'watermelon' => __( 'Watermelon', 'jt' )

Sanitizing the data

Because we’re working with multiple values, you can’t simply throw in just any ol’ sanitizing function for the sanitize_callback argument. You’ll need a custom callback function to sanitize the values individually.

Another thing to keep in mind is that because we used a hidden input element in our control, everything is stored as a comma-delineated string of values rather than array. So, we’ll need to turn that back into an array before the value is saved to the database.

We can kill two birds with one stone with a custom sanitize_callback function.

function jt_sanitize_favorite_fruit( $values ) {

    $multi_values = !is_array( $values ) ? explode( ',', $values ) : $values;

    return !empty( $multi_values ) ? array_map( 'sanitize_text_field', $multi_values ) : array();

I’ve used array_map() in the function to run sanitize_text_field() over each value. Don’t just use that because I used it in this tutorial. Use the function most appropriate for the type of data that you’re sanitizing.

The post Multiple checkbox customizer control appeared first on Justin Tadlock.

Business Decisions Impacting Your Customers Could Be Fatal

As a WordPress agency owner running my business and being responsible for dozens of people, my main goal is stability.

Stability in Business

John Lennon once said:

“Life is what happens while you are busy making other plans”

Since life is fragile itself and things change every single minute, the least we could do is stabilize as many variables as possible and take care of the potential problematic areas. That said, stability in business is determined by various factors, such as:

  • Having a steady recurring revenue model – memberships, selling WordPress products, or a backlog of clients for services
  • Working with a reliable team – employees, contractors, trustworthy and capable people available for work
  • Setting up the right work environment – office, equipment, Internet access and everything required for work on a daily basis

Stability includes trust, reliability, delegation, long-term commitment and being able to believe in a technology, partner or an idea so much that you share your business and sensitive data with them knowing that they are safe, while dealing with the rest of your work.

Stability could be interrupted in a many ways that we cannot predict, or at least expect not to happen. Some of those are not crucial, but others are critical. And based on your risk management process, you can prevent some of these depending on how much loss your business will generate in case of an unexpected event.

Stability and Potential Loss

For example, if your Internet at the office is down for an hour every two weeks, you have to assess the damages for your business. If only two people work at the office and most of their work is offline, that may be something that you don’t even notice – and it’s fine.

If this is a call center with 30 people, that means 60 non-billable hours or interrupted calls with serious prospects. Now that’s probably critical.

If Amazon’s or Google’s network was down for an hour every two weeks, people would probably start using eBay and Yahoo much more often which will lead to tens of millions of dollars of damages per month due to the downtime.

As you can see, an interruption in a service may be critical for some, and you should always be aware while working with your customers. My ISP offers a premium plan for VIP customers with a backup line with Internet access if the main one is down, extra gateways, internal DNS servers and so on. That premium service is worth paying for extra for business people.

If your Internet is down for 2h/month and you can break a server in the middle of a deploy, or lose a consulting client paying $300/hour – would you not pay $20-$40 extra for a backup line or switch to another backup ISP, or pay for two providers simultaneously?

Web Development, CMS Stability and WordPress

Coming from the Enterprise world to WordPress was incredibly shocking for me. I was both excited for the opportunity of solving more problems and delivering more projects in a shorter amount of time, and freaked out by the unexpected estimates when it comes to delivering a complex custom plugin or polishing a reliable platform.

Since I was dealing with estimates and project planning at one of the Java companies I worked for, I’ve had 6-figures projects signed for the amount of features that would translate to a $20K – $30K project in the WordPress world.

Now, the amount of work itself was significantly more – for a Java project – but there is another key takeaway:

A project of that size requires months of R&D, validating an idea, and numerous iterations of testing and benchmarks.

Rushing things leads to mistakes. Mistakes cause problems and regressions. And that could affect budgets, data, relations, and overall slam an entire business should that happen in the wrong moment.

But rushing things and underpricing is incredibly common in the WordPress world.

Drupal and WordPress

Dries covered Automattic’s latest acquisition in his post “Why WooMattic is big news for small businesses“. While I believe that a potential WordPress.com vertical with hosted WooCommerce would definitely create opportunities for small business owners (and reduce the waves of Wix and Squarespace users as well), Dries ends with the following comment:

To me, this further accentuates the division of the CMS market with WordPress dominating the small business segment and Drupal further solidifying its position with larger organizations with more complex requirements.

I disagree with his sentiment, but he’s right about one thing: Drupal has a proven place in working with large organizations having complex requirements. Probably the majority of the popular Drupal-based projects fall in that category (unlike 95%+ of the WordPress projects being blogs or 5-page business card websites).

And since I actually like Drupal myself, I would understand if a large corporation picks Drupal instead of WordPress for their project. Let me explain why.

WordPress is dangerous for non-experienced people

That’s right – it is.

You may be a technical expert capable enough to set it up in a safe and scalable way.

But WordPress seems so easy that it makes several things possible:

  • non-technical clients decide to build and operate WordPress websites themselves
  • non-experienced people start to offer professional services
  • non-technical service providers add WordPress to their suite of partners and mess up with the workflow
Clients misconceptions and false expectations

Clients misconceptions and false expectations

In my post Setting the Wrong Example I discuss the vast majority of “WordPress experts” who have no practical knowledge of the technical stack and what happens behind the curtains. The 5-minute install, tools like Softaculous and other quick tutorials make it possible to start in a matter of minutes.

It’s simply less common in the Drupal world. Less people claim to be Drupal experts since it’s more technical. Users are generally less inclined to go “on their own”. And it’s a 100% technical area for enterprise platforms and programming languages in that field.

Drupal does not update often

Automatic updates in WordPress help small blogs and small business owners, but they are a bottleneck for serious projects. That’s right, you can disable them with a single line of code, you can host a .svn/.git folder that prevents the updates, or even manage the permissions so that it’s virtually impossible.

But standard users don’t know that. And the fact that you are behind if you don’t update every 3-4 months is a problem.

Drupal issues a new version every few years. The core team is focused on delivering high quality and stability and spends less time dealing with backwards compatibility.

Don’t get me wrong – I’m thrilled when I have to update a WordPress 2.8 site that’s 7 years old to the latest version without regressions. But a short iteration ran by volunteers is risky, and allows for less time for testing and catching edge cases. And some of the latest security issues were caused by an oversight or the lack of enough eyes on a commit – just because everything moves so fast.

And an update is actually not a simple operation. The Core platform is being updated. That happens on different types of servers/hosting plans, running different web servers, MySQL databases or PHP versions. Those stacks are operated by different companies with various restrictions or limitations due to internal software, hardware firewalls, IDS/IPS and more. Also, a standard WordPress install has a theme and a number of plugins, which may be incompatible with the latest release as well.

Nacin gave a great talk on LoopConf that shed some light on the Emoji idiocy that most people (including me) ranted a lot about. Turned out it’s just a facade of a critical security issue, but if you see the video, you’ll find out how many edge cases are there in practice, given the million different combinations of WordPress environments across the world:

With so many steps required at the update workflow errors simply happen. A lot.

Even if they’re not critical issues (Fatal Errors), that’s quite a lot of regressions, and some are hard to catch.

Ryan also stressed on that problem discussing possible dependencies that could be implemented in WordPress – but we’re simply not there yet, and won’t be at least for another year or two.

Drupal’s Repository Is Less Accessible

One of the reasons why non-technical business owners and regular users decide to spin off a WordPress install themselves is that they can actually build SOMETHING that does what they need.

  • They can create an eCommerce store by installing WordPress with WooCommerce.
  • They can set up a membership website with BuddyPress, and find some free (or cheap) extensions in order to make it work.
  • They can find plenty of free themes for both platforms, or buy a pretty cheap theme that looks good.

