Gutenberg users are requesting an easy way to add a nofollow attribute to links in the block editor. Users can currently toggle a setting to designate a link to open in a new tab, but a similarly user-friendly option for adding a nofollow attribute is not yet available.
Requests have come in across multiple issues on GitHub, as well as in the WordPress Gutenberg Editor group on Facebook. For example, one blogger asked for advice today after not finding any Gutenberg-compatible nofollow plugins:
Has anyone found an easy way to add a nofollow attribute to links using Gutenberg other than editing the HTML for every single link?
I used to have a checkbox for nofollow plugin but it seems that none of the plugins I’ve found are compatible with Gutenberg.
As a blogger, I need to add nofollows often to remain compliant with FTC requirements for sponsored/affiliate links.
Others requesting the feature in issues filed on the Gutenberg repository are looking for an easier way to make their links compliant with Google and other major search engines’ requests that marketers add nofollow to links that are part of an endorsement or commercial relationship.
“On behalf of the hundreds of thousands, if not millions, of people who make money with their website with affiliate programs and sponsored content: please, make it easy for us to add the nofollow rel attribute to a link,” Renee Dobbs requested in her first ever issue opened on Github.
“I honestly don’t know why it isn’t a part of WordPress core. Every WordPress commercial I see lately is about having your business on WordPress, yet WP is making it difficult for business owners to be compliant with Google’s guidelines on paid/affiliate links. We shouldn’t have to add yet another plugin to handle something so basic and widely used. Just have a checkbox or similar (like open to new window) to add the nofollow rel attribute for a link.”
Gutenberg contributors have worked on a couple different solutions for getting this feature added to the editor. Alexander Botteram, a developer at Yoast, opened a PR that adds a new “nofollow” toggle setting to the core link modal. Gutenberg phase 2 lead Riad Benguella recommended this as a first step towards making links more extensible.
The PR is still undergoing review but it looks like a promising solution with the UI that users are requesting.
Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let’s discuss your ideas.
The Joomla World Conference in London, planned for November 2019, has been cancelled. Joomla’s Board of Directors announced the cancellation at the end of July, citing the updated October 31, 2019, Brexit deadline as the primary reason:
Last week the new UK Prime Minister, Boris Johnson has been elected with a mandate to ensure Brexit happens on 31st October, even if that means without any form of deal with the EU.
Sadly, for an international conference planned for the weeks after Brexit, there is considerable doubt and uncertainty around travel requirements to the UK and what (if any) visas may be required. This coupled with the huge workload already on the limited resources of the community with Joomla 4 at an advanced development stage, the Board has very reluctantly taken the decision to postpone JWC2019 to some date yet to be announced.
The directors did not want to risk international attendees purchasing travel not being able to attend. They are issuing refunds for tickets already purchased.
WordCamp London, which has traditionally been held in early April or late March, is also not exempt from Brexit-related planning challenges. The lingering uncertainty bleeds into other aspects of planning, such as recruiting sponsors and speakers.
“The uncertainty that Brexit brings when trying to organize an international conference adds huge pressures to the organizing team, creates many additional logistical problems for sponsors, and creates uncertainty for volunteers and attendees,” WordCamp London organizer Dan Maby said. He and co-lead Barbara Saul are currently in the early stages of planning the 2020 event. They faced similar issues this year with the original Brexit date set for March 29, 2019.
“The WordCamp was planned just one week after this date,” Maby said. “As an organizing team we faced unanswerable questions from the outset. We planned to develop a dedicated team within the organizers to support questions, but we soon realized this wasn’t possible because even at governmental level the answers to questions we had were not answered.”
Since WordCamps are designed to be focused on the local communities where they are produced, Maby and his team adopted a mindset that they would send a message by keeping the 2019 camp running as planned: “Let’s do our small part in demonstrating that the UK is open for international business.” The event ended up selling out of both tickets and sponsor packages. Although WordCamp London historically attracts an international audience, the marketing team for the 2019 event focused heavily on the local community.
