Weblog Tools Collection: Anatomy Of A WordPress Release

January 4, 2010 by Jeff Chandler  

During an interesting discussion on the WordPress hackers mailing list about how to improve WordPress core development, Ryan Boren, one of the core contributors with commit access, laid out what the team tries to accomplish with each release of WordPress. I thought it would be good to bring this more into the open for those wondering what’s involved.

** Alpha **

* Collect feature ideas from ideas forum, support forums, most popular plugins, dev brainstorms, and other sources.
* #wordpress-dev meetup to decide on which features we want to commit to and set the scope of the release
* While this is going on, do some trac gardening of things that got punted from the previous release. We’re pretty bad about this sometimes, but with 3.0 Peter and I have been going through some of the backlog.
* With features decided, create “task” tickets for all features targeted for the release. Set existing “enhancement” tickets that made the cut to “task”. Start developing and submitting patches to the tickets.
* At the same time, more trac gardening on existing tickets.
* Continuous integration in trunk, committing feature work early and often. Trunk may break at times, but we’re all dogfooding the latest bits.

** Feature Freeze **

* Once all features are deemed complete via meeting on #wordpress-dev, we enter feature freeze. Sometimes we have features that aren’t quite ready that are noted as exceptions to the freeze. Everything else is put in feature freeze with the hope of driving to beta on everything else. Ideally, there would be no freeze exceptions.
* Drive to remove all beta “blocker” bugs in prep for entering the beta cycle

** Beta **

* “blocker” tickets are cleared. Beta 1 is released to kick off the public beta cycle.
* Fix bugs and start punting enhancements.
* Release Beta 2 about a week later.
* Fix bugs and start punting less severe tickets.
* Release Beta 3 a week later.
* Punt everything but blockers and fix those blockers.

** RC **

* Release RC1
* Wait x days. In the past this has been from 1 day to a week or so.
* If more bugs, release RC2. (We haven’t done this in a while).

** Final Release **

* Release it
* Monitor feedback and start collecting fixes for a maintenance release.

** Alpha **

Dion Hulse also had a good list of ideas. If you have any thoughts or ideas on how to improve core development, place them here in the comments.

Weblog Tools Collection: WordPress Search Based DOS Attack

January 1, 2010 by Jeff Chandler  

I was notified on Twitter the other day that there was a new 0 Day denial of service exploit for WordPress. When asking on Twitter if it worked, numerous people replied that the published code did work and was taking down their sites. This raised some red flags for me so I jumped into the WordPress-Dev IRC channel to figure out what was going on.

The way this denial of service attack works is that a random search string is sent to the search form of a WordPress based website. Caching plugins do not work against this because the search string is randomized. It’s quite simple but what I’ve been told is that this is not an issue for WordPress to handle. Instead, this attack should be dealt with by the webhost on a firewall level. At one point, a ticket was created by Scribu but has since been closed as won’t fix.

So at the end of the day, the best defense you have is a competent webhost that will do their part to prevent these attacks from happening. No reason to be alarmed.
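
A defender-side check for the pattern described above, as an added example that is not code from the original post or from WordPress: it scans web server access logs for clients that send many different search terms in a short window. It assumes Combined Log Format and WordPress's default `?s=` search parameter; the function names, threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_search_hit(line):
    """Return (ip, timestamp, normalized term) for a ?s= search request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if "s" not in query:  # assumption: the site uses WordPress's default ?s= search
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, query["s"][0].strip().lower()


def find_search_floods(lines, window=timedelta(seconds=60), max_distinct=20):
    """Map each flagged client IP to its peak count of distinct terms in one window.

    A cache absorbs repeats of the same search, so the signal is not request
    volume alone but how many *different* terms one client sends in a short time.
    The window and threshold are hypothetical defaults; tune them per site.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, term) pairs still inside the window
    flagged = {}
    for line in lines:
        hit = parse_search_hit(line)
        if hit is None:
            continue
        ip, ts, term = hit
        hits = recent[ip]
        hits.append((ts, term))
        while ts - hits[0][0] > window:  # drop entries older than the window
            hits.popleft()
        distinct = len({t for _, t in hits})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def constructed_sample():
    """Constructed log lines (documentation IPs): one flooding client, one visitor."""
    start = datetime(2010, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 5120 "-" "-"'

    def stamp(seconds):
        return (start + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [
        fmt.format(ip="203.0.113.7", ts=stamp(i), target=f"/?s=zz{i * 7919:06d}")
        for i in range(40)  # 40 different terms in 40 seconds
    ]
    visitor = ["/?s=plugins", "/about/", "/?s=themes", "/?s=Plugins", "/?s=themes"]
    lines += [
        fmt.format(ip="198.51.100.9", ts=stamp(10 * i), target=target)
        for i, target in enumerate(visitor)
    ]
    return lines


if __name__ == "__main__":
    for ip, peak in find_search_floods(constructed_sample()).items():
        print(f"{ip}: {peak} distinct search terms within 60s")
```

Flagged addresses are candidates for rate limiting or blocking at the web server or firewall, which is where the post says this traffic should be handled.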

Weblog Tools Collection: Best Of WLTC 2009 Part 2

December 31, 2009 by Jeff Chandler  

Part two of our best of series. While we’re looking back, feel free to post in the comments a link to what you consider to be one of the best articles about WordPress you’ve read all year. If enough submissions are received, we may just create one more best of 2009 post featuring articles submitted by you. Please do not submit links to articles on sites you own or maintain.

July:

Official WordPress Commercial Theme Directory is live
How Do You Post Content To Your Blog?
Best Method To Post Content To WordPress
Licensing is the vehicle, our users are the environment
Tips For Troubleshooting Problems With WordPress
Should I Update a Plugin if an Update is Available?
WordPress for Beginners: Publish post tips and tricks
What would you like in a WordPress Plugin?
Developing Post Ideas for Your WordPress Site
Create Private Twitter Like Site With WordPress
Why Should You Add Your Plugin to WordPress Extend?
Do you use the WordPress Codex?
Do You Use Scheduled Posts Feature In WordPress?

August:

Fare Thee Well WordPress 2.0
Use WordPress To Highlight Your Business/Portfolio
26 Places to Find Free Multimedia for Your Blog
Convert PSD Files To WordPress Themes
Notifying Unconfirmed Feedburner Email Subscribers
Download all the Competition Plugins!
The Correct Way To Report A Security Issue With WordPress
WP.me: URL Shortening Service From WordPress
Why Is Gravatar Still Not Mainstream?
10 Useful WordPress Hook Hacks
21 Great Plugins for Manage Multi-Author Blogs
Actions and Filters and Classes, Oh My!
Display Thumbnails For Related Posts in Wordpress
WordPress Stats Plug-in Review
Roles And Capabilities In Plain English

September:

¿Habla HTML?
Old WordPress version? Attack warning. Please upgrade!
WordPress For Beginners: Understanding User Roles
WordPress Cheatsheet
Are You Responsible Enough To Run WordPress?
The Best-Of Series: SEO Tools
Excellent Guide To Make Most of Your WordPress Install
Dealing With 404 Errors & Permanent Redirects In WordPress
WordPress Plugin Competition 2009 Runner Ups!
WordPress Plugin Competition 2009 Winner!
The Best-Of Series: Contact Forms
When Is A Plugin Considered A Ripoff?

October:

Inject Plugin Ideas Here ->
Do You Check Your Spam Comments? Tips to Deal With Spam.
Pinging Your Own Blog Posts? Good or Bad?
FTC says bloggers must disclose payments and freebies
Theme Authenticity Checker
Gravatar Encouragement
Using Conditional Statements In WordPress
Are Your Plugins Compatible?
Bulk Plugin Upgrades In 2.9
How Would You Leverage The WordPress Community?

November:

WordPress Warriors From Across The World
WordPress for the Desktop… Would You Use It?
The Best-Of Series: Download Managers
Darn You WordPress!!
How to Create an Author Info Section in WordPress
How Do You Do That?
Is Automattic Evil?
How to Create Micro Blogs Within WordPress
So we tried Intense Debate . . .
Google To Help Notify You Of New Updates
How To Disable Delete Post Functionality For Everyone Except Administrator
Translators – Thank You
The Geekier Side Of WordPress 2.9
Why are good plugins becoming orphans?

December:

WordPress Trademark Usage
WordPress 2.9 Packs in Loads of Features: Hands-on Review
Do You Use The Code Editor?
How Often do You Use Functions.php in Themes?
Publish The Feed Later
Is WordPress Spyware?
bbPress Lives
Assortment Of Tips For Consultants
2.9.1 Around The Corner
Trend For 2010 – Paying For Plugins
Four Great Questions

Weblog Tools Collection: Best Of WLTC 2009 Part 1

December 30, 2009 by Jeff Chandler  

Throughout the course of a year on WeblogToolsCollection.com, there is a ton of information published about WordPress, whether it be a link to something cool or a home grown guide covering a specific feature of WordPress. The purpose of this two part series is to look back at the best articles published on the site but it’s also to reflect on the achievements the software has undergone during 2009. While it’s good to keep things moving along into the future, it’s healthy to look at the past every once in a while to measure progress.

From all of us here at WLTC, we wish you a safe and happy New Year!

January:

Plugin Review: Simple:Press Forum
Great Explanation Of Community
PHPBB And WordPress
Plugin Review: Referrer Detector
Do You Post By Email?
Plugin Review: WP Greet Box
Plugin Review: WP125
Michael Pick Of WordPress.TV
Et Tu Google? Then Fail, Net Safety

February:

Plugin Review: Autoclose
Want To Buy Sandbox?
Updated WP Plugin: Where did they go from here?
Plugin Review: MailPress
Mastering WordPress Shortcodes
FeedBurner is Dead, Long Live Feedburner
Plugin Review: Yawasp
Plugin Authors, Are you making the best of Readme.txt?
Plugin Review: Post Avatar
The manual Excerpt in WordPress. What, why, how, tips and plugins

March:

Plugin Review: Improved Plugin Installation
WordPress Plugin Development Beginner’s Guide
WPLookup – Find Functions and Template Tags Fast
How to Track RSS Subscribers in a Blog Contest
Plugin Review: WP Mollom
IE 8 and WordPress
How to write a good plugin review
New WordPress Plugin: Better Search
Plugin Review: WordPress Filter
Microsoft Web Platform Featured App: WordPress
Top 10 Characteristics of a Great WordPress Plugin
Plugin Review: cSprites for WordPress
Is It Time For Kubrick To Retire?

April:

Plugin Review: Post Templates
An Introduction and a Plugin Review: Admin Links Widget
How to Highlight Search Terms with jQuery
WordPress Download Monitor Review
WordPress Add Twitter RSS Plugin Review
Automattic buys Blo.gs
Announcing Wordpress Plugin Competition 2009 (3.0)
The Hidden Gem Of WordPress
9 Ways to Make Your WordPress Blog “Smart”
BuddyPress 1.0 Has Arrived!!

May:

Smarter Theme Development
Five Tools to Increase the RSS Subscribers for your WordPress Blog
Plugins to Spruce Up Your WordPress Based Website
I am sick of splogs Copying our Content!
Need Help With That?
Theme Development Checklist
WP PluginsUsed: A Plugin Review
What Are Your Theme Standards?
Five Comment Related Plugins for WordPress
Five Image Related Plugins for your WordPress Site
What can WordPress do for you?
Five Ad Manager Plugins for WordPress

June:

WordPress Plugin Compatibility Checker
Publish Blog Posts In WordPress From Yahoo Mail
Resources To Get You Kick Started With WordPress Plugin And Theme Development
Checklist For New WordPress Installation
Killing The WordPress Bugs and Helping Out With User Problems [WordPress Community]
Should you use a Mobile WordPress Plugin?
Antivirus Plugin For WordPress
Security And Anti-spam Plugins For WordPress
How Has WordPress Changed Your {Blogging} Life?
Does It Matter If I Use 1 Plugin Or 100s Of Them?
Attention All Plugin Authors
Interviews: Matt Mullenweg – WordPress Co-Founder
Benchmarking the WordPress Admin Panel
WordPress Configuration Tricks

Weblog Tools Collection: Four Great Questions

December 29, 2009 by Jeff Chandler  

Alex Denning who is the man behind WPShout.com has published the last of a four-part series which asks notable members within the WordPress community four interesting questions. The questions are as follows.

Why WordPress?
What Would You Change In WordPress?
What Problems Currently Face The WordPress Community?
What Is The Future Of WordPress?

I had the opportunity to participate in this community survey with the question regarding the future of WordPress being my favorite. Here is what I had to say:

WordPress will continue to be used as a platform to do things that go far beyond blogging. As these projects end up in the showcase and acquire press, more people will begin to realize that WordPress is an excellent blogging tool but it’s by far not the only thing it is capable of doing. WordPress will continue to evolve as a framework or a platform that will enable these creative uses of the software. Hopefully one day, when Matt is asked what is WordPress capable of doing, his response will be, anything you can imagine.

You don’t have to concentrate on answering this question in the comments but, I am interested in what your response to that question would be.

Weblog Tools Collection: Trend For 2010 – Paying For Plugins

December 23, 2009 by Jeff Chandler  

While paying for plugins is nothing new, I’m predicting that by the end of 2010, there will be a large assortment of plugins for WordPress that will be available for purchase. As we wind down 2009, I’m already beginning to see the trend in action with at least 3 of my 31 installed plugins switching to a paid model. Each person is doing something a little different but the end result is the same. I have to pay to keep using it.

Now I don’t particularly have a problem with plugin authors charging for support or for services around the plugin but I’m seeing the plugin being bundled as part of the purchase. So in a way, you’re not only paying for the plugin, you’re paying for access to support. In most cases, the free plugin becomes dormant and I’m forced to either stick with what works until a version of WordPress is released which breaks the plugin or I pony up the cash to receive upgrades. Shopp, GravityForms and now Ajax Edit Comments each have their own repository server that enables customers to receive upgrades. This is all part of the deal.

I remember a post a year or so ago asking people what would they pay for that they currently didn’t have to. WordPress was one of the things people would pay for if it had a price tag. My question is slightly different. What if every plugin you use on your site requires you to pay money before you get access to upgrades, support, etc? Personally, I don’t mind paying for great work and I can part with my cash for three or five plugins but not for 31.

Not to put down the work of those making a business out of their plugin but something to keep in mind is that as it stands, plugins hosted in the WordPress.org plugin repository contain no price tags. However, some of them do have links, wording, and such to up-sell services or the pro version of the plugin. I don’t have a problem with that as long as the slimmed down version is not crippled to the point where it doesn’t make sense to use the lower end version.

If the authors of the plugins I use on my own site all decided to ditch the free version in favor of a paid model in order to help them make a living, that is their decision to make. However, one of the greatest assets of the WordPress plugin world is that there is an abundant amount of choices for most tasks. Some better than others.

My hope is that the WordPress plugin repository will continue to be free of pay-for plugins. This will ensure that I will always have a place to browse an assortment of free alternatives. If the plugin repository were to ever allow commercial plugins to be listed alongside free ones, I’m thinking that the commercial choices would far outweigh the free ones. I really don’t want to go down the road I traveled with Joomla where anytime I wanted to have cool functionality added to my site, I had to pay for it.

Is this a trend you also see in 2010 or do you see something else? Any thoughts on the matter?

Weblog Tools Collection: 2.9.1 Around The Corner

December 22, 2009 by Jeff Chandler  

WordPress 2.9 was released last weekend. Yesterday, I was notified that 2.9.1 is most likely around the corner due to some issues that arose because of a last-minute addition to the core of WordPress. The issues revolve around scheduled posts not firing because the cron scheduler ends up broken. The patch can be found here which is already a part of 2.9.1.

While reading the support thread, I became concerned with some of the responses that were published. For example, “How could you release an upgrade that is obviously this problem-filled?” or “WordPress should have tested 2.9 before releasing it!”. I’m not sure how many times this has to be preached to the choir but each version of WordPress is tested before its release to the public. That is what the Beta releases are for as well as the Release Candidates. WordPress 2.9 went through one release candidate version and two beta releases. In fact, before RC1 hit the public, all of the tickets assigned for that version were closed. Each version was tested by anyone who volunteered. There seems to be this notion that there are thousands of WordPress developers and they should iron out every bug before releasing software to the public. While there are hundreds of WordPress developers submitting patches here and there as well as squashing bugs, not every hosting setup can be tested. This is where the end users come in.

Dion Hulse who has been a long time contributor to the WordPress project illustrates this problem quite well in a blog post entitled WordPress, A Call To Arms. I think Dion says it best in the first paragraph which illustrates the lack of testing problem quite well.

WordPress 2.9 was just released, And several users have run into a bug. Surprising? Not really. There’s one simple reason for this, While thousands of people Test each and every WordPress release, These users are not You.

While hundreds or thousands download the betas to perform testing, the real crux of the testing comes when the “Stable” release is shipped. The stable version is installed by everyone because it’s considered to be stable, but since you now have hundreds of thousands of blogs running the software, which translates into more testing environments, you’re going to run into bugs the testers simply didn’t find. This gives the perception that the Stable release was not stable at all and therefore should have never been released. But, if the software were never released, the bug would most likely not have been found.

Please Help Out:

It’s very easy to set up a test installation of WordPress, especially since the release of Peter Westwood’s plugin called Beta Tester. While testing on a local server is a good idea, most local servers are not set up to mimic the configuration of the public web server. This is why it’s actually better to test on the same setup as your public facing site than on a local server.

Now, if you happen to come across something you believe to be a bug, please refer to this article in the Codex which contains instructions on how to report it.

Weblog Tools Collection: Why Is Gravatar Still Not Mainstream?

August 17, 2009 by Jeff Chandler  

Remember Gravatar? That service Automattic acquired back on October 18th, 2007. It’s nearing two years since the acquisition and I don’t know about you but, I don’t feel as though Gravatar has gone mainstream. Just as a refresher course, the idea behind Gravatar is to host a globally-recognized avatar that is tied to an email address. This means that using your Gravatar is as simple as using the same email address to sign up to supported services/software that you used on Gravatar.com.

Same Idea Exists Today From 2004

Doing a bit of history, Gravatar has been around since at least 2004. At least that is as far back as the Web Archive has records of it, which makes it all the more surprising that more services and software do not support it out of the box. For example, Twitter, Facebook, phpBB, all have their own way of handling avatars. No support whatsoever for the Gravatar service, even though there are numerous examples of how to implement it.

Could it be that we are really better off with each system managing avatars in their own way? Or is it the fact that most end users of various software and/or services have not spoken loudly enough to have Gravatar support built in? My request is for software developers not to ditch their own avatar management solution, but to build Gravatar support in addition to it. At least in this fashion, you could gauge how popular the use of Gravatar is to manage avatars on your software/service compared to your home grown solution, opting to use one, the other, or both.

Gravatar is now hosted under the guide of Automattic, a company that has proven with WordPress.com that they know what they’re doing when it comes to scalability and server infrastructure. Users of bbPress, WordPress.com, and the self installed version of WordPress are spoiled to have Gravatar support built right into the software. To this day, I don’t think the Gravatar idea has come to fruition which is why I’m asking you to contact the developers of your favorite software or services which has its own version of avatar management and let them know you want Gravatar support to be built in. At the very least, a mod or plugin to add the functionality to the software should suffice.

If you participate in this event, be sure to let me know the response you receive in the comments below. Also feel free to link to plugins or mods that add Gravatar support to their respective pieces of software as it would be nice to have all of that information in one place.

Weblog Tools Collection: Not So Thankless After All

August 15, 2009 by Jeff Chandler  

Back in early July, I asked the question is WordPress a thankless community? Not surprisingly, this post struck a chord with both developers and end users. The point of the article was to raise awareness that there are a number of people who give to the WordPress community and it seemed as though a large portion of the community was not stopping to at least say thank you for the contributions. In the article, I present a few different methods for showing appreciation or for giving back but too many people in the comments focused on the monetary aspect of the situation which is not what I had in mind.

In this post, I’m going to highlight a number of different ideas, comments, and blog posts that came out of the discussion.

First, we have Matt Mullenweg who shares his thoughts on the idea that WordPress is a thankless community. This was a question and answer session at WordCamp Montreal where someone in the audience must have been reading WeblogToolsCollection.com. Whoever asked Matt this question, thank you! The question was asked at 33:40.

Donnacha of WordSkill published a comment that I thought captured the essence of what I was trying to get across.

Yeah, a dollar – that’s a day’s pay for some people in this world.

One of the key points of the Open Source movement, and it is something that is a risk of being lost in this mad rush towards commercializing the WordPress eco-system, we are meant to be working together to lift up all humanity, not just privileged Westerners.

IF A PLUGIN IS WORTH A DOLLAR, surely we should be sending hundreds to the folks who contributed to the WordPress core?

… but they would laugh, possibly even be insulted, because their efforts are about something much bigger than grubbing a few lousy tips.

Thank plugin authors, link to them, credit them, try to be helpful on their forums, install WordPress for a neighbor. If they request donations, sure, buy them a beer, but don’t forget that this project used to be about something higher, and certainly don’t criticize other users who either cannot or don’t want to donate

We had a number of people write about this particular subject on their own blogs and I’d like to highlight a few posts that I think make for a great read.

Code Is Poetry
Scribu turns the tables and thanks his users
Extending thanks outside of WordPress
Thanks to all the developers, you rock!
Academic Sandbox looks at this issue from a generational point of view

I have one more link that features an idea that I have really gotten behind called Donate Friday. DonateFriday exists to socially show some love to plugin or theme authors every Friday. The way it works is you choose a theme or plugin author to donate to, place their name and a link to their plugin or theme in the tweet, and then add in the #donatefriday hashtag so that it can be tracked. I’ve participated in this event twice and it’s a cool way to not only show some love, but to spread the word of plugins you take value in. If you want to see it in action, check out the hashtag search on Twitter.

Last but not least, I wanted to point you in the direction of a Codex article which discusses how to contribute to WordPress because much of the same material can be applied to theme and plugin authors. But the most interesting part of this page is the section describing the donation of money which is what I’ll leave you with to ponder.

The WordPress Community exists because everyone takes part in some way, by giving their time, energy, and sometimes even money, because they believe in the valuable services WordPress provides. We invite you to join the community in whatever way you feel is appropriate, and giving money to WordPress Theme and Plugin authors and developers who give so freely of their creativity and expertise by offering their services for free to all WordPress users is a good place to start.

If you use a WordPress Theme or Plugin and your WordPress blog depends upon it, contact the author and find out how you can give back and support their continued efforts. It takes a lot of time and energy to create and then support their Themes and Plugins, keeping them updated as WordPress changes and bugs are found. Many take donations or appreciate it when you blog about their Plugin or Theme. Others offer their Plugins and Themes as experiential portfolios – you play with it, you like it, you hire them. Most clearly indicate how they appreciate compensation for their hard work – give back to WordPress by giving back to them.

The more the WordPress Community supports the programmers, developers, testers, and challengers, the stronger and better WordPress becomes. Sometimes that means donating money, sometimes it means saying thank you.

Just remember, every contribution counts, no matter what it looks like. It takes every one of us to make WordPress better.

Weblog Tools Collection: The Correct Way To Report A Security Issue With WordPress

August 12, 2009 by Jeff Chandler  

If you don’t know by now, WordPress 2.8.4 has hit the public and it addresses a mild but hugely annoying issue. There was no advance warning regarding the vulnerability but it was quickly patched in the core of WordPress for the next release. Unfortunately, word quickly spread and in fact, even my site WPTavern.com was affected by the problem as I received an email letting me know what my new password was even though I didn’t request one. Here are the details regarding the annoyance:

a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

Thus WordPress 2.8.4. However, there are certain ways in which to respectfully report security vulnerabilities. An article on the vulnerability published by Programmerfish.com in my opinion did more harm than good. The article discusses the vulnerability, explains how to put it in practice, then goes on to show some examples of the vulnerability in action which the author performed on sites they didn’t own. The author tries to justify his/her actions by stating that it was just a proof-of-concept. The author has taken plenty of heat from folks in the comments which I believe to be appropriate.

The Correct Way:

If you discover a security problem with WordPress, this is the correct way to go about it. If you believe you’ve found a security problem in a release of WordPress please send mail to security at the WordPress.org domain and we’ll do our best to address it as soon as possible.

It is standard practice to notify the vendor (the WordPress developers, in this case) of a security problem before publicizing so a fix can be prepared and public damage due to the vulnerability minimized.

If you would like to see this method put into practice, check out the report time line from CoreLabs, a research and development company that discovered the privileges unchecked in admin.php problem which led to the release of WordPress 2.8.1. They notified the WordPress team on June 6th of the problem. By communicating back and forth, the issue was resolved by July 8th. A day after, the new versions of WordPress and WordPress MU were released to the public to minimize damage of the exploit. In this situation, everyone wins.