WordPress.org

Make WordPress Core

Recent Updates Page 4 Toggle Comment Threads | Keyboard Shortcuts

  • Mike Schroder 1:18 am on January 7, 2016 Permalink |
    Tags:   

    WordPress 4.5 Deputies 

    A few weeks ago, I put out a call for volunteers for deputies for WordPress 4.5.

    Today, I’m excited to announce two deputies:

    Mel Choyce
    WordPress Committer Mel Choyce (@melchoyce) will be a Design Deputy, with a focus on maintaining UI/UX consistency and handling design decisions throughout the release.

    Adam Silverstein
    Core contributor Adam Silverstein (@adamsilverstein) will be a release Deputy! You’ll see him around both on the make blogs and trac helping to manage the release.

    Please join me in congratulating them both, and feel free to ping any of us with release questions as 4.5 gets rolling.

     
  • Aaron Jorbin 12:17 am on January 5, 2016 Permalink |
    Tags: , 4.4.1, ,   

    4.4.1 Release Candidate 

    A Release Candidate for WordPress 4.4.1 is now available. This maintenance release is scheduled for Wednesday, January 6, but first it needs your testing. This release fixes 52 issues reported against 4.4.

    WordPress 4.4 has thus far been downloaded over 7 million times since it’s release on December 8. Please test this release candidate to ensure 4.4.1 fixes the reported issues and doesn’t introduce any new ones.

    Contributors

    A total of 36 contributors have contributed to 4.4.1:

    Compute, DvanKooten, JPr, KrissieV, SergeyBiryukov, ShinichiN, aaroncampbell, afercia, azaozz, boonebgorges, dd32, dossy, eherman24, gblsm, hnle, igmoweb, jadpm, jeff@pyebrook.com, joemcgill, johnbillion, jorbin, meitar, nacin, netweb, obenland, ocean90, pento, peterwilsoncc, redsweater, rmccue, rogerhub, salcode, smerriman, scottbrownconsulting, stephenharris, swissspidy, tharsheblows, tyxla, voldemortensen, webaware, wonderboymusic, wp-architect

    Notable Bug Fixes

    Two severe bugs have been fixed. In some cases, users with an out of date version of OpenSSL being used by PHP were unable to use the HTTP API to communicate with to communicate with some https sites. Additionally, posts that reused a slug (or a part of a slug) would be redirected.
    The polyfill for emoji support has been updated to support Unicode 8.0. This means that diversity emoji, and other new emoji like 🌮 and 🏒 are fully supported. 

    All Changes

    Most components have received at least one change. This is a list of all tickets closed, sorted by component.
    (More …)

     
  • Jen 5:49 pm on January 4, 2016 Permalink |
    Tags: annual survey,   

    2015 Contributor Survey 

    Hi core team folks! Thanks for all your hard work and contributions in 2015. Could you contribute few more minutes to fill in the 2015 contributor survey? It will help us establish some baselines around the contributor experience so that we can see how things change over time.

    **This is being posted to all the Make teams, so if you subscribe to a bunch of p2s and keep seeing this post, know that you only need to fill the survey in once, not once per team.**

    The survey is anonymous (so you can be extra honest), all questions are optional (so you can skip any that you don’t want to answer), and we’ll post some aggregate results by the end of January. It took testers 5-10 minutes to complete on average (depends how much you have to say), so I bet you could knock it out right after you read this post! 🙂

    There are two sections of the survey. The first has questions about team involvement, recognition, and event involvement, and is pretty much what you’d expect from an annual survey (which teams did you contribute to, how happy are you as a contributor, etc).

    The second section is about demographics so we can take a stab at assessing how diverse our contributor base is. All questions are optional, but the more information we have the better we can figure out what we need to improve. If there’s some information you’d rather not identify, that’s okay, but please do not provide false information or use the form to make jokes — just skip those questions.

    The survey will be open until January 15, 2016. Whether you have 5 minutes now, or 10 over lunch (or whenever), please take the 2015 contributor survey. Thanks!

     
  • Mike Schroder 10:22 pm on December 30, 2015 Permalink |
    Tags: ,   

    WordPress 4.5: What’s on your Wishlist? 

    A few weeks ago, I put out an initial call for volunteers for 4.5.

    In the spirit of the much-commented @wonderboymusic 4.4 Wishlist post, I’d like to extend the call a bit more.

    • What are you most interested in seeing in WordPress 4.5 — big, or small?
    • What are your or your users’ biggest pain points?
    • What do you see as the most important UX or performance low-hanging fruit to be solved?

    Look forward to hearing from you in the comments!

    The WordPress 4.5 kickoff chat will be next Wednesday, January 6, 2016 16:00 UTC-5.

     
    • Rami Yushuvaev 10:23 pm on December 30, 2015 Permalink | Log in to Reply

      Unifying permission error messages – https://core.trac.wordpress.org/ticket/34521

    • Patrick Daly 10:27 pm on December 30, 2015 Permalink | Log in to Reply

      Editorial Workflow…

      https://core.trac.wordpress.org/ticket/23314 – Allow published posts to be revised without being updated immediately

      https://core.trac.wordpress.org/ticket/12706 – Custom post status bugs in the admin

      • Andrew Nacin 2:54 am on January 3, 2016 Permalink | Log in to Reply

        Both great ideas. Both require a lot of careful planning, decision-making, and implementation. Proposals welcome (from everyone).

    • Mike Schinkel 10:36 pm on December 30, 2015 Permalink | Log in to Reply

      PHP7 as base requirement? 🙂

      • Michael Beckwith 10:39 pm on December 30, 2015 Permalink | Log in to Reply

        If only

      • Matt van Andel 10:50 pm on December 30, 2015 Permalink | Log in to Reply

        I’d wholeheartedly support a bump to 5.3, though.

        • Max Foundry 10:58 pm on December 30, 2015 Permalink | Log in to Reply

          Ditto and +1

        • Jeff Farthing 11:00 pm on December 30, 2015 Permalink | Log in to Reply

          This.

        • rkoller 11:02 pm on December 30, 2015 Permalink | Log in to Reply

          hm but 5.3 as well as 5.4 are already end of life. http://php.net/supported-versions.php . Wouldn’t it be a reasonable move to only support versions with an active support or at least with provided security fixes?

          • Matt van Andel 11:42 pm on December 30, 2015 Permalink | Log in to Reply

            The issue is hosting services that hold onto old versions of php far longer than they should. At this point both 5.3 and 5.4 should be supported by almost all of them precisely because they are so old. With that in mind, I think it’s time we officially bump the requirements.

            • Sybre Waaijer 4:21 pm on December 31, 2015 Permalink

              I think if WordPress would makes this call — as it’s a dominating factor on the internet — hosting providers will be sure to update ASAP to maintain good customer support and reliability. Or create i.e. specific WordPress Hosting Packages which abide to this standard.

          • Erlend Sogge Heggen 3:33 pm on January 1, 2016 Permalink | Log in to Reply

            As a gentle nudge from WordPress’ side, I think it’d be cool if WordPress installs running on EOL PHP versions (5.2, 5.3, 5.4) would show an infobar on the wp-admin.php page, just telling users something like:

            “psst! It seems like you’re using a version of PHP which is at [“end-of-life”](exampe.com/read-more). No need to worry, your WordPress install will continue to work just fine, but you might want to ask your hosting provider if they’re planning to upgrade to a newer version of PHP soon”

        • Daniele Scasciafratte 11:26 pm on December 30, 2015 Permalink | Log in to Reply

          +1

      • Ipstenu (Mika Epstein) 11:31 pm on December 30, 2015 Permalink | Log in to Reply

        Not trolling. Is there a technical reason we need to?

        • Mike Schinkel 1:02 am on December 31, 2015 Permalink | Log in to Reply

          No real reason other than performance and ability to leverage new features like null coalescing, anonymous classes, etc.

          I know it would be a non-starter for backward compatibility though. Just wishing out loud, since he asked. I guess I was really the one trolling, but hopefully not viewed in a bad way. 🙂

          • Ipstenu (Mika Epstein) 1:45 am on December 31, 2015 Permalink | Log in to Reply

            I was legit wondering if there was a feature or such I’d missed that we need 🙂

            Backcompat aside, that’ll be your driving factor. When we have a legit need for 5.4 or 7, it’ll happen 🙂

            • Terence 12:35 pm on January 3, 2016 Permalink

              How about with PHP 7 your apps see up to 2x faster performance and 50% better memory consumption than PHP 5.6, allowing you to serve more concurrent users without adding any hardware? I should have thought that PHP 7 allowing the system to execute twice as many requests per second in comparison with the PHP 5.6, was reason enough.

            • Ipstenu (Mika Epstein) 3:28 pm on January 3, 2016 Permalink

              @pubdirltd – that’s not a feature WordPress needs. It’s one users want, and I want, but it’s in no way preventing the development of WP. Which works fine on 7. So again, if someone has a technical feature of 7 that we actually NEED, I’m all ears.

              Until then, we’re only 25% of the for million sites on the Internet. It’s a lot bigger ocean than just WP.

        • J.D. Grimes 2:27 pm on December 31, 2015 Permalink | Log in to Reply

          Yes. It allows us to more easily build OO code that can take advantage of autoloading. (Technically can be done now, but autoloading can be disabled below 5.3 so there has to be a backup plan for such cases.)

          Test and build tools and Travis CI will all be moving on. Travis already dropped support for 5.2 once and only brought it back mostly for WordPress.

          Neither of these things are necessities, but the extra burden on us all for supporting 5.2 is at some point going to surpass the burden of not supporting it. Maybe we aren’t there yet but waiting another year and a half for the number of site on 5.2 to drop to ~0 probably isn’t worth it.

        • Marcel Pol 11:17 am on January 4, 2016 Permalink | Log in to Reply

          To guard the users against security issues in PHP 5.2.
          Supporting 5.2 sends the message that is is a good idea to use it. Not supporting it anymore will make hosters upgrade their PHP and its security issues.

          • Scott Kingsley Clark 11:20 am on January 4, 2016 Permalink | Log in to Reply

            Text on Requirements page currently says:

            To run WordPress we recommend your host supports:
            PHP version 5.6 or greater
            MySQL version 5.6 or greater

            There are notes further below about support for 5.2.4+ but explicitly saying it exposes your site to security vulnerabilities.

            • summoner 11:37 pm on January 18, 2016 Permalink

              Well actually even PHP 5.5 is near its EOL so i think WP 4.5 should be able to check the server’s PHP version do the following:

              • upon WP’s installation process it should prompt the user that their server uses an EOL PHP version which technically is enough but may have security issues and the user should contact the hoster
              • when an already installed WP gets updated to WP 4.5 it should display a message with a link to detailed info. Similar to cookie notification bars. I would turn it on by default so that a very large number of WP users would contact their hosters (naturally this notification must be turned off extremly easy if the hoster just does not do anything)

              Here is why:

              • most average people will just try to install WP on their own and they will not ever read the requirements page on wordpress.org. So they will not know about security concerns of EOL PHP versions until their site gets hacked…
              • WP is the most widely used CMS and hosters are actually payed to maintain their services. Hosters who have PHP 5.2, 5.3. 5.4 installed should really have their investments payed back by now by their users so they really should be able to upgrade to at least PHP 5.6 (or even to 7) both technically and financially.

              Actually you can not sell a car if you KNOW that the safety belt is not strong enough and will be torn in case of an accident. Hosters who have only EOL PHP versions available do the exactly same thing and without some pressure they will be happy to continue that while collecting some more money from their customers.

            • summoner 12:10 am on January 19, 2016 Permalink

              Sorry, need to be some more exact:
              On upgraded installations the notification bar should be displayed even on the FRONT-END. That is why i compared it to a cookie notification bar. 😉

              I know that might sound as a no go for many of you, but that is why it should be extremly easy to turn off (ex under Settings->general). Otherwise hosters simply will not react as they did not even until now.

          • Ipstenu (Mika Epstein) 4:53 pm on January 4, 2016 Permalink | Log in to Reply

            Not supporting it anymore will make hosters upgrade their PHP and its security issues.

            I disagree. I think it’ll just make the users, not the web hosts, upset that they can’t use WP for reasons they don’t understand.

          • Jonathan Hefner 10:29 pm on January 6, 2016 Permalink | Log in to Reply

            Agreed. I also think that if it is *possible* to run WordPress on an unsupported PHP version, some hosts *will* do it, regardless of the security risks. And users will likely not know any better. And when said users are compromised, it is possible they will ignorantly blame WordPress itself.

            So +1 for bumping PHP version requirement (and even enforcing it with a version check).

        • jrf 2:48 am on January 6, 2016 Permalink | Log in to Reply

          Not so much PHP7, but a technical reason case can easily be made for moving up to PHP5.4, preferably 5.5 as that would provide access to the Intl extension which will enable much improved localization and internationalization functionality as well as better utf-8 support.

      • Sisir 8:54 am on December 31, 2015 Permalink | Log in to Reply

        +1 🙂 Although I don’t see it happening. -_-

      • askoxyz 10:58 am on December 31, 2015 Permalink | Log in to Reply

        Impossible for now, but a bump in requirements would be awesome.

      • Joost Abrahams 9:53 pm on January 5, 2016 Permalink | Log in to Reply

        As end user, non coder, small blogger, wide support for PHP is priceless. No hassle, just works.

    • Ryan Kanner 10:42 pm on December 30, 2015 Permalink | Log in to Reply

      Definitely adding orderby metadata for taxonomy -> https://core.trac.wordpress.org/ticket/34996
      Also would like to see some movement on the shortcake plugin. I think it’s pretty important for the future of shortcodes.

    • sosensible 10:43 pm on December 30, 2015 Permalink | Log in to Reply

      First, LOL Mike… I like the thought but that will be a few years before it happens.

      : : Seeing in 4.5 Notes : :

      • Shortcake plugin as part of the core.
      • Complete RESTful API

      : : Biggest Pain Points : :

      • WP_Query lacks rich relational function.