Maby said it saddened him to read that Joomla World Conference 2019 has been postponed due to Brexit and that he empathizes with their team.
“We’re in early discussions regarding WordCamp London 2020 and considering delivering the event later in the year,” he said. “Part of the reason is to allow the unknown of Brexit to start to settle.”
With a lack of definitive information about who will need visas and how Brexit will affect international travelers, Maybe said his team is still mostly in dark. The biggest complication is not knowing if sponsors or attendees will be able to legally enter the country. This makes planning a budget and selling sponsorship packages and tickets more tricky. WordCamp London co-leads have yet to put the application in but are eying September 2020 for the next event.
“We are investigating September as a potential alternative,” Maby said. “We’ll be 11 months post-Brexit (if it happens in October) so we will hopefully have a better idea of what to communicate to attendees, volunteers, and sponsors traveling into the UK. It also sits well between the European and US regional WordCamps.”
Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let’s discuss your ideas.
WP Tavern is hiring full-time writers. We are looking for reporters with the ability to write WordPress news every day, covering a wide range of topics, including (but not limited to) Gutenberg, core development, community, open source software, plugin and theme ecosystems, Tumblr, developer trends, and the open web.
The position requires the ability to discern the immediacy of stories that need to be told, attention to accuracy, and the ability to cultivate sources. Applicants must have a commitment to serve the public interest and remain impervious to a constant barrage of companies wanting to influence the press. A deep knowledge of the WordPress ecosystem is helpful for this position.
WP Tavern is, by reputation, WordPress’ newspaper of record. We are looking for writers who can approach this community with a critical and unbiased point of view, preserving the independent and provocative spirit of the Tavern. Interested applicants should use the contact form to get in touch, and be prepared to submit at least three writing samples for consideration.
For five days next week, from August 19-23, the inaugural event of The Great WP Virtual Summit will be taking place.
Conceived by South African based WordPress developer Anchen le Roux, the summit aims to bring together experts from various fields within the WordPress ecosystem to share their knowledge over the five days
I reached out to Le Roux, to find out why she came up with the idea of the summit, and what her goals are for the event.
“Being an organiser of WordCamp Johannesburg for the last few years, I’ve been very aware of how only a small number of people are actually able to attend an event like WordCamp.
Obviously there are a lot of reasons, but for the most part travelling, accommodation, and other logistical items seemed to be the biggest hindrance.”
Being based at the tip of Africa, Le Roux also realized that many other African countries don’t even have a WordCamp, and started wondering what she could do to bring WordCamp to them. The idea for the summit was born.
“I’m hoping an online summit can introduce aspects of WordPress, and being part of the WordPress community, to those living in areas where it’s not easily accessible. It’s also my hope that this will plant a seed with folks, to start their own local communities around WordPress, and ultimately lead to more local WordCamps.”
Anchen is hoping to recreate some of the atmosphere and energy that takes place at a local WordCamp, at this online event.
“I know nothing can substitute for the in-person experience of a WordCamp but I’m trusting that some bits of what makes WordCamps awesome can be recreated in what we do. I’m hoping for this to be the first of many. This first one is very much an experiment but I’m anticipating for it to grow into something that more people can be involved in.“
I asked Le Roux what she hopes attendees will take away from the event.
“Firstly, the goal is to allow folks to learn from top authorities in the WordPress realm on a variety of topics. We have four different tracks catering to all types of WordPress users. Topics range from branding and design, development, and running your business with WordPress, to running a WordPress agency or being a WP freelancer.
Above and beyond that, I’m hoping that folks who are new to the community, or are operating on the fringes of our community, are encouraged to become a bigger part of the WordPress community, by giving them the opportunity to chat with other community members, ask questions and/or share ideas.
We have 20+ experts over 5 days, who will teach you strategies you can use to both improve and scale your WordPress business, no matter which stage you’re at, or what type of user you are.”
Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let’s discuss your ideas.
