WordPress.org

What’s the coolest uses and applications built on top of WordPress APIs that you’ve seen? I’m looking for some examples to highlight in the State of the Word next month.

Out of the box, WordPress allows you to configure the default avatar that displays for commenters that don’t have one. The choices leave a lot to be desired. Thanks to a new plugin created by Lee Willis, called Wapuuvatar, you can replace default avatars with images of Wapuu.

Settings for Wapuuavatar

If you’re not familiar with Wapuu, it’s the official, GPL Licensed mascot of the WordPress project. Throughout the year, a number of WordCamps and local communities across the world have created local versions of the character. In fact, the Tavern has its own Wapuu.

WP Tavern Wapuu

The plugin has two settings. You can either replace the default avatar with random Wapuus or replace all Gravatars with Wapuu. Wapuuavatar uses a library of images from the official Wapuu GitHub repository and art work created by Michelle Schulp. Here’s how it looks in action on WP Tavern.

Wapuuavatar on the Tavern

Wapuuavatar is an easy way to replace boring avatars with works of art. The plugin works without issue on WordPress 4.4 beta 4 and is available for free on WordPress.org.

photo credit: Βethan – cc

Within the last few weeks, we’ve received emails from readers wanting to know why it’s taking so long for new themes to be reviewed on WordPress.org. Some theme authors are having to wait two months or more for their first review.

Ashley Evans submitted her theme in June and she’s yet to complete the review process. Throughout that time period, both Evans and the reviewer experienced delays in responding to each other. A few months into the review, the reviewer disappeared and Evans was assigned a new reviewer two days ago.

Understandably, the experience has discouraged Evan’s from submitting anymore themes to the directory:

Back in August, I said, ‘Screw it’ and released the theme as a free download on my blog. This process has basically made me vow to stick to adding plugins to the repo and stop adding any more themes.

I’m not blaming the theme review team since I can only imagine how much stuff they have to wade through. It’s just sad that the process has discouraged me from ever doing it again.

On October 9th, Tammie Lister updated the Theme Review queues and identified a number of themes that fell through the cracks. Most of those themes were approved or are still in the review process.

The System is Broken

Members of the WordPress Theme Review team agree that the system is broken. In June, the team published its suggested roadmap to improve multiple facets of the review process. One of the items on the list to help cut down the review queue is the auto-approval of theme updates. However, the team is still hard at work trying to code and implement changes to improve the system.

Help Them Help You

photo credit: Rob Shenk via – cc

One of the items high on the team’s to-do list is to put more effort towards education. In order to do that, Justin Tadlock says the team has to free up resources, “We need to free up our biggest resources, which are the team members themselves. However, we can’t free up those people when they’re spending 100% of their time doing reviews.”

The most important thing theme authors can do to speed up the review process is to check that your theme meets the Theme Review Requirements. According to Tadlock, “The majority of themes submitted don’t follow the guidelines which considerably slows down the process. Themes will often have 20-30 issues or more. If we can get to a point to where the majority of submissions only have a few minor issues, we really wouldn’t have a queue.”

Theme authors who test their themes against Theme Unit Test Data and the Theme Check Plugin substantially improve the system for everyone. What the team needs most is help. Tadlock offers three ways contributors can get involved to improve the situation.

1. Doing reviews.
2. Tackling Meta Trac tickets related to the theme directory.
3. Writing tutorials.

Tadlock isn’t sure how to get theme authors to raise the quality of their themes before the initial review, “That’s the sort of feedback I want to see from fellow theme authors. What do we need to do to help them get their themes ready before submission?”

How to Get Involved

The team is always in need of more theme reviewers. Reviewing themes is a great way to learn theme development and what not to do. If you’re interested in reviewing themes, read the following document from the Theme Review Handbook. It explains how to set up a testing environment with an example of a testing workflow.

The Theme Review Team also has a project meeting every Tuesday, November 10, 2015, 1:00 PM EST in the #themereview channel on Slack.

Exercise Patience

Exercising patience is a difficult thing to do if you’ve already waited eight weeks or more for the first review. However, fixing the system is going to take time. If you want to know about the status of your theme and it has an assigned reviewer, you should ask for a status update within the ticket. If your theme doesn’t have an assigned reviewer, you can ask about its status in the Theme Review Team Slack channel with a link to the theme.

Imperva, an international cyber security company founded in 2002, published its 2015 web application attack report. The report includes a thorough analysis of attack data obtained through its WAF or Web Application Firewall.

In the report, Imperva’s application defense center group analyzed 297,954 attacks and 22,850,023 alerts on 198 of the applications it protects behind its WAF. The data is from January 1st, 2015 – June 30th, 2015 and provides a solid overview of the number and types of attacks web applications are experiencing.

The report covers a lot of ground but for the purpose of this site, I’m focusing on WordPress.

Analysis Methodology

Automated tools recorded the web applications’ traffic and malicious events were documented in log files. Imperva’s application defense center group analyzed the data using special-purpose software and its knowledge base.

You can find more information that explains how the data was analyzed on page seven of the report.