      : : UX : :

      • Any feature that runs slow is bad. Most companies who extend the page editor to the front side, outside the ADMIN are painful slow. Any speed gains in this area are big wins. While I am open in spirit we should make core perform so well those slow plugins are either dropped or fixed. 🙂
    • Dave Navarro, Jr. 10:44 pm on December 30, 2015 Permalink | Log in to Reply

      When adding new plugins and themes from the repository, I’d REALLY like to have the feature back where I can sort the search results by date, last-date-updated, number-of-installs, ratings, etc… I REALLY REALLY miss that functionality.

      If I upload a plugin or theme ZIP file and the plugin/theme already exists, instead of an error messages, can I be prompted to replace the existing plugin? I have several plugins from third-parties that I get by ZIP file.

    • J.D. Grimes 10:45 pm on December 30, 2015 Permalink | Log in to Reply

      Several tickets I’d like to see action on (no particular order):

      #31281 #34114 #33472 #25137 #27770

    • Matt van Andel 10:49 pm on December 30, 2015 Permalink | Log in to Reply

      I REALLY want to get #16031 finally taken care of. I have a very comprehensive patch uploaded as of last August that does the trick admirably. The alternative is an even more substantial refactoring of the admin screens to merge handling and redirect behavior into the WP_List_Table class(es). I’m happy to work toward the latter solution if necessary, but I think the previous patch is peachy keen as-is.

    • Howdy_McGee 10:53 pm on December 30, 2015 Permalink | Log in to Reply

      I’m a developer who, when I deploy and monitor a theme, like to keep `debug.log` on so I can continually keep any active themes in tip-top shape. My **biggest** peeve is when simple conditionals throw out general `non-object` errors from core `query.php`. There’s a pretty large list which can be found on trac but it doesn’t seem to have gotten a ton of notice ( https://core.trac.wordpress.org/ticket/29660 ).

      The biggest problem is it isn’t just one error, when one of these issues happen there’s at least 4 errors together which spam my error logs like crazy and I have to really hunt down what specifically is causing the issue in my theme. It’s a trial and error process to fix what should be non-issues which I would love to see go away.

    • Pascal Birchler 10:53 pm on December 30, 2015 Permalink | Log in to Reply

      A short list of things I’d be interested in working on:

      • Notifications API — @johnbillion mentioned this first and @rmccue is interested as well. To quote John: “I’m going to kill wp_mail() and replace it with an API.”
      • Improving support options in core: Send anonymous crash reports, search help resources from inside the admin, show videos from WordPress.tv, leveraging WordPress.org as an OAuth provider, etc.
      • Embeds template improvements
      • chriscct7 11:58 pm on December 30, 2015 Permalink | Log in to Reply

        I’d love to help out with Notifications API as well

      • Michael Beckwith 1:48 am on December 31, 2015 Permalink | Log in to Reply

        There’s already early work going on to do something similar with regards to email in BuddyPress. Very exciting.

      • Peter Wilson 4:00 am on December 31, 2015 Permalink | Log in to Reply

        I can help out on embed templates, Pascal.

      • J.D. Grimes 2:27 pm on December 31, 2015 Permalink | Log in to Reply

        +1 for notification API

      • mrjarbenne 4:59 pm on January 1, 2016 Permalink | Log in to Reply

        Has there been any thought to creating embed templates for post formats? Currently text is well supported, but post formats like video and audio create an embed with the post title only. I acknowledge the difficulty in this may be that the majority of these types of of posts are embeds from other sites (YouTube, Soundcloud, etc) which creates an embed of an embed.

      • dmsnell 6:05 pm on January 4, 2016 Permalink | Log in to Reply

        After having done work with notifications at Automattic, I’d be happy to help. Please feel free to ping me in Slack 🙂

    • Aaron Brazell 10:54 pm on December 30, 2015 Permalink | Log in to Reply

      Indexing of meta tables. I’d say that postmeta and usermeta (probably now tax meta) are increasingly important for complex client deliveries

    • petermolnar 10:54 pm on December 30, 2015 Permalink | Log in to Reply

      webmentions (https://wordpress.org/plugins/webmention/) as featured plugin as a future replacement for pingback.

      • dshanske 11:06 pm on December 30, 2015 Permalink | Log in to Reply

        As someone who has contributed to that plugin, made a general nuisance of myself trying to improve trackbacks and pingbacks as well to the point that people wanted to use linkbacks again….+1 if there is such an option. I’m a mediocre programmer, but I would work on such a feature plugin with a strong lead.

        • Daniele Scasciafratte 11:27 pm on December 30, 2015 Permalink | Log in to Reply

          maybe a pingback vs webmention explanation will be improve the propose to a feature plugin.

          • dshanske 12:22 am on December 31, 2015 Permalink | Log in to Reply

            A pingback is an XML-RPC request advising that another site has linked to your site. Your site then goes back and checks the accuracy of that request. The presentation of pingbacks in WordPress, quite frankly, is lacking. The […] presentation is pretty useless.

            Webmention is an update to that, using only HTTP and x-www-form-urlencoded content. (http://indiewebcamp.com/webmention-spec).

            Now part of this goes to the idea of improving Linkbacks, which have become a spammy cesspool that people do not want to play with. But it has a lot of potential.

            In practice, sites that receive webmentions look for microformats markup(or optionally other parsed elements) and use this to render a better response. The Semantic Linkbacks plugin(https://wordpress.org/plugins/semantic-linkbacks/) does this for all types of linkbacks.

    • rkoller 10:55 pm on December 30, 2015 Permalink | Log in to Reply

      Two of my biggest pain points are summed up by Jeff Eaton in the back-end part of the toast redesign article: http://responsivewebdesign.com/toast/backend/

      • The current templates are spaghetti code and could use some sanity with something like Timber/Twig
      • WordPress is badly missing the ability of structured data. You have to use Advanced Custom fields but the content is encoded only as text in the post meta table anway.
      • petermolnar 10:58 pm on December 30, 2015 Permalink | Log in to Reply

        +1 for a Twig based “official” theme.

      • davidshq 3:59 am on December 31, 2015 Permalink | Log in to Reply

        +1 for Twig
        +1 for more ACF functionality. Maybe just buy it out, if he’s willing? 🙂

      • Scott Kingsley Clark 4:55 pm on January 3, 2016 Permalink | Log in to Reply

        Structured data registered via Fields API would be a great next step, there are also plugins that let you create tables for your post type(s) and store those custom fields in a correctly typed DB column.

        • rkoller 12:40 am on January 5, 2016 Permalink | Log in to Reply

          i agree. but wouldn’t it be a reasonable move not to rely on plugins to create tables for the post types with the correctly typed DB columns for the custom fields; instead update the core db schema for wordpress? i know it would extend the scope of the fields api project. but if the fields api would take care of the proper encoding and db storage you would ensure to have a solid, stable and especially more performant foundation for the fields api as well as wordpress in general. better to have that kind of functionality in core than in a plugin?

          • Scott Kingsley Clark 5:37 pm on January 5, 2016 Permalink | Log in to Reply

            I definitely won’t be able to tackle database structures in the Fields API project, that’s far outside of the scope and there’s plenty of debate to be had that I’d rather keep out of 🙂

            Related though, I am the lead developer of the Pods Framework, a content development framework that allows you to create new / extend content types for WP. One of the options is to create a table for your custom fields which get their own DB columns correctly typed — or have a completely custom table outside of the Posts area called an Advanced Content Type.

            I know a thing or two about this, and there’s little or no inkling that the WP core team will be heading in a direction of table manipulation or db restructuring for custom fields in the near future.

            • rkoller 11:13 pm on January 5, 2016 Permalink

              yep i am aware that it is out of the scope of the fields api project; but i wanted to bring it up again in the 4.5 wishlist discussion so maybe some wp core team members might chime in and give it a second thought. cuz if all the new field types are brought in it would be a huge step in the first place but you would still have the issue jeff eaton brought up in the article with acf at the moment: “This isn’t a problem if you’re only using custom field data when a post is loaded and displayed. If you plan to use these custom fields to handle complex relationships—connecting a post to multiple authors, say—the SQL queries to handle that data will be punishingly slow.” but i will give the pods framework a try and see how things are handled there and how it goes with acf pro at the moment. thanks for the headsup. 🙂

      • Jonathan Hefner 10:33 pm on January 6, 2016 Permalink | Log in to Reply

        A huge +1 for both points. The article you linked was very insightful. Someone else in this thread mentioned #33472, which is relevant.

    • seanbennick 11:03 pm on December 30, 2015 Permalink | Log in to Reply

      Improved image management. WordPress is not just a blog anymore, so the date organization structure doesn’t work. Adding categories and maybe even tags for images would solve a lot of issues.

      • petermolnar 11:07 pm on December 30, 2015 Permalink | Log in to Reply

        You could add custom taxonomy for attachments.

        As for the filesystem layout, I’m already moving the genarated images away from the upload directory and I’d welcome this change to WordPress itself to keep the upload dir clean.

      • davidshq 3:59 am on December 31, 2015 Permalink | Log in to Reply

        +1 The Enhanced Media Library plugin is a great place to look to see some of the missing functionality.

      • vherring 5:42 am on December 31, 2015 Permalink | Log in to Reply

        My biggest wish for WordPress is some real work be done on the media library, it’s barely adequate and the management of hundreds of photos is difficult and you absolutely have to resort to a third party to manage thousands. The average blogger has that now days.

      • szabesz 7:34 am on December 31, 2015 Permalink | Log in to Reply

        +1 for this. I should also mention that storing the actual image files in one folder or in folders generated based on the month in which they were uploaded is just not enough. We should have more options, for example: images stored in folders we want to put them into. We should be able to define our own folder structure.
        Another thing is all those resized versions of the images. Other CMS’es store them in a subfolder like “_resampled” or similar. But WordPress makes a big mess by storing them alongside the original.
        And the third thing is gallery management, which is extremely basic. There is a lot of room for improvement is this area. No wonder every week a new gallery plugins is released… Developers are trying to solve it on their own way.

      • Paal Joachim Romdahl 9:48 pm on January 1, 2016 Permalink | Log in to Reply

        A big +1 to better media management!

      • MHagemeister 9:38 am on January 2, 2016 Permalink | Log in to Reply

        That’s my biggest issue with WordPress as well at the moment. I have a huge library with tons of images and the filesystem structure is a mess. Like others have already mentioned, I’d love to keep the uploads folder clean and put all resized media in a seperate “resampled” folder (or whatever it should be called)

      • taloweb 10:44 am on January 2, 2016 Permalink | Log in to Reply

        yes +1 also for me!
        A better media manager without plugins is a must now!
        A tight relation btw posts and media items and no more html insertion (by now to find where is used an image we have to use regexp on html), a robust cache sistem without resized images with size in filenames (when you change theme it is a pain), an easy way to find unused images to clear filesystem and so on…

      • danielgoze 10:08 pm on January 4, 2016 Permalink | Log in to Reply

        +1 Fully agree. Image Categories seem like a must for a site with more than 10 items in Media. Enhanced Media Library does have some great tools.
        Some Ideas I’ve had over the years:
        • Bulk edit to apply/remove image categories.
        • Possibly breakup Media into “views” of Images, Downloads & Video (in the menu rather than the pulldown filter) so that clients can find things easier.
        • Sometimes I hide images that I don’t want the client to change in the theme or a plugin, with the new site icon tool in the customizer, I wouldn’t want the client to go in and put in a much lower res file in when they feel like it, something like a checkbox for “admin only” for any images that the site relies on.
        • Crop for any size – I’ve seen the crop for thumbnail, but sometimes one size needs just a slightly different focus (example: a person is halfway cropped and if the crop started more to the left), especially now with the responsive images.
        • Other plugins already handle this, but regenerating thumbnails, renaming actual files, replacing files with a new file, and cleaning file names as a standard feature would really be appreciated.

      • htrex 11:06 am on January 5, 2016 Permalink | Log in to Reply

        +1 yes, an enhanced media library taxonomy is really needed

      • Anthony Hortin 5:05 am on January 7, 2016 Permalink | Log in to Reply

        +1 for this. Managing a large amount of images is so cumbersome and time consuming. The images library needs the ability to create folders along with being able to drag/drop images into those folders. The current Grid/List UI also needs to be fixed. There’s two completely different workflows, depening on whether you’re loooking at the Grid view or the List view and it’s makes the UI confusing. i.e. there’s multiple screens that perform the exact same function

      • Claude Martin 12:52 pm on January 7, 2016 Permalink | Log in to Reply

        +1 Media management needs improvementS. And thanks for all

    • Jeff Farthing 11:06 pm on December 30, 2015 Permalink | Log in to Reply

    • Dave Navarro, Jr. 11:08 pm on December 30, 2015 Permalink | Log in to Reply

    • Ipstenu (Mika Epstein) 11:16 pm on December 30, 2015 Permalink | Log in to Reply

    • Daniel Bachhuber 11:17 pm on December 30, 2015 Permalink | Log in to Reply

      As a co-maintainer of the Shortcake Feature Plugin, I’d like to get Official Core Direction on shortcodes and shortcode UI before we spend too much more time on it.

    • Daniele Scasciafratte 11:25 pm on December 30, 2015 Permalink | Log in to Reply

      Add get_post filter: https://core.trac.wordpress.org/ticket/12955 the patch is ready with case study and example use
      Introduce helper function for AJAX checks: https://core.trac.wordpress.org/ticket/25669 standardize the check of is an ajax request. patch ready
      Add hook for custom post.php actions: https://core.trac.wordpress.org/ticket/27056 help the plugin developers, patch ready

    • j-falk 11:27 pm on December 30, 2015 Permalink | Log in to Reply

      My wish-list:

    • Giorgos Sarigiannidis 11:29 pm on December 30, 2015 Permalink | Log in to Reply

      My list, starting from the most feasible and moving to the most controversial / impossible to happen:

      1. Better plugin management at the WP Dashboard, taking advantage of your wordpress.org favorites collection. For example, order your favorite plugins based on those that you install more often and allow batch install and activation of multiple plugins at once.

