In this episode, Malcolm Peralty and I discuss the news of the week, beginning with a new theme.json generator created by David Gwyer. We then share our thoughts on the redesign of WPTavern.com. We explain what data was exposed by a recent scrape of public Gravatar data and share alternatives for managing avatar images locally. We congratulate and thank Helen 侯-Sandí as she leaves her post at 10up and moves on to new adventures. We wrap up the show by discussing a CMS market share analysis by Joost de Valk.
This Episode is Brought to You By GoDaddy Pro:
Are you looking to increase your productivity? One tool that helps thousands of web developers and designers do more every day is GoDaddy Pro.
Combining site, client, and project management, GoDaddy Pro is an all-in-one solution made by and for web professionals. Whether you’re new to web design or looking to grow your business, you’ll find free tools, products, guidance, and support to help you deliver results for clients.
Manage and monitor all your clients’ WordPress sites from a single place, no matter where they’re hosted. With a single click, perform bulk updates, backups, security checks, and more to save time and free up your day.
- Theme.json Generator
- WPTavern Redesign
- Gravatar Emails Exposed
- Helen Hou-Sandí Moves on From 10up/WordPress
- 1.6 Million WordPress Sites under Attack
- CMS MarketShare
Transcript:
Speaker 1 00:00:19 Welcome everyone to episode 21 of the WP Mainline podcast for Friday, December 10th, 2021. I’m your host, Jeff Chandler, joined by Malcolm Peralty. Hello, sir. Hello? Hello from the frosty north. Absolutely. Although here, it’s kind of the warm, well, it’s not warm north. You’re more north than me. It’s the warm south. Yeah. Yeah. Have you ever thought of yourself as living in this? No, no, no. I have not. Uh, well, we’re back here in another week. Another week of things to talk about, we, uh, apologize for no show. Last week, last week was a bit of a crap shoot. Uh, just things, things didn’t go well. And it was just, just a sucky week. And we were talking before the, for the, uh, before the show here, David himself, he’s having a bit of a crappy week, how it goes at, sir. Come on. What’s so crappy about it.
Speaker 1 00:01:08 I let it out. Tell us well, we’re, we’re, we’re, we’re we’re few and far between was show notes. Come on, man. Let it out. And I think I’ll keep most of it, uh, close to my chest, but I will say that’s fine. I did sign up for, um, betterhelp.com again, to start working with a counselor to kind of sort my brain out a bit. So I’m so glad that those services exist. I wish they weren’t so pricey, but I’m so glad they exist. All right, man. Well, let me surround the you’re on the right track there. Yeah. So let’s see. Where are we at? What’s been going on here. Um, well, let’s talk about, uh, how about a theme.json theme generator, boy, say that 10 times fast, uh, David Gwyer is working on a, uh, he actually released a demo video that showcases his block theme generator.
Speaker 1 00:01:59 And I was kind of wondering, uh, if this was going to happen, this was going to be the case of people who are going to create theme generators, because essentially what you’re doing is, you know, you’ve got your theme.json file that controls your fonts and your colors and things of that nature. And I think you could probably create a UI where you can take care of a lot of that stuff by clicking on NABS and putting in hex values and different codes. And then you click a button that says generate and bam, you have a theme.json file you can use. And I guess then you would just need to put, uh, some sort of structure around it. Or maybe we just a bare minimum, uh, to turn it into a full site editing theme. And you could take care of all the layout and stuff within WordPress.
Speaker 1 00:02:41 But, uh, so this is at the very early stages of a project that David’s working on. In fact, he says that it’s his first web app, so it’s pretty cool. So he’s learning on the fly. There’s no word on when this is going to be released, but by taking a look at the demo video, you could see he’s pretty much got a UI. Uh, you click through a couple tabs, you add some, uh, some features and some functions. And next thing you know, it just gives you a, a, uh, a valid theme.json file that you can use, uh, in your theme. And I got a, I got to imagine that once full site editing is released in 5.9 here later in, uh, or in January of next year and full site editing block-based themes, that just becomes the norm. I think we’re going to see a couple of these block theme generators, uh, be released or come on. Those are gonna be kind of fun to play around with.
Speaker 2 00:03:33 Yeah, it’s so funny, right? Because I come from a slightly more developer background than you. And so my first thought was like,
Speaker 1 00:03:39 Yeah, you’re one of the folks who use theme frameworks. That’s the background you come from?
Speaker 2 00:03:44 Why, why does someone need this? Like, can’t like, if you look at the actual output of the theme.json file that he creates in the demo video, it’s kind of like, uh, I mean, as long as I understood what the requirements were for setting it up, I mean, I could do, I could write this out myself. Like I don’t need necessarily a tool to do it. Do I? Um,
Speaker 1 00:04:04 So I like buttons.
Speaker 2 00:04:07 I’m always curious about the use cases, like who are the users that are going to love this and what are they going to use it for? Um,
Speaker 1 00:04:13 I think it’s
Speaker 2 00:04:15 Exactly, that’s, that’s the thing. Right. And, um, what features will he add to kind of differentiate it from the others that we’ll start doing this and, and what kind of audience will it serve? And, yeah, I’m, I’m excited to see how it evolves as well and what that market looks like and, and how this improves WordPress or setting up WordPress going forward. I think that, you know, the first thing that makes me scratch my head though, is, is, you know, when you think about it from the developer side, it’s kind of like, oh, this is pretty easy. I could write it myself. And then on like the customer side, you know, you have those customers that barely know what WordPress is. The last thing that they’re going to want to do is, you know, see this output of this, this, uh, JSON file, because to them, that would be like the scariest thing ever. So there’s only like a slice in between, um, you know, kind of like in, in that skill level where they’d be comfortable to see this and try to experiment and play with it and learn it. Um, but I’m excited for it. I think it’s a really great thing that he’s doing here and I can’t wait to see it evolve.