Again, that’s great in general, since it facilitates the education of millions of people, introducing them to the Internet and provide an opportunity to become a media without initial investment – which is essential for 3rd world countries or other political regimes where “free speech” is a forbidden term.

But it also implies that building a site is a piece of cake. That web designers/developers are thieves, and they ask for a fortune in order to do something that a “user” can do in two hours. And educating your customers becomes a problem.

Especially when websites are hacked, compatibility is seriously affected between plugins, updates break the website and so on. Since everyone can submit a plugin to the WordPress.org repository, as long as it goes through a quick initial review. And there are three or four reviewers available for that market of 38,000 plugins.

Clients cum WordPress Developers

Clients cum WordPress Developers

Drupal has a more restrictive model, where module authors can work with a sandbox first, and apply for a fairly complicated full project approval process. It’s actually quite interesting and well organized, even though it may take several weeks (or months) to get a new project live. But reviewers spend time going over checklists and ensuring that plugins follow the quality standards.

It’s not incredibly different than WordPress.org’s model per se – it just includes more steps, more reviewers, a reviewing program, more public reviews (people applying for reviewers) and a strict process including different things to look at. They don’t rush that much, and have public checklists for both authors and reviewers.

The end result is – less modules are available for the public, but the overall sense of compatibility and security is higher. And that is a key trust factor for serious business clients. Also with major releases every 2-3 years module authors don’t have to spend half of their time dealing with compatibility issues or supporting different WordPress versions.

Dries also mentioned their core architecture which is sometimes more granular and better refined than the one that WordPress provides. Examples are their content types, taxonomies, user permissions and the new Caching API that is more or less state of the art. This serves as a best practice that module developers are required to use, which increases the quality drastically.

There are tons of discussions regarding the Settings API in WordPress and there is a group working on a new version. Right now most developers prefer using their own frameworks or filter a simple options page themselves in order to avoid the hassle and all of the crazy automagic going on. That wouldn’t be the case with simplified, more robust and extensible API, and would increase the security factor for the majority of the plugins in the repository.

Large Organizations Need Reliability

This is one of the reasons why large organizations still use proprietary technologies or enterprise platforms that take years to build. Stability for a large organization may cost billions of dollars.

If a small 5-page business website with 50 views a month is down for an hour a month or even hacked, that’s not a deal breaker. But what does it look like for large brands?

Sony's loss after the security breaches

Sony’s loss after the security breaches

Sony were hacked a few times over the past years. According to a review by Business Insider published in December, “Sony Corp’s movie studio could face tens of millions of dollars in costs from the massive computer hack that hobbled its operations and exposed sensitive data“.

Also, they remind us about the PlayStation breach in 2011 when customer data was stolen:

The tab will be less than the $171 million Sony estimated for the breach of its Playstation Network in 2011

I’m often befuddled when discussing major updates with developers working for large firms. As long as they don’t deal with sensitive clients, they can’t even imagine what could be the impact of a regression, of downtime, not to mention a successful hack attack. It saddens me, but after all it’s not my company they work for.

According to Forbes in 2013, Amazon.com Goes Down, Loses $66,240 Per Minute. If thirty minutes of downtime don’t bother you personally, that equate to $2M for a large organization.

Stability and Changes By WordPress Businesses

That big picture gets messier if we account for the rapid, startup-alike changes and actions by some companies operating a WordPress-driven business or providing services for WordPress clients as well. And unplanned or non-documented changes could cause a fatal issue for a large giant who has decided to trust WordPress for a reliable project.

I already mentioned that stability includes trust and commitment from both parties. Stability is like a marriage – you trust your partner so much that you can live together, they have access to everything sacred to you, and your personal life is more or less defined by that relationship.

Let’s see some potential problems for businesses interested in getting in bed with WordPress.

The WordPress Core

WordPress is an incredible framework that is extremely flexible and allows you to build virtually any type of project. It may not be the right tool for every problem, but it’s possible nevertheless.

An external large organization however may see several problems with WordPress

  • Automatic updates – the part that we discussed above – even when disabled, release cycles add bug fixes and security releases that must be applied immediately and are practically public, revealing the vulnerabilities that have been fixed.
  • Future Plans – the roadmap for WordPress is not clear, and decisions are not taken by a board of influential companies involved with WordPress in the broader definition of the term. If you plan to invest billions in a project over the next 10 years, it’s not clear what sort of major changes would happen in the 30 major releases that are yet to come.
  • Lack of mature high-end marketplace – all of the available themes and plugins for free or at a low cost are not an advantage if they are potentially insecure, not optimized for performance and practically without guaranteed compatibility. The amount of time for reviews and rewriting these and the potential risk of missing a thing may lead to choosing Drupal’s “Lego” model, a custom framework, from scratch or a high cost enterprise platform.

While I don’t argue that these are necessarily valid points and we should turn around everything so that we can server enterprise customers, all of those are valid remarks that I’ve discussed with enterprise customers and owners/managers at companies with tens of thousands of employees.

WordPress Hosting and Environment

WordPress runs on several different stacks and there are thousands of options available for WordPress customers. At least in theory.

I’ve had so many issues with numerous hosts that I can’t even remember. Some of those problems were so ridiculous that installing a LEMP or LAMP stack with a single command in the shell in a barebone $5-$10/m VPS would be ten times more secure, reliable and pretty fast.

Recently I had a CDN provider blocked on one of my hosting accounts. Two of my sites suddenly stop delivering most of the media, the majority of the CSS and JS files weren’t loaded. My uptime monitors didn’t catch that obviously, so the sites were probably ugly as hell for a few hours. That happened twice, no memo or reminder, or any notification that the provider suddenly decided to block a popular CDN provider and stop delivering media.

Speaking of CDN’s, I was unable to see any media on my friend John’s website yesterday – since someone blacklisted Bulgaria. When I travel and I use a mobile SIM card, or a 3G toggle, I often get blocked by dozens of websites as a false positive – a potential “bot”. Some of those websites are in the top 10,000 Alexa websites in the US, and that leads to lost business opportunities for them.

Until recently (if not still) Azure, Microsoft’s hosting, required a few WordPress core files to be edited when installing a WordPress website to Azure. There are still unresolved tickets focused on Azure’s guidelines.

cPanel Hacking Core

George Stephanis recently reported on Twitter that cPanel is editing WordPress Core files. I didn’t believe that at first, until he kept digging and came up with the entire report of the situation.

Long story short, that was the first reply by cPanel:

Are you using the cPAddons tool within the cPanel interface to install & manage WordPress? If so, then yes, we disable the auto-update functionality within the application so the updates can be managed from the cPanel interface itself. The way our cPAddons tool tracks software is not compatible with the way WordPress updates, hence why we disable the auto-updates so we can track it through cPAddons.

So… when the platform that powers 24% of the Internet does something differently than us, let’s hack that for all of our clients and make them run a non-supported customized version that may cause regressions from then on.

As far as I’m concerned, this is being done without the customers’ consent, and it doesn’t even work properly since George found a number of sites running a WordPress version from early 2014. Updates, huh?

These Are Just a Few Examples

That’s not the complete list of things happening around WordPress – I can list at least 20 different community decisions related to WordPress updates, regulations for the WordPress.org repositories, idiocies by hosting vendors, plugin authors intentionally breaking other plugins, ThemeForest themes that include the kitchen sink, development environments with hidden custom updates over a standard technical stack.