      2. Allow (and perhaps encourage) security adjustments during WP install, like setting a login url other than wp-login.php, disable XML-RPC, disable pingbacks, disable comments etc.

      3. Adding native support for content translation.

      4. Absorb CMB2 to the core.

      5. During WP install, allow us to choose our theme between twenty-whatever and underscore_s.

      6. Add “Child plugin” support, to allow overriding a plugin’s settings the same way we do it in themes, with child themes.

    • Jon Brown 11:29 pm on December 30, 2015 Permalink | Log in to Reply

      So many things… but
      #1 land the Fields API. It’s _long long long_ over due.
      #2 Finish out the REST API.
      #3 Improvements to media management (better CORE tools for organizing and managing large asset libraries).
      #4 Improved image editing and flow. I for one didn’t really like the direction Image Flow was going, but incremental improvements would be welcome.

    • andreasnrb 12:01 am on December 31, 2015 Permalink | Log in to Reply

      #1 custom comment types

    • simonrcodrington 12:29 am on December 31, 2015 Permalink | Log in to Reply

      I’m always pretty keen for additional hooks and filters in the admin area to customize the way the UI works. For example adding new hooks into the new media modal window (https://core.trac.wordpress.org/ticket/35205)

      I’m keep to chase this up (as literally it’s just a quick edit to a few template files in core).

      Love to see more hooks and filters that give me the power to change up and extend the way WordPress does stuff.

    • davetgreen 12:34 am on December 31, 2015 Permalink | Log in to Reply

      Add a ‘Last Updated’ timestamp for each and every plugin in the list of installed plugins, so that admins can see at a glance how long it has been since an update. This way they can make an informed decision as to whether the plugin needs to be replaced by an alternative or not. The security implications of reducing the number of extremely outdated plugins are obvious. 🙂

      A nice to have would be a check carried out by WordPress that alerts the user if the plugin hasn’t been updated in X time frame: possibly 2 years as per the .org repo warning.

      I plan on working on this early in 2016 as my first WP commit proposal. 🙂

    • mbrsolution 12:49 am on December 31, 2015 Permalink | Log in to Reply

      I am sure many have asked this before or it maybe included already in the next version. I would really like the ability to upload an image or photo to the profile without using a plugin, a function and or without having to sign up to gravatar under discussion -> Avatars. …..sorry for this basic request.

      Thank you all for the great work you all put in with developing WordPress…….

    • ChokDK 1:32 am on December 31, 2015 Permalink | Log in to Reply

      I wish there was some kind of help for the “pro theme makers” so adjustment of 3/3 columns spacing/width would be easy and still responsive.
      For now, they don’t dare to make it user adjusted.

      I also wish the Soundcloud pre-picture for 1/3 columns could be resizeable instead of disappearing (as it is working now)

    • Amanda Rush 1:33 am on December 31, 2015 Permalink | Log in to Reply

      I’d like to see post formats given some serious attention. I don’t think they should be left up to theme authors without any kind of guidance as to how they should be handled, ETC. I’d be willing to work on this as I use them quite frequently.

    • KARTHOST 2:10 am on December 31, 2015 Permalink | Log in to Reply

      You asked for a Wish list here it is:

      1) Finish Rest API

      2) SIMPLE SSL Set up, example:
      In Settings
      [ x ] No HTTPS
      [ ] HTTPS Admin Only
      [ ] HTTPS Entire Site

      Make it that simple for the end user.

      3) Built in SMTP to allow site owner to set up a 3rd Party SMTP service (allow SSL Port 465 as well) and disable wp-mail.php or just use wp-mail.php (you can default to wp-mail.php, but email sending should be something related with core and have a choice as to what type service to be used.
      3a) Create email template and allow end user the ability to customize the content in the default emails WordPress install sends out and the email headers.

      Thanks for all considerations

      Roy Randolph

      • J.D. Grimes 2:30 pm on December 31, 2015 Permalink | Log in to Reply

        +1 for better SSL support. It seems like a black box to me, and I’m a dev. 🙂

      • Nico 11:08 pm on January 1, 2016 Permalink | Log in to Reply

        With HTTP/2 only working over SSL I suggest people move to HTTPS only and drop http and set their servers/move hosts if necessary for it.

        There is a useful wp-config setting `define(‘FORCE_SSL_ADMIN’, true);` with that setting it would prevent insecure admin in case of a mis-configured server. This is basically your `[ ] HTTPS Admin Only`.

        As for SSL config its pretty much a server setup thing that has nothing to to with WordPress, you setup your server to server over SSL and then switch the site URLs in the WordPress config from http to https. So I see no need for WordPress to do more then its already doing.

      • thomaswm 5:14 pm on January 2, 2016 Permalink | Log in to Reply

        +1 for simple SSL support. It will become really important now that Let’s Encrypt is handing out free SSL certificates.

        https://core.trac.wordpress.org/query?status=!closed&keywords=~https

      • nathangraham 4:56 am on January 3, 2016 Permalink | Log in to Reply

        +1 for simplifying SSL set up

    • chrishoward 2:17 am on December 31, 2015 Permalink | Log in to Reply

      • Media categories. Pleeeaasse!
      • Hooks on the post listing and post editor screens for displaying instructions or other info to users. This is especially useful for custom post types. Currently I hack into the views-edit-{cpt} and edit_form_after_title hooks, but that’s not tidy.
      • More and better use of contrast and colour in the admin UI. I know minimalism is all the rage, but that doesn’t make it good UX. e.g. The post editor meta boxes could do with stronger headers as almost every thing in the post editor is black/grey on white. The visual hierarchy of WP admin varies from minimal to too subtle.
    • Ben Hansen (ubernaut) 2:19 am on December 31, 2015 Permalink | Log in to Reply

    • Mike Schinkel 2:48 am on December 31, 2015 Permalink | Log in to Reply

      Definable Image Types and associates sizes for those types.

      Rather than have all images have all sizes, frequently is is helpful to design a `’hero’` as having one set of sizes and a `featured-story` as another set of sizes and so on.

      • Andrew Nacin 11:49 pm on January 1, 2016 Permalink | Log in to Reply

        I’ve always liked this in theory, but I’m not sure how you’d auto-magically choose which image gets which treatment. (Beyond say featured image, which has its own UI.)

        I’d be more inclined to spend time to make it so WordPress creates crops only when we need them, and not on upload. We could create a thumbnail and a silver master that is a bit smaller and thus easier to work with from the original, and then generate crops when we need them. (We can even fake non-proportional crop previews using canvas or something else.) This is something we’ve talked about extensively, and notably, @mikeschroder happened to be one of the people who instigated those conversations (and who shepherded WP_Image_Editor into core).

        • heintore 3:00 pm on January 5, 2016 Permalink | Log in to Reply

          @nacin – we’re using the OTF Regenerate Thumbnails plugin extensively on our clients’ sites. It works exactly as advertised by generating images on the fly. No custom functions needed, all calls to the_post_thumbnail and other thumbnail functions are handled automatically.

          There may be plenty of reasons why this particular approach is a terrible solution for WordPress core, but I’m much preferring this plugin over how WordPress handles crops now 🙂

          https://wordpress.org/plugins/otf-regenerate-thumbnails/

      • Joe McGill 9:46 pm on January 2, 2016 Permalink | Log in to Reply

        I’ve thought about having a custom image size created when an image is added as a featured image to a specific post type. Maybe something like that could work?

      • Brad Touesnard 12:38 pm on January 7, 2016 Permalink | Log in to Reply

        +1

        #11895 is related to this and I suggested the same solution:

        > I think there is certainly a need for a “treatments” concept that is independent of size though. For example, it’s pretty common to want to crop a photo a certain way for display on a listing page (e.g. post archive page) but display the uncropped version on the detail page (e.g. single post page). I’m guessing that was the original intention of the “Apply changes to:” feature, but it never really hit the mark.

    • dryanpress 3:13 am on December 31, 2015 Permalink | Log in to Reply

      • SVG Dashicons
      • Update on direction of shortcodes in core and Shortcake
      • WP Admin Toolbar Improvements (https://core.trac.wordpress.org/ticket/32678). Proposed i10 changes look great, love increased negative space, but even fewer sites would be listed in view. A live search and list of recently updated and/or pinned sites would go a long way in moderate and large networks.
      • Native multiple authors for Posts. Co-Authors-Plus may add this in plugin territory, but subsequent integration into a theme requires complicated overriding or child theming. Giving non-developers the ability to add multiple authors on Posts, Books, Report Chapters, Music Videos, etc is important.
    • Peter Wilson 4:08 am on December 31, 2015 Permalink | Log in to Reply

      My wish list/hobby horses:

      • #35206 to control white space in menus, as a follow up to #27762 in 4.4 and later reverted.
      • #32793 to combine jQuery and jQuery migrate and reduce HTTP requests.

      Otherwise, some of the tickets around HTTP2 would be lovely to get in.

    • WP Sites - Brad Dalton 7:11 am on December 31, 2015 Permalink | Log in to Reply

      1. I’d like to be able to wrap opening and closing php tags in code tags using the text editor and 2. link gallery images.

    • Marius (Clorith) 7:39 am on December 31, 2015 Permalink | Log in to Reply

      I’d love to see some kind of merge between #20578 (the option to not trigger `uninstall.php`) and #9757 (better handling of uploads when the theme/plugin exists).

      As it stands it’s painful having to change to a different theme to update a custom theme. The process was made slightly better by core remembering widgets, but you still need to change the look of your site for a period of time while uploading and re-configuring and it is a terrible user experience.

      Of course, premium themes often leverage some filters to apply updates, but imagine the sites that run old premium stuff that are avoiding updating because it’s a tedious process, and the presumably large amount of them that don’t have this filter interaction any way.

    • Rian Rietveld 7:51 am on December 31, 2015 Permalink | Log in to Reply

      The Accessibility team focusses for this release on:

      • Make the colors of the default Admin scheme conform to WCAG 2 AA (tickets are labeled #a11y-color)
      • Remove title attributes from links
      • Improve the accessibility of the customizer (for keyboard only, screen readers and for color contrast)

      Help with this is very welcome.

    • leemon 8:22 am on December 31, 2015 Permalink | Log in to Reply

      https://core.trac.wordpress.org/ticket/9777: Usability : add delete button to edit-tags.php
      https://core.trac.wordpress.org/ticket/20901: Taxonomy descriptions should be TinyMCE editable
      https://core.trac.wordpress.org/ticket/23421: Add sortable to taxonomy column
      https://core.trac.wordpress.org/ticket/14877: Ability to create exclusive custom taxonomies
      https://core.trac.wordpress.org/ticket/22938: Presentation of hierarchical taxonomy in Media modal should be checkboxes rather than comma-separated tag list
      https://core.trac.wordpress.org/ticket/21165: Make categories widget work with custom taxonomies
      https://core.trac.wordpress.org/ticket/5034: Impossible to have duplicate category slugs with different parents
      https://core.trac.wordpress.org/ticket/32378: Image Uploads automatically puts “Olympus Digital Camera” as caption
      https://core.trac.wordpress.org/ticket/32101: Ability to mark plugin as unmanaged
      https://core.trac.wordpress.org/ticket/22355: Template stack – Beyond parent/child theme relationships
      https://core.trac.wordpress.org/ticket/33407: Theme tags overhaul
      https://core.trac.wordpress.org/ticket/19627: Themes should be able to opt-in to a static front page
      https://core.trac.wordpress.org/ticket/22942: Remove Post by Email
      https://core.trac.wordpress.org/ticket/22363: Accents in attachment filenames should be sanitized
      https://core.trac.wordpress.org/ticket/12718: Better structure for admin menu

    • Sisir 8:32 am on December 31, 2015 Permalink | Log in to Reply

      I would love to see my reported bugs are resolved 🙂

      1. https://core.trac.wordpress.org/ticket/24990
      2. https://core.trac.wordpress.org/ticket/35216
      3. https://core.trac.wordpress.org/ticket/32920

      I don’t have #slack account. Never got my invitation. #2 is most critical if not all 😀

    • Martin Stehle 11:09 am on December 31, 2015 Permalink | Log in to Reply

      Please make Google Fonts in the backend and Emojis available only by activated checkboxes. Both features are on by default and generates dispensable traffic.

      More about the Google Fonts issue at ticket https://core.trac.wordpress.org/ticket/26072

      • askoxyz 11:17 am on December 31, 2015 Permalink | Log in to Reply

        +1

      • petermolnar 12:23 pm on December 31, 2015 Permalink | Log in to Reply

        YES, PLEASE.
        ( And that same for EVERY feature that is addon-level, like embed )

      • Last Rose Studios 3:43 pm on January 4, 2016 Permalink | Log in to Reply

        +1 Get rid of emojis – the fact that there area bunch of plugins and how-tos on how to remove them should be a clear indication that people don’t want them. There is no reason something like that should be in the core. At the very least, make it optional (activated only by checkbox).

    • Martin Stehle 11:25 am on December 31, 2015 Permalink | Log in to Reply

      Please make tags hierarchical like categories

    • Gerard Canters 12:20 pm on December 31, 2015 Permalink | Log in to Reply

      RFC:

      WP 4.3 accepted shortcodes with a tag containing a space, WP 4.4 does not. Also, you don’t get an error message or indication.
      Suggest to have add_shortcode funtion return a true result or an error-indication.
      In general should all functions return a true result or error.

    • benoitchantre 1:26 pm on December 31, 2015 Permalink | Log in to Reply

      I would like to see responsive image header and a drag and drop UI to reorder pages and custom post types.