Speaker 1 00:05:15 Yeah. Yeah. I mean, that’s, that’s the thing. I mean, I, I wonder how this is going to transcend into other projects into other block theme generators, how it’s going to maybe inspire some new ideas or different takes on creating these, uh, the theme.json file with these themes themselves. Um, so, so that’s, that’s what I’m looking forward to. I mean, I, there’s going to be these there’s always going to be generators. I have to, there’s an entire website at, I think, GenerateWP that might still be around. Uh I’m I’m wondering if they’re going to get on top of this theme.json block theme generator bandwagon, uh, this seems like it’d be right up their alley, but, uh, yeah, we’ll, we’ll have to see just another tool to the end of the tool belt and see what happens, uh, or, you know, for some others it’s a toy, not a tool like, like for me, it’s a toy, let me see what I can get in trouble with. The WP Tavern. You know, I, I think I know a thing or two about that website, they’re sporting a new, it’s a sporting, a new coat of paint. If you haven’t checked it out yet, visit wptavern.com and you will see a new design by Justin
Speaker 2 00:06:22 Tadlock
Speaker 1 00:06:23 By not Justin, like, influenced by Justin Tadlock. Like, uh, if you read the detailed article about the Tavern sporting a new design, he talks about that. Uh, well, first of all, the Tavern is now hosted on Pressable, which is a web hosting company that was acquired by Automattic a number of years ago, uh, by a member. I think his name on Twitter was ZippyKid. Um, but, uh, some of, some of you folks may remember that name, but it’s, uh, uh, Justin ended up working with the team, the, uh, Automattic special projects team, because I think they, they actually have a, um, a theme behind the scenes. It’s like a special project, uh, where you can create it to me, it seems like it’s the new Underscores, but it’s probably more than that. It was probably not the same as that, but that’s, that’s how I think it is. But I think the theme is based on that. So it supports full site editing. It’s block-based, and you can take a [email protected] and just from the, uh, from the looks of it, it’s, it’s, it’s white, uh, black font. You can, there’s definitely it’s blocky. I mean, you’ve got,
Speaker 2 00:07:33 It’s very newspapery. And I think one of the things that when we brought this up as, as something to talk about today, I kind of wanted to transition to what does, like, what do news websites need to look like these days? And this kind of feels like, you know, it wants to be like the New York Times kind of like that kind of clean, crisp, newsy kind of focus. And I love that they added in the little, like beer stein with the foam on top. I think that that’s a real nice callback. I think that was really smart of them. Um, it is a very, like very elegant looking design, which is also nice. I think though that, you know, it lacks some, it still lacks some personality, like even the last design and this design, it just kind of lacks some of the fun or some of the tongue in cheek that kind of goes with the name. Um, and like, I’m gonna have people that have design skill and the time to do these things. You kind of expect them to elevate that. And, uh, I think they could have gone a bit further with this and that’s, that’s just how I feel. I mean,
Speaker 1 00:08:39 Oh, well, when I, when I read the feedback on this and the other, the previous design, some of the feedback I read from, from readers was that, you know, w what is this? This is boring. This is there’s there’s no, there’s no, there’s no wooden floor as a background image. There’s, there’s no, uh, beer steins all over the place. There’s no, uh, uh, little beer emojis all over the place to represent now being in a Tavern it’s, there’s no, there’s no personality, but, you know, back in the day, I mean, this was 2009 when I was running the Tavern. And I, I added that wooden background image. It was a wooden floor or an image, but I cannot believe how that resonated with people over the years, how it actually, um, gave, gave the site look and feel like it, like its own thing. Like, it really was part of a tavern, like a Tavern-esque type website. And, uh, it just kind of took us my heart every time I read somebody say, or request to have something like that back. But here we are with the plain Jane black and white elegant looking simpleness website and
Speaker 2 00:09:41 Happy to see the little like Stein as well. Right. Absolutely.
Speaker 1 00:09:45 Absolutely. You gotta have, you know, at least there’s one thing on here that represents a TIF. That’s the beer stein
Speaker 2 00:09:52 I mean, and the old design doesn’t even have that I will say, like, in terms of your own site, in terms of WP Mainline, I mean, if you had, let’s say like a theme developer come to you and be like, you know, Jeff, we’re going to custom design WP Mainline, what do you like, what do you want it to look like? Do you have some like ideas or thoughts in your head on like other things, like other elements that you wish you had the design skill to implement?
Speaker 1 00:10:17 Uh, let’s see. Yeah. If you visit WP Mainline, I mean, you’ve got to, I’ve got a boring one site too. If you look at it with other than the logo and stuff, it’s, it’s blue, blue font. I mean, other than the logo, there’s not really much there to indicate this is a ,
Speaker 1 00:10:36 But I mean, I’m thinking of like the railroad crossing signs. It’d be cool to find a way to implement those. Um, uh, definitely not the Blinky red lights at a crossing. That’s probably not very accessible, friendly. It probably drives people nuts. Uh, maybe maybe up here, uh, where the navigation is since I’ve got those two lines, you know, maybe make it look like a railroad track or something, you know, that, that that’d be kind of cool. I don’t know. I think stuff like that, uh, to, to, to bring originality, to bring uniqueness to the site.
