Author Archives: Grace

Tomorrow: The Next VIP Developer Town Hall

This month’s VIP Developer Town Hall is Wednesday, July 6th at 1pm ET!

We’ve made a recent change to the Developer Orientation where it is self-directed as seen here. We have asked that new VIP developers go over the material beforehand and ask any questions you may have in our Town Hall.

Please note, this is also open to all current clients & partners. You’ll hear what’s new with VIP in terms of features, functionality, and platform improvements, and we’ll be there to answer your questions as well. You can join for the entire chat or for the part which interests you most.

You can join the Zoom chat here on July 6th at 1pm ET. (you can opt for audio-only if you prefer).

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/742429886

Or Telephone:

Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)

Meeting ID: 461 857 934

International numbers available: https://zoom.us/zoomconference?m=J_zC4gC6r7PNtBnGgTGLqxZEBFotLYVS

July 6th: VIP Developer Town Hall

Next month’s VIP Developer Town Hall is Wednesday, July 6th at 1pm ET!

We have made a slight change to our VIP Developer Orientation and Townhall. We have created a self-directed orientation + video that you can access here: Developer Orientation

In that orientation we will walk you through an introduction video, review important documentation, and help you set up your development environment. We ask that you do this ahead of time, and feel free to ask any questions you may have during the Townhall on Wednesday, July 6th at 1pm ET using Zoom. Please note that audio and video will be enabled in this Townhall.

This is open to all current clients & partners as well. You’ll hear what’s new with VIP in terms of features, functionality, and platform improvements, and we’ll be there to answer your questions as well. You can join for the entire call or for the part which interests you most.

You can sign up for the VIP Developer Town Hall here:

Alert: Service Interruption on WordPress.com

Update at 8:14 PM ET: Our initial investigation shows that an attack on a WordPress.com site led to a surge in resource usage across the platform, which resulted in a disruption in service for most sites. The main disruption lasted approximately 6 minutes. We’re continuing work to confirm that this was the cause, identify the source of the attack, and make any relevant changes that might prevent future similar issues.

Update at 7:54 PM ET: Service has been restored. We’re continuing to investigate the root cause and will post more information here as it becomes available.

Original Alert: WordPress.com experienced a service interruption. We are working on the issue, and will follow up with another alert once this is resolved.

We’ll be posting updates to https://twitter.com/WPVIPStatus and via email until the issue is resolved.

Support Documentation Updates

Hello there! This is the newest addition in a series of periodic posts where we will highlight new support documentation and/or any changes made to existing docs. This is a great way to stay up-to-date with the latest VIP coding standards.

New Updates to “Validating, Sanitizing, and Escaping”:

Escape on String Creation
- Addition:
  - It is sometimes not practical to escape late. In a few rare circumstances you cannot pass the output to wp_kses since by definition it would strip the scripts that are being generated.
    In situations like this always escape while creating the string and store the value in a variable that is a postfixed with _escaped, _safe or _clean.
  - So instead of $variable do $variable_escaped or $variable_safe. Functions must always return “safe” html that do not rely on them being late escaped. This allows you to do echo my_custom_script_code(); without needing the script tag to be passed thru a version of WP_KSES that would allow such tags.

rawurlencode() should be used over urlencode() for ensure URLs are correctly encoded. Only legacy systems should use urlencode().
```
&lt;?php echo esc_url( 'http://example.com/a/safe/url?parameter=' . rawurlencode( $stored_class ) ); ?&gt;
```

New Updates to “Quickstart”:

To create unit tests for your plugin/theme
- Removal:
  - Important Note: Due to the PEAR install method being at end-of-life, PHPUnit does not currently install properly on Quickstart, and so unit testing will not work. We’re working on a new install method that addresses this.

New Addition to “Manipulating Changes”:

Manipulating Changes
- We also support the WebP image format—and while WebP isn’t yet supported by all browsers, we auto-detect which browsers your readers are using to make sure they can enjoy your images at the best possible quality. Our system will always serve your viewers the best image format at the highest speed possible.