    • Andrea Fercia 1:45 pm on December 31, 2015 Permalink | Log in to Reply

      1) Settings API: get rid of the tables and UI/accessibility improvements
      https://core.trac.wordpress.org/ticket/18801
      https://core.trac.wordpress.org/ticket/16413

      2) Re-think `$content_width`
      We’re in a “responsive era”, maybe re-think the whole idea of `$content_width` ? Some comments collected in the past months:
      https://core.trac.wordpress.org/ticket/21256#comment:25
      https://core.trac.wordpress.org/ticket/23863#comment:10
      https://github.com/Automattic/_s/issues/100#issuecomment-40746610
      https://irclogs.wordpress.org/chanlog.php?channel=wordpress-dev&day=2013-04-11&sort=asc#m593089

      3) Add a “typography” focus on Trac 🙂

      • Nico 11:20 pm on January 1, 2016 Permalink | Log in to Reply

        Totally agree with $content_width. I always hated that thing, even when not thinking about responsiveness.

      • robertwhitis 8:15 am on January 4, 2016 Permalink | Log in to Reply

        Along the lines of eliminating tables, the admin CSS classes need support for columns. An example would be the use of a jQuery repeater for a row of fields. There’s not really any built in support for a go-to way to handle columns currently that I am aware of.

      • Ahmad Awais 5:40 pm on January 4, 2016 Permalink | Log in to Reply

        +1 for #2.

    • tomdxw 2:21 pm on December 31, 2015 Permalink | Log in to Reply

      How about bcrypt? https://core.trac.wordpress.org/ticket/21022

      It’s a one-line change and it’ll make a huge difference to the security of 89% of WordPress sites (PHP 5.2 doesn’t support bcrypt, but PHPass falls back to using the old algorithm in that case).

    • Dave McHale 3:53 pm on December 31, 2015 Permalink | Log in to Reply

      One of the biggest complaints I hear from my users is the menu management tools in the admin. A CMS website with a moderate number of pages quickly becomes incredibly difficult to manage. An overhaul there is long overdue IMO.

      The classic widget management tools are equally frustrating to work with, but I think core is already on a path towards getting away from that screen as much as possible – so I don’t know if updates there are really worth time/attention.

      • Andrew Nacin 11:30 pm on January 1, 2016 Permalink | Log in to Reply

        I think a new exploration in menu management would require building an update as a plugin using the feature plugin model.

        Have you looked at menu management in the customizer? I feel like I prefer it. I agree it still becomes tough to work with, with a lot of pages, but have you ever used a menu-building experience that works well with a lot of pages? Actually, have you ever used a menu (as a user) with a lot of pages?

    • Najum Rahim 4:17 pm on December 31, 2015 Permalink | Log in to Reply

      My wishlist
      WP REST API

    • Scott Kingsley Clark 5:16 pm on December 31, 2015 Permalink | Log in to Reply

      I’m totally all about Fields API, there’s just a little bit more left to do and I’ll have it in a place where it’s ready for core proposal!

    • colomet 5:32 pm on December 31, 2015 Permalink | Log in to Reply

      If Photon can not refresh the pictures (in case we do changes). I preffer not to have photon and to have my own CDN.

    • colomet 5:33 pm on December 31, 2015 Permalink | Log in to Reply

      · Speed
      · Lower use of resources

      • Andrew Nacin 11:32 pm on January 1, 2016 Permalink | Log in to Reply

        These are nice wishes, but we realistically need concrete proposals for how to get there. For example, I pull up WordPress in KCacheGrind quite often when contributing, to identify bottlenecks and potential areas for improvement.

    • Justin Sainton 5:51 pm on December 31, 2015 Permalink | Log in to Reply

    • askoxyz 6:12 pm on December 31, 2015 Permalink | Log in to Reply

      Move WP Comment Humility (https://wordpress.org/plugins/wp-comment-humility/) to core, which moves the Comments top level menu under Posts top level menu, where it belongs now that comments are off on Pages by default.

      • Andrew Nacin 11:38 pm on January 1, 2016 Permalink | Log in to Reply

        I saw this proposal on Twitter the other day. I actually like it in theory, but:

        • It would probably be jarring/confusing for a lot of people who don’t know where their comments menu went. (This is a solvable problem, of course.)
        • If a custom post type supported comments, then what? (It could always move back. There’s of course been talk that comments should possibly be moderated per post type, but that gets annoying when all you have is posts and pages and you do use comments on pages — admittedly rare.)

        This absolutely could only be done if there was extensive usability testing with various scenarios that can back up the decision.

    • Ipstenu (Mika Epstein) 7:33 pm on December 31, 2015 Permalink | Log in to Reply

      Posts like this very one make me think that Emoji Reactions should be a thing. If we could all click an emoji +1/-1 (thumbs up/down) to vote, it would be so lovely.

      https://wordpress.org/plugins/emoji-reactions/ ? Pull that in? 😀

    • George 5:40 am on January 1, 2016 Permalink | Log in to Reply

      https://wordpress.org/plugins/custom-upload-dir/

      Add similar functionality to core.

    • luciole135 8:38 am on January 1, 2016 Permalink | Log in to Reply

      Hello,
      I hope to ask the right place unless I should not open a ticket for this?
      Some hosts including mine do not allow REWRITE RULES in the .htaccess file.
      It would be good to check before writing to it if the mod_rewrite is enabled before writing in the .htaccess because it induces 500 errors.

      • John Blackbourn 6:07 pm on January 4, 2016 Permalink | Log in to Reply

        Please open a ticket on core.trac.wordpress.org for this, with as many details as you can. The .htaccess handling code has been in WordPress for the best part of a decade, so it should be pretty stable by now, and there are lots of failsafes in place to prevent such 500 errors.

    • Ulrich 9:56 am on January 1, 2016 Permalink | Log in to Reply

      #32802: Update Masonry (v3.3.2) & imagesLoaded (v3.2.0) package
      #30797: New function for parent theme stylesheet uri
      #33407: Theme tags overhaul
      #26695 Themes: add support for multiple screenshots in themes
      #21256 New theme feature – add_theme_support( ‘content-width’, $defaults )

    • benoitchantre 1:13 pm on January 1, 2016 Permalink | Log in to Reply

    • szaqal21 1:21 pm on January 1, 2016 Permalink | Log in to Reply

      Add filter for _get_list_table() to allow using extended WP_Posts_List_Table class for edit screens, now it is hardcoded!

    • szaqal21 6:11 pm on January 1, 2016 Permalink | Log in to Reply

    • Maren-Reinecke 9:00 pm on January 1, 2016 Permalink | Log in to Reply

      1) I would very much appreciate a file manager for the media! As a photographer I have quite a lot of media and it´s not usefull to have them monthly organized…
      2) For the meta tags an opportunity to add noarchive, my old website worked with index, follow, noarchive, because I don´t want my media in google archives.

      Thanks for taking notice 🙂

      Maren

    • Paal Joachim Romdahl 9:53 pm on January 1, 2016 Permalink | Log in to Reply

      Thanks for asking Mike!

      Drag & drop of All posts/pages/categories.
      Finally getting this trac ticket feature in place: https://core.trac.wordpress.org/ticket/2702

      Additional field options in the customizer. Adjusting site title, description menu etc. As it would make simple design adjustments easier for the beginner without having to get into coding

      That’s all I can remember off the top of my heard right now!

      Happy New Year to everyone!!..:)
      What an awesome year this will become!!

    • davidperez 9:57 pm on January 1, 2016 Permalink | Log in to Reply

      Hello, Have a Button to Update everything: Plugins, Themes and Languages.

      Nice Work!

    • davidperez 10:02 pm on January 1, 2016 Permalink | Log in to Reply

      Another Idea would be Edit Taxonomies as full editor: Thumbnail, WYSIWYG Editor, …

    • christinecooper 10:39 pm on January 1, 2016 Permalink | Log in to Reply

      My wishlist for 4.5 is mainly implementing the fixes that have already been provided to numerous bug tickets.

      For example, view the following ticket:
      https://core.trac.wordpress.org/ticket/15448
      Which I outlined here:
      http://wordpress.stackexchange.com/questions/191923/sending-multipart-text-html-emails-via-wp-mail-will-likely-get-your-domain-b

      That’s only an example. There are too many tickets like these which have been laying there, with completely appropriate solutions, and no sight in adding these fixes to core.

    • luciole135 6:43 am on January 2, 2016 Permalink | Log in to Reply

      Add a third markdown text editor next to the two existing.

    • bonger 9:15 am on January 2, 2016 Permalink | Log in to Reply

      Bugs. 4.4 squashed around 600 gross. A similar drive now would be very worthwhile.

    • Frank Bueltge 1:23 pm on January 3, 2016 Permalink | Log in to Reply

      Wishs are fine, but goals are important.

      • Multisite Maintenance

      ** Like Settings API and much more equally single core.

      • Fields API
      • Notification API ( kills wp_mail() )
      • Working with priority on open bugs.
      • Relationship table, Post2Post – also about the network of Multisite
    • seanbennick 1:31 pm on January 3, 2016 Permalink | Log in to Reply

      I would also like to see Widgets that can be created once and used across multiple sidebars, footers, etc. Widget Builder – https://wordpress.org/plugins/widget-builder/ takes a decent step towards this, but I think this would be a solid addition to the core.

    • Pam Blizzard 7:45 pm on January 3, 2016 Permalink | Log in to Reply

      Please give me an option to hook and/or filter the Cheatin’ eh message. When delivering WP as a CMS, it’s too perplexing for the users and they don’t know what to do next. Give me an option to put meaningful instructions for my users on how to move forward or get help.

      • J.D. Grimes 5:01 pm on January 4, 2016 Permalink | Log in to Reply

        See #14530

        • Pam Blizzard 12:47 am on January 5, 2016 Permalink | Log in to Reply

          I respectfully disagree that it’s fixed, if the message, “Cheatin’, eh?” displays anywhere on a website that doesn’t belong to a WordPress developer.

      • John Blackbourn 6:11 pm on January 4, 2016 Permalink | Log in to Reply

        Do your users regularly see this message? If so, the root cause should be investigated because ideally no user should ever see this message.

        • Pam Blizzard 12:53 am on January 5, 2016 Permalink | Log in to Reply

          No, not regularly, but once is too much IMO. I have had clients email me from time to time upon receiving it and it’s embarrassing, when I have to explain that it’s considered “funny”. I get the joke, but they don’t. The message is not truly helpful, in any way. I know we can do better, and I’m willing to help in any way that I can.

          • Ipstenu (Mika Epstein) 5:33 pm on January 5, 2016 Permalink | Log in to Reply

            Pam, how/when/where are they seeing this?

            Becuase John’s point is that they NEVER should be able to see that. And it indicates something serious is behaving in an unexpected way 🙂 While agreeing that the message should be filterable, we still want to understand the circumstances that make it happen so we can possibly fix THAT too.

            (Of course if it’s ‘a plugin is doing something daft, we may not be able to, but it helps us understand the root cause.)

            To quote Nacin from the trac ticket:

            This warning should never be accessible via the UI. These are nothing more than sanity checks. If they can be accessed in a normal setup via the UI then that is a bug.

            So while it perhaps should be filterable, there’s an underlying bug there. That’s why the initial trac ticket was resolved with “Provide more helpful feedback than just “Cheatin’ uh?” for permission errors in wp-admin/js/customize-controls.js.”

            The bug, the part where people could legit click a link and get there, was fixed.

            Where are you running into this? What are your users doing?

            • Pam Blizzard 5:16 pm on January 6, 2016 Permalink

              I myself got it 3 days ago, when my browser hung after deleting a theme, and I hit refresh. Being experienced, I knew what it was and what the next step was. However, I’ve had 3 phone calls from clients about it in the last year, (prefer not to detail what caused it here, but can if really necessary) they just didn’t know where to go next.

              I searched Twitter, wpStackExchange and WP.org support on that term and found people posting about it within the last few months. The point is, it does appear.

              I’m trying to understand why it’s hard coded 34 times, http://bit.ly/1mGhBwp if it’s not needed, and “shouldn’t appear in the UI”

              Again, I’m willing to help out in any way I can. I’m not just kvetching, I’m here to learn and help.

          • Ipstenu (Mika Epstein) 5:21 pm on January 6, 2016 Permalink | Log in to Reply

            I myself got it 3 days ago, when my browser hung after deleting a theme, and I hit refresh.

            Yeah, that’s one of those cases where we can’t really avoid it. Let me guess, you force quit the browser and reopened with extant tabs? So WP tried to reload with an expired nonce. (Which is personally why I think this message should be filterable/customizable – unavoidable browser crashes happen. We didn’t used to have our browsers be able to reopen all tabs when restarting… Ahh the old days.)

            Can you tell us, in general terms, what the users were doing? Uploading a file, trying to use a specific plugin? I totally get that you can’t give us details 🙂 But if we can narrow down if a plugin is derping or if there’s a legit bug in WP, it helps.

            • Pam Blizzard 12:54 pm on January 7, 2016 Permalink

              I appreciate very much that you’re willing to troubleshoot the problem, and another venue like the support forums is probably more appropriate, and I will open a thread there. My point for the Wish List: The error message displays and is not worthwhile in any way, and in fact detrimental, because “Cheatin’, eh/uh?” is cutesy, flippant, accusatory and snarky and not indicative of the professional tool that WordPress is. If those 34 instances of that literal exist, let’s at least replace them with something like, “something unexpected happened, please return to your Dashboard or contact your support resources.” or something similar that helps the user go to the next step.

    • Spacedmonkey 8:11 pm on January 3, 2016 Permalink | Log in to Reply

    • Knut Sparhell 10:45 pm on January 3, 2016 Permalink | Log in to Reply

      Core framework for multi-language
      Fields API
      Continued Multisite cleanup
      Remove Post-by-email in favor of plugins
      Tool to convert Links to Menus, in preparation for removing Links in a later release
      Continued user facing options cleanup
      Unmanaged/private plugins marker
      Install multiple plugins
      Implement REST API endpoints
      New strategy for bumping requirements
      Framework for 2-factor authentication
      Better password hashing
      Frontend editing of posts (text)
      Customizer: Point at any customizable element to open it
      Customizer: Partial refresh

    • robertwhitis 8:27 am on January 4, 2016 Permalink | Log in to Reply

      I’m always happy to see work put into multisite.

