Themes team meeting agenda for January 24, 2023

The themes team conducts a meeting on the second and fourth Tuesday of the month. This month’s second meeting is on the 24th of January.

The meeting takes place in the #themereview channel on WordPress Slack and you need an account to participate.

Channel: #themereview | Time: Tuesday, January 24, 2023, 15:00 UTC

Along with the fixed agendas, we have an open floor at the end where you can ask or share anything related to themes.

We encourage all members, and anyone interested to attend. You can also add your agenda in the comment section below.

Meeting agenda

  1. Weekly updates
  2. Open floor

1. Weekly updates

Theme Tickets and Help Scout updates

Current statistics can be found on: https://themes.trac.wordpress.org/

Themes Trac ticket graph: https://themes.trac.wordpress.org/ticketgraph

Check regular weekly updates here.

2. Open floor

We will discuss everything related to themes. Attendees can ask or share theme-related things.

Please comment in the comment box below if you have anything to bring up during the open floor.

#agenda, #meeting, #themes-team

Nominations Call for the themes team representatives: 2023 Edition

The Themes team is looking for team representatives for the year 2023. It’s time to nominate team representatives. Please comment in the comment section below with your nomination. Based on the nominations, 2 themes team representatives will be elected.

Currently, @acosmin and I (@kafleg) are the team representatives. @utz119 left the team rep role a few weeks back.

What are Team Reps?

Team reps are responsible for communicating on behalf of the team.

In the WordPress open-source project, each team has on average one or two reps (rep is an abbreviation for team representative).

Read here to know more about team reps.

Responsibilities:

  • They represent the team
  • Communication with other teams
  • Post weekly updates
  • Mentor theme reviewers
  • Transfer themes, suspend or delist themes (if necessary)
  • Conduct team meetings, write meeting agendas and meeting notes
  • Guide theme authors and reply to their questions
  • Regularly check the themes team email and follow up
  • Maintain the Theme Check plugin
  • Review Patterns and set them live or delist them

What are the qualifications?

A representative should be an active member of the WordPress Community. Someone reliable and trusted, familiar with WordPress theme development.

How to nominate someone?

The deadline for nominations is Wednesday, November 30, 2022.

Nomination text sample: “I would like to nominate @nominee_wp_username”. You can also nominate yourself by writing “I would like to nominate myself”.

If you are nominated but are not ready to take on the rep role, you can decline.

How Will the Election Work?

If we get more than 2 names and can’t decide on reps by acceptance, we will hold a vote, like an election. If necessary, we will write another post with detailed information about the voting process.

Once the results are in, the new team rep(s) will be announced in a new blog post.

If you have any questions, comment below. Happy Nominating!

A Guide to Writing Secure Themes – Part 1: Introduction

As a developer, keeping your users secure should be your most important priority.

Having a theme available on WordPress.org is a huge responsibility, because security issues make every site running the theme potentially vulnerable.

This guide will give you an introduction to the techniques you can apply to write secure code.

The guide is broken up into parts to make it easier to read and apply. It contains everything I learned over the past three years while reviewing themes for WordPress.org, premium themes for WordPress.com, as well as themes and plugins for WordPress.com VIP.

Before we get to the techniques, let’s have a look at the principles of secure code.

Principles of secure code

Writing secure code is not about using a particular function, tool, or workflow. Those things change over time, with new development techniques emerging and new security issues arising.

The common element that connects all these things together is the state of mind of the developer. This mindset is based on three principles:

  1. Don’t assume anything. Only act on what you know for sure.
  2. Don’t trust any data. Consider data invalid and insecure until proven valid and secure.
  3. Don’t become complacent. Web technologies evolve, and so do best practices.

With these principles on our mind, let’s clarify the meaning of a few terms we’re going to use in this series.

Commonly used terms

Input and output

When we talk about input, this designates all the data that is given to our code.

The most prevalent use case is information entered by the user, for example into a form field or the browser address bar. But it also encompasses data retrieved from stored cookies or from external services, like the Twitter API.

Themes deal with this data in various ways. They might store it into the database, use it to retrieve data from the database, or display it to the user.

When we talk about displaying information, we use the word output. But output is not just what we see on the screen, it’s all the data provided by our code.

Imagine a PHP script that passes data to a JavaScript script, such as data used to initialize a slider. In this case, the PHP outputs the data that is then used as input by the JavaScript.

If your code connects to a REST API, the JSON data returned by the API is the output that your code then uses as input.

Dynamic and static data

When we talk about dynamic or static data, this is not to be confused with the static keyword in PHP.

When we talk about static data, we designate data that cannot be changed except by changing the code. Here is an example:

<?php echo 'Hello World'; ?>

So when you read static, think of static HTML pages. These documents cannot return information that is not present in their source code.

Dynamic data on the other hand can be modified through different ways. For example:

<?php echo __( 'Hello World', 'wptrt' ); ?>

In this code sample, the __() translation function returns data. This data can be filtered, or modified by loading a translation.

What we are outputting is the return value of the function. Let’s look at this in more detail.

Return values

A return value is the data provided by a function. In PHP you often see these return statements in functions:

<?php
function wptrt_add_numbers( $a, $b ) {
    return $a + $b;
}
?>

Functions can return all kinds of data. Currently in PHP there is no way to force a function to return a certain type of data.

This is important to keep in mind, because a lot of WordPress functions contain filters. So you can never be sure about the data that a certain function returns.
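The filtered __() return value (from the Dynamic and static data and Return values sections) and the PHP-to-JavaScript hand-off (from the Input and output section), as an added example that is not from the original article; it assumes a WordPress theme’s functions.php using the ‘wptrt’ text domain, and the script handle, JS file path and theme mod name are hypothetical:

```php
<?php
// Added example, not from the original article: a theme functions.php
// fragment. Assumes WordPress has loaded it as part of a theme using the
// 'wptrt' text domain; the script handle, JS file path and theme mod name
// are hypothetical.

// 1. What __() returns is dynamic: any plugin, or a translation file, can
//    change it. This constructed filter rewrites one string and adds markup
//    to show that the return value is not the literal in the theme's source.
add_filter( 'gettext', 'wptrt_demo_rewrite_translation', 10, 3 );
function wptrt_demo_rewrite_translation( $translation, $text, $domain ) {
	if ( 'wptrt' === $domain && 'Hello World' === $text ) {
		return 'Hello <em>World</em> (rewritten by a filter)';
	}
	return $translation;
}

// 2. Because of (1), treat the return value as untrusted and escape it for
//    the context it is output in. esc_html__() translates and escapes in
//    one call, so the <em> above is shown as text; a bare __() would render
//    whatever the filter returned as HTML.
function wptrt_greeting() {
	echo esc_html__( 'Hello World', 'wptrt' );
}

// 3. PHP output becomes JavaScript input. The slider speed is stored data
//    (a theme mod), so it is validated with absint() before wp_json_encode()
//    turns the array into a JS literal the slider script can read.
add_action( 'wp_enqueue_scripts', 'wptrt_demo_slider_assets' );
function wptrt_demo_slider_assets() {
	wp_enqueue_script(
		'wptrt-slider',
		get_theme_file_uri( 'js/slider.js' ), // hypothetical theme file
		array(),
		'1.0',
		true
	);

	$config = array(
		'speed'   => absint( get_theme_mod( 'wptrt_slider_speed', 5000 ) ),
		'heading' => __( 'Hello World', 'wptrt' ), // dynamic, as in (1)
	);

	// The JSON_HEX_* flags encode <, >, & and quotes, so no translated
	// string can close the <script> element. 'heading' is still plain text:
	// slider.js must insert it with textContent, not innerHTML.
	$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
	wp_add_inline_script(
		'wptrt-slider',
		'var wptrtSliderConfig = ' . wp_json_encode( $config, $flags ) . ';',
		'before'
	);
}
```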

Now that we have seen the vocabulary, we’ll look at common attacks.

Common attacks

In order for you to secure your code, you need to understand how attacks work.

A good starting point is to read through the list of the Top 10 attacks in 2013, published by the Open Web Application Security Project (OWASP).

Google Application Security also has a very good introduction to Cross-Site Scripting (XSS) attacks. You can actually test out these attacks in the browser.

If you are interested in specific attacks for WordPress, I recommend reading the Sucuri Blog.

Conclusion

This part should have provided you with a good overview of what security is, the related terminology, and the type of attacks encountered.

In the next part, we’re going to look at how you can protect against some of these attacks by validating data before use.

#writing-secure-themes

Themes team meeting agenda for November 08, 2022

The themes team conducts a meeting on the second and fourth Tuesday of the month. This month’s second meeting is on the 25th of October.

The meeting takes place in the #themereview channel on WordPress Slack and you need an account to participate.

Channel: #themereview | Time: Tuesday, November 08 2022, 15:00 UTC

Along with the fixed agendas, we have an open floor at the end where you can ask or share anything related to themes.

We encourage all members, and anyone interested to attend. You can also add your agenda in the comment section below.

Meeting agenda

  1. Weekly updates
  2. Help on fixing issues on the Theme Handbook.
  3. Open floor

#agenda, #meeting, #themes-team

Meeting notes from the 9th of July 2019

The meeting started with a quick round of updates. There is still no resolution about the trusted authors (TA) issues.
After that we started discussing the proposed meeting agendas.

The following is the recap of the meeting; you can read the meeting transcript in the Slack archives (a Slack account is required).

Docs team discussion about the theme developer handbook

There was a discussion on the #docs Slack channel about handing over the theme developer handbook to the TRT.
The idea is to have a single responsible person from the TRT team who will take care of the developer handbook for themes. This means updating it with new requirements and keeping it up to date in general.

It was agreed that the person in charge of the theme developer handbook will be @acalfieri, who is an experienced reviewer and has been an active member of TRT for a long time.
Of course, if there are volunteers interested in helping, you can always ask in the Slack channel.

Accessibility (a11y) requirements

In the accessibility team meeting it was proposed to add some of the requirements for themes that use the accessibility-ready tag to standard themes in the repository.

The emphasis is on making themes easier to use, especially for people with certain types of disabilities.
The proposal included incorporating the keyboard navigation, control, skip link, and form labelling requirements from the existing accessibility-ready requirements.

This is the first step in making all themes in the WordPress.org repository accessible.

The changed requirement wouldn’t require all of the accessibility-ready requirements to be present in standard themes, nor would it automatically make them accessibility-ready, but by incorporating the requirements one by one over a longer period, the idea is to encourage theme authors to write accessible themes out of the box.

It was agreed that the skip links requirement from the accessibility part will be moved to the required section of the review handbook, and that the team will implement a new a11y requirement every two months. This will give theme authors enough time to make their themes more accessible.

Removing Demo Content from the theme

It was already agreed that demo content files (XML, JSON or some other format) should be removed from themes. But there needs to be an alternative to that.

It was agreed that the requirement should be updated with the following to make it clearer:

Importing or Downloading:

  • Themes are not allowed to import content to a user’s site.
  • Themes are not allowed to link directly to an XML, JSON, ZIP, or other file for direct download or import.
  • Themes are not allowed to bundle demo content via an XML, JSON, ZIP, or other file.

Also, a meeting will be held in the #design Slack channel about updating the wordpress.org previewer content, which can then be used as starting content for developers to develop their themes.

Theme generated notices

All the notifications generated by a theme should use the admin_notices API and follow the Core design pattern. They must be dismissible. Everything wrapped in the admin notice needs to follow Core UI design for notices.

This will be a requirement on all the themes.

Open floor discussions

There was a mention of a tool that can help reviewers review a theme: WPTRT-Cloud-Launcher. It’s a Chrome extension that launches a cloud instance that comes pre-configured with the theme and the Theme Sniffer and Theme Check plugins installed.

#meeting, #meeting-notes, #trt