WordPress Is the Most Attacked CMS Application

Out of the 198 applications protected, Imperva identified 55 that are CMS-based, 20 WordPress applications, 11 Drupal, and 24 that are based on 11 other CMS frameworks.

Average Number of Incidents per Applications CMS Slice

According to the report, CMS applications suffered an average of three times more attacks than non-CMS applications. WordPress applications suffered from 3,497 attacks in the reported period which is 250% more than non-CMS Applications. Note from the above image that spam attacks against WordPress outnumber all other types of attacks.

Imperva says the attraction to CMS applications, especially WordPress is not new.

CMS frameworks have an open nature,  with open developer communities that generate a never-ending sequence of plug-ins and add-ons, with varying levels of security. This situation has led to corresponding never-ending flow of CMS vulnerabilities, with WordPress as the leading CMS taking the lead also in the amount of published attacks.

Furthermore, the fact that WordPress and other CMS applications resemble each other facilitates automated scanning attacks that work effectively on all applications of this type with only minimal adjustments.

Varying levels of security in plugins have led to many vulnerabilities making WordPress the leader in the amount of published attacks.

Proportions of Attacks

Taking spam attacks out of the equation, the most popular attack type against WordPress applications is (RCE) Remote Command Execution with (RFI) Remote File Inclusion taking second place.

Proportion of Attack Types

• Remote File Inclusion (RFI) is an attack that allows an attacker to include a remote file, usually through a script, on the web server. This attack can lead to data theft or manipulation, malicious code execution on the web server, or malicious code execution on the application client side such as JavaScript execution, which can lead to other attacks. This vulnerability occurs due to the use of user-supplied input without proper validation.

• Remote Command Execution (RCE) is an attack that allows the attacker to execute operating system commands in a system shell. The attack exploits applications that suffer from insufficient input validation in conjunction with passing this input to a system shell. The attacker’s payload is executed with the same privileges of the vulnerable application and can lead to full compromise of the server.

Even though the other monitored CMS applications are written in PHP, RFI attacks on WordPress are significantly higher than all other applications. Imperva offers one possible explanation:

Attackers don’t target a specific application, but start with scanning the Internet for vulnerable applications. A Low Hanging Fruit approach that is simple and effective for the detection of potential RFI targets, would be to run a WordPress test and mount an RFI attack in case of success.

The report goes on to show geographic attack trends, PHP vs non-PHP attack incidents, traffic volume, case studies, and more.

No Need to Panic

Even though it’s only six months of data, the results don’t surprise me. WordPress is used on a quarter of the top 10 million websites ranked by Alexa so of course its going to be the most attacked CMS.

The data in the report reinforces my belief that every public site online is likely being scanned or attacked multiple times a day. Unless you’re using a service or plugin that logs these types of attacks, its hard to know how popular of a target a site is.

If you’re aware of a plugin or service that provides a user-friendly interface that shows and explains the attacks it’s protecting against a site, please send me a link in the comments.

Basic Security Principles

It’s imperative that you use a strong password and two-factor authentication. Consider using a service like Clef that allows you to login to WordPress without a password. I also highly encourage you to read the WordPress security whitepaper to learn how WordPress protects itself against common attacks mentioned in Imperva’s report and how to responsibly disclose a WordPress security vulnerability.

If you’re running or opening a new WordPress business, you should read Adam Soucie’s warning on the dangers of accepting credit cards. Soucie, a WordPress Developer based in Orlando, Florida describes what happened after working with a client that claimed to be hearing disabled.

Soucie went through the usual process of sending over a contract, bringing in a designer, discussing scope, and sending over an invoice. The client then claimed to be in the hospital and requested help to pay for one of the contractors involved in the project because he didn’t accept credit cards. According to Soucie, this should have been the red flag:

But I ignored it because I’ve also been a trusting person who is sympathetic to people with disabilities.  Plus I figured I had proof of everything, so I’d be protected.  I was so wrong.

To make a long story short, the ‘client’ was paying with stolen credit cards and the other contractor was in on the scam.  I discovered the scam when they started getting pushy about the contractor receiving his payments.  When leaving to make the final payment, I got a call from the person whose credit card info was stolen.  I reached out to my ‘client’ and she had disappeared.

As the merchant, Soucie was liable for the transaction. After not receiving help from the FBI Cyber Crimes division and the credit card companies, QuickBooks, Soucie’s payment processor, went after him for the total amount of $10,000. He was able to get the amount slightly reduced after working with QuickBooks. What looked like an awesome project quickly turned into a nightmare.

I highly encourage you to read his article as it includes tips to protect yourself and why you shouldn’t be too trusting. What advice do you have for freelancers who accept credit card payments? What signs should freelancers look for to avoid fraudulent scams like this one?

Earlier this year, Nick Haskins, founder of Aesop Interactive LLC, announced he was selling the company. Haskins was initially going to list the company on Flippa but after receiving advice from Syed Balkhi, used FE International to facilitate the sale. FE International is composed of website brokers that do the heavy lifting to help businesses find buyers.

An anonymous company based on the US East Coast without ties to the WordPress community is the new owner of Aesop Interactive LLC. Although terms of the deal are not public, Haskins confirms that he received close to his asking price of $100K.