New Addition to “Caching”:

Example: Caching WP_Query

Try and avoid cache slams when setting multiple caches by using a more random cache expiration time, using something like:

&lt;?php $args = array( 'orderby' =&gt; 'comment_count', 'posts_per_page' =&gt; '1', 'ignore_sticky_posts' =&gt; 1 );
$query = new WP_Query( $args );
while ( $query-&gt;have_posts() ) : $query-&gt;the_post();
	// do stuff
endwhile;

Here’s how to modify that loop to cache the results of the WP_Query object:

// First, let's see if we have the data in the cache already
$query = wp_cache_get( 'ordered_comments_query' ); // the cache key is a unique identifier for this data

if( $query == false ) {
	// Looks like the cache didn't have our data
	// Let's generate the query
	$args = array( 'orderby' =&gt; 'comment_count', 'posts_per_page' =&gt; '1', 'ignore_sticky_posts' =&gt; 1 );
	$query = new WP_Query( $args );

	// Now, let's save the data to the cache
	// In this case, we're telling the cache to expire the data after 300 seconds
	wp_cache_set( 'ordered_comments_query', $query, '', 300 ); // the third parameter is $group, which can be useful if you're looking to group related cached values together
}

// Once we're here, the $query var will be set either from the cache or from manually generating the WP_Query object
while ( $query-&gt;have_posts() ) : $query-&gt;the_post();
	// do stuff
endwhile;

New Additions to “Code Review: What We Look For”:

Use wp_json_encode() over json_encode()
- wp_json_encode() will take care of making sure the string is valid utf-8 while the regular function will return false if it encounters invalid utf-8. It also supports backwards compatibility for versions of PHP that do not accept all the parameters

Use wp_parse_url() instead of parsurl()
- In PHP versions lower than 5.4.7 schemeless and relative urls would not be parsed correctly by parse_url() we therefore recommend that you use wp_parse_url for backwards compatibility

Minified Javascript files
- Javascript files that are minified should also be committed with changes to their unminified counterparts. Minified files cannot be read for review, and are much harder to work with when debugging issues.

Inserting HTML directly into DOM with Javascript
- To avoid XSS, inserting HTML directly into the document should be avoided. Instead, DOM nodes should be programmatically created and appended to the DOM. This means avoiding .html(), .innerHTML(), and other related functions, and instead using .append(), .prepend(), .before(), .after(), and so on. More information.

Use wp_safe_redirect() instead of wp_redirect()
- Using wp_safe_redirect(), along with the allowed_redirect_hosts filter, can help avoid any chances of malicious redirects within code. It’s also important to remember to call exit() after a redirect so that no other unwanted code is executed.

Mobile Detection
- When targeting mobile visitors, jetpack_is_mobile() should be used instead of wp_is_mobile. It is more robust and works better with full page caching.

Using bloginfo() without escaping
- Keeping with the theme of Escaping All the Things, code that uses bloginfo() should use get_bloginfo() instead so that the data can be properly late escaped on output. Since get_bloginfo() can return multiple types of data, and it can be used in multiple places, it may need escaped with many different functions depending on the context:
```
echo '&lt;a href=&quot;' . esc_url( get_bloginfo( 'url' ) ) . '&quot;&gt;' . esc_html( get_bloginfo( 'name' ) ) . '&lt;/a&gt;';

echo '&lt;meta property=&quot;og:description&quot; content=&quot;' . esc_attr( get_bloginfo( 'description' ) ) . '&quot;&gt;';
```
Custom wp_mail headers
- The PHP Mailer is properly escaping headers for you only in case you’re using appropriate filters inside WordPress. Every time you want to create custom headers using user supplied data (eg.: “FROM” header), make sure you’re using filters provided by WordPress for you. See https://developer.wordpress.org/reference/hooks/wp_mail_from/ and https://developer.wordpress.org/reference/hooks/wp_mail_from_name/

Functions that use JOINS, taxonomy relation queries, -cat, -tax queries, subselects or API calls
- category__not_in, tag__not_in, and tax_query with NOT IN (these should never be used unless using Elasticsearch)

reCaptcha for Share by Email
- To protect against abuse of Jetpack’s share by e-mail feature (aka Sharedaddy) it must be implemented along with reCaptcha. This helps protect against the risk of the WordPress.com network being seen as a source of e-mail spam, which would adversely affect VIP sites. This blog post explains how to implement reCaptcha.

