WordPress 4.4 Streamlines Content Sharing

For the last six years, WordPress has been an oEmbed consumer, adding support for services with nearly every major release since 2.9. In WordPress 4.4, it switches roles and is an oEmbed provider.

Proposed by Pascal Birchler earlier this year, oEmbeds for posts streamlines how they’re shared across the web. Here’s an example of what an oEmbedded post looks like.

Feature Plugin Merge Proposal: oEmbed

Content is displayed in an iFrame with a link to comments, a sharing button, and a link to the main page the article is hosted on. The continue reading link takes visitors to the source site. In the last three months, Birchler and members of the core team have worked hard to make sure embedded content is secure.

  • The iFrames use the sandbox attribute to enable extra restrictions on content that can appear in the inline frame.
  • The host and the embedded site communicate via postMessage to allow resizing and clicking on links safely

oEmbed discovery is turned on by default in WordPress 4.4. Too disable it, you’ll need install and activate the Disable Embeds plugin. The plugin does the following:

  • Prevents others from embedding your site.
  • Prevents you from embedding other non-whitelisted sites.
  • Disables all JavaScript

Some people are requesting that an option be added to disable oEmbeds rather than installing a plugin. In response to requests, Aaron Jorbin, WordPress core contributor, reemphasized WordPress’ philosophy on adding options.

Every time you give a user an option, you are asking them to make a decision. When a user doesn’t care or understand the option this ultimately leads to frustration. As developers we sometimes feel that providing options for everything is a good thing, you can never have too many choices, right?

Ultimately these choices end up being technical ones, choices that the average end-user has no interest in. It’s our duty as developers to make smart design decisions and avoid putting the weight of technical choices on our end users.

Birchler also responded saying, “The new embed functionality was developed with the majority of users in mind.” One of the largest problems with adding to options to WordPress is that they’re difficult to remove.

Some WordPress developers are excited to see how post embeds can be extended. Hugh Lashbrooke, who works for Automattic, thinks post embeds will be great for Custom Post Types, “I think the oEmbed feature has loads of awesome use cases for Custom Post Types. For example, being able to embed eCommerce products on other sites with dynamic add to cart links,” he said.

The easiest way to try post embeds is to log into TryWPBeta using these credentials.

  • Username: wcpdx
  • Password: wcpdx15

Create a new post and make sure the visual editor is selected. Copy a URL from one of the Make Core WordPress blog posts and paste it into the editor.

If you’d like to learn more about how this feature works, check out Birchler’s post where he explains what developers need to take note of and how to customize the output. WordPress 4.4 is scheduled for release in December.


97 responses to “WordPress 4.4 Streamlines Content Sharing”

  1. Personally I have no qualms if this is enabled by default. As long as 1) it can be disabled easily with an option since this feels like a large feature (not by installing a plugin) and 2) it doesn’t affect the performance of the site.

    It’s a good feature. The only thing is that I’m worried about the performance repercussions of it. Especially if the site is in a shared hosting environment. It could potentially slow down your load times without you knowing and eat up allotted bandwidth.

  2. How might ever allowing (or even enabling) others to potentially embed my posts on their site be a good thing? I can’t see it… or maybe I just don’t yet understand…

  3. A very nice toy.

    But a simple global option to disable oEmbeds (like emojis) would just make the lives of those of us managing dozens of business sites on WordPress so much easier.

    Making us install five or six plugins to just get to vanilla functionality is a far worse sin than simple options. Turn oEmbeds on by default, hide the option in advanced preferences, but make it easy for us to disable this bauble.

  4. the disable plugin says “Disables all JavaScript”
    Does this equate to disabling all javascript across our entire WP install?

    let’s see.. we need a new plugin that has checkboxes to disable bloat things that are likely never used on a majority of wp sites.
    Disable google font loading
    Disable emoji stuff loading
    Disable oembed
    Disable ping-o-matic (wish this was default – sucks trying to test a new wp install and as soon as it launches it pings out – then googlebot and others including hack bots are given the exact url of your test bed install)
    Disable Gravatar
    Disable sending sub-site users the contact email and ip addys of commenters with multi-site setup
    Disable XMLRPC
    Disable unlimited password guesses for login

    What other stuff am I missing like this (could check other installs and find other things I’ve to add plugins for to disable stuff)

    OR – make these boxes available right there in the settings tab… even better have them all turned OFF on install – and when install screens run – ask the users if they want to turn on the things core devs think are pretty and cool – with a note about how these things may sacrifice the privacy of your users and sacrifice performance of your site.