Automattic has acquiredZero BS CRM, a free plugin with more than 30 commercial extensions that provide deeper integrations with third-party services. Zero BS was co-founded by a two-person team that includes Mike Stott and Woody Hayday. The team marketed the plugin as a “no-nonsense CRM” and have been operating it with a successful subscription-based model for bundles of extensions.
With just 1,000 active installs on WordPress.org, Zero BS was not previously a very well-known plugin but it caught Automattic’s attention based on the strength of the product.
“Automattic reached out to us after being a happy customer,” Stott said. Former Automattic executive John Maeda had used Zero BS CRM and recommended it to the company. Stott said the main appeal for the acquisition was “strong advocacy of the product.”
It started with a support ticket Zero BS CRM received from a user, asking about Mail Campaigns and how best to set up sequences for customers.
“What we didn’t realize was this user was linked to Automattic, and was becoming a strong advocate for our product within the company,” Stott said. “What followed was a series of conversations with leaders from different parts of Automattic.”
Talks regarding the deal began in February and carried on at WordCamp Europe 2019 in Berlin.
Jetpack CRM is a Strong Consideration for Rebranding
Zero BS CRM will be rebranded as the team comes under the Automattic umbrella. The original name was somewhat polarizing in that potential customers either loved it or hated it.
Although the product’s founders have built extensions that connect WooCommerce stores to a CRM, Stott said the acquisition was not driven by Zero BS’s potential use with WooCommerce specifically.
“Variants will fit in well to Woo, Jetpack, as well as serving the standalone market,” Stott said. “If our users outgrow us, we will want to help them find the next step (similar to the Basecamp model).”
Yahoo Finance is reporting that Automattic will be rebranding the product as “Jetpack CRM,” but Stott said that has not been confirmed yet. He said Jetpack CRM is “the favorite so far internally but still open to discussion.” This may be a strong indication of what Automattic intends to do with the product.
Stott said they are not looking to compete against the likes of Salesforce or Hubspot but rather are focused on providing the basic concepts of a CRM – “knowing who your customers are, getting leads, and helping businesses grow.”
The Entrepreneur bundle is Zero BS’s most popular pricing plan, which includes all of the extensions and priority support for $17 per month, billed yearly. It accounts for approximately 75% of the company’s ARR. Stott said they do not have plans to stop the subscription model and will continue with their current pricing.
“We had planned to increase the price with v3.0 because with the updates and mail campaigns we felt we weren’t charging enough for the product,” Stott said. “But we’ve also found a good price point and Automattic didn’t want to change what was already working price wise.”
Next on the roadmap the team plans one of their most requested features: smart inbox linked to CRM data. They are aiming to release version 3.0 in September.
“I’m excited to reach more customers and just keep on building to help people and SMBs achieve the best they can,” Stott said.
Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let’s discuss your ideas.
Major accessibility improvements are the headline feature of this week’s Gutenberg plugin release. Version 6.3 introduces new Navigation and Editor modes to address long-standing problems navigating the block UI with a screen reader. The editor is now loaded in Navigation mode by default. Riad Benguella described it as “an important milestone in terms of accessibility of the editor” and explained how it works:
It allows you to move from block to block using a single Tab press. You can also use the arrow keys to navigate between blocks. Once you reach the block you want to edit, you can enter the Edit Mode by hitting the Enter key. The Escape key allows you to move back to the Navigation Mode.
These modes are still early in their development and will require more testing.
At WordCamp US 2018 in Nashville, Accessibility Team contributor Amanda Rush gave me a demonstration of what it is like to navigate Gutenberg with a screen reader. Using the editor was painfully difficult for even the simplest tasks, such as setting a title and writing paragraph content.
Since that time, the Gutenberg and Accessibility teams have made great strides towards improving this experience. The new interaction flow in the Navigation mode is one example of their progress. The teams have also worked together to tackle a collection of 84 issues that Tenon created on GitHub in May, based on the findings in WPCampus’ Gutenberg Accessibility Audit. To date, 54 of those issues, many of which were related to screen reader accessibility, have been resolved and marked as closed.