Using closing PHP tags
- All PHP files should omit the closing PHP tag to prevent accidental output of whitespace and other characters, which can cause issues such as ‘Headers already sent‘ errors. This is part of the WordPress Coding Standards.

New Update to “Uncached Functions”:

get_posts()
- When using WP_Query instead of get_posts don’t forget about setting ignore_sticky_posts and no_found_rows params appropriately (both are hardcoded inside a get_posts function with value of true )

New Update to “Term queries should consider include_children => false”:

We recommend ’include_children’ => false to be added to all taxonomy queries when possible.

New Update to “Gravatars and Blavatars”:

Disabling
- If you are not using Gravatars and Blavatars and need to disable the loading of related Javascript and CSS resources, you can use wpcom_vip_disable_hovercards() in your theme.
- You’ll also want to disable the default favicon redirect with remove_action( 'init', 'dynamic_favicon' );

New Support Documentation:

That’s about it! If you have any questions, please feel free to open up a support ticket with us!

Tomorrow: The Next VIP Developer Town Hall

This month’s VIP Developer Town Hall is tomorrow: Wednesday, May 4th at 1pm ET!

During this Town Hall we will be focusing on WP-API. Our very own, Stéphane Boisvert will give a short presentation and answer any questions you may have!

You can join the Zoom chat here on May 4th at 1pm ET. (you can opt for audio-only if you prefer).

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/290226504

Or iPhone one-tap: 16465588656,290226504# or 14086380968,290226504#

Or Telephone:
Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
Meeting ID: 290 226 504
International numbers available: https://zoom.us/zoomconference?m=LXTgUrXeIT5TbGatpkww-6GOaEZdQbGq

May 4th: VIP Developer Town Hall

Next month’s VIP Developer Town Hall is Wednesday, May 4th at 1pm ET!

For new VIP Developers, we have created a self-directed orientation + video that you can access here: Developer Orientation

In that orientation we will walk you through an introduction video, review important documentation, and help you set up your development environment. We ask that you do this ahead of time, and feel free to ask any questions you may have during the Townhall on Wednesday, May 4th at 1pm ET using Zoom. Please note that audio and video will be enabled in this Townhall.

You can sign up for the VIP Developer Town Hall here:

Tomorrow: The Next VIP Developer Town Hall

This month’s VIP Developer Town Hall is tomorrow: Wednesday, April 6th at 1pm ET!

During this Town Hall we will be focusing on Term Meta. Our very own, Matt Perry, who has been working on this will give a short presentation and answer any questions you may have!

You can join the Zoom chat here on April 6th at 1pm ET. (you can opt for audio-only if you prefer).

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/900846933

Or iPhone one-tap: 14086380968,900846933# or 16465588656,900846933#

Or Telephone:
Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
Meeting ID: 900 846 933
International numbers available: https://zoom.us/zoomconference?m=y-zEkLcItRlGTtV_2Rw3j-2SJG8fB-he

April 6th: VIP Developer Town Hall

Next month’s VIP Developer Town Hall is Wednesday, April 6th at 1pm ET!

We have made a slight change to our VIP Developer Orientation and Townhall. We have created a self-directed orientation + video that you can access here: Developer Orientation

In that orientation we will walk you through an introduction video, review important documentation, and help you set up your development environment. We ask that you do this ahead of time, and feel free to ask any questions you may have during the Townhall on Wednesday, April 6th at 1pm ET using Zoom. Please note that audio and video will be enabled in this Townhall.

You can sign up for the VIP Developer Town Hall here:

Alert: Image Upload Issue

We are currently having an issue with image uploads. We are looking into the issue and will update this post as soon as possible.

We’ll also update @WPVIPStatus as we receive them.

Thank you for your patience!

Update 9:15 UTC: This has been fixed. Please note, if you uploaded images over 2 hours ago and now find that there are still some broken images, it will be fixed shortly once the queue catches up.

Tomorrow: The Next VIP Developer Town Hall

This month’s VIP Developer Town Hall is Wednesday, March 2nd at 1pm ET!

You can join the Zoom chat here on March 2nd at 1pm ET. (you can opt for audio-only if you prefer).

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/461857934

Or Telephone:

Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)

Meeting ID: 461 857 934

International numbers available: https://zoom.us/zoomconference?m=2wmpNJFeskKx8bGt_as5WDx8lPMihN1C