Please update the forward of…

Please update the forward of slackinvitehelp@w….org to forum-password-resets@w… instead.


Change all SVN PHP Linting to PHP7?

Core needs some PHP7-syntax files for the tests folder (latest PHPUnit requires PHP7) to provide a compatibility layer which operates between PHP 5.2 and 7.2 with the default-installed PHPUnit.

We’ve previously enabled PHP7 linting for meta.svn and plugins.svn; can we extend that linting to all SVNs?
I don’t expect that a PHP5-specific lint is really required by any of the remaining repos. bbPress/BuddyPress/core are going to need PHP7 files at some point, glotpress/ would benefit from PHP7 syntax too.

ref: &


Reverse DNS for

Transactional emails coming from the web server are getting dinged on their SpamAssassin score for not having correct Reverse DNS.

Presumably, the PTR should point to instead of This is the SpamAssassin rule message:

0.8 RDNS_NONE Delivered to internal network by a host with no rDNS

0.8 is almost 20% of the default spam threshold of 5, which gives us a lot less of a buffer, and we believe it’s contributing to ongoing reports of messages being flagged as spam.

Could we get the PTR record amended to address this issue?



Access to WordCamp error logs

With the new sandbox setup, we no longer have direct access to the error logs on production, which will make it difficult to learn about and reproduce errors in order to fix them.

I have a couple ideas about potential solutions, but I’d like to know if Systems has any thoughts or preferences.

1) Pipe errors into Slack, the same way that does. This would require setting up object caching (to rate limit the API hits, per Slack’s ToS). IIRC, @kovshenin looked into this a few years ago, and determined that there was a non-trivial amount of code that would need to be refactored in order to make it work. Konstantin, do you remember the details there?

2) Set up a cron job on production to parse the raw error log on disk, reduce it to the relevant/limited entries, and push those to Slack.

3) Set up a cron job on production to copy the raw error logs from production to sandboxes every ~60 seconds. They’d need a different name than the sandbox error logs, so that we could have both.

@coreymckrill and I could write any scripts that are necessary, etc.

Do you see any problems with any of those, or have any other ideas or suggestions?
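A sketch of option 2 above, added here as an illustration and not code from the post or from WordCamp.org: it reduces a PHP error log to a capped, de-duplicated summary and redacts e-mail addresses before anything leaves the server. The log line layout, the level filter, the cap and the sample lines are all assumptions; posting the text to Slack is left out.

```python
import re
from collections import Counter

# PHP's default error_log line layout (assumed; the page shows no log line).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*?)"
    r"(?: in (?P<file>\S+) on line (?P<line>\d+))?$"
)
KEEP_LEVELS = {"Fatal error", "Parse error", "Warning"}  # hypothetical filter
MAX_ENTRIES = 3  # hypothetical per-run cap, to keep Slack API calls low

# Constructed sample log lines, not taken from any real server.
SAMPLE = """\
[13-Dec-2017 14:51:12 UTC] PHP Warning:  Invalid argument supplied for foreach() in /srv/example/plugin.php on line 88
[13-Dec-2017 14:51:13 UTC] PHP Notice:  Undefined index: foo in /srv/example/theme.php on line 12
[13-Dec-2017 14:51:14 UTC] PHP Warning:  Invalid argument supplied for foreach() in /srv/example/plugin.php on line 88
[13-Dec-2017 14:51:15 UTC] PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 72 bytes) in /srv/example/api.php on line 301
[13-Dec-2017 14:51:16 UTC] PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 4096 bytes) in /srv/example/api.php on line 301
[13-Dec-2017 14:51:17 UTC] PHP Warning:  mail(): bad recipient jane@example.org in /srv/example/mailer.php on line 40
""".splitlines()


def normalise(msg):
    """Redact e-mail addresses and collapse numbers so repeats group together."""
    msg = re.sub(r"[\w.+-]+@[\w.-]+", "<email>", msg)
    return re.sub(r"\b\d+\b", "N", msg)


def reduce_log(lines, max_entries=MAX_ENTRIES):
    """Return (top entries with counts, number of distinct entries dropped)."""
    counts = Counter()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] not in KEEP_LEVELS:
            continue  # notices, stack-trace lines, anything unparseable
        key = (m["level"], normalise(m["msg"]), m["file"] or "?", m["line"] or "?")
        counts[key] += 1
    top = counts.most_common(max_entries)
    return top, len(counts) - len(top)


def slack_text(top, dropped):
    """Build the message body; posting it to Slack is left to the caller."""
    rows = [f"{n}x {lvl}: {msg} ({path}:{line})" for (lvl, msg, path, line), n in top]
    if dropped:
        rows.append(f"... {dropped} more distinct errors not shown")
    return "\n".join(rows)


if __name__ == "__main__":
    print(slack_text(*reduce_log(SAMPLE)))
```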


Hello, can you please set up…

Hello, can you please set up proxy access for @nao and @chantalc? As polyglots mentors they’ll be helping out with managing rosetta sites and need access to the network.

For @nao you can use her a8c key, for @chantalc:


Thank you!


Could you please create a site for

We’ll also need a MySQL database, and SSH for @coreymckrill and myself, but if cPanel allows then I can do those myself.

Thank you 🙂


Potential Abuse of “Email Personalized Schedule” Feature

r6268-meta adds a new feature where WordCamp attendees can bookmark sessions on the schedule that they want to attend, and then e-mail themselves their personalized schedule (per #2733-meta). The feature is aimed at attendees, so it doesn’t require logging in to an account.


The email portion of that is temporarily disabled, though, so that we can discuss the potential for abuse, and any necessary mitigations.

As far as I can tell, there are 3 primary scenarios for abuse:

“Dumb” bots

These are the ones that just search for any <form> they can find, and POST spam content to it. These shouldn’t work at all, since the <form> doesn’t have an action; instead, JavaScript traps the click event and sends the request to the REST API. Even if the bot tried to POST the request to the current URL, that still wouldn’t trigger the handler.

“Smart” bots

These are advanced enough to be able to interact with the DOM. I still don’t think these would work, because the handler returns early if no session IDs are passed. In order to actually send an email, the bot would have to star a session, meaning that it would have to be tailor-made to this particular plugin.

I don’t think anybody would go to that much trouble, since they could get much more impact for far less effort elsewhere. They wouldn’t be able to send any spam content; all they would achieve would be annoying the recipient and hurting our server’s spam reputation. Annoying the recipient could be done more easily with millions of web forms that don’t require any complex interactions. Hurting our server’s reputation is plausible, but still seems very unlikely.

That doesn’t seem like a compelling enough reason to burden the user with a CAPTCHA, or to take up our limited time and introduce non-essential complexity with a rate-limiter.

A human manually submitting the form

This is essentially the same as a “smart” bot; the costs seem to far outweigh the benefits.

If we get any reports of abuse, or notice our mail server being blacklisted, then we can definitely temporarily disable the emails with email_fav_sessions_disabled() and work on a fix, but it seems premature to do anything right now.

Waiting until there’s actually some sign of abuse saves us the opportunity cost of spending time on a feature we’ll probably never use, and it also puts us in a better position to correctly fix the abuse in the unlikely event that it does happen. Right now we’re just guessing at how it might be abused, but if it does actually happen, then we’ll know the details and will be able to address it directly.

What do you all think? Do you all have any objections to turning it on?


Node.js 8.x on build server

Hi, as per #3320-meta could we please have a Node 8.x LTS release installed on
This will be needed for WordPress 5.0 & Gutenberg (once merged) build scripts to operate.

Currently we have a 0.10.x & 6.9.x release available in the nodejs-base role.



Cache corruption issue

Something is causing the Credits API results cache to be corrupted – I’m assuming a job somewhere is triggering it, but I have no way to track it down.

Are you able to find out what is writing to the props-4.9 key in the core-credits-api cache group?


Incorrect Return-Path on mail from

The Return-Path is currently set to, which may be contributing to emails getting marked as spam for some recipients. Relevant headers from one such email:

Received-SPF: Neutral ( is neither permitted nor denied by domain of ) client-ip:
    spf=neutral ( is neither permitted nor denied by domain of
Return-Path: <>
Date: Fri, 20 Oct 2017 12:20:46 +0000
From: WordPress <>

This same issue has come up before (1, 2), and it appears that the Return-Path was changed at that time, so perhaps it was somehow reverted at a later date?

cc @stankea
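One way to check a delivered message for the condition described in the post above, added here as an example that is not part of the original post: it reads the Return-Path, From and Received-SPF headers and reports a Return-Path domain that does not line up with the From domain, or an SPF result other than pass. The addresses, IP and header values in the sample are constructed placeholders, and the alignment test is simplified to an exact or subdomain match rather than the organizational-domain comparison DMARC uses.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; every address and IP is a placeholder.
SAMPLE = (
    "Received-SPF: Neutral (203.0.113.7 is neither permitted nor denied by"
    " domain of bounce@web1.example.net) client-ip=203.0.113.7\n"
    "Return-Path: <bounce@web1.example.net>\n"
    "Date: Fri, 20 Oct 2017 12:20:46 +0000\n"
    "From: WordPress <noreply@example.org>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def check_envelope(raw_message):
    """Summarise Return-Path/From alignment and the recorded SPF result."""
    msg = message_from_string(raw_message)
    rp = domain_of(msg["Return-Path"])
    frm = domain_of(msg["From"])
    spf_words = (msg["Received-SPF"] or "").split(None, 1)
    spf = spf_words[0].lower() if spf_words else "none"

    findings = []
    if not rp:
        findings.append("Return-Path is missing or empty")
    elif not (rp == frm or rp.endswith("." + frm)):
        # Simplified alignment: same domain, or a subdomain of the From domain.
        findings.append(f"Return-Path domain {rp} is not aligned with From domain {frm}")
    if spf != "pass":
        findings.append(f"SPF result is {spf}, not pass")
    return {"return_path": rp, "from": frm, "spf": spf, "findings": findings}


if __name__ == "__main__":
    for finding in check_envelope(SAMPLE)["findings"]:
        print(finding)
```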