Other notable updates in Gutenberg 6.3 include support for text alignments in table block columns, border color support for the separator block, and improvements to the BlockPreview component, which allow developers to preview blocks in any context. Check out the release post for the full list of all the changes in 6.3.
Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let’s discuss your ideas.
After several months of discussion, WordPress.org’s Theme Review Team has decided to discontinue the Trusted Authors (TA) Program that launched in April 2018. The program, which was controversial from its inception, allowed certain authors to bypass the normal theme review queue after demonstrating an ability to submit themes with fewer than three issues. Trusted Author theme submissions went to their own dedicated queue that was handled by team leads.
The objective of the program was to streamline the review process and lessen the burden on reviewers. When it failed to deliver the intended results, the Theme Review team leads made a unilateral decision behind closed doors, implementing a change requiring TA participants to join the team and perform a minimum number of reviews in order to continue having their own themes fast tracked through the review process. This was loudly decried by other members of the Theme Review team who were blindsided by the decision.
“We are removing the Trusted Author Program,” team lead William Patton announced in the most recent meeting. “It has not fulfilled the intended plan and has caused more problems than it is solving.”
Fellow team lead Sandilya Kafle outlined the reasons in a post published today. The entrance requirements for the program did not ensure that participants were truly “trusted” authors, as many had to be removed for gaming the system. Reviewers also reported that there was a group of people releasing clones of themes every week.
“We got lots of help from the TA authors – for which we’d like to thank them,” Kafle said. “However, there was still gaming from some of the authors – which resulted in their removal from the TA program. One of the intentions of the TA program was to reduce the gaming by the use of multiple accounts. However, we still saw some authors having multiple accounts so this intention was not realized though the program existing.”
The TA program’s entrance requirements also did not ensure that participants were prepared to review themes at a high level, which resulted in inconsistent reviews.
“We strongly believed that TA members were highly familiar with the requirements but we found that was not the case for all of them,” Kafle said. “Additionally, some authors did not feel confident enough in their own understanding of all requirements to perform reviews and set themes live. Instead many TA reviews went to the admin queue after approval. This was an indicator that the quality of the themes by TA’s may not be as high as expected.”
Most of the Theme Review team members present in the meeting were generally agreed on shutting the TA program down. Alexandru Cosmin, the former team lead who introduced the program, was the only vocal outlier, whose acrid responses to scrapping the program reflect a long-standing frustration with the slow queue.
“Honest opinion, and I could bet on this: by the end of the year we’ll have 5-month queues and multi-accounters,” Cosmin said. “We’ll see how fair it will be when you have guys with 15 accounts and authors complaining in the main chat about how long the queue is.”
Today’s decision to discontinue the TA program restores the natural order to the queue, with all theme authors receiving the same treatment. Tying an incentive program to the review system was ineffective for taming the queue.
Long queues and gaming the system have proven to be continual struggles for the Theme Review Team, but the existence of these problems underscores the significance of the official themes directory for theme shops. Companies continue to use WordPress.org to gain users for their commercial versions, and the directory remains an important distribution channel for WordPress themes.
Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let’s discuss your ideas.
Automattic has acquired Tumblr, a long-time friendly rival company, for an undisclosed sum. Just six years after Yahoo acquired Tumblr for $1.1 billion, the company is said to have been acquired for “a nominal amount” from Verizon, who indirectly acquired Tumblr when it bought Yahoo in 2017.
Automattic CEO Matt Mullenweg declined to comment on the financial deals of the acquisition, but a source familiar to Axios puts the deal “well south of $20 million.”
Tumblr is Automattic’s biggest acquisition yet in terms of product users and employees gained. The microblogging and social networking website currently hosts 475.1 million blogs, for which Automattic will now assume operating costs. All 200 of Tumblr’s employees will be moving over to Automattic, bringing the company’s total employee count over 1,000.
