WordPress 4.3 to Focus on Mobile Experience, Admin UI, Better Passwords, and Customizer Improvements


WordPress 4.3 development kicked off this week with release lead Konstantin Obenland at the helm. The main focus of this release will be to improve the experience of using WordPress on touch and small-screen devices. Contributors will also be renewing efforts to improve the Admin UI and the Network Admin UI, particularly as it relates to the experience on narrow screens and responsive list tables.

Customizer Design and Architectural Improvements

The customizer will also be getting some attention. Weston Ruter published a summary of the three areas he proposes tackling:

  • Customizer Partial Refresh: This feature plugin aims to refresh parts of a Customizer preview instead of reloading the entire page when a setting changed without transport=postMessage.
  • Customizer Transactions: This proposal is dependent on the Partial Refresh and involves re-architecting the customizer to make way for the possibility of feature plugins like scheduled settings, setting revisions, and drafted/pending settings.
  • Customizer Concurrency/Locking: This proposal would add concurrency/locking support to prevent multiple users from overwriting each other’s changes while working in the customizer.

Nick Halsey also has a few ideas he is proposing for iterating on customizer development that was completed in 4.2.

“I would like to aim for adding theme install in 4.3, which would require a shiny install process, and shiny updates could work into that well too,” he said. Halsey is aiming to have a functional and tested proposal ready before the scheduled time to decide on which features to merge into 4.3.

He’s also hoping to renew work on Customizer UI design changes, which would separate navigation from the options UI by removing accordion behavior for a better experience. It will be interesting to see how these changes, if selected to merge into 4.3, affect theme developers’ adoption of the customizer.

Better Passwords Coming to WordPress 4.3

Mark Jaquith will be spearheading an effort to improve password creation in WordPress 4.3 and discussion will take place in the #core-passwords channel on Slack. The first leg of his proposal would make “user chooses own password” non-default so that a user can choose his own password or opt to allow WordPress to generate one.

Jaquith is also proposing that the password strength meter, added in WordPress 3.7, offer feedback on why a user’s selected password might be measured as weak.

“Simple feedback like ‘too short — add more characters!’, ‘Try adding some numbers and symbols!’,” he suggested. “Not only that, we could actually make the addition for them, show them their password attempt with some additions that would make it better.”

Also, Jaquith proposes adding an option to make the password entry visible, eliminating the need for entering it twice. The fourth and final leg of his password improvement proposal is a major and long-overdue step toward improving the security of WordPress.

“Let’s not send passwords via e-mail anymore; it’s insecure,” he said. “We’re not getting around ‘full access to e-mail means you can reset,’ but we can stop passwords from sitting around in e-mail accounts forever.”

Contributors are aiming to release WordPress 4.3 on Tuesday, August 18th. Follow the project schedule for approximate dates for feature merge, betas, and release candidate(s).


23 Comments


  1. Hi Sarah,

    It could be out of topic, but I notice that since today, if I share a post from your website on Facebook, the featured image doesn’t appear any more. The problem seems to have started only today, and I notice it on other WP sites too. Any idea what could be the problem?



  2. I can’t recall what service it was, but I remember signing up on some website that had a really cool feature for the passwords. It would tell you how much time it would take to crack your pass, just like https://howsecureismypassword.net/

    For example:

    123456 — 2 seconds
    P4ssword — 15 hours
    a$Dfy@d{u*f78-a — 4 trillion years

    I can imagine any other system more fun and simple. It would also make a lot of people think twice about their passwords. I’d love to see that feature on a future WordPress update.



    1. That’s at least partially meaningless though. The problem in the vast majority of cases is not the strength of the password. In almost all cases it’s not the password that’s cracked. Either the password was obtained by some sort of phishing attack or they found their way into the system by some other means and stole the complete password database or other data.

      It also seems to assume a brute force attack. A decent system would lock you out after a certain number of attempts or create (longer and longer) intervals to slow down any attack like that.

      While complex passwords are important they are also overrated. I have no idea how difficult it would be to integrate features like the ones mentioned into WordPress, but I should think they would be much more helpful than reminders about complex passwords.

      Also nothing stops people using their WordPress password in all kinds of other places, where the password database might be stolen and cracked. Which then in turn is used to gain access to other places including possibly your WordPress account.

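The lockout and growing-interval idea in this comment, as an added example (not the commenter’s code and not WordPress core): a per-account failure counter that allows a few free attempts and then imposes a delay that doubles with each further failure, up to a cap. The thresholds, the doubling schedule, the cap and the in-memory store are assumptions for illustration; keying on username plus client address is one common choice.

```javascript
// Added example of login throttling with growing intervals. Thresholds,
// schedule, cap and storage are assumptions for illustration.
const attempts = new Map();        // key -> { failures, lockedUntil }; stand-in for a shared store
const FREE_ATTEMPTS = 3;           // failures allowed before any delay is imposed
const BASE_DELAY_MS = 30 * 1000;   // first lockout interval
const MAX_DELAY_MS = 60 * 60 * 1000; // cap so a locked account can still recover

// Delay imposed after the given cumulative failure count: 0, 0, 30s, 60s, 120s, ...
function lockoutFor(failures) {
  if (failures < FREE_ATTEMPTS) return 0;
  return Math.min(BASE_DELAY_MS * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY_MS);
}

// Ask before checking credentials. Returns { allowed, retryAfterMs }.
function canAttempt(key, now = Date.now()) {
  const rec = attempts.get(key);
  if (!rec || now >= rec.lockedUntil) return { allowed: true, retryAfterMs: 0 };
  return { allowed: false, retryAfterMs: rec.lockedUntil - now };
}

// Call after a failed credential check; returns the delay now in force.
function recordFailure(key, now = Date.now()) {
  const rec = attempts.get(key) || { failures: 0, lockedUntil: 0 };
  rec.failures += 1;
  rec.lockedUntil = now + lockoutFor(rec.failures);
  attempts.set(key, rec);
  return rec.lockedUntil - now;
}

// Call after a successful login to clear the counter.
function recordSuccess(key) {
  attempts.delete(key);
}

// Usage with constructed values: one account, failures at t=0, retry at t=10s.
const key = 'alice@203.0.113.10';
for (let i = 0; i < 4; i++) console.log('failure', i + 1, 'delay ms', recordFailure(key, 0));
console.log(canAttempt(key, 10 * 1000));
```

Rejecting the attempt before the password is checked keeps the cost of each guess on the attacker’s side, and the cap plus the clear-on-success keeps the mechanism from turning into a permanent denial of service against the legitimate user.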


      1. Totally agree. I was just suggesting a better system than the one proposed by Jaquith: “Simple feedback like ‘too short — add more characters!'”.

        But you’re right, there are better ways to improve security.



      2. That’s 100% on the money. Weak installations, previous security matters all can result in data compromised. It’s actually one of the areas I love about .NET: security and roles are in the .NET framework and can be as coarse or granular as a developer wants it to be. There is no reason to “roll your own” as it’s already in there. Same “now” with MVC and SEO etc., there is really no reason to go outside the framework itself as it can do anything one wants it to really do all in a solid unified codebase.



    2. Results are weird though. The password “administrator” would take 19 years to crack, how foolish.



  3. It’s interesting reading about the password changes. However, something’s not clear to me. If WordPress will not send the password via email anymore, how will the user know their auto-generated password?



  4. The problem tends to be how many usernames and passwords people have. Many are used and people eventually “huddle” into sites they like. So if someone loves cooking sites, recipes. They may sign up for 100 sites over two years but actually only frequent a handful. Yet, uIDs’ and Pwd’s are all over the place at 400 sites over the past 4 years.

    One can’t remember “ASwerfs34wd” for this site, “adkahtndvmASD343” for that site, and password managers are a pain, and a keylogger or network capture hack malware is hard to defend against.

    What we recommend people generally do is set up an email address at Yahoo or GMX or other free mail operations. Use that email as a base email address when signing up to new sites. In as far as UserIDs go, use memorable permutations. For example, this is WPTavern. What’s my favorite color? Blue. What’s my computer? A Gateway. What’s my favorite number? 54. My favorite animal, a dog. My passwords will always have permutations of these elements. The first three letters of the site will always be “lower/upper/lower case” and be at the start or the end of the password.

    A password permutation might be “wPt54GatewaY” or “GatewaYBluewPt”

    Use one set of permutations for new signup sites (ones I don’t know if I’d hang out at) and make the criteria different. aka: My favorite video game of all time, favorite number, favorite coffee and favorite color.

    If one decides to make it a frequent romp then move it to the main email address and change the password to the first form permutation.

    One can refine it more: “54” will always precede or be after the “three letter site name”, so at Amazon let’s say, “aMa54BlueDog” or “54aMaDogBlue” or “DoGBluEaMa54”

    Just a simple formula, and the odds of getting beaned due to some hack, be that on the PC or via a site exposing data by being hacked, are very very neutralized.

    We do recommend for eCommerce that an additional piece or two pieces be added such as the first 4 digits/numbers in a drivers license for example affixed to the front or back of the password.



  5. I am not a fan of usernames at all. It’s unnecessary. The best for me is email and a password that I choose, without restriction. On some sites I just use a simple password that I remember, and it’s not important to be too secure.
    Generated passwords are crappy for me; the user still has to change it, and there are many unnecessary steps. I think email and password works the best. Each additional step makes me nervous.
    On sites where a “hard” password is required I usually have a problem and need to reset the password many times ;)

    Would be nice if core WordPress implemented something really basic; whoever wants a more secure site or something additional can always use some plugin to extend it.



  6. Instead of better passwords the first step should be, that the name of the admin account is NOT shown anywhere in the source code anymore! My admin name is probably as strong as other peoples’ passwords. But then (if you post as admin) you get on top of each post a line with the “entry-author”, which in source code displays a link to the name of the admin account! I deleted the corresponding line of code from my theme…



    1. Isn’t posting as admin a bit like running a system as root?



      1. Yes. You should never have a reason to post as admin; it will also make the UI easier to navigate if you use an editor user to post things.

        Of course, for most people the idea of having two users sounds like too much work…



  7. I think we have seen that coming about improving WP on touch devices and that stuff, a thing I found needed nowadays



  8. Has anyone studied the effects of adding reCAPTCHA or Honeypot, etc to the WordPress login to combat these issues?



    1. A lot of assaults are apparently on XML-RPC (Remote Procedure Calls).



  9. It is not all about the shiny interface, or design.
    We want WordPress to be as flexible as possible. And personally, I want WordPress to incorporate schema.org as well



  10. I have never ever heard of a hacker who cares about your password. Passwords are supposed to be easy for you to use; hackers have other means, and guessing passwords is not what any real hacker has ever done. Please, please and please, leave my passwords alone and move on.



    1. Hackers don’t guess passwords, they write a simple program and give it a dictionary and let the program guess the passwords, and set them off crawling the web. You can test every 8 character password possible in seconds on a standard PC these days.

      I also remember several cases of people being hacked by children at school who guessed passwords…

      Passwords are easy to crack precisely because they’re meant to be easy for people like you. They don’t work if they’re not hard, and no amount of please will change that.