When Haskins put the company up for sale, he specified two conditions the new owner must follow.

1. Aesop Story Engine MUST absolutely be maintained and kept free.
2. Editus must continue forward with development, in some way shape or form.

It’s unclear what the new owner’s plans are for Aesop Story Engine, Editus, and Story.AM.

Advice for Selling Your Company

The WordPress ecosystem is filled with thousands of companies from individuals to 50+ person agencies. Haskins offers the following advice for those thinking about selling their business, “Make sure that the books are buttoned up tight, because every check, every payment, every expense will be scrutinized and will ultimately determine what the appraisal price will be. Run a lean ship as the less overhead you have, the better.”

During the appraisal process, Haskins had to account for and explain every check number written during the last few months. Although it was a lot of work on his end, he highly recommends using FE International as they manage the negotiating, contract writing, and appraisal processes.

What’s Next for Haskins?

Haskins isn’t giving up WordPress development as he continues to work with the software on a daily basis managing CGCookie. When I asked what’s next in his WordPress journey, he replied, “Overall, there will be another project. It’s just that this chapter of the story is finished. I want to eventually write and publish an eBook on my experiences of starting, running, and selling a business.”

Who do you think the buyer is and what do you think will happen to Aesop Story Engine, Editus, and Story.AM?

Nearly seven months before the event takes place, tickets for WordCamp Europe 2016 in Vienna, Austria on June 24-26 are on sale. There are two types of tickets available, General admission and Microsponsor.

General admission tickets are € 40.00 each and cover both days to the event, access to all sessions, lunch, coffee breaks, warm up events, and the after party. It also includes a WCEU 2016 t-shirt, stickers and other swag.

Microsponsor tickets are € 150.00 and includes everything the general admission ticket offers. The major difference between the two besides cost, is that the microsponsor ticket is a great way to support the European WordPress community. Microsponsorships shows appreciation of the event and grants you a special mention on the sponsorship page.

Before you purchase tickets, it’s important to note that due to Paypal’s 60 day refund policy, the event is not issuing refunds. If you buy a ticket and want to give it away as a gift, or sell it to someone, you’ll need to edit the details using the link in your ticket purchase confirmation email.

Although the schedule is not yet posted, WordCamp Europe has an established history of being one of the best WordPress events of the year. Let us know if you plan on attending.

BuddyPress 2.4.0 “Pietro” named after an authentic Italian restaurant in Paris, France is available for download. This release includes support for cover photos that users can add to their profile or a group.

BuddyPress Cover Photos

Cover photos are built on top of the BuddyPress Attachments API meaning they should seamlessly integrate into themes. If you need to fine-tune the output for your site, check out the following Codex article.

Initially added in BuddyPress 2.2.0, Member Types allows developers to categorize the members of their community in a variety of ways. If you use this feature in your community, you can now specify that profile fields be made available to either one, some, or none of the registered Member Types.

Member Type Fields

Two companion stylesheets are included with 2.4.0 to make sure content looks great on both the TwentySixteen and TwentyThirteen themes.

Companion StyleSheets

This release also includes major accessibility improvements to front-end templates and the Dashboard screens. According to BuddyPress developers, accessibility is a major focus of the project and there is a concentrated, ongoing effort to make the software more accessible to users of all abilities.

Thanks to a new template hierarchy, groups can now have unique header images and layouts. Simply use the new front.php template inside the single groups templates directory.

Unique Homepages for Groups

In addition to all of the improvements listed above, 2.4.0 has over 100 bug fixes. It also contains the security patch applied in 2.3.5. BuddyPress is available for free from the WordPress plugin directory and if you run into any issues, you’re encouraged to report them in the support forums.

The WordPress 4.4 field guide is available and covers all of the major features in WordPress 4.4. The guide explains what the features are and more specifically, links to posts that explain how they work.

WordPress 4.4: Field Guide

While it doesn’t cover every single change, it gives developers and site maintainers an opportunity to learn and understand the major features before WordPress 4.4’s release.

If you haven’t tested your plugins and themes with WordPress 4.4, now is a great time to do so. In testing WordPress 4.4 betas on WP Tavern, I discovered two broken plugins. I notified the developers and they quickly released an update addressing the issues.

WordPress 4.4 is scheduled for release in December.

In this episode, Marcus Couch and I discuss the last two weeks of WordPress news. We go in-depth on what’s coming in WordPress 4.4 and I share a story of how upgrading WP Tavern to WordPress 4.4 beta 4 generated a white screen of death.

We cover what’s new in BuddyPress 2.4 and celebrate the milestone that WordPress is used on 25% of the top 10 million sites ranked by Alexa. Last but not least, we discuss how WordPress may reach 50% and what it means for the web.

Stories Discussed:

WordPress 4.4 Beta 4 Released
WP Remote Is Up for Sale
Pro Plugin Directory Is Seeking a New Owner
BuddyPress 2.4.0 – “Pietro”
More Than 250 Tickets Still Available for WordCamp US
A Quarter of the Top 10 Million Sites Ranked by Alexa Use WordPress

Plugins Picked By Marcus:

Ad Blocking Advisor adds a simple and elegant notification bar to your site that only displays to visitors who are using ad blocking software. The purpose of the notification is to ask (or advise) visitors to whitelist your site.

