WordPress News Update April 2019
  • Save

The WordPress Update: #wpdrama And Malicious Code Abound In April

Howdy, WordPress friends. We’re checking in with the latest WordPress news and updates in our April 2019 edition of The WordPress Update.

If you’re not already familiar with The WordPress Update, it’s our monthly WordPress news roundup where we share everything that’s happening in the WordPress community, as well as our thoughts on the latest stories. Then, we post it here on the blog and send it out to our newsletter subscribers.

If you want to stay on top of the latest WordPress news and make sure you get all the future versions of The WordPress Update, the best thing to do is to sign up for the newsletter.

This month, the WordPress world was filled with #wpdrama over aggressive marketing from Automattic and malicious code in a popular theme shop. Beyond that, the core team pushed back the WordPress 5.2 release date to May and GoDaddy made another acquisition in the WordPress space.

Let’s get to all the latest WordPress news from April 2019…

WordPress 5.2 release date pushed back to May 7

WordPress 5.2 was originally scheduled for release at the end of April, which would’ve made it a big feature in this edition of The WordPress Update.

However, due to the large number of open tickets, the core team has made the decision to push back the release date about a week. It’s now scheduled for release on May 7 and will bring with it:

  • A new admin interface for the Site Health project. It will be located in the Tools menu of your dashboard.
  • Block editor performance improvements, as well as additions like new blocks and block management tools (everything released up to Gutenberg 5.4 – remember, Gutenberg versions are different than WordPress core versions).
  • Fatal error recovery mode (this was supposed to be in WordPress 5.1 but got pushed back due to issues with the implementation)

Jetpack injects itself into WordPress.org search results – drama ensues

One of the biggest stories this month surrounded the popular Jetpack plugin from Automattic, the same company behind the for-profit WordPress.com site (and also heavily involved in the open-source WordPress.org project, though the two are supposed to be separate entities).

That “supposed to” is key, as this story involves what a lot of people view to be favoritism.

Ok, here’s the deal:

The Jetpack plugin has a ton of features – it does everything from contact forms to image optimization to social sharing to related posts…you get the idea.

Because there are so many features wrapped up into one plugin, a lot of people just plain don’t know what all Jetpack can do. This is made worse by the fact that Automattic has inked deals with a ton of popular hosts to pre-install Jetpack on new sites. So if someone didn’t even make the conscious decision to install Jetpack on their site, it’s not surprising that they have no idea what Jetpack actually does.

So, in what Automattic claims is just an innocent attempt to educate users, Automattic added a new feature in Jetpack 7.1 that injects Jetpack into the WordPress.org search results whenever someone searches for a feature that’s contained in the Jetpack plugin. You can see an example below:

Jetpack Search
  • Save

Now, people were upset with this for a couple of reasons:

  • It looks exactly like other search results, which is misleading to users as there’s little indication that the Jetpack listing is not an actual search result.
  • It pushes other plugins down. Plugin authors put a ton of time and effort into ranking their plugins in these results, so it’s unfair for Jetpack to just skip that and inject itself.

But what really got people upset was the fact that Jetpack included recommendations for exclusively paid features – like backups – which is a pretty clear violation of the WordPress.org rules.

Some would say that’s evidence that Automattic gets a pass at WordPress.org because of its cozy relationship (the person in charge of the plugin directory is essentially an Automattic employee).

As a result of the backlash, the Automattic team removed the mentions for paid services, but the free suggestions remain.

You can see a lot of discussion in the WP Tavern posts about this topic. I recommend starting with this one, and then there’s this one about the Jetpack team’s decision to remove the paid services.

Eric Karkovack also has some interesting thoughts on the “pollution of the WordPress dashboard”.

WooCommerce 3.6 tries to add marketplace suggestions

WooCommerce, another Automattic project, also had its own monetization drama in April.

WooCommerce 3.6 was supposed to add a feature called “Marketplace Suggestions”, which would add contextual recommendations for paid plugins to the Product data box that store owners use to add and manage products, as well as other spots, like the product listing.

You can see an example below, and WP Tavern has more on the subject:

WooCommerce Suggestions
  • Save

As with the Jetpack suggestions, people were…not happy, so to speak.

Due to the negative response, the WooCommerce team opted to remove suggestions from the product listing. The suggestions will still appear in other spots, but they also added options to completely turn them off.

Beyond the marketplace suggestions, WooCommerce 3.6 also added some new product blocks, as well as performance improvements.

The pipdig theme shop embeds malicious code in its companion plugin – even more drama ensues

April was a drama-filled month in the WordPress world, and Automattic’s aggressive marketing tactics weren’t the only thing that got play.

There was also a massive dustup with a theme shop named pipdig, who makes a variety of lifestyle and fashion WordPress themes.

Essentially, Wordfence and Jem Turner, a freelancer, discovered some extremely malicious code in the Pipdig Powerpack Plugin, which was a companion plugin to all of pipdig’s themes.

This code could be used to:

  • DDoS sites, essentially turning pipdig users’ sites into a botnet to send malicious traffic to other websites (which pipdig apparently used to target competitors)
  • Completely delete/reset a site, obliterating all that site’s data from afar

What’s worse is that pipdig seemed to deliberately mask this code, using unrelated code comments to hide the code’s true functionality.

After the discovery, pipdig denied any wrongdoing, but it’s pretty clear that what they did was intentional and malicious. Since then, they’ve been refusing to honor refunds and many pipdig customers are switching away to different themes.

For the best overall roundup of this issue, check out this detailed summary from Sarah at WP Tavern. And if you want to see how things unfolded, you can find Wordfence’s original post here, and a follow-up here.

Needless to say, if you are still using a theme from pipdig, you should look into switching ASAP.

PluginVulnerabilities.com intentionally releases 0-day WordPress plugin exploits

Ok, let’s finish out the last piece of drama from this month!

In software terms, a 0-day exploit is essentially a bug that has just been discovered. Normally, when a non-malicious entity discovers such an exploit, they discretely contact the developer so that the developer can fix the issue before it’s exploited by malicious folks. Then, once the issue is already fixed, people will often release the exploit so that the public knows what happened, but cannot be hurt by it anymore. This is called Responsible Disclosure.

That’s how it’s supposed to happen. But a service called PluginVulnerabilities.com is bucking that trend and publicly disclosing vulnerabilities in WordPress plugins right away in an act of protest against the WordPress.org support forum moderators.

This means that malicious actors have a chance to exploit the vulnerability before a developer can patch the issue.

Irrespective of any legitimate gripes against the support forum moderators, this isn’t really a good way to protest because it puts thousands of regular WordPress users at risk.

If you want to learn more, check out this WP Tavern thread. The comments are a good read because you’ll see responses from both regular folks, as well as the PluginVulnerabilities.com team.

GoDaddy acquires CoBlocks

Finally, the WordPress space continues to get even more consolidated, with GoDaddy snapping up yet another WordPress business. This time, it’s the CoBlocks project, as well as associated projects ThemeBeans and Block Gallery.

This move looks quite similar to how WP Engine acquired Array Themes/Atomic Blocks back in October 2018, and it’s quite interesting to see these big hosting giants getting into the WordPress theme and plugin space.

Because of WordPress’ popularity, this type of consolidation was bound to happen. But still, I think we all hope that WordPress can keep up its diverse and independent nature, even as huge companies are moving in.

And that wraps up all of the most important WordPress news and articles from April 2019.

Make sure to subscribe to the newsletter by using the box below. And also check back next month for all the exciting news that’s bound to drop in May.

  • Save