Speaker 2 00:11:06 That’s, that’s what I’m trying to go for. And that’s what I’m trying to say, right? Like that is, that should be the goal of a good website. I know that news websites don’t need to have the most elaborate designs or the most detailed designs or the most fun designs, but it doesn’t hurt to inject a little bit of life and levity into these websites. And I think it helps strengthen the brand and helps define the community a little bit. And, you know, I think that if you’re going to do a major redesign like this for any site you got to have, you have to think about those kinds of things a little bit and not be so like, I don’t know, overly professional in a way, because again, I think if you were to like blur this, like the WP Tavern website homepage, if you were to blur the logo and blur the texts, you couldn’t quite read what it was. I don’t think you would ever know which site this is. Cause I could probably find, you know, a hundred sites that look fairly similar to this. Um, and that’s kind of a disappointment and I think, I think they could go a little bit harder and a little bit further with us and especially with the resources that they kind of have. Right. So
Speaker 1 00:12:13 I know, I know some people have said that this just looks like a website or the Tavern looks like a site where it’s just a template with a font and then that’s it, you know, I mean, I, you know, there are in, in page builders and some of the templates that are out there, there’s a lot of them that kind of has this look and feel that, that, that the Tavern’s sporting. So yeah, I mean, I mean, what could be, what could they do to, it could be maybe, uh, some, some colors, uh, a background image. That’s no performance that actually, you know, adds to the look and feel of the entire site. And maybe in the comment section, a custom design comments section that’s Tavern-esque, however,
Speaker 2 00:12:50 And there was some little elements, right. So maybe, um, where you have like the recent comments, um, on the sidebar of the homepage or, um, is it on a single articles too? No, so they don’t have it on
Speaker 1 00:13:02 We’re like the list item that, you know, turn it into a beer Stein
Speaker 2 00:13:06 We’re even, or even with the headers. Right. You could have it. So like there’s two beer steins that are far apart, and as you scroll down, they like clink together in terms of like, so like, you know what I mean?
Speaker 1 00:13:17 I would wear up my mouse wheel doing something like that.
Speaker 2 00:13:20 Exactly. And, but it’s, it’s memorable. Right. It’s interesting. It’s engaging, it’s visually appealing. And I think we have to ask these questions about how much further can we push these designs because we want our web, like it’s so competitive these days, how do we kind of stand out from the crowd? Um, and I think they kind of missed the mark a little bit here on that. And I think a lot of sites are missing the mark on that lately.
Speaker 1 00:13:43 What about the feedback of the people who own these sites? And they say, what the hell does it matter? What it looks like just as long as the content is good niche. I think that only goes so far.
Speaker 2 00:13:52 I agree. I mean, do you like, do you want to go back to a site every day like this? I mean, I might as well just read it in and our,
Speaker 1 00:14:00 Uh, yeah, that’s, that’s what I was getting at, you know, without the, without the uniqueness to design, to make a beautiful, do a nice cover around that content. I mean like, why not just read it through a feed reader you’re getting almost the same experience.
Speaker 2 00:14:15 Yeah,
Speaker 1 00:14:16 Yeah, yeah. So I don’t know tamarind sport and new design. We’ll have to see if they, uh, if it adds, uh, any more features I want now I will say it’s fast. It is fast. Uh, one of the sites that recently did a redesign and the whole brand thing was do the Wu by Bob Dunn and his, his site is he did a really good job. And I know he had direct feedback as to what he wanted the site to look like. And he worked with dev studios and maintain to put it together. And he’s got a very nice, uh, looking website, uh, with the, with the, the logos, the colors, he’s got this unique looking kind of background image for some of this news bits and stuff. Uh, so there’s a redesign I like,
Speaker 2 00:15:00 Right? Yep. I get what you’re saying.
Speaker 1 00:15:02 So there you go. I mean, so what am I going to w how am I, you know, I use GeneratePress on WP Mainline, and I use a theme, one of the themes or templates that, that came with it, and I’m kind of wondering, what am I going to do after WordPress 5.9? Am I going to, uh, uh, how am I going to redesign this? Am I going to just go out there and look for FSE, full site editing theme, uh, supports block-based, whatever, and then just try and redo that. Am I going to stick with GeneratePress and maybe see if they, if there’s any way I can finagle things, or is there even a reason to change? I don’t know. You know, I’m pretty happy with what I have so far, so, and it’s not that technical or, uh, that, uh, demanding of a website. So I don’t know. Um, I mean, I’m going to move on from GeneratePress here in the future,
Speaker 2 00:15:51 Out there in the WordPress world. If you’re a front end designer and developer, I honestly, though there might be someone who is interested in kind of helping you, maybe not necessarily redesign the whole thing, but who could kind of give you some more graphic design elements to place on this theme that you’re already using. That kind of gets you a little closer to,
Speaker 1 00:16:10 And I know what to do. I know I’m going to go get some clip art. I’m going to ask you apply. That’s what I’ll do. No open source clipper. Come on, man. I
Speaker 2 00:16:19 Feel it
Speaker 1 00:16:19 Hurts. Don’t worry about it. It’d be nice. It’d be railroad theme. They’ll blank field will move. It’ll be jaggy perfect
Speaker 2 00:16:27 At some like MP3s AutoFair,
Speaker 1 00:16:30 Some dot WAV files. So they’re huge. Yeah, exactly. Yeah. Dot WAV or O M pay the little, the little MPEG files or MIDIs, remember MIDIs
Speaker 2 00:16:39 Yes, I remember MIDIs oh my goodness. That’d be amazing. Actually. I wonder what trains going by sounds like in MIDI form because a lot of them can’t get the detail that you need to really replicate the true honest sound. So it’d be interesting. I don’t know.
Speaker 1 00:16:53 I’m getting them to implement the Konami code on WP Mainline, where you do it. And it’s like some insane look on the website with a MIDI playing of a train room by giving me you’re giving me terrible ideas. That actually sound not that terrible.
Speaker 2 00:17:09 Maybe we should move on from this before we dig any deeper.
Speaker 1 00:17:13 Absolutely. Uh, so there’s a bit of an issue involving, uh, Gravatar. It turns out that, uh, Gravatar made the headlines again, due to an unintended use of its API. Now Gravatar, which was created by Tom Preston-Werner way back when and acquired by Automattic in 2007, enables users to upload an image for an avatar and use it across any site that has built in support for the service, you know, and at the time when Gravatar was created, I thought it was a great idea. I supported it. I had it at WP Tavern. I said, man, it sure would be nice if all the forums I frequent and all the sites supporting Gravatar, cause then I’m going to have to upload my image to each one of those sites. And if something changes, I won’t have to go to each one of those sites and change it.