All of those lead to one thing: surprises. And surprises are crucial for two reasons:

  1. A non-regulated change may affect business customers and harm their businesses – the CDN example before, the insecure cPanel websites etc.
  2. Once you find a single voluntarily change that affects your business, you can never feel safe anymore. It’s like being robbed on the street – you’ll walk carefully and be afraid in the evening for the next 20 years or more (speaking from experience).

If you believe that this is a “minor thing” and it “doesn’t hurt anyone”, then you’re either completely wrong, or you are intentionally working backwards, helping the devolution of WordPress back to a simple blogging platform for small websites.

Not paying attention to large businesses is irresponsible. Large businesses are the best thing that could happen to a CMS – it builds trust in the CMS, tests the limits of the code in terms of security and scalability, and builds an enterprise infrastructure for scaling projects.

But until we start working together and discussing the potential impact of major business changes, we’ll keep losing potential opportunities by large brands, kick existing successful businesses away from WordPress due to regulations or politics, and keep complaining about cheap clients or low plugin and theme prices.

The post Business Decisions Impacting Your Customers Could Be Fatal appeared first on Mario Peshev on WordPress Development.

Smarter algorithms, smarter defaults

Instead of showing the user an alert that something might not work, maybe we can build a smarter algorithm. Instead of asking the user to make a choice up front, maybe we can set a smart default and see if there is high demand after launch for more customization.

Rebecca Rolfe on the Google Chrome team, interviewed in The Badass Women of Chrome’s Security Team in Refinery29.

(More on making decisions, not options.)

My 10th WordPress.org-aversary

Justin Tadock's WordPress.org profile

Well, today has come and gone by just like any other for the most part. However, I’ve been quietly contemplating the past 10 years of being involved in the WordPress community. It’s been a long, wacky, and exhilarating ride, one that I wouldn’t change for anything in the world.

Here’s a look at some fun firsts over the past 10 years:

By the way, this isn’t my 10-year-WordPress anniversary. That was actually 10 years and 10 days ago when I wrote my first WordPress-powered blog post. That changed everything.

The post My 10th WordPress.org-aversary appeared first on Justin Tadlock.

Log Deprecated Calls v1.2

A new update to my Log Deprecated Calls WordPress plugin.

The newer versions based on Strider Core has had some “teething pains”, for which I apologize; but I believe I’ve worked them out for the most part. Perhaps my primary error was prematurely removing the Strider Core based version from Beta; but this latest should be fully functional.

The primary fix on this one is the settings page — it was not saving properly due to an obscure bug that I fixed by switching to the WordPress Settings API. In the process I may have uncovered a bug in the API, actually. I’ll have to take a closer look to see if it’s really a bug or just a conflict in the way I was using it.

The next pending update is to make more efficient use of the database. Currently I only recommend using the plugin in the short-term while debugging — which you probably do anyways, but if not it can create a very large table. That fix is next on my plate, and then I think I’ll be quite satisfied with what I’ve made here.

It’s a bit odd and — yes — humbling to look at my own code from several years ago. Even just recently I’ve learned some new concepts after reading the excellent book Clean Code — which was almost worth it just for the advice that you make smaller functions and make them each do One Thing Only. It helped in this latest bugfix, as the bug traced back to a function that inappropriately did TWO things. In the process of validating the form before saving it, a function was actually saving the option to the database as soon as it validated — but this was in turn causing the WordPress API to start the validation over again, which saved the setting, which restarted the validation, which saved the setting…. and so on. Once I cleanly separated the act of determining default options from saving default options, the problem was quickly resolved.

The main cause of this is that this plugin has become my main testing ground for the Strider Core framework I’m designing — and in the course of abstracting out some of the repetitive code that goes in all my plugins, some oddities crept in.

© Stephen Rider 2015

This article was originally published at Nerdaphernalia. Planet WordPress is authorized to reproduce WordPress-related entries. If you're reading this at any other web site, the site owner is stealing copyrighted work. Please visit the original page:

Permalink to Log Deprecated Calls v1.2

Feed enhanced by Better Feed from Ozh

Developer in a toy shop

I’m always excited when WordPress adds a new feature. The first thing I do is try to extend it in some way to do something even more awesome. It doesn’t even matter if I have a particular need for the feature. I’m like a kid in a toy shop, playing around with all the new stuff. I’ve always assumed other devs were the same way, but it has been made clear to me that’s not always the case.

The post Developer in a toy shop appeared first on Justin Tadlock.

WordPress.org is Testing International Theme and Plugin Directories


WordPress.org is making strides towards fully localizing the project’s official theme and plugin directories. Dion Hulse posted this morning that he has enabled localized theme directories for all Rosetta sites. For example, the Romanian themes directory is available at: ro.wordpress.org/themes/.

Theme filters, directory sub-navigation, info and download buttons, and other aspects of the details page are all translated. Description and titles are not yet translated, but Hulse says the plan is to add those in the near future.


Those who are interested in helping translate the interface for the localized theme directories are encouraged to visit the meta translation project page. The process for contributing is the same that is used with WordPress’ other Rosetta translations.

Localized plugin directories are being actively tested at /plugins/ and the sites are also available for contributions from translators. Check out ro.wordpress.org/plugins/ to see the Romanian plugin directory as an example.


As the localized theme and plugin directories are new, there are still a few missing pieces and likely a good number of bugs that will need to be resolved. You can help by reporting them on Hulse’s announcement on the make.wordperss.org/polyglots blog or by opening a ticket on meta.trac.

In Matt Mullenweg’s 2014 State of the Word address, he highlighted the importance of internationalization improvements for connecting and growing the global WordPress community. Localized directories for plugins and themes on WordPress.org are part of this larger effort and make the project’s website easier to navigate for non-English speaking users.

In the future, translation of WordPress’ development handbooks, the codex, and other documentation could also play a large part towards inspiring international developers to make more extensions, products for the marketplace, and contributions back to the project. Growing WordPress’ market share outside of English-speaking countries will be facilitated by having all basic WordPress resources available in other languages.

Elegant Design: A Case Study

In the past I’ve discussed elegant UI design on this blog, commenting especially how the best plugin design is to integrate the plugin’s function in a way that the end user would never realize that what they’re doing comes from a plugin at all.  There was a trend in the earlier days of WordPress that plugin developers would all dump their interface screen under the “Plugins” menu in the Admin area, because — duh — it’s a plugin.  No, I argued — that’s exactly wrong.  Does your plugin do something with comments?  Put it under Comments.  Does you plugin affect the appearance of the site?  There’s an Appearance menu for that.  Is it purely a Settings screen?  Great — use the Settings Menu.

Today this seems like pretty basic stuff, and most plugin authors seem to get the idea.  But today I came across a particularly striking contrast between Old plugin design and New, and I thought it was worth mentioning.  The plugins in question are PageMash, by Joel Starnes, (last updated six years ago), and Simple Page Ordering, by Jake Goldman and 10up.

Both of these plugins serve the exact same purpose: they allow you to order your site’s Pages via drag and drop.

First, let’s look at pageMash.

I’ll start with the most obvious element of this plugin: had I not just told you what it does, would you have guessed what a plugin called “pageMash” does from the name?  I wouldn’t have.  This illustrates a quandary in software design — the struggle between giving your product a distinct name, and giving it a name that identifies its purpose.  That could actually serve as an entire post — if not a book.

So let us, for the sake of discussion, assume that the plugin name was well chosen.  The author, however, overused the name throughout the interface.  After activating pageMash, there is a singular addition to the Admin menu: under “Pages”, there is a “pageMash” menu.  Even if that’s a great name for the plugin itself, it is a poor name for a menu item — something that is meant to help users find what they’re looking for.  How about “Page Order” instead?

