A Week in Core – April 11, 2022

Welcome back to a new issue of Week in Core. Let’s take a look at what changed on Trac between April 4 and April 11, 2022.

  • 77 commits
  • 119 contributors
  • 38 tickets created
  • 4 tickets reopened
  • 63 tickets closed

The Core team is currently working on the next major release, WP 6.0 🛠

Ticket numbers are based on the Trac timeline for the period above. The following is a summary of commits, organized by component and/or focus.

Code changes

Administration

  • Allow floats for menu positions – #40927
  • Improved padding for pagination setting fields – #54219
  • Remove self-reference (“we”) in WordPress Admin – #46057
  • Remove term page check from ajax-response.js – #55078, #54955
  • Replace “can not” with “cannot” after [53131]
  • Replace “can not” with “cannot” after [53131] – #46057, #38913
  • Restore the correct escaping function for base64-encoded SVG icons in the admin menu – #55539
  • Revert accidental changes made to theme.json in changeset [53131]
  • Revert unwanted spaces found in theme.json after [53131]

Application Passwords

  • Use a more appropriate helper text message for super-admins – #53234

Block Editor

  • Backport the Global Styles Variations endpoint – #55505

Block Editor

  • Synchronize global styles endpoint code with Gutenberg – #55505

Build/Test Tools

  • Improve the accuracy of “fixed” Slack notifications – #54742
  • Prevent error when workflows run for new branches and tags – #54742
  • Update all 3rd party actions to their latest versions – #54725
  • Update generated CSS files after [53141] – #55559
  • Update some NPM dependencies to the latest versions – #54727
  • Bring caniuse-lite to the latest version – #51750, #55505
  • Enable React Fast Refresh for block development – #51750, #55505
  • Fix npm install on Apple Silicon – #52690
  • Update webpack to v5.x – #51750
  • Improve code comments for block supports tests – #55505

Bundled Themes

  • Twenty Twenty One: Prevent loading translation file twice – #53589
  • Twenty Twenty: Improve padding for number input type – #53115

Code Modernization

  • Rename parameters that use reserved keywords in wp-admin/includes/class-wp-posts-list-table.php – #55327
  • Rename parameters that use reserved keywords in wp-admin/includes/class-wp-site-health.php – #55327
  • Rename parameters that use reserved keywords in wp-admin/includes/class-wp-site-icon.php – #55327

Customize

  • Use correct dashicon for external links in the Additional CSS section – #55542

Docs

  • Adjust DocBlock formatting for wp_robots_*() and related functions – #54729
  • Adjust some deprecated function DocBlocks – #54729
  • Misc. docblock fixes in wp-admin/includes/mic.php, as per documentation standards – #54729

Editor

  • Add localAutosaveInterval preference to editor settings – #55505
  • Add changes for new Comments Query Loop blocks – #55505
  • Add functionality required for theme export in the site editor – #55505
  • Add missing defaultDutone changes – #55505
  • Allow registration of blocks that include assets from within a theme – #54647, #55513
  • Backport block support changes from the Gutenberg plugin – #55505
  • Fix post lock data inconsistencies – #55238
  • Limit display of tags on classic editor – #55052
  • Make block type aware of the ancestor field – #55531
  • Remove loading remote patterns from editor pages – #55505
  • Soft deprecate block supports functions – #55505
  • Update build_comment_query_vars_from_block from Gutenberg – #55505
  • Update layout handling for block supports – #55505
  • Update preload paths for post, site and widgets editors – #55505
  • Env: Revert accidental changes to the config – [53070]
  • Resolve homepage template on server-side – #55505

Embeds

  • Add YouTube shorts to the allow list – #55528

Feeds

  • Remove comment feed HTML headers when empty – #54703

Formatting

  • Avoid escaping valid XML values in esc_xml() – #55399

General

  • Add missing strong tag to some error messages – #54437

I18N

  • Add missing translator comment for application password helper text for Super Admins – #53234

Login, Registration

  • Fix coding standards errors in [53067] – #35500
  • Prevent password reset to whitespace alone – #35500

Media

  • Align username and post title in Save postbox – #55508

Networks and Sites

  • Improve cache key generation in WP_Network_Query class – #55461
  • Improve cache key generation in WP_Site_Query class – #55462
  • Increase sort options in WP_Site_Query – #55226
  • Remove duplicate cache entry – #42070

Permalinks

  • Improve settings page error messages – #53141

Plugins

  • Introduce the plugin_install_description filter – #55480
  • Update item count when plugin deleted – #55316

Posts, Post Types

  • Add object type specific registration filters – #53212
  • Make permalink fully visible on mobile – #54811

Query

Quick/Bulk Edit

  • Fix initial focus and keyboard operability – #35483
  • Fix padding in term quick edit – #35483

REST API

  • Use rest_parse_embed_param function in WP_REST_Server class – #54015
  • Fix the wrong name in the comments controller – #55505

Script loader

  • Add wp-a11y as dependency of wp-ajax-response – #55544, #42937

Taxonomy

  • Show error message for terms without a name – #47018

Toolbar

  • Add a filter to help remove site icons from toolbar for large multisite, and lazy load them by default – #54447

Upgrade/Install

  • Prevent JS bug filling new passwords – #53974, #52086

Users

  • Improve wording of the “New Admin Email Address” email – #45915
  • Prevent author changes in bulk editor on large sites – #38741
  • Use autocomplete values on user profiles – #43886, #52714

Props

Thanks to the 119 (!) people who contributed to WordPress Core on Trac last week: @SergeyBiryukov (10), @audrasjb (9), @sabernhardt (9), @peterwilsoncc (8), @costdev (7), @johnbillion (7), @justinahinon (5), @davidbaumwald (5), @poena (5), @afercia (4), @kebbet (4), @johnjamesjacoby (4), @ramonopoly (4), @jrf (4), @spacedmonkey (4), @aristath (3), @afragen (3), @oandregal (3), @chaion07 (3), @walbo (3), @timothyblynjacobs (3), @Spacedmonkey (3), @Mamaduka (3), @mukesh27 (3), @azouamauriac (2), @jsnajdr (2), @swissspidy (2), @flixos90 (2), @gziolo (2), @hellofromTonya (2), @pbearne (2), @zieleadam (2), @lkraav (2), @ajlende (2), @furi3r (2), @desrosj (2), @darerodz (2), @antonvlasenko (2), @pbiron (2), @boonebgorges (2), @ocean90 (2), @rsiddharth (1), @Cybr (1), @kirtan95 (1), @TimothyBlynJacobs (1), @welcher (1), @dd32 (1), @justinbusa (1), @jb510 (1), @tobifjellner (1), @georgestephanis (1), @danielbachhuber (1), @lenasterg (1), @konradyoast (1), @wslyhbb (1), @birgire (1), @pross (1), @youknowriad (1), @henry.wright (1), @voldemortensen (1), @antonrinas (1), @jorbin (1), @aaronrobertshaw (1), @uday17035 (1), @WraithKenny (1), @azaozz (1), @conner_bw (1), @pikamander2 (1), @talldanwp (1), @whoisnegrello (1), @fabiankaegy (1), @w33zy (1), @KProvance (1), @bookdude13 (1), @TwisterMc (1), @clonemykey (1), @mitogh (1), @cbigler (1), @brookedot (1), @bedas (1), @agepcom (1), @adi64bit (1), @joedolson (1), @johnregan3 (1), @ryokuhi (1), @Boniu91 (1), @drago239 (1), @rachelbaker (1), @barryceelen (1), @milana_cap (1), @dlh (1), @scruffian (1), @marybaum (1), @shital-patel (1), @rumpel2116 (1), @charlyox (1), @Eric3D (1), @sumitsingh (1), @wpmakenorg (1), @oakesjosh (1), @NekoJonez (1), @mehedi890 (1), @Ankit K Gupta (1), @nayana123 (1), @ugyensupport (1), @helgatheviking (1), @zodiac1978 (1), @waterfire (1), @espiat (1), @thomasplevy (1), @Synchro (1), @sebastienserre (1), @Presskopp (1), @mkox (1), @mirkolofio (1), @michelangelovandam (1), @kubiq (1), @jadpm (1), and 
@sbossarte (1).

Congrats and welcome to our 19 (!) new contributors of the week: @furi3r, @kirtan95, @wslyhbb, @whoisnegrello, @w33zy, @KProvance, @TwisterMc, @clonemykey, @agepcom, @adi64bit, @drago239, @rumpel2116, @charlyox, @Eric3D, @wpmakenorg, @waterfire, @mirkolofio, @michelangelovandam, @sbossarte ♥️

Core committers: @gziolo (20), @peterwilsoncc (19), @audrasjb (14), @sergeybiryukov (9), @desrosj (5), @joedolson (5), @spacedmonkey (3), and @youknowriad (2).

#6-0, #core, #week-in-core

Bug Scrub for Two-Factor plugin

The Two-Factor plugin is nearing a 0.8.0 release and as part of that @georgestephanis and myself have scheduled a bug scrub for Wednesday, March 23rd at 13:00 UTC in the #core-passwords Slack channel.

The primary focus of the scrub will be reviewing PRs in the milestone to see which are ready (or close enough) to be wrapped up and merged versus punted to a future release. We will also review issues in the milestone that don’t have a linked PR to see if they’re urgent enough to work on a PR versus punted to a future release. The most pressing issue is two-factor#423 given it’s already impacting, so particular focus on that and its associated PR#427 will likely be where we begin the conversation.

The most helpful thing for folks present during the scrub, or also helping asynchronously, will be testing those PRs in the milestone to ensure that they (1) resolve the root issue and (2) have no merge conflicts. Leaving a comment with your results on PRs will help dramatically.

There’s no immediate timeline for the 0.8.0 release though once we get through the bug scrub George and I will have a better sense of what work remains in getting 0.8.0 released. The sooner we can get a release out that includes a resolution for two-factor#423 the better, so thanks to all for helping!

#2fa, #two-factor

A Week in Core – November 15, 2021

Welcome back to a new issue of Week in Core. Let’s take a look at what changed on Trac between November 8 and November 15, 2021.

  • 116 commits (!)
  • 204 contributors (!)
  • 57 tickets created
  • 10 tickets reopened
  • 89 tickets closed

The Core team is currently working on the major release, WordPress 5.9 🛠

Ticket numbers are based on the Trac timeline for the period above. The following is a summary of commits, organized by component and/or focus.

Code changes

About/Help

  • Add commas to end of multi-line array items – #54357
  • Add docs links to several screens – #54357

Administration

  • Restores “Customize” menu item for non-block themes and moves for block themes – #54418

Bootstrap/Load

  • Add HTTP/3 as a valid HTTP protocol. – #54404
  • Bootstrap/Load: Check $_SERVER['SCRIPT_NAME'] exists before passing to strpos() in wp_fix_server_vars() – #54142

Build/Test Tools

  • Cache the results of PHP_CodeSniffer across workflow runs – #49783
  • Exclude plugins and non-bundled themes from PHP compatibility scans – #54425
  • Make adjustments to how Quick Draft tests confirm expected behavior – #54409
  • Mock no results remote request in WP_REST_Block_Directory_Controller::get_items() – #54420
  • Mock remote request for WP_REST_Block_Directory_Controller::get_items() – #54420
  • Mock remote request for unknown plugin in WP_REST_Plugins_Controller::create_item() – #54420
  • Restore the https URL for browserify-aes – #54337
  • Update all 3rd party GitHub actions to the latest versions – #53363
  • Change default GitHub branch to trunk – #54399
  • Update qUnit test fixtures after [52128] – #54336

Bundled Theme

  • Display required text field in core themes – #54392
  • Import Twenty Twenty-Two, the new default theme for WordPress 5.9 – #54318
  • Twenty Eleven: Improve comment form styling for required fields – #54408
  • Twenty Nineteen: Apply coding standards fix from running composer format – #54392
  • Twenty Twenty-One: Add privacy policy link to footer – #53445
  • Twenty Twenty-One: Correct default image alignment in the editor – #53809
  • Twenty Twenty-One: Prevent printing skip link focus fix when SCRIPT_DEBUG is enabled – #54429
  • Twenty Twenty-Two: Import the assets directory from GitHub – #52081
  • Twenty Twenty-Two: Import the latest changes from GitHub – #54318

Coding Standards

  • Minor alignment fix after [52058] – #52058
  • PHP Code style errors – #43700
  • PHP Code style errors – #43700
  • Rename the $gzData argument to $gz_data in WP_Http_Encoding::compatible_gzinflate() – #53359
  • Revert accidental image changes in [52171] – #54168
  • Revert unrelated change to wp_send_user_request() – #43700
  • Use strict comparison in wp-admin/includes/ms.php – #47422

Comments

  • Don’t output “cancel comment reply link” if comments aren’t threaded – #37267
  • Use get_comment_author() to retrieve the comment author name in get_comment_reply_link() – #53678

Database

  • WPDB: Capture error in wpdb::$last_error when insert fails instead of silently failing for invalid data or value too long – #37267

Docs

  • Add missing documentation for the $javascript parameter of the wp_inline_script_attributes filter – #53399
  • Avoid using “CPT” instead of “custom post type” – #53399, #54335, #54336
  • List the expected return type first in a few functions – #53399

Editor

  • Update SVN props to ignore new asset files – #54337, #53361
  • Update SVN props to ignore new asset files – #54337, #53361
  • Add documentation for the $block_editor_context parameter of the block_editor_rest_api_preload_paths hook – #52920, #53399
  • Site Editor and PHP changes from Gutenberg 10.1 – 11.9 – #54337
  • Site Editor: Load as full screen by default – #54337
  • Add Navigation Area infrastructure – #54337
  • Add block theme infrastructure – #54335
  • Add get_query_pagination_arrow function to core
  • Add public functions for interacting with global styles & settings – #54336
  • Fix fatal call to add_query_args() – #54337
  • Fix how the Site Editor is linked to – #54337
  • Fix incorrect access of ID field – #54337
  • Global Styles Rest endpoints – #54336
  • Global styles user content escaping – #54336
  • Load iframed assets in Site Editor – #54337
  • Update wordpress packages – #54337
  • Fix Linting error affecting trunk
  • Update wordpress packages – #54337
  • Update wordpress packages – #54337
  • Update block-theme-pl_PL.mo file. – #54336

Embeds

  • Conditionally enqueue wp-embed only if needed and send ready message in case script loads after post embed windows – #44632, #44306
  • Fix inclusion of wp-embed-template script and style when SCRIPT_DEBUG is disabled – #44632
  • Fix parsing of post embeds in wp_filter_oembed_result() by appending wp-embed script instead of prepending it in get_post_embed_html() – #44632

External Libraries

  • Update the regenerator-runtime package to version 0.13.9 – #54027
  • Update ‘react’ and ‘react-dom’ – #54337

General

  • Add “noopener” to wp_list_bookmarks() output – #53839
  • General: Convert wp_list_filter() into a wrapper for wp_filter_object_list() – #53988
  • General: Minor fixes to Global Style related code – #54336

HTTP API

  • Ensure value returned from 'http_allowed_safe_ports' is an array to avoid PHP 8+ TypeError fatal error – #54331
  • Introduce 'http_allowed_safe_ports' filter in wp_http_validate_url() – #54331

Internationalization

  • Add language switcher on login/registration screens – #43700
  • Add missing translation wrapper for the Global Styles post type description – #54336

Login and Registration

  • Fix failing test for “email already exists” registration error improvement – #53631
  • Improve “email already exists” registration error message – #53631
  • Improve messaging for invalid log-out nonces – #52600
  • Pass $errors parameter to registration_redirect filter – #53992
  • Wrap long usernames in login error message – #37617

Mail

  • Add wp_mail_succeeded hook to wp_mail – #53826

Media

  • Add “webp” extension to wp.media.controller.Library isImageAttachment – #53917
  • Change upload button to a file input for better e2e targeting – #54168
  • Featured image modal loads only selected image – #42937
  • Featured image modal loads only selected image – #53765
  • Refine the heuristics to exclude certain images and iframes from being lazy-loaded to improve performance – #53675, #50425
  • Revert media uploader input change in [52059] – #54168, #54411
  • Add audible notice on menu item add or remove – #53840

Options, Meta APIs

  • Correct docs for $_meta_value parameter in xxx_{$meta_type}_meta hooks – #53102

Posts, Post Types

  • Add $old_status parameter to {$new_status}_{$post->post_type} action – #36180
  • Mark the wp_global_styles post type as _builtin – #54336
  • Remove gutenberg text domain from post type strings – #54336, #54337
  • Update _edit_last meta when posts are edited in bulk – #42446

Quick/Bulk Edit

  • Disable auto-correct for slugs – #50499

REST API

  • Add /wp/v2/block-navigation-areas endpoint – #54393
  • Add batch support for posts and terms controllers – #53063
  • Expose the site icon in the REST API index – #52321
  • Introduce Menu management endpoints – #40878
  • Regenerate wp-api-generated.js after [52068] – #53063
  • Remove experimental block menu item types – #40878

Revisions

  • Introduce wp_get_post_revisions_url() to get URL for editing revisions – #39062

Taxonomy

  • Allow get_*_*_link() and edit_term_link() functions to accept a term ID, WP_Term, or term object – #50225
  • Change some static strings to registration labels – #43060
  • Clarify the taxonomy labels for customizing the field descriptions on Edit Tags screen: – #43060
  • Display update notices when adding terms – #42937
  • Document that the get_terms filter can have null for $taxonomies – #54222

Template

  • Fix “undefined index: 00” when archive month query is empty in wp_title() – #31521

Themes

  • Avoid fatal error loading admin styles when SCRIPT_DEBUG is false – #54401, #54336
  • Check both parent and child themes for a theme.json file – #54401
  • Force a scrollbar on the Themes page to prevent visual shake on hover – #53478
  • Twenty Twenty-Two is now the default theme – #54318
  • Update theme.json classes for WordPress 5.9 – #54336
  • Hide Customize from admin bar when using a block theme – #54337

Upgrade/Install

  • Deactivate the Gutenberg plugin if its version is 11.8 or lower – #54405
  • Update screen reader text counts in adminbar – #29022

Users

  • Introduce wp_list_users() function – #15145
  • Prevent infinite loop when using capability checks during determine_current_user on multisite – #53386

Widgets

  • Use isset() in WP_Widget::display_callback() to support ArrayIterator and ArrayObject – #52728
  • Wraps long widget titles in classic Widgets screen – #37451

Props

Please note that it was the most prolific week since we restarted the Week in Core blog posts last year!

Thanks to the 204 (!) people who contributed to WordPress Core on Trac last week: @hellofromTonya (28), @audrasjb (21), @sabernhardt (14), @desrosj (11), @sergeybiryukov (11), @costdev (10), @johnbillion (9), @oandregal (8), @spacedmonkey (7), @peterwilsoncc (7), @poena (6), @swissspidy (6), @afercia (6), @youknowriad (6), @noisysocks (5), @davidbaumwald (5), @hellofromtonya (4), @birgire (4), @TimothyBlynJacobs (4), @SergeyBiryukov (4), @mukesh27 (3), @Mamaduka (3), @adamsilverstein (3), @antonvlasenko (3), @aristath (3), @pento (3), @dd32 (3), @chaion07 (3), @westonruter (3), @jorbin (3), @TobiasBg (2), @chrisvanpatten (2), @joedolson (2), @soean (2), @dilipbheda (2), @manishamakhija (2), @kjellr (2), @garrett-eclipse (2), @flixos90 (2), @kafleg (2), @Clorith (2), @dlh (2), @Boniu91 (2), @justinahinon (2), @ryelle (2), @ocean90 (2), @mte90 (2), @hareesh-pillai (2), @jrf (2), @webcommsat (2), @drewapicture (2), @tobifjellner (2), @bgardner (1), @rviscomi (1), @sourav926 (1), @jonoaldersonwp (1), @azaozz (1), @briceduclos (1), @colorful-tones (1), @tweetythierry (1), @pbearne (1), @sebastianpisula (1), @aaroncampbell (1), @kapilpaul (1), @xknown (1), @chriscct7 (1), @donmhico (1), @gziolo (1), @malthert (1), @greenshady (1), @nacin (1), @rohan013 (1), @bernhard-reiter (1), @ntsekouras (1), @tw2113 (1), @Nikschavan (1), @keyur5 (1), @paaljoachim (1), @jdy68 (1), @dgwyer (1), @almendron (1), @kallookoo (1), @zieladam (1), @palmiak (1), @andraganescu (1), @dingo_d (1), @isabel_brison (1), @utz119 (1), @kadamwhite (1), @scruffian (1), @NateWr (1), @schlessera (1), @Spacedmonkey (1), @ribaricplusplus (1), @talldanwp (1), @wpscholar (1), @pgking (1), @andynick (1), @richtabor (1), @kraftbj (1), @dimadin (1), @gregrickaby (1), @ellenbauer (1), @jffng (1), @dansoschin (1), @karmatosed (1), @littlebigthing (1), @williampatton (1), @onemaggie (1), @matveb (1), @mburridge (1), @mtoensing (1), @nickcernis (1), @nielslange (1), @wparslan (1), @georgestephanis (1), 
@davidkryzaniak (1), @lukecarbis (1), @galbaras (1), @jdgrimes (1), @justindocanto (1), @kwisatz (1), @liammitchell (1), @lucasw89 (1), @nettsite (1), @dpegasusm (1), @nlpro (1), @procodewp (1), @psufan (1), @richardfoley (1), @skunkbad (1), @travisnorthcutt (1), @fpcsjames (1), @asif2bd (1), @zoiec (1), @ianhayes94 (1), @david.binda (1), @mista-flo (1), @jeffpaul (1), @bravokeyl (1), @gkloveweb (1), @hitendra-chopda (1), @ovann86 (1), @anthonyeden (1), @pankajmohale (1), @sabrib (1), @xkon (1), @dlt101 (1), @mnelson4 (1), @datainterlock (1), @anandau14 (1), @woodyhayday (1), @henrywright (1), @aadilali (1), @jeremyescott (1), @davidmosterd (1), @herregroen (1), @michelwppi (1), @kebbet (1), @iaaxpage (1), @mclaurent (1), @theMikeD (1), @paulschreiber (1), @jeremyfelt (1), @dontgo2sleep (1), @swb1192 (1), @afragen (1), @JeffPaul (1), @Collizo4sky (1), @antpb (1), @hasanuzzamanshamim (1), @jigneshnakrani (1), @sourovroy (1), @rachelbaker (1), @soniakash (1), @benitolopez (1), @danielbachhuber (1), @PieWP (1), @szaqal21 (1), @mjulian7 (1), @pputzer (1), @mamaduka (1), @karpstrucking (1), @mcjambi (1), @ashfame (1), @annezazu (1), @calebwoodbridge (1), @guillaumeturpin (1), and @timothyblynjacobs (1).

Congrats and welcome to our 36 (!!) new contributors of the week: @manishamakhija, @rviscomi, @briceduclos, @keyur5, @kallookoo, @pgking, @andynick, @dansoschin, @mburridge, @mtoensing, @nickcernis, @wparslan, @justindocanto, @kwisatz, @liammitchell, @lucasw89, @nettsite, @dpegasusm, @psufan, @skunkbad, @zoiec, @ianhayes94, @anthonyeden, @sabrib, @dlt101, @datainterlock, @woodyhayday, @aadilali, @mclaurent, @dontgo2sleep, @swb1192, @hasanuzzamanshamim, @benitolopez, @mjulian7, @mcjambi, @calebwoodbridge. ♥️

Core committers: @hellofromtonya (23), @desrosj (18), @noisysocks (14), @joedolson (12), @sergeybiryukov (8), @jorgefilipecosta (7), @davidbaumwald (6), @peterwilsoncc (5), @timothyblynjacobs (5), @westonruter (4), @johnjamesjacoby (2), @jorbin (1), @johnbillion (1), @spacedmonkey (1), @adamsilverstein (1), @ocean90 (1), @youknowriad (1), @flixos90 (1), @antpb (1), @jffng (1), and @ryelle (1).

#5-8-2, #5-9, #core, #week-in-core

A Week in Core – May 24, 2021

Welcome back to a new issue of Week in Core. Let’s take a look at what changed on Trac between May 17 and May 24, 2021.

  • 65 commits
  • 120 contributors
  • 49 tickets created
  • 9 tickets reopened
  • 64 tickets closed

Ticket numbers are based on the Trac timeline for the period above. The following is a summary of commits, organized by component and/or focus.

Code changes

Bootstrap/Load

  • Further update the language in wp-config-sample.php – #37199

Build/Test Tools

  • Use deterministic module ids in webpack for media – #53192
  • Use hashed/deterministic moduleIDs in webpack config – #53192
  • Use the new concurrency setting for GitHub Actions – #53080
  • Use assertInstanceOf() instead of assertTrue() in some tests – #52625
  • Improve PHPUnit version retrieval – #52625
  • Remove trailing commas in function calls in _wp_array_get() tests – #51461, #51720, #52625
  • Rename classes in phpunit/tests/privacy/ per the naming conventions – #52625
  • Rename some classes in phpunit/tests/theme/ per the naming conventions – #52625
  • Correct description for the Tests_Functions_wpArraySet class – #53175, #52625
  • Add missing tests for the _wp_array_get() function – #51461, #51720, #52625

Documentation

  • Some documentation and test improvements for WP_Theme_JSON and WP_Theme_JSON_Resolver classes – #52991, #53175
  • Use 3-digit, x.x.x-style semantic versioning for two _doing_it_wrong() calls – #52628
  • Include @since in register_block_type definition – #53233

Bundled Themes

  • Twenty Twenty: Hide some elements for print that are not useful in that context – #50433
  • Twenty Twenty-One: Re-add px unit to the admin bar height custom property – #52624, #52564
  • Update devDependencies for default themes – #52624
  • Twenty Twenty-One: Update devDependencies – #52624
  • Twenty Nineteen: Update theme information in the package.json file – #53196
  • Twenty Twenty: Update theme information in the package.json file – #53196
  • Twenty Twenty: Correct label attribute references to aria_label in get_search_form – #51877, #53225
  • Themes: Add an indication of whether a theme is a child theme on network admin Themes screen – #30240

Editor

  • Use the block editor context in filters that used the editor name – #52920
  • Hide the quicktags toolbar when JavaScript is disabled – #40570
  • Update color merging algorithm – #53175
  • Add Global Styles support using theme.json file – #53175
  • Remove gutenberg text domain from Query and Social Links block patterns – #53265, #53248
  • Remove unused param in get_default_block_editor_settings – #52920
  • Rename the unit test file for _wp_array_set function – #53175
  • Fix failing unit test for i18n support in theme.json – #52991
  • Remove editor type specific filters for block editor configuration – #52920
  • Rename should_load_separate_core_block_assets for consistency – #50328
  • Add Global Settings support using theme.json file – #53175
  • Extend register_block_type to accept the path file or folder with block.json – #53233
  • Update WordPress packages published for Gutenberg 10.6 – #52991
  • Update lodash to the latest version 4.17.21 – #52991
  • Add missing class WP_Block_Editor_Context – #52920
  • Extract block_editor_rest_api_preload method for use with different editor screens – #52920
  • Add missing unit tests for block_has_support – #53257, #52991
  • Updated the WordPress packages from Gutenberg 10.7.0 RC – #52991
  • Add missing unit tests for construct_wp_query_args – #53240, #52991
  • Removed useless block editor render context value – #53250
  • Block Patterns: Include the Query and Social Icons block patterns from Gutenberg 10.7.0 – #53248

Internationalization

  • Combine escaping and translation functions – #53153
  • Improve the wording of some error messages – #50382

Formatting

  • KSES: Allow calc() and var() values to be used in inline CSS – #46197, #46498
  • KSES: Remove duplicate object-position property – #52991

General/Administration

  • Avoid unnecessary calls to update_user_option() – #43339
  • Some documentation and test improvements for the _wp_array_set() – #53175, #52625
  • Add _wp_array_set function – #53175
  • Ensure consistent type for integer properties of a bookmark object – #53235
  • Ensure consistent type for integer properties of WP_Post, WP_Term, and WP_User – #53235, #52995
  • List Tables: Wrap long search terms onto a new line – #52749

Media

  • Some documentation and test improvements for the image_editor_output_format filter – #52867
  • Introduces image_editor_output_format filter for setting default MIME type of sub size image output – #52867

Menus

  • Do not auto-set locations for new menus – #52949

Plugins

  • Add support for Update URI header – #14179, #23318, #32101

Revisions

  • Add a new filter for revisions to keep by post type – #51550

Script Loader

  • Stop loading polyfills specific to Internet Explorer – #53078

Site Health

  • Make sure the submit_button() function is available in request_filesystem_credentials() – #53206
  • Skip REST tests during scheduled events – #52112

Widgets

  • Make sure WP_Widget constructor creates a correct classname value for a namespaced widget class – #44098
  • Make sure WP_Widget constructor creates a correct id_base value for a namespaced widget class – #44098

XML-RPC

  • Set HTTP status code in accordance with the spec – #52958

Props

Thanks to the 120 (!) people who contributed to WordPress Core on Trac last week:

@SergeyBiryukov (9), @youknowriad (6), @poena (5), @ntsekouras (5), @nosolosw (5), @johnbillion (5), @desrosj (4), @mukesh27 (4), @peterwilsoncc (3), @audrasjb (3), @williampatton (3), @joyously (3), @jorgefilipecosta (3), @sabernhardt (3), @Boniu91 (2), @azaozz (2), @gziolo (2), @jorbin (2), @hermpheus (2), @hellofromTonya (2), @justinahinon (2), @ocean90 (2), @hareesh-pillai (2), @chrisvanpatten (2), @timothyblynjacobs (2), @nhuja (1), @mweichert (1), @DavidAnderson (1), @meloniq (1), @miqrogroove (1), @afragen (1), @markjaquith (1), @apedog (1), @DrewAPicture (1), @markparnell (1), @JeroenReumkens (1), @design_dolphin (1), @filosofo (1), @grapplerulrich (1), @sean212 (1), @earnjam (1), @rmccue (1), @infolu (1), @dingdang (1), @jdgrimes (1), @crazycoders (1), @Ipstenu (1), @nvartolomei (1), @chriscct7 (1), @mordauk (1), @knutsp (1), @GaryJ (1), @benoitchantre (1), @TJNowell (1), @gMagicScott (1), @Otto42 (1), @mikejolley (1), @juliobox (1), @aspexi (1), @Rarst (1), @ryno267 (1), @lev0 (1), @jb510 (1), @gregorlove (1), @jamesbonham (1), @GeekStreetWP (1), @khromov (1), @georgestephanis (1), @joostdevalk (1), @damonganto (1), @dd32 (1), @davidbaumwald (1), @olafklejnstrupjensen (1), @jeremyfelt (1), @Mte90 (1), @ariskataoka (1), @kjellr (1), @Presskopp (1), @karmatosed (1), @Travel_girl (1), @helen (1), @jacklenox (1), @bradt (1), @seanchayes (1), @welcher (1), @Mista-Flo (1), @dpik (1), @Clorith (1), @lakrisgubben (1), @DeusTron (1), @obenland (1), @zkancs (1), @johnjamesjacoby (1), @jrf (1), @rogerlos (1), @dlh (1), @displaynone (1), @grantmkin (1), @aristath (1), @arkrs (1), @mcsf (1), @matveb (1), @dimadin (1), @jeremy80 (1), @kishanjasani (1), @ipulc2 (1), @sergiomdgomes (1), @Chouby (1), @dartiss (1), @TimothyBlynJacobs (1), @szaqal21 (1), @sahilmepani (1), @sumitsingh (1), @antpb (1), @mikeschroder (1), @spacedmonkey (1), @adamsilverstein (1), @schlessera (1), @swissspidy (1), and @dougwollison (1).

Congrats and welcome to our 11 (!) new contributors of the week! @jeremy80, @hermpheus, @ariskataoka, @dpik, @lakrisgubben, @DeusTron, @zkancs, @grantmkin, @arkrs, @ipulc2, and @sahilmepani. ♥️

Core committers: @sergeybiryukov (26), @gziolo (16), @desrosj (8), @youknowriad (5), @jorgefilipecosta (2), @peterwilsoncc (2), @davidbaumwald (2), @adamsilverstein (1), @antpb (1), @ryelle (1), and @clorith (1).

#5-8, #week-in-core

A Week in Core – May 17, 2021

Welcome back to a new issue of Week in Core. Let’s take a look at what changed on Trac between May 10 and May 17, 2021.

  • 28 commits
  • 90 contributors
  • 47 tickets created
  • 8 tickets reopened
  • 40 tickets closed

Ticket numbers are based on the Trac timeline for the period above. The following is a summary of commits, organized by component and/or focus.

Code changes

Bootstrap/Load

  • Have language in wp-config-sample.php better match install instructions – #37199
  • Bootstrap/Load: Strengthen language in wp-config-sample.php – #37199
  • Bootstrap/Load: Improve docs for error reporting – #41902

Build/Test Tools

  • Update several dependencies – #52624

Bundled Themes

  • Update twenty_twenty_one_password_form function to actually use a $post parameter – #53091

Coding Standards

  • Adds spacing so define() statements displayed when creating a network – #53182

Docs

  • Update documentation in wp-config-sample.php per the documentation standards – #52628
  • Update help key documentation link in REST API response – #53162
  • Miscellaneous DocBlock corrections – #52628
  • Update documentation in phpunit/includes/abstract-testcase.php per the documentation standards – #52628
  • Clarify the @since note for unlink-homepage-logo in get_custom_logo() – #51075, #52628

Editor

  • Remove editor type specific filters for block editor configuration – #52920
  • Rename should_load_separate_core_block_assets for consistency – #50328
  • Some documentation and test improvements for loading separate assets for core blocks – #50328, #52620, #53180
  • Fix regression introduced with loading separate block assets – #53180
  • Enqueue script and style assets only for blocks present on the page – #50328, #52620

External Libraries

  • Update the Requests library to version 1.8.0 – #53101

KSES

  • Allow calc() and var() values to be used in inline CSS – #46197, #46498
  • Remove duplicate object-position property – #52991

Login, Users

  • Use a monospace font to display passwords – #40275

Network and Sites

  • Display site icons in the My Sites menu – #46657

Plugins

  • Add support for Update URI header – #14179, #23318, #32101

Post Thumbnails

  • Display the “Remove featured image” link in the classic editor in red color – #45198

Posts, Post Types

  • Enable revisions for the wp_block post type – #53072

Site Health

  • Remove status text indentation – #52966
  • Improve the appearance of Site Health Status dashboard widget – #52966

Toolbar

  • Reset box-shadow on links – #40594

Props

Thanks to the 90 (!) people who contributed to WordPress Core on Trac last week:

@SergeyBiryukov (4), @dd32 (3), @desrosj (3), @rmccue (3), @audrasjb (3), @aristath (3), @jorbin (3), @sabernhardt (3), @joyously (3), @hareesh-pillai (2), @hedgefield (2), @schlessera (2), @mukesh27 (2), @hellofromTonya (2), @utz119 (1), @ryno267 (1), @benoitchantre (1), @chriscct7 (1), @monikarao (1), @robdxw (1), @florianbrinkmann (1), @kraftbj (1), @dougwollison (1), @gregorlove (1), @sasagar (1), @lev0 (1), @youknowriad (1), @TimothyBJacobs (1), @mcsf (1), @westonruter (1), @aduth (1), @johnjamesjacoby (1), @matveb (1), @joemcgill (1), @Clorith (1), @mblach (1), @afercia (1), @paulschreiber (1), @burhandodhy (1), @aspexi (1), @netweb (1), @justinahinon (1), @soulseekah (1), @ozh (1), @travisnorthcutt (1), @carlalexander (1), @skithund (1), @jrf (1), @GaryJ (1), @JeroenReumkens (1), @nhuja (1), @sean212 (1), @filosofo (1), @infolu (1), @dingdang (1), @grapplerulrich (1), @williampatton (1), @earnjam (1), @design_dolphin (1), @mweichert (1), @jamesbonham (1), @olafklejnstrupjensen (1), @displaynone (1), @poena (1), @DavidAnderson (1), @DrewAPicture (1), @markjaquith (1), @meloniq (1), @markparnell (1), @apedog (1), @mikejolley (1), @Ipstenu (1), @juliobox (1), @Rarst (1), @Otto42 (1), @gMagicScott (1), @mordauk (1), @knutsp (1), @TJNowell (1), @jb510 (1), @GeekStreetWP (1), @crazycoders (1), @miqrogroove (1), @afragen (1), @jdgrimes (1), @damonganto (1), @khromov (1), @georgestephanis (1), @joostdevalk (1), and @nvartolomei (1).

Congrats and welcome to our 18 (!!) new contributors of the week! @ryno267, @gregorlove, @sasagar, @lev0, @mblach, @aspexi, @carlalexander, @JeroenReumkens, @sean212, @infolu, @dingdang, @design_dolphin, @jamesbonham, @olafklejnstrupjensen, @displaynone, @gMagicScott, @GeekStreetWP, and @damonganto ♥️

Core committers: @sergeybiryukov (11), @desrosj (4), @gziolo (4), @jorbin (3), @davidbaumwald (2), @ryelle (2), and @clorith (1).

#5-8, #week-in-core

A Week in Core – December 7, 2020

Welcome back to a new issue of Week in Core. Let’s take a look at what changed on Trac between November 30 and December 7, 2020.

  • 17 commits
  • 54 contributors
  • 61 tickets created
  • 13 tickets reopened
  • 61 tickets closed

Ticket numbers are based on the Trac timeline for the period above. The following is a summary of commits, organized by component.

Code changes

Administration

  • Make sure row actions for recent comments in Activity dashboard widget stay visible when a single row gets focus – #51886

Application Passwords

  • Prevent conflicts when Basic Auth is already used by the site – #51939
  • Ensure the Created At and Last Used dates are properly translated – #51918
  • Return true when rate limiting a password’s last used time – #51922
  • Ensure REST API responses are properly translated – #51871

Bundled Themes

  • Twenty Twenty-One: Fix the nesting of the main element – #51944
  • Twenty Twenty-One: Sync the latest changes for 5.6 RC2 – #51526
  • Twenty Twenty-One: Use consistent HTML comments after closing HTML tags – #51950
  • Twenty Twenty-One: Use esc_url() for the WordPress.org link in footer.php – #51954

Editor

  • Update components package for WordPress 5.6 RC3 – #51923
  • Don’t unnecessarily split a translatable string in block templates – #51893

Help/About

  • Move trailing punctuation in the jQuery Migrate Helper plugin link outside of the HTML tag – #51813

Media

  • Return WP_Error when cropping with bad input to avoid fatal – #51937
  • Revert [49567]: This addresses a regression with the pagination section in Media Library no longer taking additional query filtering into account – #39968

Multisite

  • Cache absolute dirsize paths to avoid PHP 8 fatal – #51913

Upgrade/Install

  • Check $wp_version global for displaying “You are using a development version” message in the admin footer – #51892
  • Update sodium_compat to v1.14.0 – #51925

Props

Thanks to everyone who contributed to WordPress Core on Trac last week:

@SergeyBiryukov (4), @audrasjb (4), @kebbet (4), @TimothyBlynJacobs (3), @pbiron (3), @poena (3), @hellofromtonya (3), @Clorith (3), @helen (2), @adamsilverstein (2), @ocean90 (2), @tobifjellner (2), @peterwilsoncc (2), @mukesh27 (2), @allancole (1), @melchoyce (1), @ryelle (1), @felipeelia (1), @aljullu (1), @chaton666 (1), @albertomake (1), @mkaz (1), @ingereck (1), @paaljoachim (1), @luminuu (1), @sabernhardt (1), @hareesh-pillai (1), @oglekler (1), @hellofromTonya (1), @azaozz (1), @iCaleb (1), @kjellr (1), @alexstine (1), @markscottrobson (1), @janthiel (1), @chexwarrior (1), @georgestephanis (1), @marybaum (1), @Boniu91 (1), @metalandcoffee (1), @pedromendonca (1), @antpb (1), @francina (1), @fierevere (1), @afragen (1), @jrf (1), @dlh (1), @isabel_brison (1), @sarahricker (1), @kevin940726 (1), @talldanwp (1), @psmits1567 (1), @arcangelini (1) and @trepmal (1).

Core committers: @sergeybiryukov (10), @iandunn (2), @peterwilsoncc (1), @helen (1) and @desrosj (1).

#week-in-core

WordPress 5.6 Beta 4 delayed from November 10th to November 12th, 2020

During the November 4th core chat, some questions were raised about the readiness of the Core auto-update feature, scheduled to land in WordPress 5.6. Questions ranged from the implementation of it to the scope of the output desired. A separate post is coming with more information on that discussion and the planned next steps.

In order to allow some more time to refine the work done so far, WordPress 5.6 Beta 4 will be delayed from today, November 10th, to Thursday, November 12th, 2020.

At this moment, no delay is expected on the release: everyone is working to make WordPress 5.6 available on December 8th.

Thank you to @francina who helped me craft this draft. 🙂

#5-6, #auto-updates, #core-auto-updates

Application Passwords: Integration Guide

WordPress 5.6 will finally see the introduction of a new system for making authenticated requests to various WordPress APIs — Application Passwords.

The existing cookie-based authentication system is not being removed, and any custom authentication solutions provided by plugins should continue to operate normally.

For any sites using the Application Passwords feature plugin, it is recommended to deactivate the plugin after upgrading to WordPress 5.6. However, sites won’t experience any errors if the plugin remains active. The current plan is to use the plugin for future prototyping.

Application Password Format

Application Passwords are 24 characters long, generated by wp_generate_password() without the use of special characters — so they consist exclusively of upper-case, lower-case, and numeric characters. For the cryptographically curious, that comes to over 142 bits of entropy.

When presented to the user for entering into an application, they are displayed chunked for ease of use, like so:

abcd EFGH 1234 ijkl MNOP 6789

Application passwords can be used with or without the spaces — if included, spaces will just be stripped out before the password is hashed and verified.
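A client that accepts a pasted application password can apply the same format rules before sending it anywhere. The following is an added example, not WordPress code; the function names are hypothetical, and the sample password is the placeholder shown above.

```javascript
// Added example: client-side handling of the application password format
// described above. All names here are hypothetical, not WordPress APIs.

const APP_PASSWORD_LENGTH = 24; // 24 characters, per the guide
const ALPHABET_SIZE = 62;       // 26 upper-case + 26 lower-case + 10 digits

// Remove every whitespace character. The password is displayed in chunks of
// four, and pasting often adds tabs, newlines or non-breaking spaces.
function normalizeAppPassword(input) {
  return String(input).replace(/\s+/g, '');
}

// Validate the normalized value. Failure reasons report lengths and positions
// only, never the characters, so they are safe to log.
function validateAppPassword(input) {
  const value = normalizeAppPassword(input);
  if (value.length !== APP_PASSWORD_LENGTH) {
    return {
      ok: false,
      reason: `expected ${APP_PASSWORD_LENGTH} characters, got ${value.length}`,
    };
  }
  const bad = value.search(/[^A-Za-z0-9]/);
  if (bad !== -1) {
    return { ok: false, reason: `non-alphanumeric character at position ${bad + 1}` };
  }
  return { ok: true, value };
}

// Re-create the chunked display form ("abcd EFGH 1234 ...").
function chunkAppPassword(input, size = 4) {
  const value = normalizeAppPassword(input);
  return (value.match(new RegExp(`.{1,${size}}`, 'g')) || []).join(' ');
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length = APP_PASSWORD_LENGTH, alphabet = ALPHABET_SIZE) {
  return length * Math.log2(alphabet);
}
```

With the defaults, `entropyBits()` is 24 × log2(62), which matches the "over 142 bits" figure.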

Data Store

WordPress will be storing a user’s application passwords as an array in user meta, similar to how interactive login sessions (via WP_Session_Tokens) are stored already.

The WP_Application_Passwords class has all the methods for storing and retrieving records. Records include a number of attributes, including the assigned name for the application, a timestamp for when it was created, and data on their last usage such as date and IP address. Each application password is also assigned a uuid for reference, in case you’d like to build infrastructure for additional properties and store them in an alternate location.

Getting Credentials

Generating Manually

From the Edit User page, you can generate new, and view or revoke existing application passwords. The form and the list table are both fully extensible to allow for overloading to store additional data (more on this later, in “Authentication Scoping”).

The Edit User screen, after a new application password has been created.

Once a given password has been used, it will keep track of where and when it has been used – the “Last Used” column is accurate to within 24 hours (so that WordPress isn’t writing to the database on every usage — only if it’s a new day). This can be incredibly useful for identifying passwords that are no longer in use, so that they can be safely revoked.

Authorization Flow

To ensure that application password functionality is available, fire off a request to the REST API root URL, and look at the authentication key in the response data. If this key is empty, then application passwords are not available (perhaps because the request is not over https:// or it has been intentionally disabled).

If, however, response.authentication is an object with a key of application-passwords it will offer a URL to send a user to complete the authentication flow. (You could just guess at the URL, but this gives us more of the relevant information in one go, as well as confirming that application passwords are available and enabled.)

The response.authentication['application-passwords'].endpoints.authorization url will likely look something like this:

https://example.com/wp-admin/authorize-application.php

Instead of just sending the user there to generate an application password, it would then be up to the user to reliably re-enter it into your application. So instead, some additional GET parameters are accepted along with the request:

  • app_name (required) – The human readable identifier for your app. This will be the name of the generated application password, so structure it like … “WordPress Mobile App on iPhone 12” for uniqueness between multiple versions.
    Whatever name you suggest can be edited by the user if they choose before the application is created. While you can choose to not pre-populate it for the user, it is required to create a password, so they will then be forced to create their own, and could select a non-intuitive option.
  • app_id (recommended) – a UUID formatted identifier. The app_id allows for identifying instances of your application, it has no special meaning in and of itself. As a developer, you can use the app_id to locate all Application Passwords created for your application.
    In the event of a data breach, your app_id could be distributed to void credentials generated with it, or if a site wants to allow only a given app_id or set of app_ids to register, this would enable that. However, it is strictly on the honor system — there is nothing to stop applications from generating new uuids with every authorization.
  • success_url (recommended) – The URL that you’d like the user to be sent to if they approve the connection. Three GET variables will be appended when they are passed back (site_url, user_login, and password); these credentials can then be used for API calls.
    If the success_url variable is omitted, a password will be generated and displayed to the user instead, to manually enter into their application.
  • reject_url (optional) – If included, the user will get sent there if they reject the connection. If omitted, the user will be sent to the success_url, with ?success=false appended to the end.
    If the success_url is omitted, the user will just be sent to their WordPress dashboard.
A screenshot of the new Authorize Application screen in WP-Admin, as the user will see it during the authorization flow. A button is displayed to approve the connection, and one to reject the connection.

As the parameters are all passed in via GET variables, if the user needs to log in first, they will all be preserved through the redirect parameter, so the user can then continue with authorization.

It is also worth noting that the success_url and redirect_url parameters will generate an error if they use an http:// rather than https:// protocol — however other application protocols are acceptable! So if you have a myapp:// link that opens your Android, iOS / MacOS, or Windows application, those will work!

Here is an example of a simple JavaScript application (under 100 lines of code) that uses this to authenticate to a WordPress site. It is not the tidiest code, as it was created in under two hours one evening, but it goes through the proper flows and can make authenticated requests.
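Separately from the application linked above, here is an added walk-through of the same flow (not WordPress core code): discover the endpoint, build the authorization URL, read the callback, and form the Basic Auth header. The helper names, the sample index document, the app_id and the returned credentials are all constructed for illustration, and the site_url origin comparison is this example's own check.

```javascript
// Added example; the helper names are hypothetical, not WordPress APIs.

// Constructed sample of the REST API index (the response from the root URL).
const sampleIndex = {
  name: 'Example Site',
  authentication: {
    'application-passwords': {
      endpoints: {
        authorization: 'https://example.com/wp-admin/authorize-application.php',
      },
    },
  },
};

// Step 1: find the authorization endpoint. An empty `authentication` key
// means application passwords are unavailable, so return null.
function findAuthorizationEndpoint(index) {
  const url = index?.authentication?.['application-passwords']?.endpoints?.authorization;
  return typeof url === 'string' && url !== '' ? url : null;
}

// http:// return URLs generate an error; custom schemes (myapp://) are fine.
function checkReturnUrl(name, value) {
  if (new URL(value).protocol === 'http:') {
    throw new Error(`${name} must not use http://`);
  }
  return value;
}

// Step 2: build the URL the user is sent to in order to approve the app.
function buildAuthorizationUrl(endpoint, { appName, appId, successUrl, rejectUrl }) {
  if (!appName) throw new Error('app_name is required');
  const url = new URL(endpoint);
  url.searchParams.set('app_name', appName);
  if (appId) url.searchParams.set('app_id', appId);
  if (successUrl) url.searchParams.set('success_url', checkReturnUrl('success_url', successUrl));
  if (rejectUrl) url.searchParams.set('reject_url', checkReturnUrl('reject_url', rejectUrl));
  return url.toString();
}

// Step 3: read the credentials appended to success_url. Comparing site_url
// with the site the flow started on is this example's own check.
function parseApprovalCallback(callbackUrl, expectedSiteOrigin) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('success') === 'false') return { approved: false };
  const siteUrl = params.get('site_url');
  const userLogin = params.get('user_login');
  const password = params.get('password');
  if (!siteUrl || !userLogin || !password) {
    throw new Error('callback is missing site_url, user_login or password');
  }
  if (new URL(siteUrl).origin !== expectedSiteOrigin) {
    throw new Error('credentials were returned for an unexpected site');
  }
  return { approved: true, siteUrl, userLogin, password };
}

// Step 4: Basic Auth (RFC 7617) header for REST API requests over https://.
function basicAuthHeader(userLogin, password) {
  const bytes = new TextEncoder().encode(`${userLogin}:${password}`);
  return 'Basic ' + btoa(String.fromCharCode(...bytes));
}

// Constructed walk-through; the app_id and returned credentials are made up.
function runExampleFlow() {
  const endpoint = findAuthorizationEndpoint(sampleIndex);
  const authorizeUrl = buildAuthorizationUrl(endpoint, {
    appName: 'Example App on Pixel 8',
    appId: '6f1c2d3e-4b5a-4c7d-8e9f-0a1b2c3d4e5f',
    successUrl: 'myapp://authorized',
  });
  const callback = 'myapp://authorized?site_url=https%3A%2F%2Fexample.com' +
    '&user_login=alice&password=abcdEFGH1234ijklMNOP6789';
  const result = parseApprovalCallback(callback, new URL(endpoint).origin);
  return { authorizeUrl, header: basicAuthHeader(result.userLogin, result.password) };
}
```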

Programmatically through the REST API

If you have previously been using a different system to access the REST API and would prefer to switch over to using application passwords, it’s easy! You can generate yourself a new application password via a POST request to the new /wp/v2/users/me/application-passwords endpoint. Once you’ve got the new application password in the response data, you can delete any old credentials and just use the core implementation instead — but please consider using something like libsodium (which has a library bundled with WordPress already; here’s an implementation example) or Vault to store the credentials encrypted, rather than in plaintext.

Using Credentials

REST API

The credentials can be passed along to REST API requests served over https:// using Basic Auth / RFC 7617, which is nearly ubiquitous in its availability — here’s the documentation for how to use it with cURL.

For a simple command-line script example, just swap out USERNAME, PASSWORD, and HOSTNAME in this with their respective values:

curl --user "USERNAME:PASSWORD" https://HOSTNAME/wp-json/wp/v2/users?context=edit

XML-RPC API

To use a generated application password with the legacy XML-RPC API, you can just use it directly in lieu of the account’s real password.

For a simple command-line script example, again just swap out USERNAME, PASSWORD, and HOSTNAME in this with their respective values:

curl -H 'Content-Type: text/xml' -d '<methodCall><methodName>wp.getUsers</methodName><params><param><value>1</value></param><param><value>USERNAME</value></param><param><value>PASSWORD</value></param></params></methodCall>' https://HOSTNAME/xmlrpc.php

Future 🔮 APIs

The application passwords authentication scheme can also be applied to future APIs for WordPress as they become available. For example, if GraphQL or other systems are enabled in WordPress, application passwords will provide them with a solid, established authentication infrastructure to build off of out of the box.

As an example of this, with a trivial code addition identifying whether the current load is an api request, WPGraphQL will now be able to accept authenticated requests without the need of an ancillary plugin, using just the application passwords functionality that has merged into core.

Using an Application Password on wp-login.php

You can’t. 😅 The point of application passwords is that they are to be used programmatically by applications, and not by humans for interactive sessions.

Feature Availability

By default, Application Passwords is available to all users on sites served over SSL/HTTPS. This can be customized using the wp_is_application_passwords_available and wp_is_application_passwords_available_for_user filters.

For example, to completely disable Application Passwords add the following code snippet to your site.

add_filter( 'wp_is_application_passwords_available', '__return_false' );

Without SSL, it is possible for the Application Password to be seen by an attacker on your network or the network between your site and the authorized application. If you are OK with this risk, you can force availability with the following code snippet.

add_filter( 'wp_is_application_passwords_available', '__return_true' );

If desired, it is possible to restrict what users on your site can use the Application Passwords feature. For example, to restrict usage to administrator users, use the following code snippet.

function my_prefix_customize_app_password_availability(
	$available,
	$user
) {
	if ( ! user_can( $user, 'manage_options' ) ) {
		$available = false;
	}

	return $available;
}

add_filter(
	'wp_is_application_passwords_available_for_user',
	'my_prefix_customize_app_password_availability',
	10,
	2
);

Future Development

Authentication Scoping

In future versions, the expectation is to include the ability to scope a given application password to limit its access. The intention is to work on building this in plugin-land until it’s ready for a core proposal.

What might password scoping look like? Here’s some methods being considered:

  • In a multisite environment, either restrict the credentials to a subset of the user’s blogs, or restrict it to only operate in a normal “blog admin” context, and not a “network admin” context.
  • Restrict functionality to only manage content — posts, pages, comments, custom post types — and disallow infrastructure management functionality like managing plugins, themes, and users.
  • Restrict the role that credentials can allow an application to operate as. For example, an Editor may restrict a set of credentials to only operate as though they had Author or Contributor permissions.

However this is done, implementing additional functionality to enforce the principle of least privilege on an application-by-application basis is a worthwhile expansion on the included functionality.

Fine-grained Capabilities

Right now, a user’s application passwords can be managed by any user who has permission to edit_user them. The ability to customize this behavior using a new set of more fine-grained capabilities is currently planned for 5.7.

Eventually Two-Factor Authentication?

Another useful bit of application passwords is that it removes an obstacle for the inclusion of multi-factor authentication on interactive logins.

Previously, if you enabled an interactive step — whether captcha or second factor validation — on login pages, you would be in a bind with other non-interactive authentications, for example the legacy XML-RPC system. After all, if a bad actor can just brute force or use social engineering to discern the user’s password, it would be trivially usable via XML-RPC, where there is no ability to include an interactive prompt, and that functionality would need to be disabled entirely.

With that use case now being provided for via application passwords, there is additional flexibility for the normal browser-based wp-login.php system to evolve.

Further Resources

For bug reports or enhancements, open a Trac ticket in the new App Passwords component with the rest-api focus.

Props @timothyblynjacobs, @m_butcher, @desrosj, @jeffmatson, for helping to write, review, and proofread.

#5-6, #application-passwords, #authentication, #core-passwords, #dev-notes, #rest-api, #two-factor

Proposal: REST API Authentication / Application Passwords

Problem statement: no way to authenticate third-party access to REST API

Ever since the REST API infrastructure merged via #33982 and shipped in WordPress 4.4 in December 2015, it’s been gaining momentum and been used in more and more places—throughout WordPress’s admin, via plugins and themes, and enabled deep, robust interactions powering new functionality such as the Gutenberg block editor.

However, the functionality has been limited in that the only way to make authenticated requests to the API in core has been through Cookie & Nonce-based authentication—there is no good way for third-party applications to communicate with WordPress in an authenticated fashion, apart from the legacy XML-RPC API.

This has resulted in frustration for our Mobile teams especially, as they’re working to integrate Gutenberg support, which relies on the REST API. For some time they have had to store a username/password to spoof a cookie and interactive session to scrape a nonce from the wp-admin DOM, and then to use an endpoint to get it instead via [46253]. All of this is a tremendously messy and awkward usage that completely falls apart if someone uses a variant of a two-factor authentication system.

Spoofing an interactive session just to make API requests is bad form and needlessly complex.

We’d like to propose integrating Application Passwords into Core.

There have been many systems considered, including everything from multiple incarnations of OAuth, JWT, and even some solutions that are combinations of the two. Some called for a centralized app repository, some had open registration, but all were complex and none of them could build sufficient traction to come to fruition.

Broad conceptual overview of varying methods (See: WP-API/authentication#15)

A simpler alternative to Application Passwords is pure Basic Authentication, detailed in #42790. However, Application Passwords is more comprehensive, and a far superior choice for the reasons that follow.

Benefit: Ease of API Requests

Given a login and an application password, making an API request is as simple as

curl --user "USERNAME:APPLICATION_PASSWORD" -X POST -d "title=New Title" https://my.wordpress.site/wp-json/wp/v2/posts/POST_ID

It uses the standard HTTP authorization headers. Everything supports this trivially.

Benefit: Ease of Revoking Credentials

Application Passwords makes it easy to revoke any individual application password, or wholesale void all of a user’s application passwords. Application Passwords also lists the date a password was last used and the IP it was used from to help track down inactive credentials or bad actors using them from unexpected locations.

Benefit: Ease of Requesting API Credentials

While it is possible for a user to go to their user profile page and generate a new application password, for example if they are creating a command line tool for themselves, the ideal workflow looks something like this:

To request a password for your application, redirect users to:

https://example.com/wp-admin/authorize-application.php

The URL is included in the REST API index to facilitate automated discovery.

{
  "name": "Trunk",
  "authentication": {
    "application-passwords": {
      "endpoints": {
        "authorization": "http://example.com/wp-admin/authorize-application.php"
      }
    }
  }
}

and use the following GET request parameters to specify:

  • app_name (required) – The human readable identifier for your app. This will be the name of the generated application password, so structure it like … “WordPress Mobile App on iPhone 12” for uniqueness between multiple versions. If omitted, the user will be required to provide an application name.
  • success_url (recommended) – The URL that you’d like the user to be sent to if they approve the connection. Two GET variables will be appended when they are passed back (user_login and password); these credentials can then be used for API calls. If the success_url variable is omitted, a password will be generated and displayed to the user, to manually enter into your application.
  • reject_url (optional) – If included, the user will get sent there if they reject the connection. If omitted, the user will be sent to the success_url, with ?success=false appended to the end. If the success_url is omitted, the user will be sent to their WordPress dashboard.

If the user is logged out, they’ll be redirected to the WordPress Login page. After logging in, they’ll be immediately redirected back to the Authorize Application screen.

In discussions with @timothyblynjacobs we’re unsure about whether to add a state parameter (which is just stored and passed back to the application to prevent CSRF attacks). Realistically apps could just include it on their own in the success_url or a site_url parameter (which could remind the application what site the returned credentials are for). Requiring apps to pass a state parameter could encourage best practices, but we wouldn’t be able to enforce that they validate its contents.
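One way an application could carry its own state value inside success_url, as the paragraph above suggests, shown as an added example (not part of the proposal or of WordPress). The function names, the ten-minute lifetime and the callback below are assumptions made for illustration; the state also records which site the flow was started for.

```javascript
// Added example; createPendingAuthorization and completeAuthorization are
// hypothetical names. Node 18 needs the require() fallback for Web Crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const STATE_TTL_MS = 10 * 60 * 1000; // assumption: approvals finish within 10 minutes
const pendingAuthorizations = new Map(); // state -> { siteOrigin, expiresAt }

// Before redirecting: mint a random state, remember which site it belongs to,
// and carry it inside success_url so it comes back with the credentials.
function createPendingAuthorization(siteOrigin, successUrl, now = Date.now()) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  pendingAuthorizations.set(state, { siteOrigin, expiresAt: now + STATE_TTL_MS });
  const url = new URL(successUrl);
  url.searchParams.set('state', state);
  return { state, successUrl: url.toString() };
}

// On return: accept credentials only when the state is one this app issued,
// has not expired, and has not been used before.
function completeAuthorization(callbackUrl, now = Date.now()) {
  const params = new URL(callbackUrl).searchParams;
  const state = params.get('state') ?? '';
  const entry = pendingAuthorizations.get(state);
  pendingAuthorizations.delete(state); // single use, even when a check below fails
  if (!entry) throw new Error('unknown state: callback was not started by this app');
  if (now > entry.expiresAt) throw new Error('state expired');
  const userLogin = params.get('user_login');
  const password = params.get('password');
  if (!userLogin || !password) throw new Error('callback is missing credentials');
  return { siteOrigin: entry.siteOrigin, userLogin, password };
}
```

A callback that arrives without a state this application issued is dropped before its credentials are stored, which is the validation step the proposal notes WordPress itself could not enforce.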

It’s also worth noting that the success_url and reject_url are both explicitly designed that apps can pass in custom protocols for the return URLs. That is, they could set them to be wordpress://authentication so that the user’s phone automatically redirects them back from their web browser, directly into the application with the credentials appended to the query. You may have seen this previously with other applications where you “Login with Facebook” in your browser and then Facebook sends you directly back into your app. Or with how your web browser can open Zoom directly on your laptop, pre-populating the room ID and password.

Benefit: Login Security

Unlike pure basic auth that requires entering in credentials directly into the application, Application Passwords allows for an interactive authentication flow. This means that login security features like Two Factor or reCAPTCHA can continue to protect user accounts.

One of the reasons XML-RPC is so often recommended to be disabled is that it allows brute forcing users’ passwords since those additional security protections can’t be implemented. A risk of implementing pure basic auth is that sites will be forced to disable it because it can’t be interactive.

Proposed solution: merge Application Passwords to core

While there is a standalone plugin for Application Passwords that’s developed in a GitHub repo, PR#540 to WordPress-develop is the official work we’re proposing to be merged into core. The pull request is based off of the original feature plugin’s codebase. We welcome comments on this proposal post, contributions to Application Passwords itself, and even more so review and feedback on the existing merge proposal pull request.

Props to @timothyblynjacobs for help on the content of this post, @jeffpaul for help on the structure of this post, and the many many people who have contributed to the analysis behind this proposal and to Application Passwords.

#application-passwords, #authentication, #rest-api, #two-factor

Editor chat summary: 8th July, 2020

This post summarizes the weekly editor chat meeting (agenda here) held on 2020-07-08 14:00 UTC in Slack. Moderated by @get_dave.

Gutenberg 8.5.0 release

  • Gutenberg 8.5.0 was released just prior to the meeting.
  • @youknowriad highlighted:
    • Better Drag and Drop
    • Possibility to upload external images on image blocks
    • A11y: Allow disabling arrow navigation across blocks
    • Anchor support added into most static blocks

WordPress 5.5

  • With Gutenberg 8.5.0 released, the focus now shifts to getting everything ready for inclusion in WordPress 5.5.
  • @ellatrix is maintaining a project board for 5.5 of issues/PRs that need to be completed.
  • @youknowriad noted the importance of:
    • testing Gutenberg 8.5.0 with WordPress 5.5 beta 1.
    • those familiar with performance-related work, to do some monitoring and improvements.
  • @andraganescu has helpfully prepared a post which summarises the features expected to be included in WordPress 5.5.

Monthly Priorities

  • In addition to Gutenberg 8.5.0 and WordPress 5.5 the following items were highlighted as priorities for the month:
    • Full Site Editing.
    • Navigation screen and navigation block.
    • Global Styles.
    • Widget screen.
  • @michael-arestad invited feedback on Full Site Editing flows.
  • @jeffpaul raised a query about the readiness of the Block Directory for inclusion in WP 5.5:
    • are there items the team needs to help with to ensure the non-core components are ready for the 5.5 release such that the Block Directory can be considered “ready” for 5.5? (Slack conversation)
    • @tellyworth was invited to provide an update on this.

WordCamp US Contributor Day

  • @georgestephanis asked for a volunteer to be a point of contact for WordCamp US Contributor day for the Core Editor team.
  • @itsjusteileen volunteered to take on this role (Slack discussion).
  • @youknowriad suggested another “Introduction to Gutenberg contributing” workshop might be a good idea.

Task Coordination

Open Floor

Thanks to everyone who attended.

#core-editor, #core-editor-summary, #meeting-notes