Speaker 1 00:17:57 But I don’t know the more, the more I think about it and the more sites I’m not actually frequenting these days, the more I’m like I’m kinda mad with the whole, with the whole Gravatar thing, but the website security service Have I Been Pwned recently contacted its users to notify them that their email address may have been part of data that was scraped from Gravatar. The service actually references an article that was published on Bleeping Computer from 2020 that details how security researcher Carlo Di Dato used the Gravatar API to easily enumerate MD5 hashes that are associated with a user’s email address. Now, in addition to these email addresses, uh, Di Dato was able to scrape any information that the user placed in their Gravatar profile using this, uh, API endpoint, which they were not supposed to do as an unintended use of that API. So Automattic has since, or the Gravatar service has since closed down that portion of the API to prevent this from happening.
Speaker 1 00:18:53 But, uh, Di Dato had already scraped the information of w I think it was 1.2 somewhere around one point. Uh, I can actually look at it right now. Oh, about 120 113 million Gravatar accounts. Now, when you sign up for Gravatar, they make it plain and simple in your face saying, look, our job is to create a public profile that’s easily maintainable, and you can maintain it from one place instead of all these myriad of different sites. And what you put in this profile is public information. So, you know, there’s, there’s no biggie there, but the reason why this in the enumerating of email addresses, uh, that’s been an issue for years. It’s been brought up in 2009, 2013, 2016, where if you look at the source code of a website in the comment section, you’ll see an MD5 hash of, uh, which would be the email address of that Gravatar user. And by using something like, uh, uh, hashcat or one of these other programs out there, you can actually turn that MD, you can, uh, kind of reverse engineer the MD5 hash to figure out the email address. So it’s, it’s almost like the MD5 hash is kind of like a courtesy of, of, uh, well,
Speaker 2 00:20:14 So it’s an over some it’s, it was an oversimplified kind of thing. It was never really intended for real deep security. It was just a layer of obfuscation to simplify something. So instead of saying like, you know, [email protected], let’s just change that to a series of letters and numbers. And then we know that we don’t have to deal with an at symbol in a URL and stuff like that. So, I mean, it, it simplified a lot of things in kind of early and mid web, but every MD5 hash at this point has been like reversed. So like there’s not a single MD5 hash that exists at this point that can’t be reversed back into the values that it’s like semi obfuscating.
Speaker 1 00:20:51 I mean, finding, figuring out an email address through Gravatar is no big deal. The problem here is that this person was able to scrape all of that pro easily scrape all of that data, put it together in one data set. And now people are able to use that in, in phishing attempts, uh, social engineering, those types of attacks, um, and some of those profiles included information like Bitcoin wallets or cryptocurrency, wallet addresses, and some of that other stuff. So, yeah, I don’t know. I, I think email addresses are, is information that a user typically reserves the right to make public or not. And I’m willing to bet that most people who, who use Gravatar probably didn’t sign up thinking that their email addresses become public knowledge outside of the sites that utilize the service. Well, that’s, there it is. Now your email address is out there. Now I’m part of a data dump
Speaker 2 00:21:46 What’s amusing to me is that I probably change email addresses every, like I dunno, three to five years. So I, I don’t even remember which email address I would have with Gravatar anymore. Like, I’d have to figure that out and do that whole like reset password probably too. And it’s just a nightmare, but, um, yeah, I dunno. I, I never really kind of got all the way into Gravatar either. I, I was hopeful for it like you, that it was going to be like a central service for like profile and identity online and actually maybe even make it easy to log in or register for other services. I think that was a long hope that I had, I don’t know if they ever said that they were going to go in that direction, but, um, you know, how you can log into websites using like your Facebook login. I always thought Gravatar login was something that would eventually come to exist. Um, but yeah, I, I, I don’t know. I never really got all the way in and then
Speaker 1 00:22:36 I think, I think GitHub supports Gravatar there’s I know, I think vBulletin and some of the other forum software projects probably support Gravatar, but I don’t know if you, uh, it continues to remain as a core feature in WordPress. In fact, you can even upload in a fresh install of WordPress. You can’t manage avatars locally, user avatars it’s either Gravatar or nothing. So if you want an alternative to Gravatar or you want to manage or have your users to be able to manage their avatars themselves, I recommend a plugin called WP User Avatars, uh, by John James Jacoby. And he does a good job of keeping it updated. And basically what it allows you to do is, uh, it allows users to upload and select their own avatars. And by the way, I wrote an article back in 2016 for the Tavern where I describe that it’s, it’s a pretty crappy user experience managing and changing your avatar from within WordPress. And this article got me to check in and see if there’s any been, been any changes on that. No, it’s still a pretty crappy managing and changing your avatar from within the backend of WordPress, which I don’t understand, but you know, nowadays from now on until eternity, I don’t bother with Gravatar anymore. If I can help it, if I do any new WordPress sites that I manage, I use WP User Avatars.
Speaker 2 00:24:02 I just turned it off. It’s more data to pull in on a page load that’s probably not needed, but I don’t, I don’t do any community sites. So for me, those faces aren’t as important.
Speaker 1 00:24:10 Yeah. Yeah. You know where some of those websites are just, it’s a web ATAR is a webinar.
Speaker 2 00:24:16 There’s a couple of them. There’s like a robot one and a weird shape one.
Speaker 1 00:24:21 Yeah. So there you have it. So Gravatar is just going to keep on going and doing what they do. And, uh, if, uh, basically whatever information you have and your Gravatar profile is now part of the data dump. So if you want, you can go into Gravatar, you could delete it or not. I don’t think it really matters at this point, but Hey, at least, uh, at least passwords are not considered public profile information. You all have that going for us.
Speaker 2 00:24:48 I would recommend though, that if you did have your email address in that Gravatar data dump, it doesn’t hurt to update your password and make sure you have good password security or 2FA or something like that. Um, because they could bot attack those email addresses potentially, and try to gain access to your email, which would be really bad. So just be safe out there.