MatchHeight adds the MatchHeight jQuery plugin to make the height of all selected elements exactly equal.

WP Term Images by John James Jacoby allows users to assign images to any visible category, tag, or taxonomy term using the media library, providing a customized look for taxonomies.

WPWeekly Meta:

Next Episode: Wednesday, November 18th 9:30 P.M. Eastern

Subscribe To WPWeekly Via Itunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #212:

Human Made LTD is selling its WordPress remote management service WP Remote. Launched in 2009 as a plugin called Site Monitor, the service has evolved over time to allow users to upgrade themes, plugins, and WordPress remotely. The service allows an unlimited amount of sites to be tracked for free.

Human Made is not able to devote the time and resources necessary to maintain the service, even as it continues to do well. According to Tom Willmot, Co-founder and CEO of Human Made, the team backed out of the premium version of the service due to a lack of resources:

We had ambitious plans for a version 2, we introduced a premium version that we backed out of because we didn’t have the resources to run and grow it, and we’ve got lots of great ideas both from its users and ourselves that we haven’t been able to act on. We’re too busy with other things, including Happytables, our client work, events, and more.

WP Remote has over 18K users with more than 96K sites monitored. Here are some other notable statistics:

• 1,850 people logged in during the past 30 days.
• 1,200 of those have more than five sites added to their account and 110 of them have more than 50 sites monitored.
• In the past 30 days WP Remote was used to perform over 20,000 plugin updates.
• Each week between 50 and 100 new users sign up and over half of them go on to add a site.

Although WP Remote converted 60 free users to its premium service, the company eliminated it due to the lack of internal resources to support, develop, and market it. WP Remote also has key relationships with web hosting companies such as, Pressable, BlueHost, and SiteGround.

Before inquiring about purchasing the service, I recommend that you read the history on how it was created. If you’re interested in acquiring WP Remote or have questions, contact Tom at  [email protected]. The company plans to decide who the buyer is by the end of February 2016 and is in early discussions with a few interested parties.

Steven Gliebe, creator of Pro Plugin Directory, is looking for a new owner. The site launched earlier this year and has more than 170 plugins listed in the directory. Gliebe doesn’t have the time to manage the project anymore and is looking to give it to someone who is capable of maximizing the site’s potential.

Since May of this year, commercial plugin developers have slowly added their products to the directory. Gliebe explains his original strategy for monetizing the site, “Build the directory up (get authors to list their plugins) in order to attract traffic (plugin buyers) then monetize it with display ads, affiliate links and/or sponsorships (not yet started).”

Gliebe spends 1-2 hours per week managing the directory which includes, moderating submissions, moderating comments, moderating reviews, answering emails, and responding to tweets. He suggests that the new owner will need to spend more time marketing in order for the project to keep growing.

One of the most interesting parts of the sale offer is where Gliebe explains what powers the site:

The site is powered by Easy Digital Downloads, the Frontend Submissions extension, the Product Reviews extension and Array’s Checkout theme (using a child theme for customizations like showing categories on the homepage).

Looking at the analytics, the site is experiencing low traffic numbers compared to when the site was launched. However, organic search traffic is steadily rising thanks to the content published on the site’s blog.

Pro Plugin Directory Traffic

Outside of Codecanyon, Pro Plugin Directory is one of the only other directories exclusively catered to commercial plugins. Here’s what Gliebe will give the buyer after purchasing the site:

The buyer will receive the domain, website files, database dump, mailing lists and Twitter account. Easy Digital Downloads add-on licenses and Checkout theme licenses will be transferred. You will need to purchase a new SSL certificate. I am looking for a capable buyer but if you require migration assistance or technical support after the sale, I will offer my services at $200/hour (five hours max).

Escrow will be used to facilitate the sale between both parties. If you’re interested in taking over the site or have questions, contact Steven Gliebe.

Welcome to the Post Status Draft podcast, which you can find on iTunes, Stitcher, and via RSS for your favorite podcatcher.

Joe is away this week, so Brian goes solo. Brian highlights WordCamp US and A Day of REST and describes why you should attend these events. He also tells the story of his first ever WordCamp San Francisco (the precursor to WCUS). Then, he interviews Mike McAlister, of Array Themes, and they talk about the process of building a commercial WordPress theme from the ground up.

The interview with Mike starts around 14 minutes in.

https://audio.simplecast.fm/19978.mp3

Direct Download
Topics & Links

Event Links

• WordCamp US
• A Day of REST
• Brian’s post on A Day of REST
• Brian’s first WordCamp SF
• Post Status and Pagely party
• Join the Post Status Club
• Podcast on the REST API

Interview with Mike

• Array Themes
• Previous interview with Mike
• Typecast for testing typefaces
• Typewolf for type inspiration and resources
• Playing with type
• Brian’s 2010 article on the profit ceiling in the theme market

BuddyPress 2.3.5 is available and patches a security vulnerability that may allow privilege escalation for logged-in users. BuddyPress 2.3.4 and previous versions are affected however, versions 2.0.4, 2.1.2, and 2.2.4 include the patch.