We click on pageMash, and are taken to a page with the following title: pageMash – pageManagement.  Well, I suppose “page management” does a little better job of telling us what the page does, but even at that point the unorthodox capitalization and spacing looks clunky and unpolished.  It’s a perfect example of an interface designed by a coder, because that type of capitalization and mushing-words-together is commonplace in code.  It even has a name: camelCase.  Programmers commonly use it for variable names and such.  I assume most people reading this know this already, but I don’t assume all my readers are programmers; which really just leads to my next point: camelCase would be perfectly fine, I think, if we could assume that all of the users of the plugin are programmers.  One of my own plugins — Log Deprecated Calls — is really only useable by plugin and theme developers, and probably only used in development environments.  Although I didn’t do it, such geeky conventions would have been a safer bet because of the audience.  But pageMash is exactly the opposite — you can assume the many (or most) users of that plugin are going to be writers and editors.  Not the admin installing the thing, but the people using it day-to-day, are likely to be non-technical “content” people. So this breaks the rule I mentioned previously on multiple levels.  From the menu to the page headers, the interface of pageMash screams “add-on”.  There’s just no way this is a part of WordPress itself.

Now, I realize I’m being hard on the developer, and I don’t really mean to be.  The plugin’s function — especially for its day — is quite excellent.  You have a list of pages. You drag and drop them into the order you want, and click the “Update” button.  There’s a short paragraph at the top of the page explaining this, and at the bottom of the page is a “Show Further Info” link that expands a longer help text.  It’s pretty straightforward, and it works.  Before this plugin came along, the only means I had to order pages in WordPress was to type numbers into a little blank next to each page in the list.  It was clunky and extremely tacked-on.  PageMash fixed that.

Now lest fast-forward several years.  Just today I discovered 10up’s Simple Page Ordering plugin.  Any guess what they called the menu item?

Trick question.  There isn’t a menu item.  The interface is so cleanly and tightly integrated into WordPress that you’d never guess it was a plugin.  You simply go to the normal Pages admin page, and you can drag and drop the page order right there.  Need help?  It’s integrated into the existing Help tab and the top of the page.  There’s not even a Save button. Drag, drop, done.

I’m reminded of Steve Jobs — arguably one of the greatest UI designers in the history of computing.  He famously hated buttons.  When designing new devices the first iterations always had buttons, and he’d come swooping in and get rid of them.  Think of the iPhone: there’s Power and Home — that’s it.  And it works, because the device is designed so that you can just look at it and figure out how most of it works.  It’s instinctive.

Simple Page Ordering accomplishes this same elegance.  It’s so beautifully designed and coded that there’s literally no interface beyond simply doing the thing.  “Gee… I want to move this page down.”  Click. Done.

I can’t think of a better example of the design principles all programmers should aspire to.

© Stephen Rider 2015

This article was originally published at Nerdaphernalia. Planet WordPress is authorized to reproduce WordPress-related entries. If you're reading this at any other web site, the site owner is stealing copyrighted work. Please visit the original page:

Permalink to Elegant Design: A Case Study

Feed enhanced by Better Feed from Ozh

Log Deprecated Calls plugin 1.1.1

Hi again. Another bugfix update — this time for an error on new installs (didn’t affect people upgrading from an old version).

More to come. Still need to fix a bit of weirdness when saving prefs, but I wanted to get the install fix out ASAP, so here it is.

I hope to get this on the WordPress plugin repository fairly soon, but there’s some weird bit of politics I need to figure out first (which I may get into further on another post.) If it doesn’t end up in the repo, I do have preliminary work going on adding a self-rolled update mechanism that I hope will integrate seamlessly with the built-in WordPress system.

Go get it! …and enjoy.

© Stephen Rider 2015

This article was originally published at Nerdaphernalia. Planet WordPress is authorized to reproduce WordPress-related entries. If you're reading this at any other web site, the site owner is stealing copyrighted work. Please visit the original page:

Permalink to Log Deprecated Calls plugin 1.1.1

Feed enhanced by Better Feed from Ozh

cPanel’s Site Software Addon Disables WordPress Auto Updates

A little more than two months ago, Derek Munson, who goes by the username Drumology2001 published a thread in the WordPress.org support forums. While performing maintenance on several WordPress sites on his virtual private server, Munson discovered a number of them running outdated versions. Versions ranged from 3.9 to 4.1 with at least one site using WordPress 3.9.2.

I’m used to seeing the ‘nag’ at the top of the screen that lets me know there’s a newer version available. I am not seeing that on any of these sites which aren’t on the newest version (4.1.1). When I go to Dashboard > Updates and click ‘Check Again’ to force a manual check, it’s still acting as though everything is up to date when it’s clearly not.

Initially, Munson thought All in One WP Security and Firewall was blocking update notifications. Mbrsolution, the plugin’s main developer, confirmed that it doesn’t block update notifications. After completing a number of troubleshooting techniques suggested by volunteers on the WordPress support forum, Munson installed Wordfence Security, a WordPress security plugin.

One of Wordfence’s noteworthy features is its scanner. It compares clean WordPress core files to those on the server and notifies the user if it detects a difference. Results of the scan shows three files had been changed.


These files were only changed on WordPress sites that were installed using cPanel’s Site Software addon.

WordPress’ update.php file.
function get_core_updates( $options = array() ) { $options = array_merge( array( 'available' => true, 'dismissed' => false ), $options ); $dismissed = get_site_option( 'dismissed_update_core' );

cPanel’s update.php file.
function get_core_updates( $options = array() ) { # cPanel override: Disable all core updates to prevent conflict with cPAddons. return false; $options = array_merge( array( 'available' => true, 'dismissed' => false ), $options );

WordPress’ update-core.php file.
function core_upgrade_preamble() { global $wp_version, $required_php_version, $required_mysql_version; $updates = get_core_updates();

cPanel’s update-core.php file.
function core_upgrade_preamble() { # cPanel override: Do not display the current or the latest version, because we've disabled updates. return; global $wp_version, $required_php_version, $required_mysql_version; $updates = get_core_updates();

WordPress’ class-wp-upgrader.php file.
public function is_disabled() { // Background updates are disabled if you don't want file changes. if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) return true;

cPanel’s class-wp-upgrader.php file.
public function is_disabled() { return true; // Force this functionality to disabled because it is incompatible with cPAddons. // Background updates are disabled if you don't want file changes. if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) return true;

The code added by cPanel disables core WordPress updates, update notifications, and automatic background updates to point releases. Once Munson restored these files to their original version, automatic updates and notifications worked properly.

cPanel and cPAddons

Those who manage dedicated servers or virtual private servers with cPanel have the ability to use cPAddons. According to cPanel documentation, “Addons are applications that work with cPanel to perform functions for your users’ websites. Examples of these applications include bulletin boards, online shopping carts, and blogs.”

Open Dialogue With cPanel

George Stephanis, a WordPress core contributor and lead developer of Jetpack publicly called out cPanel’s actions as a bad practice.

A representative of cPanel saw the tweet and responded that they’d like to receive more information.

Stephanis engaged in a lengthy conversation with cPanel representatives explaining why it’s a bad idea to disable core updates. cPanel disables WordPress’ native update system because it could cause conflicts with cPanel’s Site Software version of WordPress.

We generally release the latest version of WordPress within 1 to 5 days of the latest WordPress update. At a minimum, server administrators are informed each night of all Site Software applications that need updated. It is up to users to configure their notifications within cPanel to receive such updates.

The way our cPAddons tool tracks software is not compatible with the way WordPress updates, hence why we disable the auto-updates so we can track it through cPAddons.

cPanel goes on to explain how updates are handled for software installed using its Site Software cPAddon.