Speaker 1 00:25:10 So everyone out there and WordPress man, are you looking to increase your productivity? Well, one tool that helps thousands of web developers and designers do more every day is GoDaddy Pro. Combining site, client, and project management, GoDaddy Pro is an all-in-one solution made by and for web professionals. Whether you’re new to web design, looking to grow your business, you’ll find free tools, products, guidance, and support to help you deliver results for clients. Manage and monitor all of your clients’ WordPress sites from a single place, no matter where they’re hosted. With a single click, perform bulk updates, backups, security checks, and more to save time and free up your day. And for more information, you can check out godaddy.com forward slash proach. I got the hub dashboard, uh, every, any anyone notice when I do these ad reads and I’m doing them in a way I make myself laugh.
Speaker 1 00:25:57 Um, I just, uh, I’m glad I have a good sense of humor, but I’m professional about it. Thank you. Thank you very much. Uh, so long time WordPress lead developer, core developer, Helen Hou-Sandí, she announced that she is moving on from 10up, which she’s been there for about 10 years. And she’s also kind of moving on from WordPress. She kind of says in her announcement post that no, she doesn’t want to work. She doesn’t think that she wants to work on WordPress itself full-time again, which she feels should be okay. She has ideas and wants, but she has no real drive to manifest them herself anymore. She feels very good about the current direction of the project, especially the adder out of there. And she knows that there’s wonderfully smart and kind people who work on it. And she’s thankful to have been part of such a great community and project for a long time.
Speaker 1 00:26:53 And she says that you will definitely have not seen the last of her. And she’s, uh, you know, at the point where she was willing to spend time and meet people at, uh, WordCamps again, and she has joined a another company, but she’s leaving that reveal, uh, for a later day. So I just wanted to say, thank you, Helen, for all of your work and your contributions to WordPress and, and what you’ve done over the years and, uh, looking forward to, uh, seeing how you influence the tech world in the future and, uh, enjoy your new adventure.
Speaker 2 00:27:30 Yeah, I think it’s really great that, uh, it sounds like she’s got an engineering manager position that she’s really happy with. I, uh, I, I can’t help, but feel a little gutted for the 10up team. Um, she, when I worked there, she was a staple of that company and I’m sure that has not changed at all. Um, she was the director of open-source initiatives at 10up. She was a WordPress lead developer. Um, she, you know, was just amazing to like listen to, and, and I just, I, I can’t imagine after so long with that company, she’s like a fixture there for her to leave. I was just, when you posted that before the show, I was just like, how does that even happen? Like, I dunno if I was, if I was a, the executive team at 10up, man, I’d be like driving by with, uh, dump trucks of money saying, please don’t leave. But I get that sometimes you get to the point where 10 years, And especially in the tech world, right? I mean, you think of the turnover in most agencies is typically around that, you know, eight to 16 months and she’s lasted 10 years at the same agency. That’s huge. So, um, kudos to her for that, but, uh, wow. It’s just, that’s going to be an interesting change.
Speaker 1 00:28:50 So in other news, uh, what’s going on here with the 1.5, 1.6 million WordPress sites hit with, uh, some attacks.
Speaker 2 00:29:01 Yeah, so it, it seems like, um, there were some plugins that, uh, have this options update vulnerability in them,
Speaker 1 00:29:12 PublishPress Capabilities. You know, I know the, I know the folks over at PublishPress, they have great products and they do have the, this is a plugin where you can manage the various roles and capabilities of users. And apparently they had an oopsy.
Speaker 2 00:29:27 Yeah, it’s, what’s really interesting is not just that there’s a bunch of sites being attacked. It’s that they’re being attacked from 16,000 different IP addresses over the last 36 hours for a total of over 13 million, um, tracked or, or like noted attacks on websites. Um, it’s funny in that, in the Wordfence post, they give you like, the top 10 offending IP addresses that you might want to block on your firewall, whether or not you have these plugins, you’re probably getting traffic sent to your WordPress site by these IP addresses. And it’s just, it’s not useful traffic. So grab that list, block them. Um, it does go on to kind of say like, Hey, if you’re using like PublishPress Capabilities, Kiwi Social Plugin, Pinterest Automatic, WordPress Automatic,
Speaker 1 00:30:12 A number of themes too. Yeah. The Epsilon Framework’s can version. So there’s a number of themes that are part of the Epsilon Framework that are affected by this as well.
Speaker 2 00:30:22 Yeah. And some of them are bigger than others. Um, I didn’t see any in here that I’m like, okay, I know that theme, or I’ve installed that one in myself before, but like, uh, NewsMag has over 10,000 active installations in it. Um,
Speaker 1 00:30:35 Oh yeah. A lot of these themes are free and available on a theme repo. That’s right. Yeah,
Speaker 2 00:30:39 Yeah. Yeah. So if you’re not running the latest version of these, you might just kind of want to double-check that because otherwise, um, you’re not in a good place and actually one of the themes, which was kind of interesting to me, uh, NatureMag Lite, there’s actually no patch for that theme currently for this issue. So if you’re running that it’s recommended that you actually uninstall that from your site and switch themes like now, or
Speaker 1 00:31:01 Yeah. If that, if that theme is available on the, uh, theme directory, I would, I’d be very surprised if you can access it right now. It’s probably already been taken down based on, Wordfence probably getting in touch with them, the theme review team, and probably haven’t had taken down or at least suspended.
Speaker 2 00:31:18 Yeah.
Speaker 1 00:31:20 But what was going on in here was that, uh, attackers were updating the users_can_register option to enabled and setting the default_role option to administrator in most cases using the PublishPress Capabilities plugin. So that’s a yikes so
Speaker 2 00:31:38 Little issue. That’s a big issue.
Speaker 1 00:31:40 Now anyone can register in the new user role is, is admin meds. That’s it, man. Yeah. That’s not good.