According to the BuddyPress development team, there is no evidence that the bug has been exploited in the wild. If your WordPress site supports automatic updates to point releases, it will likely be updated by the time you read this post.

Slava Abakumov discovered the vulnerability and responsibly disclosed it to the development team. If you run into any issues with the update, you’re encouraged to post on the BuddyPress support forums.

I saw the new Steve Jobs movie a few days ago, which I enjoyed as a movie even though the main elements were fiction and it should have been titled something else.

But they had an awesome video interview with the amazing Arthur C. Clarke in 1974, which I’ve embedded above, where he said the following right around 0:56.

Interviewer: I wonder though, what sort of a life will it be in social terms if our whole life is built around the computer, if we become a computer-dependent society, computer-dependent individuals.

ACC: In some ways, but they’ll also enrich our society because it’ll make it possible for us to live anywhere we like. Any businessman, any executive could live almost anywhere on earth and still do his business through a device like this, and this is a wonderful thing, it means we won’t have to be stuck in cities, we can live out in the country or wherever we please, and still carry on complete interaction with human beings, as well as with other computers.

Wow, extremely prescient. Remember, this was 1974! The dominant technology companies of today still follow the same office-centric model as when computers took up entire rooms, but the dominant companies of tomorrow will be built and grow in a completely distributed fashion. (And of course, we’re hiring.)

See also, from 2012: Automattic, Forbes, and the Future of Work.

photo credit: vgrigoriu – cc

In a little less than a month, the first annual WordCamp US will be underway in Philadelphia, PA. There’s still 251 tickets available to attend the event in person. The schedule and sessions are published and it looks like an informational packed two-day event.

There are three tracks available, two of which will have typical length sessions with a third track dedicated to lightning talks. I highly encourage you to view the schedule and create a list of sessions to attend as the first day has over 40 of them.

Reed Gustow, one of the event’s primary organizers says they’re expecting a lot of attendees, “We’re expecting 2,000 attendees from across the United States and from many other countries, and it will be a wonderful opportunity to learn, share knowledge and meet others in the amazing WordPress community.”

In addition to WordCamp US, there will be a WordPress contributor day on December 6th. During contributor day, people from all walks of life get together and contribute to various parts of the WordPress project whether it’s the support forums, core code, documentation, and more. Mentors will be on hand to help new contributors.

Last but not least, the most important information is where to eat a great tasting cheesesteak. After all, it’s one of the things Philadelphia is known for. The WordCamp US organizing team has you covered with a post that describes the different types of cheesesteaks and where to find the best tasting ones.

Hotel and venue information for the event is on the WordCamp US website. Unfortunately, I’m not attending the event this year, but Sarah Gooding will be there. If you see her, stop her and say hi.

According to Matthias Gelbmann of W3Techs, 25% of the sites it surveys are using WordPress. The milestone comes two years after reaching the 20% mark.

Quarter of the Web

The following image shows WordPress’ rapid growth from 13.1% in January 2011 to 25% today.

WordPress’ Growth

Drupal and Joomla, two other popular open source content management systems combine for 4.9%, slightly less than 1/5th of WordPress.

W3Techs counts both self hosted WordPress and WordPress.com sites, “We only count the hosted sites if they are reachable via their own domain (not only as subdomain of wordpress.com), and they must qualify like all other sites in our surveys by getting enough visitors on that separate domain to make it into the top 10 million Alexa sites,” Gelbmann says.

This means that only those sites on WordPress.com that use domain mapping and have enough traffic to be in the top 10 million Alexa sites are counted leaving millions of WordPress.com sites uncounted. Only 1.25% of WordPress sites in the survey are hosted at WordPress.com.

The Fastest Growing CMS

The survey also shows that WordPress is still the fastest growing CMS, “Every 74 seconds a site within the top 10 million starts using WordPress. Compare this with Shopify, the second-fastest growing CMS, which is gaining a new site every 22 minutes,” Gelbmann says.

When sites are broken down into languages, WordPress is used on 37.3% of English language sites. Portuguese, Spanish, Swedish and Turkish sites are inbetween 38-40% while Bengali is 51.3% and 54.4% for Bosnian. Only 10.6% of WordPress sites are in Chinese with 6.9% for Korean.

About 94% of sites surveyed use a Unix-like operating system such as Ubuntu. Windows servers host 6.2% of WordPress sites making it the most popular CMS running on Windows servers.

Matt Mullenweg, Co-founder of the WordPress project, says the largest opportunity for growth is in the 57% of sites not using any identifiable CMS. Earlier this year, we learned that Jetpack is going to play a significant role in WordPress gaining 50% or more of market share.

In an interview with Adam Silver on the KitchensinkWP podcast, Mullenweg explains the path to 50% and beyond.

The next goal is the majority of websites. We want to get to 50%+ and there’s a lot of work between now and then. As the percentage increases, it gets harder and harder to grow the market share, and we have to grow the market share by doing things we haven’t done in the past – really thinking about the onboarding process, really thinking about the integration with social networks, and with how WordPress works on touch devices, which is going to be the predominant computing platform of the future. These things are going to be really important.

