This Week In WordPress: XSS Security Scare, Facebook Abandons Plugin

This week’s round-up of WordPress news, views and reviews summarized in our daily email newsletter, The WhiP.

Friday, April 17

Setting the Bar

(WordPress News)

On this week’s episode of WPWeekly, the guys at WP Tavern talk about how Pippin Williamson, founder of Easy Digital Downloads, sets the bar when it comes to being a role model in the WordPress ecosystem. VersionPress 1.0 is out. The plugin brings the Git version control system to WordPress. Suffice it to say, the plugin has had a patchy history with funding.

Cloudup has been given a refreshed look. Automattic acquired the file storage and sharing service back in 2013.

A Freaking Mess


“It goes to show exactly what happens when you have people who represent themselves as WordPress developers doing work that they aren’t really qualified to do. In short, you’re left with a project that’s an ‘f’n mess’ and that ends up becoming the responsibility of someone else who is more qualified to solve the problem.” This is what happens when so-called WordPress developers fail, according to Tom McFarlin.


(Themes and Plugins)

The Array theme shop has returned to ThemeForest, a year after pulling out of Envato’s marketplace to rebrand and relaunch with the freedom to further build the business. At the time, founder Mike McAlister said the business had “officially outgrown the ThemeForest marketplace.”

The new, free Documentation Post Type plugin lets you create a custom post type for product documentation. The advantage of storing documentation in its own post type is that you can organize, export and maintain it separately from your regular posts and pages.

Here are some rather nice examples of sites that use Visual Composer, the best selling page builder plugin for WordPress.

Tried and True

(Tutorials, Tips, and Tricks)

WordPress Security: Tried and True Tips to Secure WordPress (WPMU DEV).

Building A Custom Archive Page For WordPress (Smashing Magazine).

Embracing The Spirit Of Open Source With WordPress Trac (WPMU DEV).

How to Avoid Comment Spam (WPSpeedster Blog).

What Is A Squeeze Page and How to Create One With WordPress (Elegant Themes).

Gravity Forms PayPal Error (and Solution): Some required information is missing or incomplete. Please correct your entries and try again (WP Garage).

The Goslings

(Off-Topic, Random Stuff)

James versus Ryan. The Coachella website uses WordPress, just sayin’.

All the best for a thoughtful and productive Friday and an awesome weekend.

Monday, April 20

Better the Web Host You Know

(WordPress News)

Pagely has announced some new managed WordPress features, including a new hosting management plugin, better bandwidth and CDN monitoring, and a useful developer mode that disables all caching for your own browser session only, so you can test changes without affecting the cache state of the entire site.

BuddyPress 2.3 will improve avatar uploads with the new BP attachments API.



Former photographer Robert Dall writes about the problems importing image IPTC data into WordPress and what he’s done about it in Confessions of a WordPress Trac Ticket Lobbyist.

“As a core developer for WordPress, I’m often asked what goes on behind the scenes. What is it like to contribute code to WordPress — a CMS used by 60 million people?” Developer Marko Heijnen shares his thoughts on contributing to WordPress.

Here are the best places to learn about WordPress (according to Elegant Themes).

WP Mayor continues its debate about the demise of the web hosting industry with a follow up to their recent post The End of The Web Hosting Industry.

Simply the Best?

(Themes and Plugins)

Here are The Best 100 Free WordPress Themes Ever, the ones we think you should try.


(Tutorials, Tips and Tricks)

Free Up WordPress Real Estate: Creating Your Own Tabbed Admin Interface (WPMU DEV).

Understanding File Permissions and Using Them to Secure Your Site (WPMU DEV).

Where To Find Quality Leads As A Web Designer (Elegant Themes).

Tools for Testing the Mobile Responsiveness of Your Site (WPEka).

Moving WordPress: Using Plugins to Move Your Site (tuts+).

How To Scan Your WordPress Site For Malware And Threats (WP Kube).

Making Developer-Friendly Themes and Plugins (WebDevStudios).

Eye Opening

(Off-Topic, Random Stuff)

Lior Frenkel, founder of The nuSchool, f@#$ing hates it when clients don’t pay. So he wrote a book about it. Have you ever wondered how a visually impaired developer works?

All the best for a thoughtful and productive Monday.

Tuesday, April 21


(WordPress News)

You would be hard-pressed to find a site not affected by the XSS vulnerability, so update your plugins right now if you haven’t already. Sucuri and the WordPress core security team have spent the past week working to address a cross-site scripting vulnerability discovered in more than a dozen popular plugins, including Jetpack, Gravity Forms and Easy Digital Downloads. The root cause is the improper use of the add_query_arg() and remove_query_arg() functions: when called without a base URL they build on the current request URI ($_SERVER['REQUEST_URI']), which the requesting client controls, and they return the result without HTML-escaping it. Inaccurate information in the WordPress Codex led many developers to assume these functions escaped their output, so the returned URL was echoed straight into markup. The fix is to escape at the point of output, wrapping the result in esc_url() (or esc_url_raw() where the URL is not going into HTML).
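To make the pattern concrete, here is the vulnerable usage beside its fix. This is an added example, not code from the article, from Sucuri, or from any of the plugins named above. The whip_example_* function names are hypothetical; add_query_arg(), remove_query_arg(), esc_url(), esc_url_raw() and wp_safe_redirect() are WordPress core functions, so the snippet runs only inside WordPress (for instance as a plugin’s admin-page callback), and the crafted request path in the comments is a constructed illustration.

```php
<?php
// Added example: the add_query_arg()/remove_query_arg() XSS pattern and its fix.
// Assumes a WordPress runtime; the whip_example_* names are hypothetical.

// With no base URL argument, add_query_arg() builds on $_SERVER['REQUEST_URI'].
// It re-encodes the query string it parses, but the path portion (including any
// PATH_INFO after admin.php) is copied through unchanged, and nothing is
// HTML-escaped. Whatever the client put in the path comes back out.

// VULNERABLE: the unescaped return value lands inside an HTML attribute.
function whip_example_vulnerable_link() {
    $url = add_query_arg( 'view', 'list' );
    echo '<a href="' . $url . '">List view</a>';
}
// A constructed request such as
//   /wp-admin/admin.php/"><script>alert(1)</script>?page=whip-example
// yields an href whose first " closes the attribute, and the script tag that
// follows is rendered as markup, i.e. reflected XSS on the admin page.

// FIXED: escape at the point of output. esc_url() strips characters that are
// not valid in a URL (including ", < and >), so the attribute cannot be broken.
function whip_example_safe_link() {
    $url = add_query_arg( 'view', 'list' );
    echo '<a href="' . esc_url( $url ) . '">List view</a>';
}

// remove_query_arg() has the same contract. For URLs that are not going into
// HTML (redirects, storage), use esc_url_raw(), which sanitizes without
// converting & and ' to entities.
function whip_example_safe_redirect() {
    $url = remove_query_arg( array( 'message', 'error' ) );
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}

// Passing an explicit base URL does not remove the need to escape: the return
// value is still raw, so the rule is the same wherever it is printed.
function whip_example_safe_link_with_base() {
    $url = add_query_arg( array( 'page' => 'whip-example', 'tab' => 'settings' ), admin_url( 'admin.php' ) );
    return '<a href="' . esc_url( $url ) . '">Settings</a>';
}
```

A rough first-pass triage across an install is `grep -rnE '(add|remove)_query_arg\(' wp-content/plugins | grep -vE 'esc_url(_raw)?\('`, which lists every call that is not wrapped on the same line; it misses wrappers applied on a later line and flags calls whose result never reaches HTML, so each hit still needs reading. Note also that esc_url() is an output escape, not a substitute for validating the values you deliberately add, and that only updating the plugins themselves removes the vulnerable code, since a core update does not touch wp-content/plugins.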

GoDaddy has acquired Elto, a marketplace for expert WordPress developers. The company originally started out as a WordPress customization service called Tweaky. According to TechCrunch, the acquisition is part of the web host’s plan to expand its resources for small businesses.

GitHub has launched a Licenses API to help open source developers license their code.

On this week’s episode of WPwatercooler, the folks discuss running a large scale website on WordPress.

And on the KitchenSinkWP podcast, host Adam Silver shares some insight into his business after a client jumped ship and ditched WordPress.

Lastly for this section, applications to host WordCamp Europe next year close this week.

Just Five Minutes


Does the Famous WordPress 5 Minute Install actually live up to its moniker? Elegant Themes attempts to find out.

“Accessibility will not force you to make a product that is ugly, boring, or cluttered. It will introduce a set of constraints to incorporate as you consider your design. These design constraints will give you new ideas to explore that will lead to better products for all of your users.” Seven things every designer needs to know about accessibility.

All it took was a simple exit-intent pop-up to help WP Site Care grow its email list by 1075%.

“Maybe I’m missing something, but I do not get that mentality. At all.” Tom McFarlin can’t quite wrap his head around some people’s aversion to product diversity.

Super Heroes

(Themes and Plugins)

On the WPMU DEV Blog, here are some great plugins for adding notes, reminders or even instructions to your dashboard and admin pages.

Rebrand and customize the backend of your site with these WordPress admin themes.

We list the best affiliate plugins for WordPress that will help bring in the cash.

Heroic Knowledge Base is a premium plugin that lets you create a knowledge base for your product or service so you can spend less time answering support tickets.

The Responsible plugin lets you test the responsiveness of your site.

Forty Winks

(Tutorials, Tips, and Tricks)

Forty Blogging Topics for WordPress Agencies (Chris Lema).

The Ultimate Guide to WordPress e-Commerce: Part 1 (Torque).

How to Audit Your Affiliate Links – Find Broken URLs in WordPress and Fix Them (WP Lift).

Eye Opening

(Off-Topic, Random Stuff)

Tuesday is the saddest day of the week on Twitter if you believe the science of happiness on social media.

All the best for a thoughtful and productive Tuesday.

Wednesday, April 22

Ambiguous Documentation

(WordPress News)

If you haven’t already, make sure you update your sites to WordPress 4.1.2 ASAP. The security release addresses the XSS vulnerability; keep in mind that a core update does not change the code shipped in plugins, so affected plugins need their own updates too. Meanwhile, news sites aren’t shying away from reporting that the vulnerability was caused by “developers struggling” with “ambiguous documentation.”

Speaking of the security scare, WP Tavern offers some great information on what to do if you buy or sell items on ThemeForest and CodeCanyon.

Facebook has abandoned its official WordPress plugin. It’s currently active on more than 200,000 websites.

And here’s the story of how 16-year-old developer Sam Berson goes to school by day and manages wpContent by night.

Brace Yourself


Brace yourself: Mobilegeddon is here. Google’s new mobile-friendly algorithm was anticipated to be the biggest algorithm shakeup in years. Torque takes a detailed look at what it’s all about.

CloudFlare or MaxCDN? WinningWP compares what each does and how they differ.

Here are the best web development tools you probably aren’t using.

WebDev Studios has put together a handy Lonely Planet-style guide to WordCamps.

Solid Foundation

(Themes and Plugins)

WP Lift has reviewed a bunch of free plugins for multi-author blogs.

Gateway is an elegant new free theme built on the Foundation framework.

Create a post style like Mashable does with Qards, DesignModo’s drag and drop theme builder.

Tweet Wheel is a free new plugin for automating the promotion of website content on Twitter.

And lastly, there’s a great round-up of plugins for mobile websites at Web Designer Depot.

On the Fly

(Tutorials, Tips, and Tricks)

Updating WordPress on the Fly with Dynamic Local Area Information (WPMU DEV).

Thoughts on an API-First WordPress (CSS Tricks).

Making Themes More WYSIWYG with the WordPress Customizer (WP Shout).

An Interface For The WordPress Settings API (Tom McFarlin).

Create a Simple CRM in WordPress: Restricting / Hiding Unused Admin Menu Items (tuts+).

Qards: How to Create a Post Story Like Mashable Does (WP Mayor).

Apple and Oranges

(Off-Topic, Random Stuff)

Elevator.js fixes those apparently awkward “scroll to top” moments the old-fashioned way.

Matt Mullenweg really loves Apple products (he thinks he’s spent in excess of $100k!) and says it’s about time there was an Apple Loyalty Program.

All the best for a thoughtful and productive Wednesday.

Thursday, April 23

Effective Immediately

(WordPress News)

There’s no escaping the Theme Customizer now – all new themes submitted to the directory are now required to include customization options using the Customizer, rather than a separate theme options panel. The changes are effective immediately.

Bob Dunn is crowdfunding in the hope of running a series of beginner workshops in Seattle on how to use WordPress. So far he’s raised $170 of his $7800 goal.

If you’re into the cute punk Wapuu logo created for WordCamp London this year, you can now buy the t-shirt from the WordPress swag store.

Envato, the company that runs ThemeForest, has warned its theme and plugin authors to update their products in light of the XSS security vulnerability.

Pagely’s latest 8 Questions series features Jennifer Bourn, WordCamp speaker and founder of Bourn Creative (who also happens to be a Lego and tacos fanatic).

Stay SaaS-sy


Why WordPress plugin developers have to start thinking SaaS (if you want to actually make some money).

LatestWP has a great article on Google’s new mobile search update, how it affects WordPress, and what you need to do about it.

Divi It Up

(Themes and Plugins)

Elegant Themes offers a sneak peek at Divi 2.4. The release will include global settings and a fluid grid.

Here’s a list of the best knowledge base themes for customer support, FAQs and wikis, according to WP Lift.

Power User

(Tutorials, Tips, and Tricks)

The Power User’s Ultimate Guide to the WordPress Admin Area (WPMU DEV).

The Importance of SSL and Why You Need It (Torque).

Extending WordPress With Custom Content Types (Smashing Magazine).

Defining An Interface For The WordPress Settings API (Part 2) (Tom McFarlin).

Comedy Quest

(Off-Topic, Random Stuff)

If you need some incentive to check off the items on your to-do list, turn your life into an RPG. And in case you forgot, Google remembers everything – everything! – you’ve ever searched for.

All the best for a thoughtful and productive Thursday.