Forcing Two-Factor Authentication on WordPress.com VIP

This notice relates to our customers hosted on WordPress.com VIP. VIP Go sites are not affected.

Keeping your sites secure is one of our top priorities. One of the ways bad actors attempt to compromise sites is to use the credentials of privileged users that may have had passwords leaked as part of a hack on another service.

Using unique passwords is one way to protect against this, but another is two-factor authentication (2FA). 2FA helps to verify that the person attempting to log in is the actual user, and not an attacker.

To help you protect your sites from this type of attack, we’re introducing a policy of forced 2FA for all users with the ability to publish on WordPress.com VIP.

From 6th March any newly created users on a VIP site will be required to have two-factor authentication enabled in order to publish.

From 7th April all users with the ability to publish on a VIP site will be required to have two-factor authentication enabled.

The change means that users without 2FA enabled will see a “Two Step Authentication is required to publish to this site” notice at the top of their admin screens.

For these users, instead of a Publish button, they will only see a “Submit for Review” button.

Any users requiring the ability to publish should follow the instructions to enable two-factor authentication on their account.

Some users have asked about options for two-factor authentication without the use of a mobile device. Authy offers desktop applications that could be used in conjunction with our support for using an authenticator app. You may also be able to set up SMS delivery of two-factor codes via VoIP services like Google Voice or Skype, though delivery may not be reliable in all areas and should be tested thoroughly before relying on it.

If you have any questions about this policy, please open a support ticket and we’ll be happy to help.

Apple News plugin v1.2 now available

A new version of the Apple News plugin has been committed to the shared plugins repository. V1.2 is a feature and bugfix release and is intended to replace v1.1 and includes;

  • Added an experimental setting to enable HTML format on body elements.
  • Added settings for monospaced fonts, which applies to <pre>, <code>, and <samp> elements in body components when HTML formatting is enabled.
  • Added additional text formatting options, including tracking (letter-spacing) and line height.
  • Split text formatting options for headings to allow full customization per heading level.
  • Modified logic for image alignment so that centered and non-aligned images now appear centered instead of right-aligned.
  • Added an option for full-bleed images that will cause all centered and non-aligned images to display edge-to-edge.
  • Added logic to intelligently split body elements around anchor targets to allow for more opportunities for ad insertion.
  • Modified column span logic on left and right orientation to align the right side of the text with the right side of right-aligned images.
  • Fixed a bug caused by hardcoded column spans on center orientation.
  • Fixed a PHP warning about accessing a static class method using arrow syntax.
  • Added unit test coverage for new functionality.
  • Refactored several core files to conform to WordPress standards and PHP best practices.

We encourage all VIPs using Apple News to upgrade to this version by specifying the version parameter of wpcom_vip_load_plugin() like so;

wpcom_vip_load_plugin( 'apple-news', 'plugins', '1.2' );

For VIP Go, we suggest you commit v1.2.1 from WordPress.org into your repository. Apple News uses Composer for dependencies which will not be automatically included upon deployment to VIP Go environments when using a Git submodule.

If you have any questions, please open a ticket and we’ll be happy to help you transition to the newest version.

Facebook Instant Articles v3.2 now available

A new version of the Facebook Instant Articles plugin has been committed to the shared plugins repository. V3.2 is a feature/maintenance/bugfix release and is intended to replace v3.1 and includes;

  • Adds development mode support to post meta box
  • Adds rule configuration for Instagram blockquotes
  • Adds rules for galleries
  • Migrates some unit tests
  • Switches to Facebook Graph SDK
  • Improves token invalidation flow
  • Fixes use of the_title filter
  • Improves encoding handling
  • Adds post type filter to the post meta box
  • Adds Playbuzz support
  • Rename SDK getter to avert apocalypse
  • Wizard copy improvements
  • Fixes issue with captions
  • Adds publication block for articles with transformation warnings
  • Fix https src attribute on some scripts

We encourage all VIPs using Facebook Instant Articles to upgrade to this version by specifying the version parameter of wpcom_vip_load_plugin() like so;

wpcom_vip_load_plugin( 'facebook-instant-articles', 'plugins', '3.2' );

For VIP Go, you can take advantage of the new version by updating your submodules to use the reviewed version.

If you have any questions, please open a ticket and we’ll be happy to help you transition to the newest version.

Facebook Instant Articles v3.1 is now available!

A new version of the Facebook Instant Articles plugin has been committed to the shared plugins repository. V3.1 is a feature and maintenance release and is intended to replace v3.0 and includes;

  • New on-boarding flow wizard
  • Automattic URL claiming
  • Submit for review from wizard
  • Improved transformation rules
  • Option to submit only articles without warnings
  • Jetpack compatibility
  • Added Jetpack carousel rules
  • Compatibility layer for Get The Image plugin
  • Fix for relative URL checking
  • Fix for missing subtitles
  • Fix for double call of wpautop
  • Fix for loadHTML warnings
  • Fix for get_cover_media function
  • Fix to prevent publishing of password protected posts

We encourage all VIPs using Facebook Instant Articles to upgrade to this version by specifying the version parameter of `wpcom_vip_load_plugin()` like so;

wpcom_vip_load_plugin( 'facebook-instant-articles', 'plugins', '3.1' );

For VIP Go, you can take advantage of the new version by updating your submodules to use the reviewed version. The release is tagged in GitHub.

If you have any questions, please open a ticket and we’ll be happy to help you transition to the newest version.

Frontend Uploader v1.1 is now available

A new version of the Frontend Uploader plugin has been committed to the shared plugins repository. V1.1 is intended to replace v0.9.4. This upgrade includes;

  • Refactored admin list tables to prevent “Headers already sent error”
  • Added Recaptcha support
  • Added option to auto-append uploaded images to posts
  • Preserve values in text fields on failed upload
  • Minor improvements
  • Bugfixes

We encourage all VIPs using Frontend Uploader to upgrade to this version by specifying the version parameter of wpcom_vip_load_plugin() like so;

wpcom_vip_load_plugin( 'wp-frontend-uploader', 'plugins', '1.1' );

If you have any questions, please open a ticket and we’ll be happy to help you transition to the newest version.

Inform Video Match v1.5.2 is now available

A new version of the Inform Video Match plugin has been committed to the shared plugins repository. V1.5.2 is intended to replace v1.3.2. This upgrade includes;

  • Added type of searching keyword field where options are description, video id and title.
  • Sort by video type, video upload time.
  • In advance search sorting by video duration, start and end dates are added.
  • Video play list id is added in inform video setting page and video configuration section.
  • Added Analytics Hook for User Engagement
  • Removed help menu

We encourage all VIPs using Inform Video Match to upgrade to this version by specifying the version parameter of wpcom_vip_load_plugin() like so;

wpcom_vip_load_plugin( 'inform-video-match', 'plugins', '1.5.2' );

If you have any questions, please open a ticket and we’ll be happy to help you transition to the newest version.

Facebook Instant Articles v3.0 now available!

A new version of the Facebook Instant Articles plugin has been committed to the shared plugins repository. V3.0 is a feature and bugfix release and is intended to replace v2.11 and includes;

  • Fix versioning – use WP style
  • Ignore hyperlinks with a #
  • Allow filtering of post types used in the feed
  • Use v2.6 of the Facebook API
  • Coding standards & whitespace fixes
  • Load Facebook SDK over HTTPS
  • Avoid crawling of 404s
  • Replace social embeds with interactives
  • Use submission ID to check status in the admin
  • Fix over-zealous escaping

We encourage all VIPs using Facebook Instant Articles to upgrade to this version by specifying the version parameter of `wpcom_vip_load_plugin()` like so;

wpcom_vip_load_plugin( 'facebook-instant-articles', 'plugins', '3.0' );

This also means that we are now deprecating v1 and intend to remove the plugin in one month, on 9th August. v2.11 will remain available for those who want to use it, but we strongly encourage you to upgrade to v3.0.

As we approach the removal date for v1 we’ll contact any VIPs still loading that version.

If you have any questions, please open a ticket and we’ll be happy to help you transition to the newest version.

Loading Plugins From Your Theme

As of today, you can now use wpcom_vip_load_plugin() to load plugins that are bundled within your theme!

For WordPress.com

This is a follow-up to the recent shared plugins changes, in which some plugins were “deprecated” and moved to our reviewed plugins list. Some of you have already begun moving reviewed plugins into your themes and using require() to load them.

We realised that in making this change we’d overlooked the wpcom-helper.php files that we included in these plugins. By moving them to your themes and using require(), the helper files were no longer being loaded. We considered two options to resolve this;

  1. Have themes also manually require the wpcom-helper.php file
  2. Support theme-bundled plugins in wpcom_vip_load_plugin()

By far the most consistent and pain-free experience would be the second option, and that’s what we’re releasing today. Here’s how it works;

  • In your theme you can now create a plugins folder: theme-name/plugins
  • Within that folder you can place the plugins you would like to use, e.g. theme-name/plugins/mce-table-buttons
  • That plugin might include a wpcom-helper.php: theme-name/plugins/mce-table-buttons/wpcom-helper.php
  • Now you can load that plugin with wpcom_vip_load_plugin( 'mce-table-buttons', 'theme' );

As you can see from the example above, the second parameter of wpcom_vip_load_plugin() now takes “theme” as a value. When this happens the function looks in the currently active theme for a plugins folder containing a plugin with the name specified. As a fallback, it will also search the parent theme (where applicable) and the shared plugins repository.

For those of you who have already moved plugins into your theme and used require() we will be in touch shortly with a patch to move you to this new method for your convenience.

What about custom shared plugins directories?

If you’re already using your own shared plugins directory (e.g. acme-plugins) nothing changes for you. You can still continue to load plugins in exactly the same way.

For VIP Go

On VIP Go we recommend that plugins are added to your plugins directory, and that you activate them using the wpcom_vip_load_plugin function rather than by using the WordPress plugins UI in the admin area. This ensures that your site code will function in a similar fashion across your different environments (e.g. local development environment, staging site, production site, etc).

Liveblog v1.5 is Now Available!

We’re very excited to announce that not only is Liveblog v1.5 now available for you to use, but it’s now included in shared plugins! This upgrade is intended to replace v1.3 and is a substantial feature release, including;

  • Key Events
  • Hashtags
  • Custom commands
  • Custom templating
  • Lazyloading

We strongly recommend taking a look through the Readme to learn all about the new features and the possibilities within.

Just like other plugins you can now activate Liveblog with:

wpcom_vip_load_plugin( 'liveblog', 'plugins', '1.5' );

We’ll still need to enable it for you, as per the docs, so open a ticket if you’d like to use Liveblog.

If you’re already using Liveblog v1.3, and want to upgrade to v1.5 there’s a one-time change we need to make to enable that for you. Please open a ticket about upgrading Liveblog and we’ll work with you to get that sorted.

Important Changes to VIP Shared Plugins

We’re excited to announce some changes to WordPress.com VIP that will make updating plugins even more efficient. To do this, we are introducing a versioning system for plugins, creating a new category of Reviewed Plugins, and deprecating a number of plugins from the Shared Plugins repository.

For VIP Go customers, these updates will not affect you. 

How will plugin versioning work?

The Shared Plugin repository is a collection of plugins that are reviewed and maintained by the WordPress.com VIP team. We’re introducing versioning to help expedite the updating process for these plugins.

For Shared Plugins, we have introduced a third parameter to wpcom_vip_load_plugin, which allows you to specify the version you wish to load.

wpcom_vip_load_plugin( 'zoninator', 'plugins', '0.6' );

Note that the version parameter replaces the ‘release candidate’ parameter but the function maintains backwards compatibility so using true to load a release candidate will still work.

We will maintain two versions of each shared plugin at any one time, allowing you to upgrade to new versions at your own pace. We very much recommend you always use the latest available version, which you can find by looking in the shared plugins repository itself.

When a new plugin is released, the older version will be deprecated and eventually removed. We will always communicate specific timelines when this happens, to help you prepare and migrate.

What are the new Reviewed Plugins?

Reviewed Plugins expand the number of plugins approved and recommended by the VIP team. Every plugin reviewed by the VIP team will be added to this list. If you’d like to use a plugin on this list, simply commit the plugin to your theme in a single commit, letting us know in the message that it’s a reviewed plugin. We will review and deploy. Please note that we do not maintain these plugins, so your team will be responsible for updates.

If you’d like to use a newer plugin than what’s on the list, please let us know via tickets, and we’ll work quickly to add it to the list.

What plugins are being deprecated?

While these plugins are still recommended by our team, we will no longer be maintaining them in the shared plugins repository. If you wish to continue using one of these plugins, please work with us to clone the plugin into your theme as soon as possible. These plugins will now be listed in our Reviewed Plugins list.

  • advanced-excerpt
  • ajax-comment-loading
  • ajax-comment-preview
  • angellist
  • blimply
  • breadcrumb-navxt-39
  • category-posts-widget
  • column-shortcodes
  • comment-probation
  • daylife
  • disable-comments-query
  • disqus
  • dynamic-content-gallery
  • easy-custom-fields
  • ecwid
  • editorial-calendar
  • expiring-posts
  • external-links-new-window
  • external-permalinks-redux
  • facebook-simple-translation
  • feedwordpress
  • findthebest
  • five-min-video-suggest
  • flag-comments
  • formategory
  • gallery-style-cleanup
  • get-the-image
  • google-calendar-events
  • gumroad
  • history-bar
  • ice
  • image-metadata-cruncher
  • internacional
  • json-feed
  • kapost-byline
  • kimili-flash-embed
  • lift-search
  • lightbox-plus
  • localtime
  • mce-table-buttons
  • most-commented
  • nbcs-advanced-blacklist
  • nbcs-moderation-queue-alerts
  • ndn-video-match
  • objects-to-objects
  • optimizely
  • options-importer
  • post-forking
  • post-revision-workflow
  • postrelease-vip
  • publishing-checklist
  • pushup
  • roost
  • search-excerpt
  • sem-frame-buster
  • seo-auto-linker
  • seo-friendly-images-mod
  • share-this-classic-wpcom
  • share-this-wpcom
  • shopify-store
  • shortcode-ui
  • simple-page-ordering
  • simply-show-ids
  • speed-bumps
  • sticky-custom-post-types
  • stipple
  • subheading
  • table-of-contents
  • taxonomy-images
  • term-management-tools
  • the-attached-image
  • tidal
  • tw-print
  • usatsi_gallery
  • view-all-posts-pages
  • voce-settings-api
  • wordtwit-1.3-mod
  • wp-discourse
  • wp-frontend-uploader
  • wp-google-analytics
  • wp-help
  • wp-page-numbers
  • wp-pagenavi
  • wp-paginate
  • wp-seo
  • zemanta

Ok, so remind me what I need to do?

  • Going forward, you will need to specify a version when loading a shared plugin, by adding a third parameter to the `wpcom_vip_load_plugin` function.
  • If you are using a plugin that is being deprecated, please know that we will no longer be updating or maintaining the plugin. You should clone the plugin into your theme as soon as possible. When you’re ready, please open a ticket with us and we will clone the plugin for you. You will then need to switch to loading the plugin from your theme by updating functions.php.
  • If you are planning on submitting a new plugin for review, check the Reviewed Plugins list. If it’s already reviewed, simply commit the plugin to your theme, letting us know in the message that it’s a reviewed plugin. If the plugin is not on the list, you can submit to us for review.
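The checklist above can be turned into a pre-commit audit of a theme's PHP. The following is an added example, not VIP's own tooling: it flags `wpcom_vip_load_plugin()` calls that load a shared plugin without a version, that still pass the legacy `true` release-candidate flag, or that load a deprecated plugin from the shared repository. It assumes a call with no folder argument loads from shared plugins, and `DEPRECATED` holds only a subset of the list on this page; the sample source is constructed.

```python
import re

# Matches wpcom_vip_load_plugin( 'slug' [, 'folder' [, third-argument ]] ) on one line.
CALL_RE = re.compile(r"""
    wpcom_vip_load_plugin\(\s*
    (?P<q1>['"])(?P<slug>[^'"]+)(?P=q1)              # plugin slug
    (?:\s*,\s*(?P<q2>['"])(?P<folder>[^'"]+)(?P=q2)  # optional folder
       (?:\s*,\s*(?P<third>[^)]*?))?                 # optional version or legacy flag
    )?\s*\)
""", re.VERBOSE)

# Subset of the deprecated list on this page; extend with the full list before real use.
DEPRECATED = {"mce-table-buttons", "wp-pagenavi", "disqus", "wp-seo", "wp-frontend-uploader"}


def audit(php_source):
    """Return (line number, slug, issue) for each shared-plugin load needing attention."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            slug = m.group("slug")
            # Assumption: an omitted folder argument means the shared 'plugins' repository.
            folder = m.group("folder") or "plugins"
            third = (m.group("third") or "").strip()
            if folder != "plugins":
                continue  # theme-bundled or custom shared directory: versioning does not apply
            if slug in DEPRECATED:
                findings.append((lineno, slug, "deprecated"))
            elif not third:
                findings.append((lineno, slug, "no-version"))
            elif third.lower() == "true":
                findings.append((lineno, slug, "release-candidate-flag"))
    return findings


# Constructed functions.php excerpt; the version on the wp-pagenavi line is made up.
SAMPLE = """<?php
wpcom_vip_load_plugin( 'zoninator', 'plugins', '0.6' );
wpcom_vip_load_plugin( 'liveblog' );
wpcom_vip_load_plugin( "facebook-instant-articles", "plugins", true );
wpcom_vip_load_plugin( 'wp-pagenavi', 'plugins', '2.0' );
wpcom_vip_load_plugin( 'mce-table-buttons', 'theme' );
wpcom_vip_load_plugin( 'acme-widget', 'acme-plugins' );
"""

if __name__ == "__main__":
    for lineno, slug, issue in audit(SAMPLE):
        print(f"line {lineno}: {slug}: {issue}")
```

Calls split across several lines or built from variables are not matched, so treat an empty result as a first pass rather than proof that every load is pinned.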

We hope this will make future plugin updates more efficient for everyone. For more, read our handy Plugins Documentation. And as always, if you have any questions please open a support ticket.