      Domain mapping in core would be huge.

    • rgllm 11:02 am on January 4, 2016 Permalink | Log in to Reply

      User roles.

    • nealumphred 1:35 pm on January 4, 2016 Permalink | Log in to Reply

      Return the VIEW POST option to the Admin Panel so that it can be seen and used after a post has been published.

      • John Blackbourn 6:13 pm on January 4, 2016 Permalink | Log in to Reply

        There are already two (or three, depending on the action) links to view the post from this screen. The ‘View Post’ link in the admin toolbar, and the permalink itself. Removing it was intentional. See #18306.

    • Ahmad Awais 5:54 pm on January 4, 2016 Permalink | Log in to Reply

      Late to the party. I’m looking forward to so many things in 4.5.

      — WP REST API (Of-course!)
      — Fields API (This is a long time coming and is a much-needed improvement)
      PHP Templating Engine Twig could be perfect
      Safe Mode Run
      — Weston Ruter’s idea of adding Add New Post/Page to the customizer
      — UX: I like how easily we can drag & drop images to upload them (Media -> Add New) Screenshot ,maybe we can have a similar drag & drop plugin and theme installer (Plugins -> Add New area)

      That’s all for now.

    • whizadree 5:54 pm on January 4, 2016 Permalink | Log in to Reply

      would like to see 2FA, Recaptcha as core spend much more time with user security and encrypting data within the database (no plain text info ) , more Customization for Admin without plugins , ( customize menus , custom links , hide unused ) , a core file manager with option for changing permissions and warning of security risks for both files and folders as core (with additional plugins to increase usage ) , better admin of sites using mobile devices such as a full WordPress mobile app the manage the system and install plugins from qr codes , and find a proper way to stop fake accounts / users

    • freetheweb 6:19 pm on January 4, 2016 Permalink | Log in to Reply

      • Custom CSS editor in the Customizer instead of having to install Jetpack
      • Enhanced Admin UI
      • Now that WordPress has established itself as a full CMS for the web, I think we should have custom taxonomies as part of the default admin options instead of having to install third party plugins to set them up, which is often confusing
    • Arunas Liuiza 7:16 pm on January 4, 2016 Permalink | Log in to Reply

      My biggest pain point is not in the features/code at the moment, but in the lack of documentation, particularly, on the JavaScript part of things – WP Editor, Media Manager, etc.

      On the code part of things, I’d love for wp_editor to have a flag to return its content instead of echoing everything all the time. I get tired of playing with `ob_start()` and friends every time I need to use it in some callback function or other.

    • calendarboy 12:38 am on January 5, 2016 Permalink | Log in to Reply

      I would like to be able to sort users by name, or by address

      On the Users page it appears you can sort by name, but it does not work. Instead, selecting Name actually just sorts on Username.

      I would like to be able to sort users by Name and by address.

      I have deleted over a thousand bogus “users” created by bots (despite using a catcha) over the past two days. It has taken hours and I’m nowhere near being done.

      With the ability to sort Users, I could have deleted all of the bogus entries in minutes.

    • Andrew Wilder 1:24 am on January 5, 2016 Permalink | Log in to Reply

      Right now, comments can only by linked to by using an anchor tag, and if the pagination is ever changed, then the anchor reference will be broken.

      I’d like to see comments get their own permalink structure — so links to specific comments will stay valid if the pagination ever changes. (I’ve run into changed pagination many times… maybe a site owner changes the comment display order, or changes the number of comments per post, or some comments get deleted, shifting them up to a new page…there are lots of ways the structure of http://oursite.com/blog-post/comment-page-5/#comment-12345” can break over time.)

      https://core.trac.wordpress.org/ticket/26133#comment:3

    • Daniel Llewellyn 4:31 am on January 5, 2016 Permalink | Log in to Reply

      selfishly I’d like #29325 to be merged, so I can wear a new contributor badge with pride 😀

    • Marko Heijnen 6:49 pm on January 5, 2016 Permalink | Log in to Reply

      • More control for images

        • Ability add more information for an image size like quality or zoom
        • Add the image size to the filters for responsive images. width/hight simply doesn’t work
        • Ability to auto generate images and to stop them from getting generated. Internal API which by default is off. Will makes things easier for plugins since internal APIs need to be changed.
        • non web image like Tiff converting to JPG (imagick).
        • Other cool imagick tricks to generate a thumbnail for PDF’s for example
      • XML-RPC component cleanup. What can still be done or where will the REST API be good enough. Making hard cuts.
    • benoitchantre 10:03 pm on January 5, 2016 Permalink | Log in to Reply

      #29783: User Admin Language

    • Nicolas Juen 10:22 am on January 6, 2016 Permalink | Log in to Reply

      More modern tools support :

      • Composer
      • Namespacing
      • Autoloading

      And potential muliple levels of themes, at least allow locate_template working on more than 2 folders with a hook to edit the paths available.

      • Nicolas Juen 10:24 am on January 6, 2016 Permalink | Log in to Reply

        And at least unified fields management (options,users, * meta ) with the currently developping Field API 🙂

    • Zwaar Contrast 2:10 pm on January 6, 2016 Permalink | Log in to Reply

      I’d like to be able to hook into the image editor!

    • Mel Choyce 7:20 pm on January 6, 2016 Permalink | Log in to Reply

    • Ryan Boren 8:11 pm on January 6, 2016 Permalink | Log in to Reply

      Some usability focused wishes.

      We’re WordPress and all about the open web. The open mobile web is rather a mess. The open web needs to be great on mobile, and WordPress can help make that happen.

      https://make.wordpress.org/flow/2015/06/13/the-top-5-impediments-to-flow-on-touch-devices/

      I arrive at WP sites through Twitter and other apps on my touch devices. Lots of people do. We come out of our apps, land on a site, touch an image, and get a bad experience. WP sites have poor media touch flow.

      https://make.wordpress.org/flow/windmills/#carousels-and-touch-media
      https://make.wordpress.org/flow/2015/02/26/core-support-for-wordpress-images-to-open-in-a-modal-window/

      The toolbar is overdue for an update. I like where this ticket is going.

      https://core.trac.wordpress.org/ticket/32678

      Retire media-new.php.

      https://make.wordpress.org/flow/2015/01/29/retiring-media-new-php/

      Continue reducing settings.

      https://core.trac.wordpress.org/ticket/32396
      https://wordpress.org/plugins/wp-core-settings-reduction-project/

      Keep advancing the customizer and live preview.

    • Grant Palin 10:44 pm on January 6, 2016 Permalink | Log in to Reply

      • native post relationships
      • ability to regenerate specific image thumbnails and not the whole lot
    • Rich Tabor 11:48 pm on January 6, 2016 Permalink | Log in to Reply

      How about a drag-and-drop-in-place element for the Featured Image metabox (like what we have for the post editor)?

    • Anthony Hortin 5:38 am on January 7, 2016 Permalink | Log in to Reply

      • Redesigned/improved Image Library along with the ability to create folders.
      • Fix the Image Library Grid/List UI so there’s not multiple screens that perform the exact same function. The whole Gird/List UI has been a mess since the Grid layout was introduced.
      • Customizer redesign including the ability to default to wider 2 column layout so you’re not scrolling for pages and pages when there’s heaps of options.
      • Better consistency with Customizer UI. Sometimes you click a button and more fields appear below it. Other times you click a button and a panel slides in and out of view. Sometimes when you click a button, the panel slides to the left, other times it slides to the right. Users shouldn’t have to wonder what’s going to happen when you click a button.
      • Better notification experience. Too many plugins/themes are cluttering up the WordPress Dashboard with multiple and constant notifications.
      • Redesign of the Show Password/Hide/Show/Cancel/Generate Password buttons on the User Profile screens. The UI is confusing and there are too many unnecessary buttons.
      • Anthony Hortin 6:45 am on January 19, 2016 Permalink | Log in to Reply

        Adding to my list above…

        • The ability to be able to upload AND overwrite existing plugins. So Annoying not being able to upload newer plugin versions through the dashboard and simply overwrite the old version
    • Ross Wintle 9:41 am on January 7, 2016 Permalink | Log in to Reply

      • Any movement towards an efficient API for post-to-post relationships
      • Now that the REST API is (nearly) here, we should start improving the core UI. Could we start by using AJAX for pagination/sorting/filtering on list tables
      • TWIG-like templating. Or at least, some API that enables us to better separate logic and display. Currently I can use things like the query var to pass data to a template (as documented in the codex page for get_template_part: https://codex.wordpress.org/Function_Reference/get_template_part#Passing_Variables_to_Template) but it would be nice to have a data API or some way to pass data to templates. WP isn’t MVC so I’m not entirely sure what this would look like.
      • Ability to both install and upload multiple plugins in one go, and to overwrite existing plugins (for when you’re uploading an update to an existing plugin)
      • Ability to set login/dashboard URL as part of core
    • Lisa 1:49 pm on January 7, 2016 Permalink | Log in to Reply

      Let’s make notifications a thing of delight for the user.

      Can we have a universal inbox for them, and maybe add Wapuu or something that makes people smile. Like – https://cloudup.com/cQtJsMhtf0L

    • HoaSi 11:07 pm on January 11, 2016 Permalink | Log in to Reply

      Further improvement to https://core.trac.wordpress.org/ticket/26937 would be nice.

    • Tim 1:58 pm on January 12, 2016 Permalink | Log in to Reply

      The top pain point for me and my clients is probably management of the media library (as mentioned by lots of others); I’d love to see that a priority.

      Other things I routinely install plugins for, and would love not to have to:

      • Tree view and drag-and-drop sorting of pages (and posts and other types)
      • Global disabling of the comment system for sites where comments are irrelevant
      • Adding featured images to taxonomies
      • Using a visual editor for taxonomy descriptions

      Nice as it would be to have multi-language and page-by-page permissions in core too, I do realise that these are huge endeavours and the core team probably wishes to leave them to third party plugins, even though those plugins are far from perfect. 🙂

    • Ipstenu (Mika Epstein) 9:44 pm on January 12, 2016 Permalink | Log in to Reply

      I’m going to sneak add https://core.trac.wordpress.org/ticket/35429 – Since I upload a LOT of plugins for testing, this would save me oddles of time 🙂

    • shackep 1:53 pm on January 14, 2016 Permalink | Log in to Reply

      I think “enable-media-replace” https://wordpress.org/plugins/enable-media-replace/ should be added to core. Such a simple handy plugin. And perhaps something like https://wordpress.org/plugins/media-item-url/ while we are at it. Small things that many people could find useful.

    • The-Dude 2:57 pm on January 14, 2016 Permalink | Log in to Reply

      Native TOC-Support working together with Pagebreak would be very helpfull! 🙂

    • Damir Calusic 11:02 am on January 17, 2016 Permalink | Log in to Reply

      We really need this simple fix https://core.trac.wordpress.org/ticket/28381

    • summoner 10:35 pm on January 18, 2016 Permalink | Log in to Reply

      +1 for LOT of enhancements in media library (ordered by complexity):

      • Media categories;
      • “enable-media-replace” as mentioned by shackep;
      • Different sizes in different folders;
      • Adding a per file generated pre- or suffix to original file names so that people can not harvest others’ original images by simply deleting some characters of the thumbnail url…;
      • Maybe even some content protection functionality Galleries are great but FB like photo albums would be welcome as well (see in: https://wordpress.org/plugins/simple-photo-albums / this one does not add any new menu items which is great);
      • Image focal points as mentioned by chrishoward;

      +1 WP simply MUST support multilanguage content out of the box (as even personal blogs tend to need that, not to mention business sites)

    • itsnotrocketsurgery 2:45 pm on January 25, 2016 Permalink | Log in to Reply

      A mechanism for tagging and filtering themes would be useful. When I provide my themes/child themes to end users, it would be useful for me to tag them with their colours and be able to provide a filter at the top of the theme selection page.

      I’m not aware that anything like this already exists and I’m not a developer, but it would be handy to freely tag themes somehow, even just from within the theme CSS header.

    • camelotcamel 11:12 am on January 28, 2016 Permalink | Log in to Reply

      It’s all been said before, but anyway:

      Better media management!

      • upload to user defined folders
      • “add from server” functionality
      • media categories
      • media replace
    • Settler11 8:38 am on February 2, 2016 Permalink | Log in to Reply

      The Duplicate Post plugin! Almost a million downloads.
      And media management; but that’s been said a thousand times I think. 🙂

    • ledgoti 3:53 pm on February 4, 2016 Permalink | Log in to Reply

  • Ryan McCue 12:35 am on December 15, 2015 Permalink |  

    WP REST API: OAuth Plugin Security Update 

    Hi everyone. This is a quick update on the OAuth 1.0a Server plugin, available on GitHub.

    Versions of the OAuth plugin prior to this commit contain a security issue during the authorization flow, regarding signature and nonce checks. Due to the OAuth architecture, it is highly unlikely this can be used to compromise a site or client application; however due to an abundance of caution, we recommend all users update to 0.2.1 immediately. (Pull the latest changes from master.)

    Thanks to @bradyvercher for responsible disclosure of this issue via HackerOne.

     
    • AITpro 12:54 am on December 15, 2015 Permalink | Log in to Reply

      Wow! HackerOne is awesome! What an absolutely brilliant idea. I will definitely be signing up.

  • Daniel Bachhuber 7:00 pm on December 11, 2015 Permalink |
    Tags: , ,   

    WP REST API: Version 2.0 Beta 9 

    For the last REST API release of 2015, we bring you: 2.0 Beta 9 “You Don’t Win Friends With Salad”. Download it from the plugin repository or from GitHub.