  • Whenever WP releases a maintenance build that addresses security concerns, we react very quickly to get our software updated to be available to customers.
  • By default, we define that software managed/installed through cPAddons is automatically updated when a new update is available.
  • Based on the above information, if the server administrator leaves the defaults enabled, once WP introduces a maintenance release that corrects security concerns and we’ve tested and updated our source for it, customers will receive the release automatically.
  • If the server administrator decides to disable automatic software updates, the end-user and systems administrator will still receive notifications that their installation is out of date accompanied with steps on how to update their application.

By default, software installed by cPanel is configured to update automatically but some of Munson’s sites didn’t update. He also didn’t receive update notifications for those sites. cPanel believes there is something wrong with Munson’s server configuration and pledged to contact him to find out more information.

Based upon what Drumology2001 reported on the forum, it appears something is amiss on that server. We’d love to examine that server to determine why WordPress updates were not available to the user.

Based upon the fuzzy dates used on the forum and compared with our internal records, the 4.1.1 update was available to the Site Software system prior to the initial post. We’ll reach out to him to determine whether there is anything we can do there.

Receptive to Change

The good news is that cPanel is responsive and willing to make any necessary changes to improve the update process. Considering how many webhosting companies offer customers the ability to install WordPress with a one-click installer, it’s important that sites receive updates as soon as possible.

If you installed WordPress through cPanel’s one-click installer, check to make sure your site is running WordPress 4.2.2 which is the latest stable version.

The Benefits of a Good Conference Introduction

Many technical conferences have no speaker introductions or very poor introductions.  “Next up is, um *look at phone* Aaron who will be talking about, um *look at screen* The Next Big Thing”.  While this does serve the benefit of helping people make sure they are in the room they intend to be in, it doesn’t do anything to help the crowd get ready for the talk or help the speaker get ready to deliver a talk.  A good introduction on the other hand gives the speaker ethos.

Ethos is one of three components of persuasion that Aristotle identified in his treatise Rhetoric. Ethos serves as the ethical appeal.  It’s the standing a speaker has.  A good introduction explains not who a speaker is, but why they have the privilege of standing up there and presenting. When you introduce a speaker, you give them credibility. This allows them to immediately focus on logos and to a lesser degree pathos. These are Aristotle’s categories for logical and emotional appeals.

At WordCamp NYC 2014, I introduced Boone Gorges, the keynote speaker.  Let’s breakdown my introduction:

At WordCamp NYC 2010, John James Jacoby introduced our next speaker as a core committer to BuddyPress. Today, I get to introduce him as the lead developer of BuddyPress and our keynote speaker.

I am establishing him as someone with a history at the event and as someone with a prominent place in the community.

During the intervening four years, he has become a full time freelance developer, released dozens of free plugins to the WordPress community and has spent thousands of unpaid hours doing development work contributing to open source software projects.

Boone’s talk was going to focus on contributions to WordPress and the role that freelance developers have in the creation of WordPress. By mentioning his work as a full time freelancer and his contributions to the WordPress project, he can be seen right away as someone who knows about the topic. He has lived it.

He has accomplished all of this while also finishing 46th in 2014 National Crossword Tournament.

I knew that one thing Boone would mention was that he had been in the room this address was before, so I helped him establish this by mentioning his excellent placement in the National Crossword Tournament.

He secretly wishes that he has a masters degree in philosophy. He also grew up in Wisconsin, which is known more for its cheese and beer than the semi-pro football team that plays in Green Bay.

Boone isn’t just a developer, he is a person and someone who has studied philosophy. He also likes a bad football team 😀.

Please join me in welcoming our keynote speaker, Boone Gorges.

I create the expectation with the audience that we are beginning.  That I am leaving so they should cheer.

If you are planning a conference, you should spend some time thinking about the introductions.  If you don’t know the speaker well enough, perhaps you can ask them to write a first draft.  If you don’t know why the speaker is going to be getting up there, perhaps you should ask yourself why they are speaking at your event.

The most awesomesauce WordPress theme business

I know what you’re thinking. OMG, not another long, boring list of “influential” people made by a theme author, wagging it while patting some buddies on the back.

I’m not going to do that. Those lists are not unique, having little more to offer that the guy who wrote the same post last week.

Really. I wouldn’t try to deceive you.

This post is about theme businesses that are awesomesauce. And, I’m going to narrow it down to a list of one.

So, what is this single theme business that is more awesomesauce than all the other theme businesses?

Theme Hybrid

Screenshot of ThemeHybrid.com themes page

What makes Theme Hybrid such a badass theme business?

Because I said so. Boom!

Really, it’s because we have a vibrant community of users and developers, standards-based philosophy, focus on education, and cool shit. Theme Hybrid also happens to be one of the oldest- and longest-running theme businesses around. Also, there’s plugins and themes; both are 100% $free to download.

The post The most awesomesauce WordPress theme business appeared first on Justin Tadlock.

My First WordPress Meetup

Macbook, a pen and notebook, and a smartphone

I was so scared the first time I attended a WordPress meetup. After working on a project for nearly a month, I was stuck and had no idea where to turn. Many of us have been there, especially when we are starting out. I needed help if I wanted to go farther. My friend Cory Miller has quoted an african proverb about this: “If you want to go fast, go alone. If you want to go far, go together.”  I had gone fast, but I needed some help to go farther.

Before my first meetup I was an idler in the #wordpress IRC channel and didn’t feel like I belonged. I’d like to say that attending that day changed everything, but to be honest, nothing changed for a while. I went because I was stuck and I had a question.  At the end, during open Q&A, I asked a question that likely wasn’t very clear as it didn’t elicit many responses, but was told that I should post on the wp-hackers mailing list with it. I went home and did just that.

Attending that first meetup made it easier to attend the next month and the month after that.  Soon, attending the meetups become normal for me and I looked forward to seeing Devin, Michael, Kathleen, and the rest of the regulars.  I had found my way into a community.

Looking back on my journey with WordPress, I can’t help but be thankful that on that April day I decided to go far.

Test Drive For Plugins and Themes is Not Popular Enough

The pricing dilemma with WordPress themes and plugins is a critical problem, mostly due to the widespread race to the bottom. Unfortunately, people don’t understand the magnitude of a problem until they are personally involved and affected by the consequences.

Discussing Business With Developers

Business owners and Developers working together

Business owners and Developers working together

That’s on of the reasons why I often have a hard time discussing business with developers working on a payroll for large companies. Part of them are not interested, nor involved with the actual business processes, or don’t really care where do money come from. After all, that’s why CEOs, sales reps, marketing folks and everyone else are hired, right? Sadly, that’s not a cost that freelancers and small agencies (up to 5 folks) can usually afford, which is practically the majority of our community.

There are exceptions of course, but that scenario is applicable in any problem of the industry, with the majority of the folks who don’t spend their spare time brainstorming about global problems around them.

There’s nothing wrong with those who have no experience in the complete business cycle of building and growing a business, selling products and services and everything else that building a profitable business requires. But I don’t appreciate it when folks are strongly opinionated on processes and demand changes that affect the vast majority of the users of a platform or a service.

There are plenty of use cases regarding companies implementing changes that users didn’t ask for, or need. Syed shared his personal experience in his latest talk “Perfection is a Curse” when he spent months on features that drastically reduced his visits and increased the bounce rate. Foursquare ignored their users when they split their app into a listing engine and Swarm, a simple and fairly useless check-in app. Now they’re resurrecting the badges and mayorships since they lost a large number of users and key employees as well.