Speaker 2 00:31:46 Can you still a castle so to speak?
Speaker 1 00:31:48 Absolutely. So if you were using PublishPress Capabilities, and again, some of these other plugins, we’ll have links to these in the show notes, that you want to make sure that you’re updated to the latest versions because they’re patched, then you won’t have to worry about it. However you should, if you were using these plugins, you should double-check your, go to Settings, General and look at the membership area, make sure that, uh, the, the anyone can register is, is not checked or if it is make sure that the new user default role is not set to administrator, set it back to subscriber.
Speaker 2 00:32:21 I will say too, that if your site has already been compromised, they might be able to hide that information from you. So if you’re running these plugins, it might be worth reaching out to your web host and saying, Hey, is there anything we can do to just make sure that everything is A-okay.
Speaker 1 00:32:36 Um, and also I should backup time or utilize backup time.
Speaker 2 00:32:40 Yeah. And check your user list as well. If you, if you go there and you click on administrator, so you go to your WordPress admin panel users, um, and then you click on administrator, it’ll list your administrators again, unfortunately through code, some people can hide different accounts, but, um, if they haven’t done that and you see someone on there that shouldn’t have administrative roles, bump them down to subscriber, remove them, do whatever you need to do, but just kind of be cautious everyone. This is, this is not good
Speaker 1 00:33:07 Throughout the years of using WordPress has a site that you have or own that maybe you forgot about. Have you ever been, uh, exploited as have any of your sites been succumbed to a malware or a vulnerabilities security issue where you just had to wipe it or restore from a backup? Yes.
Speaker 2 00:33:26 More than once. Yep. Wow. Yeah. I’ve, I’ve been, I mean, again, part of that is just the sheer number of like clients sites that I’ve run, but even on my own personal sites, I’ve like, you know, been lax on security sometimes or updates. And next thing, you know, it’s, it’s a bad situation. Um, I would say honestly, most of the issues that I’ve had in general with WordPress security has been due to, um, someone with administrative permissions, having a weak password and me not having a system in place to like restrict the number of attempts that people can have to attempt to log in with different usernames. I think that that combination has probably been like my biggest hole, um, in terms of security over time, which I’m much more cognizant of these days, uh, and much more like, um, actively aware of and dealing with to make sure that it doesn’t ever happen to me again. Um, but I haven’t had too many issues where it’s been like a plugin that has caused the issue or a theme that’s caused the issue. It’s it’s usually been like that brute force.
Speaker 1 00:34:29 Yeah. I think, I think it’s still a thing too. If you visit WP admin and visit a lot or just a login page, I think by default, it’s an unlimited amount of tries that you could do. I mean, that’s the whole reason why I remember back in the day BruteProtect, that was a whole service dedicated to protecting a WP admin. And it was kind of like the Akismet, but for your login form or your registration form on WordPress and Automattic ended up acquiring them a number of years ago. And now I think BruteProtect, it’s part of, it’s probably a service as part of Jetpack or Jetpack Protect, but some kind of security solution that they have. But, um, man, the stats that BruteProtect was showing me when I was running the Tavern, I was looking at it. Oh my goodness. It was still a scary to know that that’s how many attempts was going on or how many attempts that were blocked of people accessing WP admin. And just, it just guessing. And most of all this stuff was automated.
Speaker 2 00:35:24 Yep. It is. It’s amazing. The, uh, engineering
Speaker 1 00:35:29 Going to record our show right now, who knows how many attempts are being made to log into WordPress? I don’t want to know. No. I mean either, but you know, that’s in here hearing lies by the way. Speaking of security, um, do you, can you recommend or know of, and maybe somebody in our audience knows you can contact me on Twitter at Jeff email me, but I’m, I’m, I’m kind of in the market for a two factor authentication plugin. Um, I use strong passwords on WP mainline and every other website that, uh, that I maintain or have admin privileges on. But I, I’m kinda thinking that I want to do some, maybe implement two factor authentication
Speaker 2 00:36:13 And I’m using only enough. The Wordfence plugin allows you to do two.
Speaker 1 00:36:17 Okay. Wordfence I know they have a, they have a free option. So I want to, as part
Speaker 2 00:36:20 Of the free option, it is, it is. Yep.
Speaker 1 00:36:23 Okay. So I might look into Wordfence, uh, other than, oh, let’s talk about this. This is interesting CMS market share, uh, Joost de Valk does a, um, a biannual analysis. So I think it’s two year. Is that what bi-annual means? Yep. Thank you. Thank you. So I’m going to call you right brain and, uh, to help out the left side of my brain, but he does a bi-annual analysis of the CMS market share numbers provided by W3Techs and W3Techs, the company that everybody calls and everybody looks towards when they’re bringing up or talking about market share numbers for S for your content management systems. And he says that, wow, in the previous two analysis analysis is of the ecosystem. There’s a lot that has changed with some interesting new trends in the last six months. Uh, we can cover some of these things, um, in the numbers. Um, but I’ll just ask it out of the gate, uh, going over this report and his analysis, anything that strikes that strikes you as, as odd or worrisome, or maybe a bit surprising, because I, I have one thing that he mentioned that I’ll, I’ll bring it up after you answered.
Speaker 2 00:37:35 Um, for me, I think the, the thing that made me go wow, the most was, um, the, the continual rise of Shopify was one of the big things. And then secondarily, I was like, Ooh, the slow death of Joomla
Speaker 1 00:37:50 Drupal. And it was interesting.
Speaker 2 00:37:53 Yeah. So like, if you look at those two lines, um, going in their opposite directions, it’s, it’s super interesting to me. I mean, I have numerous times thought about like, you know, surely Shopify is basically as big as it’s going to get and it just keeps growing and I’m just blown away. I, I, I don’t know if you’ve ever used Shopify before. I’ve, I’ve developed a couple of projects on Shopify. Um, my thought on that is I felt like I was being bled to death, like death from a thousand paper cuts, because everything you want to do, every feature that you want to add is another monthly subscription of like $3, $5, $2, $8.