What got us here isn’t going to get us there. Once we get to 50%, we can decide something new we want to do

Automattic is experimenting with a new side project called Jetpack Onboarding. The project is an attempt to improve WordPress’ new user experience. Hosting companies that choose to implement it can modify, add, or remove steps.

Jetpack Onboarding Wizard

Keep in mind that W3Techs’ market share numbers are based on the top 10 million sites in Alexa. Fifty percent market share is 5 million of those 10 million sites. Are these the sites WordPress should be targeting with development efforts? Are they more important than the millions of sites not ranked by Alexa? I don’t think so but only time will tell.

If you listed the habits of successful people, tracking and measuring would be near the top of that list. I see it with people, companies, and teams that I work with. I see it in my own behavior.

Fred Wilson writes on Tracking and Measuring. Lack of measurement — picking stats and watching them before and after a launch — is one of the most common mistakes I see product teams make, certainly inside of Automattic.

People are abuzz because it looks like the W3Techs survey of the web now has WordPress at 25% market share.

Sometimes it goes up and down through the course of a month, but it’s still a pretty fun milestone that we can now say about one in four websites are now powered by the scrappy open source underdog with its roots stretching all the way back to a single person in Corsica, France. We should be comfortably past 25% by the end of the year.

The big opportunity is still the 57% of websites that don’t use any identifiable CMS yet, and that’s where I think there is still a ton of growth for us (and I’m also rooting for all the other open source CMSes).

If you want to celebrate with us come to the first-ever WordCamp US event next month in Philadelphia (tickets still available) — it’s shaping up to be an amazing event. We just published the schedule and there are some amazing speakers and sessions.

A few days ago, I offered advice on how non-developers can contribute to and influence core WordPress development. Communicating online is hard but where and how you communicate affects the likelihood of making an impact.

CMS Critic is a site I’ve read for years as it routinely publishes articles on a variety of content management systems, including WordPress.

In late October, Kaya Ismail published an article that describes how WordPress needs to improve itself in six ways. What could have been a great article, is instead a great example of how not to communicate grievances you have with WordPress.

Twenty Sixteen Developers Are Lazy

Many people, including myself have an opinion of the Twenty Sixteen theme in WordPress 4.4. Ismail thinks the developers behind the theme are lazy.

I totally understand that WordPress doesn’t need to compete with the massive library of third-party themes available out there, but that doesn’t mean that they should lead with a default theme as bad as that. It’s nothing short of lazy.

Tammie Lister, Takashi Irie, and others continue to work hard on Twenty Sixteen to prepare it for the WordPress 4.4 release in December. They are far from lazy people making Ismail’s opinion more of an insult. He doesn’t provide any examples or ideas on what should be in a default theme.

The WordPress Plugin Directory

According to Ismail, the WordPress plugin directory is filled with large chunks of trash in addition to great plugins. While some plugins in the directory could be coded better, his explanation falls short of describing a solution.

Many plugins simply don’t work, while many more are poorly put together, which in turn makes WordPress as a platform harder to use. Quality control needs to improve.

He doesn’t link to plugins that are broken, provide any code samples, or show where quality control is lacking. His statement is an assumption that’s not backed by evidence.

Those who oversee the plugin directory don’t test every submitted plugin to make sure it works with WordPress. Among other things, their job is to make sure plugin submissions don’t have security issues. If the moderators performed quality control on every plugin, the submission queue would likely have a substantial backlog.

Instead of writing baseless assumptions, Ismail should monitor the Make WordPress Plugins site to stay on top of what’s going on with the plugin directory and submit feedback where necessary. If a broken plugin is discovered, he should create a forum thread within the plugin’s support area.

This way, his feedback is seen by those who directly control the WordPress plugin directory. The simple act of reporting a broken plugin to the developer is a major step towards being part of the solution and not the problem.

Admin Menu Clutter

I agree with Ismail’s opinion that the WordPress admin menus can become cluttered if the right plugins are activated. At least in this case, he suggests an alternative.

I’d like to see WordPress group third-party menu options together, in a way that’s a little more organized and less intrusive. Perhaps this can be done by giving them a sub-section within the menu which can be collapsed. The solution itself is up to them, but the problem is evident.

There are guidelines for when plugin developers should create top-level or sub-level menu items but they’re not followed as well as they could be. Without strictly enforcing these guidelines, it’s out of WordPress’ hands. The complaint is aimed in the wrong direction and should point towards third-party developers, not WordPress itself.

If you want more control in how items are displayed in the admin menu, I recommend using the Menu Humility plugin by Mark Jaquith.

Akismet is Not Enough

According to Ismail, comment spam is a major issue with WordPress sites and Akismet doesn’t do enough to stop it.

Akismet, a spam comment filter, now comes with every WordPress install – which is a good thing. But the free version doesn’t do enough for me, as comments still pile up in the back end. If you ask me, WordPress needs to find another way to turn the unrelenting tide of spam.