In fact Chris nailed it with a simple tweet last week:

Onboarding Process For Customers

Most theme and plugin shops employ a simple revenue strategy – selling copies of their products, either one-off, with an annual subscription or regular support fees. It’s a good deal, but there’s one major problem: how to convince your customers that your product is worth using?

Selling products is a fair deal when your users know that it will work for them.
Click To Tweet

That’s where SaaS businesses jump right in – introducing a freemium model with a limited free service, or a free trial for their usage. The key thing here is the control.

It’s easy to restrict users from accessing your self-hosted product. They don’t have physical access to your servers, and can’t alter your code either. As an owner to a SaaS solution, you can always kick users out if needed, deactivate their accounts, update their platform and so on. It’s easy like that, even if someone gets unauthorized access to your product for some reason.

What most plugin and theme authors forget is that users are not necessarily convinced that a given product is a good fit for their business.

My team is generally independent when it comes to off-the-shelf themes or plugins. The majority of our work is custom WordPress development, and it includes building platforms from scratch and creating custom themes when needed. We are able to design a clear flow tailored to our customers’ needs, and don’t spend a lot of time looking for existing solutions to use (other than a limited list of trusted libraries or plugins that we integrate almost everywhere).

But occasionally I build sites for friends. And when I do that myself, I discuss the process with them and let them know that we’ll use an existing theme if that’s a free work, and will follow a simple and straight-forward process for bootstrapping their business – and once they grow and become profitable, we can discuss a custom solution that boosts their business accordingly.

And last time I did my due diligence on premium themes, membership plugins and other available solutions, I got stuck with making them work as I expected.

Some themes listed the homepage as a static front-page template. Others had theme options. One of the themes listed the latest posts in a category.

Some had header images or sliders  as a custom post type, others had theme options for that and a subset of those listed featured images from posts. The flow with some of those themes was incompatible with my business case, and I could not use them in that scenario – even if the demo looks great.

WordPress Theme Demos and Dummy Data

My friend Justin shared his concerns while looking for a premium theme for one of his projects:

I felt the same way during my research and I completely agree that it’s a major problem in most theme markets.

In fact, even though I use a WooThemes theme on my blog here and we have integrated some of their themes for our clients, I spent 2 hours with one of their themes trying to make the header work. This was the first thing on my list and I was completely unable to make it work properly and look like the demo without writing additional 60-80 lines of custom CSS.

They also had a TimThumb option in their Theme Options panel which was frightening and their featured header layover was displaying under my header image.

I have a developer account with them and I was able to try several themes before giving up, but the end result was: I couldn’t set a single header image with some text in the center, no matter what I did, despite of the theme demo they presented.

And even if I was able to do that, I had no clue how will the theme accommodate my copy. And whether I can fine tune it in a way that makes sense for my friends’ business.

I often find it easier to add a div with three columns for services instead of using some of their shortcodes, templates, blocks or whatever.

The Music Theme Nightmare


I had another client who was in love with the demo of a ThemeForest theme. We all know what’s the average code quality there and I wasn’t thrilled, but it was a good client of mine with a noble cause that I was willing to support, so I went with it. One of our junior developers spent 12 hours trying to make it work as per the demo – even with their demo data importer. I went on spending 5 extra hours fixing critical code issues and applying fairly minor changes.

The header had approximately 1200 lines of custom PHP code on top of it, most of that was not used in the majority of the templates.

They had 6 different sliders, all of them included by default, regardless of the fact that a single slider could be activated at a time. The landing page called close to 8,000 lines of code in order to generate a few blocks, and the available HTML markup consisted of 500-600 lines of HTML code. Adding a single div or paragraph somewhere required editing some core theme functionality, in some of their includes.

I also did a case study in our office on Avada – one of the top three selling themes on ThemeForest ever – discussing at least 20 different problems with terrible code in the majority of the templates. But regardless of my opinion, the theme was sold 132,000 times as I’m writing this article, and clients are often thrilled with the end results.

Large Premium WordPress Plugins

After my talk at WordCamp Belgrade last month I had several discussions with local power users and developers. One of them shared his concerns about the membership industry, and the available membership plugins in particular. The key comment though was:

How would I know whether this will work for my site if I don’t try it out first?

Some of these plugins cost hundreds of dollars. Which is fine if that’s what you need, and you’re certain that it would do the work.

But paying thousands of dollars for all of the available membership plugins in order to identify the right fit for your project is just wasting money. It’s hardly a reasonable investment. Not to mention the trial and error phase of trying to make each of them work for your case, and failing after a few days.

That’s not the only group of plugins that require that due diligence. What about form builders? Gallery plugins? There are plenty of solutions out there that would theoretically work, but would they work for your case?

Test Drive Is Not Too Popular

What really freaks me out is when users download themes from torrents and other warez websites. Most of those pirated versions are actually injected with plenty of vulnerable scripts that would bring down their website or server, or even steal sensitive data.

It’s simply a no-no.

Sandbox for Toolset

Sandbox for Toolset


But what’s their alternative? Buying a hundred themes and trying to make at least one of them work on their website?

Admin screenshots provided on ThemeForest and other theme shops are not necessarily helpful. The lack or availability of an option doesn’t mean that it would work properly.

Some potential problems here are:

  • How would the media be interpret if the ratio is different than the recommended?
  • What would happen with some custom copy on specific resolutions?
  • What happens if I swap two blocks of data on the landing page?

However, giving away free themes hoping that customers would pay for them is risky. Pippin did that with Affiliate WP and it was a good move, but the target audience there was a bit different. Most licensing extensions and other API key trackers could be disabled with a line of two of code, since we’re open source.

One of my favorite CMS related websites is OpenSource CMS. They provide demo websites for their visitors where users can play with the admin, enter some copy, try the core features and see how it works. This is a great way to provide access to your code base without giving away the code.

We have implemented that approach for two of the themes that we were selling 5 years ago, and customers were thrilled. Some plugin vendors also provide demo sites for their users – a sandbox.

While this is not a 100% complete solution that guarantees that a plugin or a theme will play well with the rest of your environment, it’s a great way to showcase your work and give a limited trial to your users without asking for initial investment that may not be a good fit for them. It’s way better than “30-day money back guarantee” or anything else on the market.

So my advice to all theme and plugin authors is: set up a demo server with your theme or plugin and let your prospects play with it. Wipe out the data on a daily basis, or add some limitations so that your demo doesn’t get hacked. But let them spend some time with your product, decide whether it’s a good fit and become happy customers paying for a product that they need, and will solve their problems.

The post Test Drive For Plugins and Themes is Not Popular Enough appeared first on Mario Peshev on WordPress Development.

Update to “Log Deprecated Calls” plugin

I’ve released an update to my Log Deprecated Calls plugin for WordPress. This is the original plugin for plugin and theme developers to help you identify outdated functions you might be calling from WordPress.

Version 1.1 is out now. Note this is not (yet) in the WP repository, so it’s a manual upgrade. Fixed a couple bugs, including one that actually stopped the plugin from working somewhere between its last update and now — so if you use this, it’s an important update.

Go get it! And enjoy.

© Stephen Rider 2015

This article was originally published at Nerdaphernalia. Planet WordPress is authorized to reproduce WordPress-related entries. If you're reading this at any other web site, the site owner is stealing copyrighted work. Please visit the original page:

Permalink to Update to “Log Deprecated Calls” plugin

Feed enhanced by Better Feed from Ozh

Genericons Example File is Unsafe

If you use Genericons in your plugin, please exclude the example.html (which is no longer included in the Genericons package itself).

The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.

