Presented by Kerry Carron on 02/25/2019 12:00pm
Welcome to this week's Network News. Let's get started with the WordPress industry news.
WordPress @ Work
WordPress 5.1 is available as the newest stable WordPress release. WordPress 5.1 focuses on improving the overall performance of the new block editor that shipped with the 5.0 major release. In addition, 5.1 begins the "better, faster, and more secure" WordPress journey by adding some essential tools for website administrators and developers.
Site Health Features for Security and Speed
- Notices to administrators of sites that run long-outdated versions of PHP
- A PHP version check when installing a new plugin, which blocks installation of plugins that are incompatible with the site's PHP version
Block Editor Performance
- Quicker to start
- Smoother typing
- New database table to store metadata and arbitrary site data for multisite and network context.
- Updated Cron API - new functions and filters
- DEBUG constant updates
- Config file constant updates
- New short-circuit functions
- New human_readable_duration() function
- Improved taxonomy meta box sanitization
- Limited LIKE support for meta keys
- New "doing it wrong" notice when registering API endpoints
WordPress Community News
- Bootstrap has released versions 4.3.1 and 3.4.1 to patch an XSS vulnerability (CVE-2019-8331)
- Alex Mills' liver is too damaged by the leukemia to continue with treatment. Alex is choosing to remain at home where he can be comfortable with family and friends. He is encouraging members of the WordPress community to fork and maintain his open-source plugins. View the plugins and build upon Alex's legacy.
- BuddyPress 4.2.0 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.
- The Ecwid e-commerce plugin, a WooCommerce alternative with a focus on small businesses, is now fully integrated with the new Block Editor.
From: WordCamp Central
- WordCamp Dayton – Dayton, OH, USA – March 1–2, 2019
- WordCamp Cebu – Cebu, Philippines – March 2, 2019
- WordCamp Kolkata – Kolkata, West Bengal, India – March 3, 2019
- WordCamp Nordic (regional WordCamp) – Helsinki, Finland – March 7–8, 2019
- WordCamp Kota Kinabalu – Kota Kinabalu – March 9, 2019
- WordCamp Greenville – Greenville, SC, USA – March 9, 2019
- WordCamp Miami – Miami, FL, USA – March 15–17, 2019
- WordCamp Kathmandu – Kathmandu, Bagmati, Nepal – March 16–17, 2019
- WordCamp Osnabrück – Osnabrück, Germany – March 23–24, 2019
- WordCamp Bordeaux – Bordeaux, France – March 23, 2019
- WordCamp Entebbe – Entebbe, Uganda – March 30–31, 2019
Known WordPress Vulnerabilities
Vulnerabilities without a Fix
There were no known vulnerabilities without a fix this week.
Simple Social Buttons 2.0.4-2.0.21 - Authenticated Option Injection:
A flaw in the plugin's request handling, combined with a missing permission check, allowed non-admin users to modify WordPress installation options stored in the wp_options table.
This means anyone who can register a new account on a site could change the site's main settings, which could allow an attacker to take over the site by installing backdoors and/or taking over admin accounts.
Update to version 2.0.22
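The defect described above is a missing authorization check on a settings endpoint. The following is an added example, not Simple Social Buttons' code: a hypothetical `wp_ajax_demo_save_settings` handler shown first in the vulnerable shape (any logged-in user reaches `wp_ajax_*` hooks, and the request chooses which option to write) and then hardened with a capability check, a nonce, and an allowlist of option names. All names prefixed `demo_` are assumptions.

```php
<?php
// Added example (not the plugin's code). Both handlers are registered on the
// wp_ajax_ hook, which WordPress exposes to every authenticated user,
// including subscribers created through open registration.

// --- Vulnerable pattern: no capability check, no nonce, option name and value
//     come straight from the request, so a low-privilege user can overwrite
//     any row in wp_options.
add_action( 'wp_ajax_demo_save_settings_insecure', function () {
    $option = sanitize_key( $_POST['option'] ?? '' );
    $value  = wp_unslash( $_POST['value'] ?? '' );
    update_option( $option, $value );
    wp_send_json_success();
} );

// --- Hardened pattern.
function demo_allowed_options() {
    // Only the options this feature legitimately owns (hypothetical names).
    return array( 'demo_share_buttons', 'demo_button_style' );
}

add_action( 'wp_ajax_demo_save_settings', function () {
    // 1. Authorization: the request must come from a user who may manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the nonce must have been issued for this action
    //    (created on the settings page with wp_create_nonce( 'demo_save_settings' )).
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    // 3. Never let the request pick an arbitrary option row; allowlist the name.
    $option = sanitize_key( $_POST['option'] ?? '' );
    if ( ! in_array( $option, demo_allowed_options(), true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    // 4. Sanitize the value for the type this option actually holds.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $option, $value );
    wp_send_json_success();
} );
```

When reviewing a plugin, a quick audit is to list every `wp_ajax_*`, `admin_post_*` and REST route callback and confirm each one that changes state performs a `current_user_can()` check and a nonce check before touching `update_option()`, `$wpdb` or the filesystem.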
LoginPress <= 1.1.15 - Authenticated Blind SQL Injection:
This vulnerability could be exploited by any registered user on the site.
A missing permission check in the settings import allows any registered user to import custom plugin settings and adjust the login pages as they like. The SQL injection vulnerability is also in the settings import: when checking whether an image is already uploaded, the plugin queries the database directly with the image URL without sanitizing it.
Update to version 1.1.16
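The LoginPress issue combines the same missing permission check with a query that embeds an unsanitized image URL. The following is an added example, not LoginPress' code: a hypothetical settings-import routine with the "is this image already uploaded?" lookup written once as string concatenation (vulnerable) and once with `$wpdb->prepare()`, behind the capability and nonce checks the import itself needs. The `demo_` function names are assumptions.

```php
<?php
// Added example (not the plugin's code).

// --- Vulnerable: the URL from the imported settings is concatenated into SQL,
//     so a crafted URL becomes part of the query.
function demo_attachment_id_for_url_insecure( $url ) {
    global $wpdb;
    $sql = "SELECT ID FROM {$wpdb->posts} WHERE guid = '" . $url . "' AND post_type = 'attachment'";
    return (int) $wpdb->get_var( $sql );
}

// --- Hardened: reject non-URL input, then bind the value with a %s placeholder;
//     $wpdb->prepare() quotes and escapes it so it can only ever be data.
function demo_attachment_id_for_url( $url ) {
    global $wpdb;
    $url = esc_url_raw( $url );
    if ( '' === $url ) {
        return 0;
    }
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE guid = %s AND post_type = 'attachment' LIMIT 1",
        $url
    );
    return (int) $wpdb->get_var( $sql );
}
// Core already ships attachment_url_to_postid( $url ) for exactly this lookup;
// prefer it over hand-written SQL where it fits.

// Import handler: authorization and CSRF checks happen before any state change.
function demo_import_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_import_settings' );

    $raw      = wp_unslash( $_POST['settings'] ?? '' );
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_die( 'Invalid settings payload', '', array( 'response' => 400 ) );
    }

    $logo_url = isset( $settings['logo_url'] ) ? (string) $settings['logo_url'] : '';
    $logo_id  = '' !== $logo_url ? demo_attachment_id_for_url( $logo_url ) : 0;
    // Store only the attachment ID that the lookup verified; a URL that is not in
    // the media library is dropped rather than trusted.
    update_option( 'demo_login_logo_id', $logo_id );
}
```

A defender-side check for this class of bug is to grep a plugin for `$wpdb->query`, `get_var`, `get_results` and `get_row` calls whose SQL string contains `$`-interpolated or concatenated variables without a surrounding `$wpdb->prepare()`.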
Newspaper Theme <= 9.2.2 - Cross-Site Scripting (XSS)
This is an Envato Theme Forest theme. Cross-Site Scripting vulnerabilities allow attackers to inject malicious scripts into pages served by the site. A malicious script can access any cookies, session tokens, or other sensitive information the browser retains for that site, and can even rewrite the page's HTML content.
XSS attacks could use the theme to deliver malicious code to another end user. The end user's browser has no way to know that the script should not be trusted and will execute it.
Update to version 9.5, which contains the fix.
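Theme XSS almost always comes down to echoing stored or request data into HTML without escaping for the context it lands in. The following is an added example, not the Newspaper theme's code: a hypothetical author-box template rendered unescaped and then with WordPress's context-specific escaping functions. The `demo_` names and the sample values are constructed.

```php
<?php
// Added example (not the theme's code).

// --- Vulnerable: values are dropped into attribute, URL, text and script
//     contexts as-is. A stored author name or bio containing a quote or a
//     <script> tag runs in every visitor's browser.
function demo_render_author_box_insecure( $name, $site_url, $bio_html, $search_term ) {
    return '<div class="author" title="' . $name . '">'
         . '<a href="' . $site_url . '">' . $name . '</a>'
         . '<p>' . $bio_html . '</p>'
         . '<p>Results for: ' . $search_term . '</p>'
         . '<script>var author = "' . $name . '";</script>'
         . '</div>';
}

// --- Hardened: escape at output time, choosing the function by context.
function demo_render_author_box( $name, $site_url, $bio_html, $search_term ) {
    return '<div class="author" title="' . esc_attr( $name ) . '">'      // attribute
         . '<a href="' . esc_url( $site_url ) . '">'                      // URL (blocks javascript: etc.)
         . esc_html( $name ) . '</a>'                                      // text node
         . '<p>' . wp_kses_post( $bio_html ) . '</p>'                      // limited HTML allowed
         . '<p>Results for: ' . esc_html( $search_term ) . '</p>'
         . '<script>var author = ' . wp_json_encode( $name ) . ';</script>' // JS literal
         . '</div>';
}

// Request-derived input (constructed example): sanitize on the way in as well,
// but escaping on output is what actually prevents the script from running.
function demo_search_heading() {
    $term = sanitize_text_field( wp_unslash( $_GET['s'] ?? '' ) );
    return '<h2>' . esc_html( $term ) . '</h2>';
}
```

Constructed input such as a name of `"><script>alert(1)</script>` illustrates the difference: the insecure function emits it verbatim, while `esc_attr()`/`esc_html()` turn the angle brackets and quotes into entities so the browser renders them as text.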
WP Cost Estimation
- < 9.660 - Upload Directory Traversal
- < 9.644 - Arbitrary File Upload and Delete
This is an Envato Code Canyon plugin for building e-commerce-centric forms. Attackers were using compromised sites to hijack incoming traffic and redirect it to other websites, with the potential of exploiting the backdoor further at a later date.
Wordfence identified the second vulnerability and the developer quickly created and released a fix.
Update to version 9.660
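The two WP Cost Estimation issues are an upload directory traversal and an arbitrary file upload/delete. The following is an added example, not the plugin's code: a hypothetical form-attachment upload and delete handler, shown in the vulnerable shape (the request chooses the destination path and the file type) and then hardened with WordPress's own file checks and a path-containment test. The `demo_` names and the `demo-forms` subdirectory are assumptions.

```php
<?php
// Added example (not the plugin's code).

// --- Vulnerable: filename (and therefore extension and directory) is taken from
//     the request, so "../" climbs out of the intended folder and ".php" is accepted.
function demo_handle_upload_insecure() {
    $dir  = wp_upload_dir()['basedir'] . '/demo-forms/';
    $name = $_POST['filename'] ?? $_FILES['file']['name'];
    return move_uploaded_file( $_FILES['file']['tmp_name'], $dir . $name );
}

// --- Hardened upload: authorization, nonce, MIME/extension check against an
//     allowlist, and core chooses a sanitized unique name inside the uploads dir.
function demo_handle_upload() {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions' );
    }
    check_admin_referer( 'demo_upload' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        return new WP_Error( 'no_file', 'No file uploaded' );
    }
    // Only document/image types this form needs; PHP and other executables are never listed.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    // Checks both the claimed extension and the file contents (magic bytes for images).
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed' );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file']; // absolute path chosen by WordPress, not by the client
}

// --- Hardened delete: strip any directory component, resolve the real path, and
//     refuse anything that does not stay inside the intended base directory.
function demo_delete_form_file( $requested ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return false;
    }
    $base = realpath( wp_upload_dir()['basedir'] . '/demo-forms' );
    $path = realpath( $base . '/' . basename( $requested ) );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false; // traversal attempt, symlink escape, or missing file
    }
    return unlink( $path );
}
```

The containment test in `demo_delete_form_file()` is the general fix for traversal: compare the canonical (`realpath`) target with the canonical base directory plus a separator, rather than searching the raw input for `..`, which misses encoded and symlink variants.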
OwnWP Community Focus
We’ve had a lot of blog post activity on the site and within the Slack channel since our last Network News. Many OwnWP posts (7), as well as member feed posts (4), are now available. Be sure to join the Network Nudge channel in Slack to get the members’ activity feed in real time.
Read Our Recent Posts
- A Solution to Simplify Your Video Creation
- OwnWP YouTube Channel Offering Public Video Playlists
- Come Feel the Love
- What are Weekly Webinars?
- Attention Grabbing Videos Result in Action Being Taken
- Honoring U.S. Presidents
- What are Community Connections?
The Outsourcing webinar should also be posting later today.
Member Login Anomaly
We have been having some technical issues with our member login area that we have not yet been able to isolate. Members attempt to log in and receive an alert message that they are not authorized in that location, but as soon as they navigate to the home page, they are, in fact, logged in.
Obviously, this is a less than ideal situation. We can occasionally replicate the issue; however, we have not yet been able to isolate the cause.
The bottom line is that though it appears that members are not able to log in, they really are being logged in. Thankfully, it does not appear to truly affect any actual access to any of the member area.
We created this inspirational image quote for you to share across your social networks. This image is free for members to download (available in your member’s area within the Giveaways). The OwnWP branding will not be on the downloaded copies – we left that part blank so you could add your own.
Please feel free to use your image anywhere you like. If you’d like to thank us, simply let others know that you got it from your OwnWP membership and how they can join us too.
Affiliate Product of the Week – Dealing with Problem Clients
Dealing with Problem Clients is a book written specifically for web developers working with clients. It is written by a friend and fellow OwnWP member, Nathan Ingram. Nathan works with WordPress web developers individually and in groups to help them remove the obstacles preventing them from becoming more successful in their freelance businesses. Nathan has been a freelance web developer since 1995 and is based in Birmingham, Alabama.
The book is presented in two parts.
- Part one is a series of stories about relatable WordPress freelancers who encounter four types of clients causing problems in their lives and their business, aka the Friendly Monsters. You’ll probably even recognize yourself in one of these characters or by having been in similar situations.
- Part two explains the essential systems and structures needed to contain the monsters.
2 Ways to Get the Book:
Option 1: Click this link (or the book image) to get the details, and if you happen to buy, we get a thank-you commission – a little to keep this site running for a while and maybe even enough to buy a fancy coffee.
Option 2: With this link, you can still explore the page and make a purchase, but this time we’ll get nothing. But hey, it’s OK. No worries, no guilt trip.
Either way, there’s no obligation to buy or take action – we’re just here to help you… Connect. Network. Thrive!
OwnWP Calendar of Events – Registrations are free.
Mondays @ 2 pm Mountain time – Network News followed by our Community Connections
Thursdays @ Noon Mountain time – Weekly Webinar
If you or anyone you know is interested in presenting on OwnWP either as a single, stand-alone presentation or more regularly scheduled event, please contact us.
Presenter Bio: Kerry Carron
Kerry Carron is a loving wife and mother of three grown boys. As a freelancer, Kerry has built hundreds of WordPress websites and assisted other freelancers and small agencies with WordPress support and business development. She is the founder of OwnWP, a production of Ultimate Solution, LLC.
Kerry specializes in processes and creating systems. She is passionate about helping others find their path to success and her aspiration with OwnWP is to encourage other freelancers in finding and using the right combination of tools and skills they need to do more than merely survive!