    Should I use 2.0 Beta 9 in production?

    This is a great question. I (Daniel) will do my best to answer from my perspective — Ryan, Rachel or Joe may have different opinions.

    As many of you may already know, the v1.x branch is essentially deprecated and only maintained for security and major compatibility issues. Even its latest release, v1.2.4, still includes some annoying bugs. The v2.0 Betas introduce aton of new features, functionality, and general improvements. But, there will never be a formal v2.0 plugin release — v2.0 will be endpoint inclusion into WordPress core.

    Right now, we’re doing our darned best to get the endpoints into core at the end of January 2016. Between now and then we have at least 74 issues to wade through. Beta 9 includes 32 merged pull requests.

    In the interest of feeling confident about the code we’re committing to core, we are and will be making breaking changes in the Betas. Significantly, Beta 10 will remove the core directory, and will be incompatible with WordPress 4.3.

    Short answer: you’re welcome to use the Betas in production if you understand the ramifications. When updating, we expect you to read through the changelog and thoroughly test each release with your project. You should probably have test coverage on any custom endpoints you’re writing. And, set aside time to properly debug any issues you uncover and submit pull requests with test coverage.

    If you aren’t comfortable with aforementioned ramifications, please refrain from using the v2.0 Betas in production. We do encourage everyone to use them locally, or in staging / test environments, and look forward to your feedback.

    Changelog

    Here are some highlights:

    • Move tags and categories to top-level endpoints. Tags are now accessible at `/wp/v2/tags`, and categories accessible at `/wp/v2/categories`. Post terms reside at `/wp/v2/posts//tags` and `/wp/v2//categories`.
    • Return object for requests to `/wp/v2/taxonomies`. This is consistent with `/wp/v2/types` and `/wp/v2/statuses`.
    • Remove `rest_get_timezone()`. `json_get_timezone()` was only ever used in v1. This function causes fatals, and shouldn’t be used.
    • Rename `register_api_field()` to `register_rest_field()`. Introduces a `register_api_field()` function for backwards compat, which calls `_doing_it_wrong()`. However, `register_api_field()` won’t ever be committed to WordPress core, so you should update your function calls.
    • Change taxonomies’ `post_type` argument to `type`. It’s consistent with how we’re exposing post types in the API.
    • Sync infrastructure with shipped in WordPress 4.4.
      • `wp-includes/rest-api/rest-functions.php` is removed, and its functions moved into `wp-includes/rest-api.php`.
      • Send nocache headers for REST requests.
      • Fix handling of HEAD requests.
      • Mark `WP_REST_Server::get_raw_data()` as static.
      • Unabbreviate error string.
    • Change terms endpoints to use `term_id` not `tt_id`.
    • Standardize declaration of `context` param for `GET` requests across controllers. However, we’re still inconsistent in which controllers expose which params. Follow #1845 for further discussion.
    • Link types / taxonomies to their collections, and vice versa. Collections link to their type / taxonomy with the `about` relation; types / taxonomies link to their collection with the `item` relation, which is imperfect and may change in the future.

    As always, we have a detailed changelog as well as the full set of changes if you’re interested.

     
  • John Blackbourn 5:08 pm on December 11, 2015 Permalink |  

    Additional labels for custom post types and custom taxonomies 

    In WordPress 4.3 and 4.4, additional labels have been made available for custom post types and custom taxonomies. These get passed in via the labels argument when using register_post_type() and register_taxonomy().

    New post type labels in 4.3:

    • featured_image – Overrides the “Featured Image” phrase for this post type. See #19257.
    • set_featured_image – Overrides the “Set featured image” phrase for this post type. See #19257.
    • remove_featured_image – Overrides the “Remove featured image” phrase for this post type. See #19257.
    • use_featured_image – Overrides the “Use as featured image” phrase for this post type. See #19257.

    New post type labels in 4.4:

    • archives – The post type archive label used in nav menus. Default “Post Archives”. See #16075.
    • insert_into_item – Overrides the “Insert into post”/”Insert into page” phrase (used when inserting media into a post). See #33616.
    • uploaded_to_this_item – Overrides the “Uploaded to this post”/”Uploaded to this page” phrase (used when viewing media attached to a post). See #33616.
    • filter_items_list – Screen reader text for the filter links heading on the post type listing screen. Default “Filter posts list”/”Filter pages list”. See #32147.
    • items_list_navigation – Screen reader text for the pagination heading on the post type listing screen. Default “Posts list navigation”/”Pages list navigation”. See #32147.
    • items_list – Screen reader text for the items list heading on the post type listing screen. Default “Posts list”/”Pages list”. See #32147.

    New taxonomy labels in 4.3:

    • no_terms – Used when indicating that there are no terms in the given taxonomy associated with an object. Default “No tags”/”No categories”. See #32150.

    New taxonomy labels in 4.4:

    • items_list_navigation – Screen reader text for the pagination heading on the term listing screen. Default “Tags list navigation”/”Categories list navigation”. See #32147.
    • items_list – Screen reader text for the items list heading on the term listing screen. Default “Tags list”/”Categories list”. See #32147.

    See the documentation for get_post_type_labels() and get_taxonomy_labels() for the full list of available labels.

     
  • George Stephanis 3:52 pm on December 11, 2015 Permalink |
    Tags: , ,   

    2FA! 2FA! 2FA! 

    Howdy, all! I’m back, and we’re getting the Two-Factor Train rolling again!

    We had our first meeting yesterday at the usual time (22:00 UTC / 5pm Eastern) in #core-passwords.

    https://wordpress.slack.com/archives/core-passwords/p1449784908000119

    Following some critical feedback and discussions both at the Community Summit and at WordCamp US, we’re adjusting our focus. Technical feasibility is turning out to be far less of a concern than ensuring we don’t create an undue support burden by users getting locked out and providing a way back in.

    Previously, we had been anticipating the primary way to override a loss of their second factor would be either adding a constant or modifying the database records (either directly or via a shell tool such as WP-CLI). However, we have had a number of concerns from assorted interested parties, and the fact of the matter is that it is feeling like too high of a barrier for many WordPress users. As @macmanx (new Forums Team Rep) summarized in our chat yesterday,

    I’ll say it this way: We want users to be able to secure their sites with 2FA, not sit back and watch outdated abandoned sites pile up because they locked themselves out and simply give up when when we mention FTP, Database, or SSH.

    So, there are several things that have been brought up:

    Require a constant in `wp-config.php` to enable 2FA

    The idea being that, by adding a constant to wp-config, the user has demonstrated that they know how to use FTP and edit files on their server manually, so if all goes to heck, they have the ability and knowledge to take the constant back out, so they can get back into their site admin.

    I feel that this is a bad idea, because it violates many of the WordPress Core Philosophies. It wouldn’t work out of the box, and we’re no longer designing for the majority. It results in us adding not only an option, but an option that’s hard to set.

    If we have to hide it behind a constant, I feel that it shouldn’t even be in Core, and would be better left as a plugin.

    (yes, I know Multisite runs this way, but there are other reasons that was merged into core)

    Require multiple providers being enabled

    The idea here being that if the user has two, there is less likelihood of getting locked out as they’d have a backup. However, for myself, I can’t tell you how many times I’ve downloaded backup codes and promptly lost them. Or how many times my phone has been destroyed (washing machines and phones shouldn’t be friends). There’s still a lot of opportunity for things to go wrong, especially on the scale of powering a quarter of the web. Edge cases become commonplace. 🙁

    Send Text Messages

    No can do, this would require a third-party server to send them through, and that’s plugin territory.

    Leave Emailed Codes as an always-available fallback

    This, I feel is our best option.

    There are some concerns regarding the large percentage of WordPress sites that are on servers that can’t send email (as high as 25% by some guesstimates I’ve heard floated), so we’d need to send a code and make sure it gets received before turning on the actual two-factor login prompt.

    While it doesn’t provide the best security (if someone breaks into your email address, they could both reset your password and get the incoming authentication code), it is 1) no worse than the status quo, 2) not our responsibility to keep secure, and 3) if they’ve broken into your email, you probably have bigger concerns.

    We can certainly include a filter for methods to disable / add from plugins, and so if someone wants to disable email manually, they totes can. By explicitly disabling the Core security feature, they’re then demonstrating that they know enough to fix it if it goes wrong.

    In the end, my feelings were largely best summed up by @michael-arestad, describing the two ways of balancing ease of use versus airtight security:

    Ease-of-use: core potential
    Airtight security: plugin town

    And we can always ship the plugin ourselves to let folks disable Email, but that feels like if it were in wp-admin that we’d be giving them just enough rope to hang themselves. 🙁

    ===

    Now, none of this is finalized, so if you disagree, please voice your concerns in the comment section below. I’m hoping that we’ll get enough discussion that we’ll be able to confidently make a final decision on what path we’re taking at next week’s meeting — which will be on Thursday at 5pm Eastern / 22:00 UTC in #core-passwords

     
    • Samuel Wood (Otto) 4:00 pm on December 11, 2015 Permalink | Log in to Reply

      +1 for “email as an always-on fallback” and “must verify a code via email to even turn 2FA on in the first place”. Best solution.

    • chriscct7 4:01 pm on December 11, 2015 Permalink | Log in to Reply

      For emails, what about using .org as an email provider where the site would ping .org and .org would send out the email?

      Also with text messages you don’t need to use a third party service. You can just use a library that maps carriers to their standard email to SMS address and then send an email (or .org sends an email) to that email. An example is https://github.com/JeffMatson/WP-SMS-Notifications/blob/master/carrier-list.php

      • George Stephanis 4:04 pm on December 11, 2015 Permalink | Log in to Reply

        Doesn’t work for all carriers. For example, Project Fi (which I’m on) doesn’t have an email to txt message gateway.

        • chatmandesign 4:05 pm on December 11, 2015 Permalink | Log in to Reply

          Would be a nice option to provide for those on carriers that support it, but definitely not something that can be relied upon for all users.

          • George Stephanis 4:07 pm on December 11, 2015 Permalink | Log in to Reply

            It also is something that would be easy to forget to update if you change cell phone carriers. Then the old carrier’s gateway would fail silently.

      • Mark-k 4:35 pm on December 11, 2015 Permalink | Log in to Reply

        I think that free SMS is mainly a US thing. I don’t know of any email to SMS gateway for any of the companies operating in israel.

        Making wordpress.org an email relay will just increase the option it will be marked as spammer, and there is the privacy aspect as well.

        • George Stephanis 4:44 pm on December 11, 2015 Permalink | Log in to Reply

          I agree, plus I hesitate to route something as critical as login through one central server for the default fallback core implementation. Feels like putting too many eggs in one basket.

          • Jon Brown 5:28 pm on December 11, 2015 Permalink | Log in to Reply

            and for those that travel internationally… SMS isn’t always available (changed SIM Cards, outside mobile coverage but on WiFi, etc..)

    • chatmandesign 4:02 pm on December 11, 2015 Permalink | Log in to Reply

      Is 2FA really something that should be built into core? It seems like you provide some good arguments why 2FA should be managed by technical administrators and security experts, not managed by end users at all.

      To be honest, I’d rather see federated login support built into core… Then the people who want 2FA can simply choose a login provider that has the technical chops to provide 2FA in a way that’s actually secure (e.g., Google).

      • Mikel King 4:29 pm on December 11, 2015 Permalink | Log in to Reply

        I have to agree leaving 2fa to the realm of 3rd party systems makes better sense.

        I think user base would be better served with having password expiration, character diversity, character length and history retention as well as session duration limit settings built into the core.

      • thetechnuttyuk 1:46 pm on January 25, 2016 Permalink | Log in to Reply

        I agree with this, 2FA should stay with the people who know what they are doing. I think it is okay to maybe add the option of WordPress 2FA within something like Jetpack, or to provide a tip message within Core to download the plugin, as WordPress built 2FA might be eaiser to those who don’t know how to set-up this as well.

        But I don’t think it should be built in.

        Third parties can do a much better job, a great example being Duo Security, who currently offer an awesome all-around solution that integrates directly with WordPress, we use it on all our sites and it works perfectly.

    • Varun Sridharan 4:02 pm on December 11, 2015 Permalink | Log in to Reply

      +1 For Emails .

      Nice feature 🙂

    • Omaar Osmaan 4:03 pm on December 11, 2015 Permalink | Log in to Reply

      +1 for email as an always-on fallback, and to verify a code for the first place.

      May be “require a constant in `wp-config.php` to *disable* 2FA”- should be a doable, too.

    • Mikel King 4:21 pm on December 11, 2015 Permalink | Log in to Reply

      I understand you feeling about the wp constant; however, why not reverse that process. Where normally we would have to define a constant to turn something on why not make it on by default and if you get into trouble you have to define DISABLE_2FA?

      That being said I just completed lighting up DUO Security’s 2fa system on our production sites and overall the users have embraced it. So I believe that it’s ready for primetime if you can make it work.

      On a side note does anyone else find the discussion of enhanced security and FTP in the same breath ironic?

      • George Stephanis 4:28 pm on December 11, 2015 Permalink | Log in to Reply

        I understand you feeling about the wp constant; however, why not reverse that process. Where normally we would have to define a constant to turn something on why not make it on by default and if you get into trouble you have to define DISABLE_2FA?

        We will be including at least one constant / filter or something to that effect to disable 2fa.

        I personally think filters is better than constants, as you can have multiple plugins messing with a filter no problem, but if two try to define the same constant, it’s sad christmas.

        • Omaar Osmaan 4:30 pm on December 11, 2015 Permalink | Log in to Reply

          From a end-user perspective, constants are easy to assign- as a Dev, I would prefer the filter, yes.

        • Mikel King 4:33 pm on December 11, 2015 Permalink | Log in to Reply

          If a user did something stupid locking themselves out would they need an mu-plugin to trigger the filter so that they could attain access again?

          • George Stephanis 4:39 pm on December 11, 2015 Permalink | Log in to Reply

            You mean with the proposed always available Email fallback that just emails them a code?