Mullenweg took to the Post Status community Slack channel for an impromptu Q&A this afternoon where he discussed more of Automattic’s plans for Tumblr. He outlined a brief roadmap for Tumblr’s future that includes re-architecting its backend with WordPress:
Move infrastructure off Verizon
Support same APIs on both WP.com and Tumblr
Switch backend to be WP
Open source Tumblr.com client similar to Calypso
“WordPress is an open source web operating system that can power pretty much anything, including Tumblr.com, but it’s also a large property so will take a bit to figure out and migrate,” Mullenweg said.
Automattic doesn’t currently have plans to change the frontend Tumblr experience. Mullenweg said the Tumblr mobile app gets 20x more daily signups than the WordPress app. “It’s working amazingly well, despite being fairly constrained in what they can launch the past few years,” he said.
Tumblr changed its adult content policy in December 2018, banning pornographic content which reportedly accounted for 22.37 percent of incoming referral traffic from external sites in 2013 when it was acquired by Yahoo. Automattic has a similar content policy in place for WordPress.com and Mullenweg confirmed that the company does not plan to lift the ban on adult content.
“Adult content is not our forte either, and it creates a huge number of potential issues with app stores, payment providers, trust and safety… it’s a problem area best suited for companies fully dedicated to creating a great experience there,” Mullenweg said in response to questions on Hacker News. “I personally have very liberal views on these things, but supporting adult content as a business is very different.”
Automattic’s Tumblr Acquisition Opens Up New Possibilities for E-Commerce, Plugins, and Themes
Beyond this initial roadmap Mullenweg outlined, he also said he thinks “e-commerce on Tumblr is a great idea,” with simpler features developed first. In the past, Tumblr users who wanted to add e-commerce to their sites would need to use a service like Shopify or Ecwid and generate a Tumblr-compatible widget. Users would have to move to a self-hosted site on another platform in order to get more full-featured e-commerce capabilities. Automattic has the ability to build e-commerce into the platform using WooCommerce or any number of other existing solutions for simpler sales features.
An emerging Tumblr/WordPress plugin and theme ecosystem is also a possibility but may not affect the wider WordPress ecosystem as much unless Automattic opens up the Tumblr marketplace to third-party developers. Mullenweg said once Tumblr’s backend is on WordPress, the idea of plugins can be explored. Whether that is on a private network, like WordPress.com, or a new breed of self-hosted Tumblr sites, is yet to be seen.
Automattic’s apparent bargain basement deal on Tumblr is good news for the preservation of the open web, as the company is committed to supporting independent publishing. Migrating Tumblr’s infrastructure to WordPress also expands WordPress’ market share with a significantly younger user base. A study conducted by We Are Flint in 2018 found 43 percent of internet users between the ages of 18 to 24 years old used Tumblr.
Tumblr’s primary demographic thrives on community and its current feature set is built to support that. If Automattic can preserve Tumblr’s distinct community and convenient publishing, while invisibly re-architecting it to use WordPress, users could potentially enjoy seamless transitions across platforms to suit their publishing needs. This improves the likelihood that this generation of internet users will continue to own their own content instead of tossing it away on social media silos that feed on users’ most important thoughts, writings, and memories.
“I’m very excited about Tumblr’s next chapter and looking forward working with Matt Mullenweg and the entire team at Automattic,” Tumblr CEO Jeff D’Onofrio said. “I’m most excited for what this means for the entire Tumblr community. There is much more to do to make your experience a better one, and I’m super confident that we are in great hands with this news. Tumblr and WordPress share common founding principles. The plane has landed on a friendly runway. Now it is time to freshen up the jets.”
In the announcement on his Tumblr blog, Mullenweg said he sees “some good opportunities to standardize on the Open Source WordPress tech stack.” This migration will undoubtedly be a formidable technical challenge and Mullenweg promised to document the team’s work after it is complete. In the meantime, the Tumblr team has new functionality they plan to introduce after the acquisition is officially closed.