Speaker 1 00:38:31 And that’s probably because it’s a, it’s a software as a service. Right?
Speaker 2 00:38:34 Exactly. And so by the time you get your monthly bill, you’re going, wait, I’m spending like $180 a month on my like, shop that I set up, like, okay, as long as I’m getting good conversions, that’s fine. But for like, as you’re starting out, you’re going, this is dumb. Like I could set up a WooCommerce shop for way cheaper than this. So like, I don’t in my brain, I kind of get to this wall where I’m like, why is Shopify? So like, you know, growing so much or so potent, what, what was your kind of takeaway from this?
Speaker 1 00:39:03 So we’ll just really quickly here. Uh, the top 10 CMSs we’ll cover, I guess I’ll just go down the line. You’ve got WordPress at 43%, then you’ve got Shopify. Yeah. 4.3%, Wix at 1.9, Squarespace, 1.8, Joomla at number five at 1.8%, Drupal at 1.3, Blogger at 1%, Bitrix at 0.9, Magento, uh, was 0.6% and OpenCart at 0.6%. And one of the notes about the numbers by Joost de Valk, uh, is this, and I’ll just quote him. He says new contenders, all software as a service. He says, Webflow and Weebly have both shown nice growth over the past 12 months, Webflow, especially can be expected to be knocking on the door of the top 10, by this time, next year. As an open source enthusiast, it pains me to see that all of the software as a service tools are winning and open source in general is losing everywhere. And boy, that, that statement kind of struck out at me cause he’s right. And the numbers show it.
Speaker 2 00:40:08 Yeah. And I have to admit, so I have tried Webflow as well, and it feels really good. Like Jeff, if you haven’t had a chance yet go sign up for a free Webflow account and play with it for like two or three hours. And I think you’re going to agree with me that there’s an empowerment that Webflow provides, um, that I haven’t even in like Squarespace or some of those other like tools I’ve never, I’ve never felt as empowered with those as I do with Webflow, I feel like Webflow is the answer to like, what if WordPress.com and Squarespace like truly had a child and they still allowed you to do like custom post types and custom content types. Um, it, it, it is super empowering and I can totally see why Webflow is growing like crazy right now. Um, because honestly, if I was to start in like the CMS news world today, or if I was to starting like the CMS or building sites for clients world today, I would probably be doing a hundred percent Webflow. Wow.
Speaker 1 00:41:07 Uh that’s uh, I guess I’m gonna have to check it out. Um, he also mentioned in his analysis that overall the market is consolidating the, the entire CMS market is consolidating. He does mention that he’s kind of sad as well about the Drupal and Joomla decline. The numbers of decline and Shopify wins, Wix is winning, Squarespace is winning. Um, and all of those software as a service providers are generating more revenue. They’re getting a hold of, of more money. So we’ll have to see how, or, you know, if any way possible WordPress can continue to battle against these behemoths with, uh, as they continue to generate more money, get access to more, uh, revenue that they can spend. But now looking at WordPress at 43% market share, and we can go back, let’s go back 10 years when even, even then 10 years ago, the numbers were still huge for WordPress’s market share. Could you have ever predicted, or could you even have predicted a scenario let’s even go back to 2007? Let’s go way back now, let’s go back to that too. Near the beginning. Could, could, could any of us have seen WordPress becoming this dominant on the web?
Speaker 2 00:42:22 No, I don’t think so. I think, I think that we all assume that it was going to kind of hang around with some of the more mature, um, options that were available on.
Speaker 1 00:42:31 I thought it was good. The question I have is why is WordPress at 43%? Why is it,
Speaker 2 00:42:36 Why is it not like right there right next to
Speaker 1 00:42:38 It? I mean, it, Drupal was not that bad Drupal has been maintained. The dev developers love it. It’s a, it’s a pretty good solid content management system. Well, how come its market share is not up? What’s the problem.
Speaker 2 00:42:53 I, I wish I had an answer for you. And I think that’s a great question. That’s the community. I mean, Hey everyone, if you’re a Drupal fan or, you know why Drupal’s only at 1.3% message Jeff on Twitter or wherever you can find them. I I’d be interested in that answer too, because I, you know, I, I’m not a fan of Drupal by any stretch, but I mean that, that gap between Drupal and WordPress is just, it’s shocking to me. Um, the gap between Squarespace and WordPress is shocking to me, the growth in Shopify is shocking to me. I mean, maybe I’m just out of touch and I’m like, you know, getting old and get off my lawn. But, uh, yeah, I, I don’t understand it. I just, I don’t, I love WordPress don’t get me wrong, but I don’t understand why the gap is as big as it is.
Speaker 1 00:43:34 And, uh, Joost says that e-commerce continues its rise, uh, as a result of COVID-19 where people have been buying and selling things online, he says, as a result, e-commerce is becoming more important and e-commerce sites take up a bigger portion of the top 10 million sites online. Those are the ones that are tracked by W3Techs. And he says that he honestly doesn’t know where all these e-commerce sites are coming from. Uh, but he also mentions that, uh, just like WordPress, WooCommerce’s growth seems to be slowing a bit. Over the last six months WooCommerce added 0.4% market share while Shopify added 0.6%. He says, it’s a bit too early to draw conclusions over this. So let’s see where these figures are six months from now.
Speaker 2 00:44:17 Yeah, I agree. And I kind of wished that he had more data from more e-commerce providers. Like, you know, what are BigCommerce installs looking like, or what are other like, um, uh, what’s another e-commerce solution. I’m sure you have a bunch of them in your
Speaker 1 00:44:32 Head when I think of WooCommerce or e-commerce it’s like WP eCommerce is a classic, the Shopp plugin, Shopp with two Ps, that’s, as far as I know that still around and kicking. Um, but yeah, in all this mess, I keep forgetting about BigCommerce. BigCommerce made, uh, some large inroads into the WordPress space and community about a year or two ago. In fact, I remember, I think Topher DeRosia had a bit of influence into that. He was kind of like their WordPress liaison and, and, uh, that’s how, that’s how I came across BigCommerce, but, but they’re right up there as well. Yeah.