To clarify, Akismet has been bundled with WordPress since version 2.0 and there’s no difference between the free and commercial versions in how Akismet protects sites. He doesn’t provide any suggestions on what WordPress could do to thwart spam but says it has to do something.

What are members of the WordPress core team supposed to do with this kind of feedback? It’s not helpful, doesn’t provide any ideas, and is easy to discard.

Updates are Hard

Depending on your webhost’s configuration, updating themes, plugins, and WordPress is as simple as clicking a button. For the more adventurous, you can configure them to happen automatically. For Ismail, the update process is difficult.

Updating a plugin may cause conflicts between it and another plugin. Updating a theme can erase your modifications (unless you use a child theme), whereas updating WordPress itself can render a variety of your plugins redundant until their developers apply a patch. Confused yet? You should be.

He makes a few good points but editing a theme instead of a child theme is like editing WordPress core files which should almost never happen. It’s true that there is a slight risk of things breaking after an update but it’s more of an anomaly than a common occurrence.

Ismail suggests that WordPress look into preserving theme changes across the board and to provide alerts if  plugins interfere with each other. I like these suggestions and my hope is that one day, WordPress will be able to create a snapshot during the update process to provide assurance that the site won’t break after an update is applied.

WordPress Hack-a-thon

Ismail’s last point is how WordPress can improve its security.

I think we can all agree that WordPress needs to beef itself up (by shoring up its admin login page, for example), but I call for it to go a step further and start offering better protection, even if it comes at a small price.

Third party solutions exist, sure. But why should I have to patch together several security plugins, each with their own confusing settings, just to secure my website? Many WordPress users have become accustom to handling their own security in this way; but I think WordPress needs to take on more responsibility.

He wants WordPress to go a step further and offer better protection but doesn’t say what that protection is. He also doesn’t explain where, how, or why WordPress should take on more responsibility to make sites more secure.

Be Part of the Solution, Not the Problem

Ismail concludes his article by saying it’s time for WordPress to innovate. He also says, “The onus isn’t on me to provide the solution, it’s upon WordPress. And it’s about time they started coming up with innovative solutions for their long-standing issues.”

The article is another example of how CMS Critic chooses not to be part of the solution. Everyone is entitled to their opinions, but airing grievances which sound more like demands and telling core developers to start innovating is not a recipe for results.

This quote from WordPress core developer, Mark Jaquith, eloquently describes how important communication skills are in an open source project.

The number one skill you need for just about any job, but specifically working on open source, is communication skills. You need to have clarity, consistency, compassion, relatability, a little bit of a thick skin and a decent sense of humor.

The onus may not be on Ismail or any of us to come up with solutions, but he and others can help discover and be part of solutions by taking an active role in giving constructive feedback in the right place. WordPress has its fair share of issues but there are plenty of opportunities for people to step up and contribute to make the software better.

Jetpack 3.8 is available for download and includes, Google+ badges, Twitch.TV embed shortcode, improvements to the contact form module, and bug fixes.

Users can now display a Google+ Badge widget that shows your Google+ profile, page, or community.

Google Plus Badge Settings

You can configure the badge’s width, layout, and choose between a light or dark color scheme. A Google+ icon has also been added to the Social Media Icons widget bringing the total number of available icons to nine.

Those who use the Shortcode Embeds module can now easily embed videos from Twitch.tv using the [ twitchtv ] shortcode. The shortcode’s attributes allow you to modify the width, height, and whether or not the video autoplays.

In previous versions of Jetpack, the Contact Form module checkbox field type was limited to a single item. In Jetpack 3.8, check box field types can have multiple items.

Multiple Options Field

One of my favorite enhancements in Jetpack 3.8 is the improved styling to contact form email responses. In previous versions of Jetpack, emails didn’t match the order of the fields within the contact form. Now, any responses to the contact form will show up in the order you set.

Other notable improvements in Jetpack 3.8 include:

• Lots of new filters to allow further customization of Jetpack.
• Better error messaging for Subscription Widget sign up forms.
• Improvements and enhancements to accessibility.

In addition to features and bug fixes, this release contains contributions from Daisuke Takahashi and Eduardo Reveles. Takahashi lives in Japan and is responsible for the Google+ Badge Widget. Reveles not only filed a substantial amount of issue reports on Github but also submitted a lot of patches.

These two are among a group of more than 40 people who worked on Jetpack 3.8. Check out Jetpack’s contribute page if you’d like to get involved with the project. Also, be sure to read how you can join the Jetpack beta testing team to be among the first to test new features.

I was wondering the other day how many miles of road were in every state, and guessed that Texas must be the highest. It turns out it is, according to this list of the road mileage of every state. It’s about 70% more than the runner-up, California. After TX and CA, it’s Illinois, Kansas, Minnesota, and Missouri.

While developers celebrate the first half of the WordPress REST API being merged into WordPress, there’s also another reason to celebrate. Six years in the making, taxonomy term meta will be available in WordPress 4.4.

If you’re like me and don’t have a clue as to what taxonomy term meta is, I highly encourage you to read Justin Tadlock’s explanation and tutorial. In the post, Tadlock explains why term meta is significant and some of the possibilities it affords developers.