“When the possibility to join forces became concrete, it felt like a once-in-a-generation opportunity to have two beloved platforms work alongside each other to build a better, more open, more inclusive – and, frankly, more fun web,” Mullenweg said. “I knew we had to do it.”
Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let’s discuss your ideas.
WooCommerce 3.7 was released today after four months in development. This minor release is backwards compatible with previous versions. Despite containing more than 1,290 commits, 3.7 is smaller than previous releases, as the WooCommerce team is working towards delivering more frequent releases to improve the stability of the platform.
WooCommerce 3.7 bundles updates from the WooCommerce Blocks feature plugin version 2.3, including the following new blocks and enhancements to existing blocks:
A new focal point picker on the Featured Product block
A new Product Categories List block
A new Featured Category block
A new Products By Tag(s) block
Featured Product now allows for featuring a product by variation, linking to the product page with the variation pre-selected
Here’s an example of the featured category block, which lets store owners stay right inside the editor to select the category and see an instant preview of the content.
WooCommerce developers are working on creating more block editor capabilities for store owners. Future versions of the WooCommerce Blocks plugin will include new blocks for product filtering and for displaying product reviews. These will be tested first through the WooCommerce Blocks feature plugin before being added to core.
WooCommerce 3.7 Requires WordPress 4.9+ and PHP 5.6+
This release bumps the minimum required WordPress version to 4.9 and the minimum required PHP version to 5.6. There are new upgrade nudges in WooCommerce 3.6, alerting users who will need to to upgrade WordPress and PHP versions in order to update their stores to WooCommerce 3.7.
The increased minimum versions allows WooCommerce developers to include new and more performant code in future versions of the plugin. It also enables them to utilize PHP packages. The Product Blocks and REST API functionality have been removed from core and are now loaded via Composer.
WooCommerce Blocks Rebranded
Users may notice some visual changes to how WooCommerce blocks appear in the editor. The blocks have been updated to better reflect the WooCommerce brand. This is becoming more common, as plugins with multiple blocks carve out their own branded spaces in the block inserter.
A few other notable enhancements in WooCommerce 3.7 include the following:
Email Settings: New “Additional Content” sections replace the old hardcoded “Thanks” sections so store owners don’t have to override templates to change the wording
Coupon admin pages: Automatically generate new coupon codes with the click of a button
Performance improvements, new dedicated table for tax classes, reduced number of queries to populate variations, excluding Action Scheduler tasks from comments queries to speed up page load times
The WooCommerce Admin feature plugin continues to make progress and currently has 300,000 active installations. The plugin provides a new JavaScript-based dashboard for monitoring store reports and sales metrics. Recent updates include more data on the Customer Report page, improved navigation bar design, and an improved Stock Activity panel that automatically responds to inventory updates. Store owners who want to preview this functionality in WooCommerce can install the feature plugin.
Version 3.7 should not cause any backwards compatibility issues but the update includes a few database upgrade routines. The WooCommerce team recommends those with large amounts of data in their databases to upgrade using the WP CLI command wp wc update, instead of through the admin. Check out the release post and beta announcement for more details.
Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let’s discuss your ideas.
WordPress contributors, developers, and community members are currently debating a proposal to would implement a new policy regarding security support for older versions. The discussion began last week when security team lead Jake Spurlock asked for feedback on different approaches to backporting security fixes to older versions. Following up on this discussion, Ian Dunn, a full-time contributor to WordPress core, sponsored by Automattic, has published a proposal for moving forward with a new policy:
Support the latest 6 versions, and auto-update unsupported sites to the oldest supported version.
That would mean that the currently supported versions would be 4.7 – 5.2, and the 3.7 – 4.6 branches would eventually be auto-updated to 4.7.
In practice, that’d provide roughly 2 years of support for each branch, and roughly 10% of current sites would eventually be auto-updated to 4.7. Once 5.3 is released, the oldest supported version would be become 4.8.