Speaker 2 00:45:06 And I’d be interested to see what that market share looks like. They’re probably not Shopify numbers, but I think they’re worthy of being on these kinds of graphs.
Speaker 1 00:45:13 Wow. You know, but, but again, I like to go back to that, to that quote, where he says it pains me to see this software as a service tools are winning and open source in general is losing everywhere. That’s I don’t know. I guess, keep that in the back of your head folks, because man, that’s kind of, that’s, that’s depressing, but I think, I think it’s also not surprising because as a software, as a service, what do you have, do you get a tailored solution that is tightly controlled by the provider? And you know, when you create that sort of very strict, uh, area for providing the service and you don’t have the wild west of plugins, you don’t have the wild west of themes. And, uh, you know, you have at the very least a robust API that third parties can build on top of no, I, I don’t know.
Speaker 1 00:46:02 It’s like there’s many benefits to, to be in part of a software as a service solution, instead of as opposed to like WordPress and WooCommerce, where, Hey, I found this plugin on Etsy, you know, install it on your WordPress site and who knows what happened. It’s, you know, just the, WordPress, it’s the wild west and SaaS is just, I don’t know, the county jail. I dunno, maybe that that’s a terrible comparison, but I don’t know. Hopefully, hopefully, uh, open source in general, not just WordPress, but open source in general can continue. It’s continuing to strengthen that, lose to software as a service, because it’s all about breaking down the walled gardens, right? Decentralization, all that crap.
Speaker 2 00:46:48 Yeah. I mean, and, and speaking of decentralization, I mean, you know, decentralized WordPress news, um, if you want to support WP Mainline, go check out for $49 per year. You can be a real fan and, uh, you can continue to kind of make sure that, uh, Jeff and I can bring you this podcast and the news, and there’s no corporate overlord
Speaker 1 00:47:08 Software as a service you’re minting required. There you go. You do not have to hook up MetaMask or any other crypto wallet to WP Mainline to support this show.
Speaker 2 00:47:19 Amazing.
Speaker 1 00:47:20 Let’s see. So next week’s going to be an interesting week next week show because we have the State of the Word on Tuesday, December, and that’s where we’re going to kind of get a measure. The pulse on what’s been happening with WordPress of element of the, this year, previous years, and what’s going to be happening in the future. And a lot of people were stoked to hear what Matt has to say on Web3 and, and the blockchain, and maybe get his thoughts on it. What, what, how it relates to WordPress and whatever else. I know there’s a lot of people looking forward to that. And I’m kind of, I’m interested just to see a general direction of where Matt sees WordPress heading in the next year or two and what his plans are and sort of the direction that WordPress is going to take.
Speaker 2 00:48:08 I think you should, uh, host a watch party or listen party or whatever.
Speaker 1 00:48:11 Yeah, man, there’s so many people doing those. I’ve already made some of them like, Ooh, Ooh, uh,
Speaker 2 00:48:17 Who’s running one. It’s your fans go and listen to,
Speaker 1 00:48:22 Uh, there’s some out there. Oh, I know, I know a number of people were actually hosting Twitter Spaces. A couple of different Twitter Spaces are going to be happening. Um, either during or after. I don’t know what Post Status is having an after for our State of the Word space. Um, in fact, there’s actually going to be, I think Cory Miller is representing Post Status. So we’ll be there in person and Matt Mullenweg, uh, sent an invitation to Post Status and said, Hey, is there anybody, is there anybody from Post Status that’s going to be here. Maybe we can do a little interview. And David Bisset, couldn’t make it because of prior obligations, but Cory Miller is going to be there. So Cory is going to follow Matt Mullenweg into a conference room and do a little interview. That’ll be interesting to see. And I’ve got a couple of places that are interested in my take on the State of the Word. So I’m supposed to record a little shindig and send that out to a couple of people, but, uh, yeah. Yeah. So we’ll all be, uh, sitting on the edges of our seats on Tuesday for the State of the Word.
Speaker 2 00:49:24 Do me a favor. If you, if you do find, uh, any kind of cool people that are going to run Twitter spaces or websites, they’re going to do like viewing parties or whatever, make sure you tweet about them so that I can maybe pick one or the other people can pick one as well.
Speaker 1 00:49:37 Okie dokie. And with that, and that’s going to wrap it up for today’s episode, find show notes for this show. And every other episode on WPMainline.com, just click the podcast link. It’s all right there. And you can follow me on Twitter at jeffr0, J E F F R zero, where I tweet pictures of a pizza Crescent rolls and some other things. And, uh, David, how about you, sir?
Speaker 2 00:50:01 Uh, you can find me at find purpose on Twitter and I’m always [email protected] and for, uh, you know, whatever your website building needs at Cambra creative.
Speaker 1 00:50:13 Um, so we’re getting towards the end of the year here. In fact, uh, in about two weeks, I celebrate another revolution around the sun with my birthday. So that’d be cool. Um, yeah. So there, the end of the year crunch, and then, uh, do you think things are gonna slow down for you? You can take a breath on it. Come January. Are you going to be, is it just grinding all year long? There’s no, there’s no stopping. Oh, I’m hoping to go a little slower in January. I think really though my slow period will be after my wife graduates from her undergrad. And uh, we’ll, we’ll probably we’ll hopefully find a little bit of time to just kind of be it’s just about four months away. That’s nothing in the grand scheme of things. Yeah, you’re right. You’re absolutely right. Um, time flies by. Yes, it does. All right. So everybody enjoy the rest of your weekend. I’m glad we got the hanging out with you today and we’ll talk to you again next Friday afternoon or evening so long everybody