            • Mikel King 6:48 pm on December 11, 2015 Permalink

              I was thinking more of a mu-plugin that unlocks that user’s account. Similar to how you described the constant definition below. The advantage is that you could apply the filter to multiple account in said plugin. However the disadvantage is that most users & general site admins are not very savvy when it comes to mu-plugins so it’s a technical barrier…

          • Ipstenu (Mika Epstein) 10:40 pm on December 11, 2015 Permalink | Log in to Reply

            The issue there is that a required MU plugin means they have to have file access to the system AND know how to install that.

            And when they don’t, they’ll be putting undue burden on hosts who have to walk people through things.

            My issue (and this isn’t news to George) is that users do NOT know how to dig themselves out of holes, and if we’re throwing them into one (TFA) we damn well have to make sure they have a ladder accessible to the majority of users.

            Sadly that means email and confirm code before locking in. It’s the lowest common denominator.

        • idealien 6:13 pm on December 11, 2015 Permalink | Log in to Reply

          “We will be including at least one constant / filter or something to that effect to disable 2fa.”

          +1 for wp-config constant required to enable the 2FA feature.

          Please keep the use-case of sites that use LDAP for external validation in mind. All UI / strings / messages that trigger related to WP passwords should respect that constant / filter as any reference to a WP password just adds user confusion.

          If / when this does come to core – please set a higher standard than 4.3 release notes did at communicating the new messages and hooks to disable email notifications. Paint a clear picture between new / updated functionality and new / updated constants, hooks, filters, etc related to it.

    • AITpro 4:32 pm on December 11, 2015 Permalink | Log in to Reply

      There are some concerns regarding the large percentage of WordPress sites that are on servers that can’t send email (as high as 25% by some guesstimates I’ve heard floated), so we’d need to send a code and make sure it gets received before turning on the actual two-factor login prompt.

      In my experience over the past 5 years, I am seeing an increasing trend in automatic emails (PHP mail() vs direct emails sent from a computer email application like Outlook) being rejected due to anti-spam measures on sending and receiving Mail servers and 3rd party email services that automatically blacklist Mail Server IP addresses. At this point in time I would say 25% automated email failure/rejection is an accurate number. I imagine that that number will continue to increase steadily. So logically a fallback system like generating a non-email time sensitive encrypted/hashed string may be a smart move in the long run. Example: example.com/unlockme.php?action=foo&key=EwtNARIrmZEWBRTvYzdn&unlock=blah

      • AITpro 4:37 pm on December 11, 2015 Permalink | Log in to Reply

        Oops forgot to mention this very important point: When generating/sending emails from yourself to yourself from your own server there is not typically going to be a problem with automated emails being rejected. The problem occurs when dealing with different sending and receiving Mail Servers. ie someone is using a different Mail Server other than the origin Mail Server for that website.

      • George Stephanis 4:41 pm on December 11, 2015 Permalink | Log in to Reply

        We’re only keeping Email on as an emergency fallback. There are other providers that will be also included, such as TOTP (Google Authenticator), Backup Codes kept in a safe place, FIDO U2F usb security keys, and others.

        So it’s not a ‘purely email’ 2fa system. Just that email will always be available if you lose the other methods.

    • CotswoldPhoto 4:36 pm on December 11, 2015 Permalink | Log in to Reply

      My feeling is that you have 2 levels of user; those who are happy to edit wp-config.php and those that are not. So, why not add a switch in wp-config.php that by default is commented out? If a user is capable and willing to uncomment it to enable 2FA, they have no need of an emailed backdoor password. If they are locked out, they can edit the wp-config.php file to switch it back off. Then, a second level of enabling that requires the user to enable it in admin, where it will send out a ‘rescue’ email, or maybe just show the backdoor one time passkeys for them to copy? Once off the page, the keys are hashed. I seem to recall this is what Joomla used to (may still does?) do.
      Why should 2FA be in core? Security like this SHOULD be. Only with it in core will all the variety of user and alternative login plugins adopt and support the core code.

      • George Stephanis 4:43 pm on December 11, 2015 Permalink | Log in to Reply

        So, why not add a switch in wp-config.php that by default is commented out?

        For new installs, perhaps, but on updates wp-config.php is never touched, so this wouldn’t help most sites.

        • CotswoldPhoto 5:12 pm on December 11, 2015 Permalink | Log in to Reply

          But you could allow the more competent user to add the line? I have edited the wp-config.php file of every site I have ever made in WordPress.

          • George Stephanis 5:15 pm on December 11, 2015 Permalink | Log in to Reply

            Sure, and you’re certainly not a typical user, let alone those who don’t even know what FTP is. We need to do our best to make 2FA accessible to everyone, not just the privilege of the technically minded.

    • Brandon Kraft 4:48 pm on December 11, 2015 Permalink | Log in to Reply

      Another alternate idea: Infrastructure in Core, methods in plugins. At least initially.

      Instead of asking users to install possibly multiple, random plugins to provide multi-method 2fa, we put the infrastructure in Core, release the major methods via plugins (either a “special” status, a la the importers, assuming the #core-passwords group is willing to maintain it long-term).

      The current code allows for extending it through other plugins, so if new third-party solutions or new standards come out, Core provides an easy way to allow for that extendability while insuring some level of compatibility.

      /////////

      My fear with an e-mail backup, even if it is verified as working, could always stop working (moved hosts, shared hosts get blacklisted and the e-mail provider silently drops blacklisted e-mails). I’m not sure a way to ensure an always available 2fa method that isn’t open to some type of failure.

      • George Stephanis 4:50 pm on December 11, 2015 Permalink | Log in to Reply

        I really dislike shipping a whole infrastructure in core that does nothing, when we can easily provide solid implementations of some providers. It feels like we’re violating “Good Software should run Out of the Box”

    • Dave McHale 4:54 pm on December 11, 2015 Permalink | Log in to Reply

      Can you clarify the final point in the post? Would a filter/constant be available that disables the email functionality, or the 2FA itself?

      Similar to Brandon above, I’d be concerned with host failures, host moves, all sorts of variables that may change after-the-fact. While no solution will be perfect, I think, it seems sensible to me that at least a constant be provided for “if all hell breaks loose, set this constant in your wp-config to turn off 2FA entirely”. At least then a technical admin can disable the feature, log back in, and hopefully troubleshoot from there. As long as this is the case, I think the option provided definitely sounds like the most sensible of the alternatives listed.

      • George Stephanis 5:09 pm on December 11, 2015 Permalink | Log in to Reply

        Yes, regardless of everything else, there will be a constant to turn off 2FA. I’m thinking something like…

        `define( ‘DISABLE_2FA’, true );` — disables it entirely while the constant is in effect
        `define( ‘DISABLE_2FA’, 12 );` — disables it only for user ID 12
        `define( ‘DISABLE_2FA’, ‘bob’ );` — disables it only for username `bob`
        `define( ‘DISABLE_2FA’, ‘bob, jane’ );` — disables it for users `bob` and `jane`

        Some of these may be overthinking it, so I’m not sure what the final disable implementation will be, but all of these are feasible.

        • Brandon Kraft 5:13 pm on December 11, 2015 Permalink | Log in to Reply

          Should we have an UI for admins to tempoarily disable/reset/issue-backup-code for a particular user?

          (Or do we already? Haven’t ran the plugin on a multi-user site yet).

          • George Stephanis 5:14 pm on December 11, 2015 Permalink | Log in to Reply

            Yeah, we do already. Admins can disable other users methods just as they can change passwords and whatever.

            • Mikel King 6:43 pm on December 11, 2015 Permalink

              The real concern here is if it’s the admin that’s borked their 2fa access. I mean it is most important to ensure that every account with admin capabilities is using 2fa.

        • Dave McHale 5:20 pm on December 11, 2015 Permalink | Log in to Reply

          Nice. And I like those ideas. I would personally prefer to use them as one-off definitions, rather than allowing your fourth example with both users. If someone wants to turn it off for multiple users, I don’t see harm in making them just use two lines such as

          `define( ‘DISABLE_2FA’, ‘bob’ );`
          `define( ‘DISABLE_2FA’, ‘jane’ );`

          Still clean, and less potential for disaster while parsing out human-typed delimited input, too. Plus if you DO allow for multiple users by username, you would probably want to support multiple users by id, too, and that starts getting even messier, I think.

          Will per-user filters to disable 2FA be implemented by default as well? Will core support “2FA is turned on for this site, but you can check a box to have a single user opt OUT of using it”?

          • George Stephanis 5:21 pm on December 11, 2015 Permalink | Log in to Reply

            I see plenty of harm in that, insofar as a single constant can’t be defined twice. It’s a PHP thing.

            • Mikel King 6:40 pm on December 11, 2015 Permalink

              That’s exactly what I was thinking. I think the filter method may be the only way to hit multiple users at once.

          • George Stephanis 5:24 pm on December 11, 2015 Permalink | Log in to Reply

            Will per-user filters to disable 2FA be implemented by default as well? Will core support “2FA is turned on for this site, but you can check a box to have a single user opt OUT of using it”?

            Getting a bit out of scope for this discussion, but the filters will look something like

            `apply_filters( ‘user_can_2fa’, $configured, $user );` — or something akin to that, so you can use the filter to turn it on or off for either everyone or just specific users, based on their WP_User as passed to the filter.

            If you’d like to talk about this more in depth, please ping me in Slack? #core-passwords

        • Omaar Osmaan 1:59 pm on December 12, 2015 Permalink | Log in to Reply

          Multiple options for the constant looks good.

          But may be constant could be just to hard-disable the 2FA entirely- overriding the filters, and keep it simple. While the filter could provide all those flexibility to empower 2FA options.

    • rawrly 5:11 pm on December 11, 2015 Permalink | Log in to Reply

      Emailing a reset token for 2FA, is an ideal solution. Not only is it no-less secure than the current “forgot password” system, it leaves what is effectively evidence of tampering with someone’s wordpress site, on a third party server (the email server, assuming it’s hosted elsewhere.)

      Setting up an option in wp-config, i agree sounds odd. Wouldn’t the standard put this option setting in wp_options in the database? In cases where email reset tokens are not wanted, I’m sure that advanced user could use phpmyadmin or myql on the CLI just as easily as they could use vim/nano/pico/emacs. (What I mean here, it sounds like a lot of extra work for something to be non-standard and help a very small number of users)

      You however did not give a lot of credit for one-time use emergency tokens. Basically a “reset 2fa token” that never expires until deleted or used. These are somewhat of a standard for cases where touching the database is not an option (possible on some hosting platforms I am sure, if not for users being unfamiliar) and email might not be trusted enough verification (again, a fringe case, but maybe email service is broken on the WP site’s server). They wouldn’t have to be required to be generated if not wanted, and should not be the only option for resetting 2fa, but can be one more option that would cover almost all (including the most fringe) cases for 2fa users wanting access in case of emergency lost second factors (and as secure as their personal laptop/desk are.)

      • George Stephanis 5:39 pm on December 11, 2015 Permalink | Log in to Reply

        You however did not give a lot of credit for one-time use emergency tokens. Basically a “reset 2fa token” that never expires until deleted or used.

        We already have these fully implemented. But we can’t rely on them, because humans lose things.

        • TobiasBg 5:41 pm on December 11, 2015 Permalink | Log in to Reply

          One idea here could also be to show regular reminders every two-three months or so, when a user logs in, about whether a backup email address is still correct, how many backup codes have been used, etc., similar to how Google does it.

        • Mikel King 6:51 pm on December 11, 2015 Permalink | Log in to Reply

          Or worse forget to even save those tokens somewhere offline for future use. Or even worse yet store those OTP’s in a email folder that then get’s hacked and well Bob’s your uncle…

        • rawrly 7:51 pm on December 14, 2015 Permalink | Log in to Reply

          As long as it’s an option, that’s great. It certainly is a bit much to ask as the only solution for resetting 2FA.

    • Jon Brown 5:40 pm on December 11, 2015 Permalink | Log in to Reply

      Yes in core. Yes email fallback, but… have the ability to _disable_ email fall back via define in wp-config.

      Further, I definitely would like the ability to restrict 2FA to certain user roles. because:
      1) I don’t want to run into having to support membership users that enabled 2FA because it was there…
      2) I equally like the idea of mandating the administrators and editors use 2FA.

      Currently we handle (2) by using 2FA on /wp-login.php, but not requiring it on our custom /login pages. If an admin tries to login on /login they get denied and redirected to /wp-login.php. Pippin wrote a quick plugin for this on Restrict Content Pro: https://github.com/pippinsplugins/rcp-fatwpl/blob/master/rcp-force-admins-to-wp-login.php

      • George Stephanis 8:11 pm on December 11, 2015 Permalink | Log in to Reply

        but… have the ability to _disable_ email fall back via define in wp-config.

        Why a defined constant? I’d been expecting that we’d using a filter for that, but very eager to hear arguments in favor of a constant instead.

        Further, I definitely would like the ability to restrict 2FA to certain user roles. because:

        Both of these restrictions, forcing it on or off, will be totes doable, I expect, either globally, or on a user-by-user basis (and therefore on a user role basis)

    • Philip Ingram 6:03 pm on December 11, 2015 Permalink | Log in to Reply

      Yes in core, yes to email feedback, yes to disable via constant, yes to the idea of a unique randomized url for a traditional login fallback.

      Personally while I use a 2F plugin that works very well I can’t help but feel the dread of knowing this doesn’t really solve any of my REAL problems security-wise with my sites. While my sites don’t get hacked I still feel the pain of the hack attempts.

      Hackers bots are killing the web for WordPress sites. Every site I work on eventually becomes discovered and expects repeated hack attempts (sometimes upwards of thousands of hits per minutes) because there is no seamless and easy way to obscure that the site is running on WordPress. Changing the url and disabling xmlrpc is not a solution either but helps in some cases.