See the full release notes: https://wordpress.org/news/2015/05/wordpress-4-2-2/

Customizer: How to save image (media) data

A couple of weeks ago, the WordPress.org Theme Review Team (TRT) announced that we’d be requiring theme options to go through the customizer rather than custom settings screens. I wrote the post explaining the details of our settings guideline change.

In that post, I volunteered my coding services for building custom controls for anyone who asked. Unfortunately, not many took me up on that offer. However, Kadence Themes stepped up with a few requests.

Example Customizer Image Control

Specifically, one item they asked for was a “media field that holds an array so width, height and attachment id are stored.”

Technically, that’s not a customizer control. That deals with customizer settings. However, I thought it was an awesome idea because WordPress would normally only store the media URL. There are times when you need more information.

In this tutorial, I’m just focusing on saving image data, but you can extend it to work with other media types as well.


At this point, I’ll assume you’re a theme developer who has worked with the Customizer API and understand how controls and settings work.

You need to know where and how to integrate customizer code into your theme. That’s a whole other tutorial that’s been covered ad nauseum around the Web. This is a high-level theme customizer tutorial, so I’m mostly just sharing code rather than explaining the details.

Creating a custom setting class

There’s very little that has been written on extending the WP_Customize_Setting class. This is actually my first time doing it, so it’s possible I get things wrong. You can learn from my mistakes if I do.

Here’s the class we’ll need for saving image data:

 * Custom class for saving media data in an array. Only supports the 'theme_mod' type.
 * @author     Justin Tadlock <justin@justintadlock.com>
 * @copyright  Copyright (c) 2015, Justin Tadlock
 * @link       http://themehybrid.com/hybrid-core
 * @license    http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
class JT_Customize_Setting_Image_Data extends WP_Customize_Setting {

     * Overwrites the `update()` method so we can save some extra data.
    protected function update( $value ) {

        if ( $value ) {

            $post_id = attachment_url_to_postid( $value );

            if ( $post_id ) {

                $image = wp_get_attachment_image_src( $post_id );

                if ( $image ) {

                    /* Set up a custom array of data to save. */
                    $data = array(
                        'url'    => esc_url_raw( $image[0] ),
                        'width'  => absint( $image[1] ),
                        'height' => absint( $image[2] ),
                        'id'     => absint( $post_id )

                    set_theme_mod( "{$this->id_data[ 'base' ]}_data", $data );

        /* No media? Remove the data mod. */
        if ( empty( $value ) || empty( $post_id ) || empty( $image ) )
            remove_theme_mod( "{$this->id_data[ 'base' ]}_data" );

        /* Let's send this back up and let the parent class do its thing. */
        return parent::update( $value );

This is very basic and only makes use of the theme_mod type of setting. You can build upon that if you wish.

Adding the setting and control

This step works like setting up any other customizer settings and controls. For this, I’m just sticking a core WP image control in the title_tagline section and tying it to our setting.

The important bit is adding the setting. Note how I reference JT_Customize_Setting_Image_Data so that we can utilize our custom setting class.


add_action( 'customize_register', 'jt_customize_register' );

function jt_customize_register( $wp_customize ) {

        new JT_Customize_Setting_Image_Data(
            array( 'default' => get_theme_mod( 'example_image', '' ) )

        new WP_Customize_Image_Control(
                'label'       => esc_html__( 'Example Image', 'example-textdomain' ),
                'section'     => 'title_tagline',
                'settings'    => 'example_image'

Getting the theme settings

OK, so we’ve got the customizer part set up, but we still need to be able to get the data. You’ll notice that I added the example_image setting above. That will have the image URL. However, you can also access the data via the example_image_data setting.

Here’s some examples:

// String: Image URL
$url = get_theme_mod( 'example_image' );

// array( 'url' => $url, 'width' => $width, 'height' => $height, 'id' => $attachment_id )
$data = get_theme_mod( 'example_image_data' );


After studying how this was handled in core (check header image customizer stuff), I noticed that there are many methods to actually doing this. I was mostly looking for an easy, reusable route to getting image/media data. I also thought it’d be a good time to experiment with a custom setting class. I’d certainly be happy to look at alternative solutions.

Update: For example, you could certainly hook into customize_save_{$setting_id} and handle this on a per-setting basis.

Also, my offer of helping out with customizer controls still stands for folks who want to take me up on that.

The post Customizer: How to save image (media) data appeared first on Justin Tadlock.

I’m speaking at WordCamp Europe 2015

Avatars of the eight WordCamp Europe Speakers Announced today
Along with Tenko Nikolov, Silvan Hagen, Wouter Groenewold , Juliette Reinders Folmer, Eric Mann , Daniel Pataki , Bryce Adams who all were announced today as speakers at WordCamp Europe 2015

We have another group of speakers to introduce you to today. They come from across the WordPress community and around the world. We hope you’re as excited as we are about seeing them in Seville in just a few months!

Source: Welcome to another group of WordCamp Europe speakers | WordCamp Europe 2015

I’m excited to be heading to Seville this June to present at WordCamp Europe.  This is going to be my first time presenting to the European WordPress community.  I’m hoping to meet a number of people I’ve never met and also to hear about all the exciting things other people are working on.

Reporting Plugin Issues

Note: I’ll be using Hello Dolly as my example ‘bad’ plugin for this post. It’s fine and not (to my knowledge) vulnerable.

There are a few reasons people report plugins but the main two are as follows:

  • Guideline violations
  • Security vulnerabilities

If you report a plugin, you can make everyone’s life easier if you do the following:

Verify that it’s still applicable

Before you do anything, check if the exploit is on the latest version of the code or not. If it’s not, we may not do anything about it, depending on how popular the plugin is.

Use a good subject line

“Plugin Vulnerability” is actually not good at all. “Plugin Vulnerability in Hello Dolly – 0 Day” is great.

Send it in plain text

SupportPress is a simple creature. It doesn’t like your fancy fonts and inline images. Attachments are fine, but we cannot read your ‘Replies in-line in red’ so just keep it simple.

Link to the plugin


Yes, it’s that easy. Put the URL on it’s own line, no punctuation around it, for maximum compatibility. With over 35k plugins, and a lot with similar names, don’t assume, link.

If the plugin is not hosted on WordPress.org, I’m sorry, but there’s nothing we can do, so please don’t bother reporting it to us. We have no power there.

Explain the problem succinctly

Keep it simple.

“Hello Dolly has an XSS vulnerability” or “The Author of Hello Dolly is calling people names in the forums” or “Hello Dolly puts a link back to casino sites in your footer.”

Think of your intro like a tweet. Boil it down to the absolutely basic ‘this is what’s wrong.’

Keep the details clear

If someone’s acting up in the forums, link to the forum threads.

If you know that on line 53, the plugin has a vulnerability (or a link back to that casino site), then you can actually link right to that line: https://plugins.trac.wordpress.org/browser/hello-dolly/tags/1.6/hello.php#L53

We love that. If you don’t have that line, it’s okay. Tell us exactly what you see. “When I activate the plugin using theme X, I see a link to a casino site by my ‘powered by WordPress’ link.” Perfect. Now we know where to look when we test.

Show us how to exploit it

Don’t ask us ‘Can I send you an exploit?’ Just send us all the information. If the exploit’s already up online, like on Secunia, link us to it.

If you know exactly how to exploit it, tell us with a walk through. If the walkthrough involves a lot of weird code, you may want to consider using a PDF.

We’re going to take that information and, often, pass it on directly to the developers.