Dunn outlined a detailed plan for implementing the new policy that involves testing a small subset of sites to identify problems before gradually updating older sites from one major version to the next (not all at once). Site administrators would be notified at least 30 days prior to the automatic updates with emails and notices in the admin that would also offer the opportunity to opt out.
The proposal has received dozens of comments, with some contributors in support, some in favor of modifications to the rollout, and others who are unequivocally opposed to the idea of auto-updating old sites to major versions.
One of the prevailing concerns is that many admins will not receive any notice due to non-functioning email addresses or not logging into their admin dashboards frequently enough. Opponents also contend that even though there are fallbacks for sites that fail to upgrade, some sites may be broken in a way that WordPress cannot detect, due to problems with plugins or themes.
“A back-end notice will not even begin to make up for the lack of reliable email communication,” Glenn Messersmith said. “There are tons of site owners who never venture into the back-end once their site has been developed. These are the very people who will not get email notifications either because the email address is that of some long gone developer.
“There is no way any sort of error detection can act as a safety net for those who never saw any notifications. There are all sorts of ways that a site owner might consider their site to be ‘broken’ which an update script could not possibly detect.”
In response to concerns about abandoned sites breaking or administrators relying heavily on a plugin that has been abandoned, Dunn agreed that these types of situations may be unavoidable under the current proposal.
“I can definitely sympathize with that situation, but we have to draw the line somewhere,” Dunn said. “We don’t have unlimited resources, and the current policy has damaging effects for the entire WordPress ecosystem.
“In reality, choices are never between a purely good thing and a purely bad thing; they’re always between competing tradeoffs.
“I definitely agree that it’s bad if a small number of site owner have to do extra work to upgrade their site, but in the grand scheme of things, that’s much, much better than having our security team be hindered by an extremely onerous support policy.”
Proposal Author Claims “Nobody Would be Forced to Update;” Opponents Argue that Requiring Users to Opt Out is Not Consent
In addition to the problem of possibly breaking sites, those opposed to the proposal are not on board with WordPress forcing an update without getting explicit consent from site administrators. Providing users a way to opt into automatic updates for major core releases is one of the nine projects that Matt Mullenweg had identified for working on in 2019. However, the plan for this proposal is more aggressive in that it would require site owners on the 3.7 – 4.6 branches to opt out if they do not want to be incrementally auto-updated to 4.7.
“They still retain agency no matter what, nobody would be forced to update, everybody retains control over their site and can opt-out if they want to,” Dunn said. “Something being on by default is very different from forcing somebody to do something. We would make it very easy to opt out — just install a plugin, no config required — and the instructions for opting out would be included in every email and admin notice.”
Dunn further clarified in a comment regarding who would receive these updates:
Nobody would be forced, it would instead be an opt-out process. If someone has already disabled auto-updates to major versions, that would be respected and their site would not be updated.
If someone clicked the opt-out link in the email, or if they clicked the opt-out button in the admin notice, then the updates would also be disabled.
The only people who would receive the updates are the ones who:
1) Want the update 2) Don’t care 3) Have abandoned their sites or email accounts
Several participants in the discussion asked why the process of getting these sites on 4.7 cannot be opt-in for consent, instead of forcing the update on those who don’t opt out. No matter how convenient the opt-out mechanism is, having one in place doesn’t constitute consent. Many site owners who will be forced into this process thought they would be safe in opting for maintenance and security updates and leaving their sites to perform “updates while you sleep,” as the 3.7 release post described the feature.
“Insecure sites are bad, but arguably, retrospectively enlarging the power granted to oneself by this mechanism is worse,” UpdraftPlus creator David Andersonsaid. “Potentially it could damage trust + reputation more than insecurity. I’d argue that huge dashboard ugly, irremovable notices on older versions warning of upcoming abandonment + the need to update would be better. Let the site owner take responsibility. Don’t play nanny, abuse trust, break sites and then write blog posts about how it was necessary collateral damage. Nobody who wakes up to a broken site will be happy with that.”