      I think the problem is much worse than protecting the login credentials. We need to be looking at how we can approach the problem of dealing with the constant knocking at the door costing against server resources and bandwidth resulting in poor performance and excessive hosting costs.

      Normally in a one-off scenario I would think this the responsibility of the IT/Server arena not the website application software however when one product powers 25% of the web, I think the responsibility crosses the barrier as only my WordPress site’s experience this problem on such a massive scale.

      There is such a wide number of hijacked IP addresses, blocking at the web server has very little effect and doesn’t address the amount of hits. Especially for those running on inexpensive shared servers hosting upwards of 6000 sites where the large majority are receiving constant bot activity specifically targeting WordPress sites.

      For some, the only approach for relief is to use a security DNS service that is already aware of the large majority of compromised IP addresses and block the attack before it even hits the web server. This comes at a price. Additionally, the different server builds adds complexity whether apache, nginx etc. so my thoughts are strongly leaning towards a way to finally be able to obscure a site is running WordPress. Is a free 3rd party filtering (firewalled DNS) service out of the question for an open source project like this? Could the means justify the cost of WordPress fixing the “WordPress” inherited security problem?

      On a similar scale, we see this problem spiraling out of control much like email spam where even the age old tradition of blacklisting isn’t very efficient anymore and more often a nuisance for legitimate users.

      • George Stephanis 8:17 pm on December 11, 2015 Permalink | Log in to Reply

        yes to the idea of a unique randomized url for a traditional login fallback.

        This feels just like the Backup Codes provider we already have, except instead of being per user, it’s global — and therefore a touch more dangerous. It would let anyone that knows the randomized url thingy bypass 2fa on any other user account, if it’s global. If it’s per user, then it’s just a more complicated version of backup codes.

        While my sites don’t get hacked I still feel the pain of the hack attempts.

        Have you considered the Protect module in Jetpack? It’s good at saving server load by exiting early on attempts from bad ip addresses. Unfortunately, it’s not something that can be done in Core WordPress, as it’s dependent on a third party server identifying the botnets trying to break into sites.

        Anyway, as fascinating as the topic is, I’m afraid it’s out of scope for this project, apart from 2FA making WordPress more difficult for botnets to crack into, and therefore less appealing.

    • Philip Ingram 8:55 pm on December 11, 2015 Permalink | Log in to Reply

      In regards to the randomized url, yes global is much simpler and if somehow a hacker figured out /wp-login.php?7c850yqbaude4cxr=ts43ng0t564dopl0 they’d still have to have a real username to brute force against but likely get locked in the first few attempts anyway. Another fail safe might be to email notify an admin of the attempt of a failed login via that obscure url so it could be changed immediately.

      I’d prefer wp-login.php was no longer a constant. I know obscurity is not considered a good practice for website security but the lack of obscurity it what puts my sites on the radar in the first place. No one seems to care about hacking my non-wp sites.

      While not off topic by any means I do understand this is out of scope but thanks for allowing me to post my thoughts regardless.

    • dmccan 11:01 pm on December 11, 2015 Permalink | Log in to Reply

      If I read the old session notes correctly, this discussion is really the lowest common denominator fallback for sites that cannot or don’t implement additional 2FA options or for times when alternatives aren’t available (such as cell phone loss). For example, it looks like there is to be support for using the Google Authenticator service. It has clients for Android and iOS. So, I think you are on a good track with the plan as outlined.

      FWIW, WordPress.com has 2FA with SMS recovery. I know JetPack is separate, but perhaps the JetPack team would allow JetPack users to register their cell phone number for account recovery as another option.

    • Ryan Hellyer 4:34 am on December 12, 2015 Permalink | Log in to Reply

      It sounds like you guys have done an excellent job on this. The email backup solution sounds perfect.

    • Jon (Kenshino) 10:27 am on December 12, 2015 Permalink | Log in to Reply

      Loving the discussion

      But just to make things clear…. When the Support Team suggested having email by default as a fall-back, it isn’t the same as having it as the only fall back.

      Our suggestion really focuses on – is there any easy, non-code way for the normal users to get back to logging in if they really have no idea what they’re enabling.

      Once they’re comfortable and/or they are advanced users, they can swap out the email fall back to some other fall back. But they must always have 2 levels of providers to allow them to login. (Or possibly use a filter to deactivate that requirement, once they are able to put in code, that shows a level of tech competency whereby we can take off the training wheels)

      I have the experience of getting to WCUS, trying to login Facebook only to find it disabled because me being in another country. My backup phone number was unfortunately not one that had roaming enabled. Facebook wanted my photo ID and other really intimate details that I had no intention to give so I gave up and logged in when I returned.

      Users should always have the choice to select the providers that they are comfortable with.

      And do remember though, admins must also have to be comfortable to support 2FA. Normal subscriber roles on websites shouldn’t be able to enable 2FA if the admins don’t even know what it is or at least how it works on WordPress. Administrators should definitely be given the master button like how it is implemented by Google Apps.

    • Doug Smith 3:33 pm on December 12, 2015 Permalink | Log in to Reply

      The regular username / password login can be reset by e-mail as a fallback. A major use case for a second factor is to protect against something like a compromised e-mail account being used to reset logins. Doesn’t using the same fallback for factors then effectively remove the second factor?

    • Michael Arestad 8:53 pm on December 12, 2015 Permalink | Log in to Reply

      I’m still very much on the fence with this being in core from a user experience standpoint. I’m really worried about people locking themselves out one way or another. I’m worried about the ease of use. I’m worried about users avoiding it altogether.

      If it feels really nice to use and isn’t presenting people with tons of settings (kinda like Slack’s email login, but that’s probably more like 1fa), then I’d be more comfortable with it.

      If it’s something that only a very few will use, I would prefer it not be in core. My gut feeling is that adoption of it would be low for a few reasons:
      1. 2fa can be pretty confusing.
      2. It requires some aspect of app switching (to check email/text/etc) to do it. If it’s pretty dang tedious to do and makes you think, why do it?
      3. They have never used it before, so why use it now?

      I want to see where this ends up before I weigh in either way, though. I think it’s definitely needed, but maybe not wanted by the majority of users. I like @kraftbj‘s suggestion of at the very least maybe providing the infrastructure in core (if needed) for 2fa plugins.

    • thetechnuttyuk 1:37 pm on January 25, 2016 Permalink | Log in to Reply

      I noticed this today, so sorry I’m a bit late to the party, I just need to mention my thoughts on WordPress integrating 2FA directly into WordPress, as I have a problem with it.

      That problem is that generally WordPress likes to add features without a turn-off switch, srcset was a recent example of that. 2FA would need to have a turn off switch, that completely turns it off, not just kinda turns it off, completely turns it off, not only because not everyone wants to use it, but because some people want to use software that is better than what WordPress is likely going to integrate, Duo Security being the perfect example of that.

      For that reason, I believe it’s better to simply keep this feature as a plugin addition, maybe ask the user if they want to add it via something like Jetpack, or just showing a message in Core, but honestly, this should not be a built-in feature that has no option for turning off, without adding code in files you’ll forget about and replace a year later.

  • Mike Schroder 5:42 am on December 11, 2015 Permalink |
    Tags: ,   

    December 10 Meeting Summary and 4.5 Call for Volunteers 

    We gathered together after the marvelous release of 4.4. Many congrats to @wonderboymusic, his deputies @sergeybiryukov and @ocean90, and all contributors who helped out! See the full transcript for the entire chat.

    On 4.4

    What’s Next?
    @helen is building a product design team that is kicking off shortly. I’m excited about this — it’s an opportunity to really step up our game in the UX space. She’ll be building out a few projects and calling for volunteers on make/design, so watch there if you’re interested in getting involved.

    Officially, 4.5 doesn’t kick off until early January, but I’d like to start off with a ready-to-go set of teams. The time between now and then is also great for preparing feature plugins that you’re interested in seeing merged.

    4.5 Call for Volunteers
    Currently looking for those interested in:

    • Being a Release Backup/Deputy
    • Contributing to Week in Core Summary Posts
    • Working on a particular development focus or feature

    If you’re interested in contributing in any of these areas/roles, please leave a comment! Feel free to ping me in the Make WordPress Slack (@mike) if you have any questions on these roles.

     
    • WP Sites - Brad Dalton 5:56 am on December 11, 2015 Permalink | Log in to Reply

      I’d like to be a volunteer & contribute however according to my competitiors, i don’t know what i’m doing, my code doesn’t work and i don’t know anything about WordPress!

    • yehudah 7:03 am on December 11, 2015 Permalink | Log in to Reply

      I would like to help, I don’t care in which area.

    • Nick Halsey 7:38 am on December 11, 2015 Permalink | Log in to Reply

      Count me in for working with @westonruter and others on the Customizer. Most of my availability will be in the next month, so I’m planning on trying to get moving on several UI and UX-related items (including possible new features). As I mentioned in the meeting, a possible theme of eliminating dead-ends to improve user flow is emerging and I’ll expand on that once it’s more fleshed out.

      Also, I just realized that the work to re-imagine the toolbar that was done during 4.3 was never completed – #32678. I think that should be doable for 4.5, and would help improve flow between the frontend and admin.

    • Varun Sridharan 9:17 am on December 11, 2015 Permalink | Log in to Reply

      I would like to volunteer and contribute my time to WordPress 🙂
      i am basically strong in development. so i can do development or being a release backup/Deputy

    • Justin Greer 11:19 am on December 11, 2015 Permalink | Log in to Reply

      Throw me in somewhere needed! Just let me know where! 🙂

    • Ahmad Awais 2:50 pm on December 11, 2015 Permalink | Log in to Reply

      Would love to contribute again. @westonruter‘s idea on the Customizer SPA looks pretty good to me.

    • Rami Yushuvaev 1:50 am on December 12, 2015 Permalink | Log in to Reply

      I will defiantly continue contributing to core!

    • Morgan Estes 2:32 am on December 12, 2015 Permalink | Log in to Reply

      I’m interested in working on inline JS docs, and giving the Toolbar some love. Oh, and Week in Core. 🙂

    • Joe McGill 4:44 am on December 12, 2015 Permalink | Log in to Reply

      I’d like to see if we can push forward the improved imagick compression settings from the RICG plugin project and explore the possibility of streamlining some of our media internals, maybe something like #23424.

    • Najum Rahim 4:21 pm on December 12, 2015 Permalink | Log in to Reply

      I would to contribute efforts and time to WordPress.

    • Scott Kingsley Clark 4:21 pm on December 12, 2015 Permalink | Log in to Reply

      I’ll be focusing on Fields API, not sure if it’ll be ready in time for the 4.5 merge window but I’ll be hopeful!

    • Mostafa 8:36 am on December 31, 2015 Permalink | Log in to Reply

      I really want to contribute on WordPress Core…..but how?
      Can i contribute on core just by fix a bug and make a patch for it?

    • vinorodrigues 12:49 am on January 1, 2016 Permalink | Log in to Reply

      I can help.

    • ucheng 6:05 pm on January 4, 2016 Permalink | Log in to Reply

      I have no experience on contributing to WordPress core, but I really want to make it in 2016. Since I have made a plugin for Layers WP, I want to focus on Customizer and make it better!

    • SlimBob 2:11 pm on January 5, 2016 Permalink | Log in to Reply

      I’m interested in working on a particular development focus or feature.

  • Helen Hou-Sandi 7:56 pm on December 9, 2015 Permalink |
    Tags:   

    Welcome the 4.5 class of committers! 

    As announced in the State of the Word this year at WordCamp US by @matt, there are seven new committers to introduce.

    Many of you have seen Michael Arestad‘s (@michaelarestad) design and front-end development contributions over the last couple of years, notably with the redesign of Press This in WordPress 4.2. His numerous, high quality contributions are a welcome addition to core. I personally am looking forward to his work on markup and styling, having relied heavily on his judgment for quite some time now.

    WordPress 4.4 adds a new embed feature to WordPress, making it an oEmbed provider for the first time. Work on this new feature was done in a large part by Pascal Birchler (@swissspidy), who has been doing great work for the past few releases. Pascal’s clear communication and thorough support of the flow mindset are things we can all be inspired by.

    Rachel Baker (@rachelbaker) is the co-lead of the REST API, a Comments component maintainer, and a major contributor to WordPress 4.4. Her work has made it possible for sites around the world to utilize the REST API, making WordPress a great application platform. Look for more of these contributions as the REST API iterates within core.

    Likewise, Joe Hoyle (@joehoyle) is a major contributor to the REST API. As we prepare to commit the REST API endpoints in an upcoming WordPress release, there will be more and more to come from both him and Rachel.

    As a Media component maintainer and a long-time contributor across many components and features, Mike Schroder (@mikeschroder) helped shepherd the responsive images feature plugin into core for WordPress 4.4. He was also a backup release lead for WordPress 3.9.

    Throughout the WordPress admin interface, everywhere you look you’ll see the work of Mel Choyce (@melchoyce). Her design and experience contributions are long-standing and have benefited the entire ecosystem. As one of the maintainers of the Dashicons project, the icons you interact with daily are a big part of her contributions, as well as themes available in the WordPress.org Theme Directory.

    Eric Andrew Lewis (@ericlewis) has been contributing in various forms for many years, exploring lesser-known areas, documenting them, and challenging assumptions. Most recently, you may have seen his work as a Media component maintainer or with the shiny updates feature in WordPress 4.2.

    Additionally, Ella Van Dorpe (@iseulde), Konstantin Obenland (@obenland), Weston Ruter (@westonruter), Tammie Lister (@karmatosed), Andrea Fercia, (@afercia) and Ryan McCue (@rmccue [that’s one M, two C’s]) have all had their guest commit renewed.

    Please join me in welcoming this great set of new committers!

     
c
compose new post
j
next post/next comment
k
previous post/previous comment
r
reply
e
edit
o
show/hide comments
t
go to top
l
go to login
h
show/hide help
shift + esc
cancel
Skip to toolbar