Tell us if you want them to have your contact info

We default to not passing it on, out of privacy, so “If the developer needs more help, I can be reached at…” is nice. Even “You can give the developer my information so they can credit me…”

We’re probably not going to follow up with you

We love the report, we review them, but we’re not going to loop you back in and tell you everything that’s going on for one very simple reason. We don’t have the time. If you told us to give the dev your contact info, then we did, but we don’t have any way to promise they will, and we don’t have the time to play middle management.

Emailing us over and over asking for status gets your emails deleted. It’s not personal, it’s seriously a time issue. We’re nothing more than gatekeepers, we are not a security company and we’re not equipped for keeping everyone up to date. We don’t have an administrative assistant to handle that. We work with the developer to fix the issue and we work with the .org team to see if we need to force update the plugin, and that takes a lot of time.

We don’t do bounties

This is a little interesting but basically we’re not going to pay you. A lot of people ask for ‘credit’ so they can ‘earn’ a bounty, and that’s cool, but we’re not going to report that for you. We don’t have the time, again. Generally if you say you want a bounty, we give your info to the plugin dev, though, so they do know you’re interested.

How do you report?

You can report plugins by emailing plugins@wordpress.org

That’s it :) Thanks!

What’s new with the Customizer

Been a while since I wrote something. Let’s talk about some of the new stuff available in the Customizer.

Forget about some of part two

First, back in part two, I had a bit about Surfacing the Customizer. That bit is outdated now, WordPress does this for you in later versions. So, yeah, skip that.

Shiny new thing: Panels

Okay, so Panels aren’t that new. They were added in WordPress 4.0. Basically, they’re sliding containers for sections. Having trouble fitting all your settings on the screen? Group the various sections up into Panels. Panels show up as an item in the main list, and when you click the arrow next to them, the whole list glides off screen to show only those sections.

So, now we have four things: Panels, Sections, Controls, and Settings.

  • Panels group Sections together
  • Sections contain Controls
  • Controls are what the user changes
  • Settings define what the Controls change

Creating a panel is easy:

$wp_customize->add_panel( 'some_panel', array(
	'title' => 'Panel 1',
	'description' => 'This is a description of this panel',
	'priority' => 10,
) );

Adding a section to that panel is just as easy:

$wp_customize->add_section( 'themedemo_panel_settings', array(
	'title' => 'More Stuff',
	'priority' => 10,
	'panel'	=> 'some_panel',
) );

All that’s new is a panel setting to tell the section to go into that panel. Simple.

Active Callbacks

One of the problems with the Customizer was that it displayed settings and showed them changing on the site to your right, but the site being displayed is the actual site. Meaning that you can navigate on it. Sometimes, the controls being shown don’t necessarily apply to the actual site that you’re seeing.

Example: If you have a control to change the color of something in the sidebar, but then are looking at a page which has no sidebar, then you have no visual feedback to tell you what the change looks like.

To fix this, “active callbacks” are used.

The active_callback is simply a new parameter that you can pass into Panels, Sections, or Controls. It can contain the name of a function, and that function will be called when the page changes. The function should return true or false (or equivalent) to indicate whether or not the element of the customizer should be shown for that page.

So, if you have a whole Panel that only make sense when the user is looking at Front Page of the site (and not an individual post), then you can do this:

$wp_customize->add_panel( 'front_page_panel', array(
	'title' => 'Front Page Stuff',
	'description' => 'Stuff that you can change about the Front Page',
	'priority' => 10,
	'active_callback' => 'is_front_page',
) );

And voila, when the user is not looking at the front page, the panel simply disappears.

You can use any of the normal WordPress Template Tags for this, or write your own function if you want to be more specific about it.

If you do need to write your own callback function, note that the function receives the object in question when it’s called. So, if you attach an active_callback to a Panel, your function will get a argument of the WP_Customize_Panel object in question passed to it. Sections get WP_Customize_Section and such. You can use the information in these to decide whether the panel (or whatever) should be shown for that page.

So, how do we use that object? Well, you can use this to make whether certain controls show or not dependent on the values of other settings. All the various items you can use this on have a link back to the main WP_Customize_Manager. That class has a get_setting function, which you can use to determine what to do.

So, let’s make a control that causes other controls to appear, dependent on a setting.

First, let’s make a simple radio selection control:

$wp_customize->add_setting( 'demo_radio_control', array(
	'default'        => 'a',
) );

$wp_customize->add_control( 'demo_radio_control', array(
    'label'      => 'radio_control',
    'section'    => 'themedemo_panel_settings',
    'settings'   => 'demo_radio_control',
    'type'       => 'radio',
    'choices'    => array(
	'a' => 'Choice A',
	'b' => 'Choice B',
) );

Now, we need to make two other controls, one for each choice. You can actually make as many as you like, we’ll keep it simple.

First, the control for choice A. Let’s make it a simple text control.

$wp_customize->add_setting( 'choice_a_text', array(
	'default' => '',
) );

$wp_customize->add_control( 'choice_a_text', array(
    'label'      => 'Choice A: ',
    'section'    => 'themedemo_panel_settings',
    'type'       => 'text',
    'active_callback' => 'choice_a_callback',
) );

We’ll need that callback function to detect if choice A is selected in the radio control, and return true if it is, and false otherwise. Like so:

function choice_a_callback( $control ) {
	if ( $control->manager->get_setting('demo_radio_control')->value() == 'a' ) {
		return true;
	} else {
		return false;

You can simplify that if you like, I spelled it out with an if statement so as to be clear as to what is happening.


Now for choice B, let’s make it display a color control instead:

$wp_customize->add_setting( 'choice_b_color', array(
	'default' => '#123456',
) );

$wp_customize->add_control( new WP_Customize_Color_Control( $wp_customize, 'choice_b_color', array(
	'label'   => 'Choice B',
	'section' => 'themedemo_panel_settings',
	'settings'   => 'choice_b_color',
	'active_callback' => 'choice_b_callback',
) ) );

And its callback:

function choice_b_callback( $control ) {
	if ( $control->manager->get_setting('demo_radio_control')->value() == 'b' ) {
		return true;
	} else {
		return false;

Now, note that the callbacks are very similar. Seems like repeated code, doesn’t it? Well, it is, but remember that the $control here is the whole WP_Customize_Control object. We can use the same callback and simply check which control is calling it here instead.

function choice_callback( $control ) {
	$radio_setting = $control->manager->get_setting('demo_radio_control')->value();
	$control_id = $control->id;
	if ( $control_id == 'choice_a_text'  && $radio_setting == 'a' ) return true;
	if ( $control_id == 'choice_b_color' && $radio_setting == 'b' ) return true;
	return false;

So, instead of using two different callbacks, we just point our controls to this callback, which figures out what should show up for which setting. I’m sure you can simplify this further, depending on your particular needs.

One more thing: Customizing the Customizer

Not everybody likes the style of the Customizer. Maybe it clashes with your theme. Maybe you just want to tweak it a bit. Maybe you dislike that gray background color, and a more soothing blue would go better for your theme.

add_action( 'customize_controls_enqueue_scripts', 'themedemo_customizer_style');
function themedemo_customizer_style() {
	wp_add_inline_style( 'customize-controls', '.wp-full-overlay-sidebar { background: #abcdef }');

Or maybe you don’t think the Customizer area is wide enough… be careful with this one though, consider mobile users as well.

add_action( 'customize_controls_enqueue_scripts', 'themedemo_customizer_style');
function themedemo_customizer_style() {
	wp_add_inline_style( 'customize-controls', '.wp-full-overlay-sidebar { width: 400px } .wp-full-overlay.expanded { margin-left: 400px } ');

You can enqueue whole extra CSS files instead, if you like. Or, if you have special needs for javascript in some of your controls, and there’s libraries necessary to implement them, then you can enqueue those libraries here as well.