Andrew Nacin, WordPress 3.7 release lead and co-author of WordPress’ automatic background updates feature, encouraged those behind the proposal to clarify that WordPress only supports the latest major version and has never officially supported older versions.
“It takes a lot of work, for sure, to backport,” Nacin said. “But we should still stick to our north star, which is that WordPress is backwards compatible from version to version, that WordPress users shouldn’t need to worry about what version they are running, and that we should just keep sites up to date if we are able.”
Nacin offered more context on the original strategy for introducing automatic updates, which included gradually moving to having major releases as auto updates so all sites would eventually be on the latest version:
First, when we first released automatic background updates, we thought that our next big push would be to get to major release auto updates in the next few years. In practice, we can do this at any time, and, indeed, 3.7 supported this as a flag. But the idea was we would invest energy in sandboxing, whitescreen protection, improving our rollback functionality, etc., so our success rate was as high for major versions as it was for minor versions. (The failure rate scales somewhat linearly with the number of files that need to be copied over, and also gets more complex when files need to be added, rather than just changed.) Once we did this, we’d simply start updating all sites to the latest version and stop backporting. Obviously we still haven’t gotten here.
He commented that overall the proposal is “a great plan” but emphasized the benefits of communicating to users that it is safe to update and that WordPress only intends to support the latest version.
Most participants in the discussion are in favor of the security team discontinuing backporting fixes to older versions of WordPress. The question that remains unanswered for opponents is why is it WordPress’ responsibility to force older sites to update.
“I don’t think it should be WordPress’ decision to update sites that they don’t manage to major/breaking versions, but I think maintaining those branches should be stopped,” Will Stocks said. “You (WordPress) don’t own the infrastructure or business processes, or understand the support in place to manage those sites. There is also a reason those sites are still on that version today and have not upgraded past.”
There are other approaches that can still draw a line to respect the security team’s limited resources without forcing any non-consensual updates to major versions. Rachel Cherry, director of WPCampus, commented on the proposal, strongly urging WordPress to establish consent before updating these sites:
We are getting into the weeds of whether or not forced updates will cause tech issues and missing the real problem altogether.
We are discussing force updating people’s software when they have not given consent.
And for what end? What is the real problem here? Because we don’t want to worry about updating old versions?
There are other ways to solve this problem.
We can make a clear policy regarding EOL support for releases.
We can add a setting to core that lets the user choose whether or not they want auto updates and going forward that is the decision maker. Then we have consent.
We can work on education and communication regarding updates.
We can email people that their site is outdated and insecure and they should update ASAP, along with links to education and best practices. If they still need help, encourage them to reach out to a professional.
We can fix this problem for going forward, but we do not have implied retroactive consent just because we never put a permission mechanism in place.
If someone didn’t update their site, they did so for a reason. Or indifference. Either way, we have no right to go in like this and modify people’s websites.
Participants in the discussion are still wrestling with the potential implications of the proposed policy change. Minor updates have proven to be very reliable as auto-updates. Dunn reported that the 3.7.29 auto-update had only one failure that had to be rolled back to 3.7.28. Using the auto update system to push major updates to sites as old as these has not yet been thoroughly tested.
“Whether or not we do auto-update the 3.7 -> 5.x releases, I fully support making it clear that this is something we expect to start doing for the future (5.x -> x.x+),” Jeremy Felt commented on the proposal. “The work on testing infrastructure and code to support this should absolutely be done either way.” Felt also said he appreciated the staggered rollout scheduling for the proposed releases as well as the plan to provide an officially supported plugin for disabling auto-updates.
Discussion is still open on the proposal, but so far there seems to be a fundamental disagreement among participants about whether WordPress has the right to force major version updates without explicit consent, even if it is with the intention of saving site owners from potentially getting hacked.
“One thing is for sure, it appears to be a majority concern so far, while many of us are fond of these noble intentions, I’m just not so sure being the benevolent overlord of the Internet is a good image for WP moving forward,” plugin developer Philip Ingram said.
Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let’s discuss your ideas.