After reading through the tutorial, I have a better understanding as to why developers are so excited. Not only does it create more opportunities to extend WordPress, but does so in a standard and expected way. Previous to WordPress 4.4, developers had to rely on work-arounds to add term meta to taxonomies.

Let us know what you think of the tutorial and how you plan to take advantage of this feature once WordPress 4.4 is released.

Better Blockquotes is a free WordPress plugin created by Devin Price that makes it easy to add citations to blockquotes. When a user clicks the blockquote button with no text highlighted, a dialogue box pops up with options to add a quote, citation, and a citation link.

Better Blockquote Options

Citations are inserted into the post with HTML5 markup. The blockquote button retains its default behaviour with highlighted text. I tested the plugin on WordPress 4.4 beta 3 and it works as advertised.

I did notice however, that the citation displays immediately after the last character in the quote. I’d prefer to have

a space between the last character and the citation.

Better Blockquotes in the Visual Editor

An example of how better blockquotes looks in a post.

How a Better Blockquote Looks in a Post

Based on feedback, Price says he’ll attempt to add it to WordPress core as an enhancement. Is better blockquotes something you’d like to see added to WordPress?

Tech blog idea: A site that covers the top headlines on Techmeme 6, 12, or 18 months after they happened, and explores the delta between what people said was going to happen when they raised funding, or did an acquisition, and what actually happens after time has run its course. We keep covering announcements like they matter. Can also compare analyst and commentator predictions for claim chowder.

If you don’t consider yourself a developer and want to contribute to WordPress core, Hugh Lashbrooke’s guide offers a few different techniques. The guide explains how and where to provide feedback and how important it is to beta test new features.

Over the years, I’ve used WP Tavern to advocate for and against features in WordPress. One of the best pieces of advice I can give non-developers is to organize your thoughts or stance on a specific feature or direction and publish them on your site. This allows you to control the conversation and gives you plenty of space to explain your perspective.

A great example is this post asking for help to add comment moderation approval notifications to WordPress. I explain why it’s needed with a link to the ticket I created to keep track of the conversation. I prefer to write about potential features and based on feedback, I’ll either create a trac ticket myself or someone will do it for me with a link to the post.

The Tavern is in the dashboard and is read by a large audience, including core developers. However, thanks to social media, a well constructed post with solid points will make the rounds on Twitter, Facebook, and within WordPress sub-communities.

It’s those posts and associated comments that serve as one of many foundations for change in WordPress without touching a line of code. Keep in mind that there’s no guarantee you’ll be able to directly influence WordPress core development with words alone, but respectful, in-depth conversations with differing opinions and perspectives are an important part of the community regardless.

Daniel Bachhuber, who maintains WP-CLI, has successfully raised more than $21K through his Kickstarter campaign. He created the campaign to generate funding to develop a CLI interface for the WordPress REST API.

According to Bachhuber, the project will allow WordPress REST API endpoints registered via plugins and themes to automatically be usable as WP-CLI commands. Developers will also be able to push and pull posts including, custom post types, users, and other WordPress REST API data between separate WordPress installations with a simple WP-CLI command.

Bachhuber requested $17.5K and within twelve hours of publishing the campaign, he received more than the asking amount from 51 backers, including one who contributed $8,500. Bachhuber will donate one hour of time to the WordPress REST API project in 2016 for every $100 over the funding goal. Based on the current amount, that’s 46 hours.

With funding in place, Bachhuber will work on the project throughout the first half of 2016, “$17,500 represents 150 hours of development at $100/hour, plus Kickstarter’s cut and costs associated with the rewards. I intend to use this time over the first six months of 2016,” he said.

There’s still 28 days left in the campaign and if it reaches $40K, he pledges to help figure out how the REST API will handle password protected posts.

93Digital, a London-based WordPress development agency, has published a WordPress time machine. The page features a timeline where visitors can browse every major version of WordPress released since 1.0. Versions are displayed in a horizontal timeline format with fancy animations when hovered over.

WordPress Time Machine

Unfortunately, the animations are more distracting than they are useful and add a small delay when viewing images. The full-size images are not large enough and appear blurry when clicked on. If 93Digital removes the animations and uses larger images, the timeline would be a nice way to visually browse through WordPress’ history.

If you’d like to see clear, large images of past WordPress releases and learn about some of the key features in each version, I recommend reading WordPress through the ages. Through the images, you can see the natural progression of features, designs, and layouts WordPress has gone through during the past 10 years.

In this video Shigeru Miyamoto and Takashi Tezuka discuss World 1-1, or the very first level in the very first Super Mario Bros. It’s fascinating how every element on the level is designed to introduce you to a mechanic of the game, or how Mario moves and jumps. This is interesting if you like Mario, but also important for any developer in any medium who is thinking about the NUX (new user experience) of their product. I sometimes joke that in WordPress we put people on the boss monster level the first time they enter the dashboard. There have been improvements but still so much to do to naturally introduce people to our interface.

The Atlantic: Daylight Saving Time Is Terrible: Here’s a Simple Plan to Fix It.