    That would fix the concern of “When a user doesn’t care or understand the option this ultimately leads to frustration.”

    Simply show a paragraph and graphic about each option – Gravatar! We think it’s awesome.. none of your visitors will use it – it will slow down your site, and there are nifty ways that people can uncover the identity of your commenters – so privacy is sacrificed.. your site will load slow many times, and so will your admin background.. but the small group of people who think gravatars are cool also think that you are too stupid to understand these things or care –
    (“choices that the average end-user has no interest in. It’s our duty as developers to make smart design decisions and avoid putting the weight of technical choices on our end users.”)
    – yeah – because people don’t understand page speed, and no one cares about privacy.

    So a plugin that can overwrite wp defaults, and do so with a new install before it launches it’s slew of reporting to multiple third parties that it was just installed in secret folder x – and stop all the other madness… that would be nice.

    I could go on about these things more.. but then it’s modded out into oblivion.. perhaps I’ll add a post on my blog that no one will read – but in a couple weeks maybe someone will embed it on their site and it’ll get read – lol

    The new auto-oembed – because copy and paste is so hard.. and the gem “press this” is not promoted well enough for anyone to use – but you can never have too many options right. lol.

    Thanks for the laugh you guys.

    • Does this equate to disabling all javascript across our entire WP install?

      No, it means it disables all JavaScript related to the new embeds feature.

      • “disables all JavaScript related to the new embeds feature.” = thanks for clarifying this – hopefully the plugin description will update to clarify that as well. Reading the brief description made me think I was forced to make a choice between allowing the embeds or breaking my theme functions.

    • Very well summarised DJ Steve. It is absurd that we need eight plugins to deal with what should just be a single advanced options page (well better on a normal options page and off by default, but let’s try to be diplomatic and seek compromises).

      WordPress is not a hack-a-thon project any more. Adding flavour of the month technology turned on by default and via aggressive auto-updates is not fair to WordPress’s business users (or even back to basics bloggers). BusinessPress is sorely needed.

        • Nice to see you here, Piet!

          I am interested in this concept but, like Piet, I’d prefer a different choice of name.

          • Thanks for your interest Piet and KTS915!

            It would be great to have you involved. What thoughts do you have on naming?

            WP Advanced Options is a bit dull.

            Some of our plugin names which we like are:

            * FV Simpler SEO
            * Thoughtful Comments
            * Pretty Social

            The reason I was thinking about BusinessPress as it suggests exactly what this plugin (perhaps eventually stable version) of WordPress is.

            I’d love to hear your thoughts.

            • private press. LeanPress.
              BetterPress. erk – nothing BP – makes me think of buddypress..

              hmm.. QuickerPress –
              (more power less third party weakening)

              @Alec – I was looking your site last night – did not know you worked with the fv flow video plugin till I saw just now that you mention the FV simpler – I’m about to buy a few of the pro version of that thing once I get this other theme fixed up and figure out if an odd layer is theme related or I’m not doing something else quite right – your plugin is the best for having html5 video with wordpress with mobile fallback (ogg) right there in the popup – the best I have tested out of a bunch in the repo this past week – smaller world these days.

            • PowerPress is a great name but in use for podcasting.

              Thanks for your kind words about our FV Player. Indeed a small world. We work hard to offer both intelligent defaults (out of the box) and advanced preferences. Leave no video behind.

              There’s also a (very sporty) Lean theme and a Lean Media plugin. Naming is hard.

              As a fallback from BusinessPress we do have FolioPress to hand (used in Foliopress WYSIWYG) but it sounds a bit too arty for what is essentially a plugin to help your WordPress get ripped.

            • How about Press30? Get to the end of that project as quickly as possible with this mean machine of a plugin.

            • @KTS915 – nice to see you here too :)

              @Alec – Need your private email address, tried finding it on the site after I signed up, but couldn’t. Would love to become part of this!

              Naming indeed is quite difficult and I (obviously) noticed that you have the domain for BusinessPress already. Wouldn’t do that for several reasons, mostly the fact that people will most likely mix it up with both BuddyPress and maybe even bbPress.

              Although I understand that you want to stay close to the software you fork from, you can also add something about WordPress in the byline.
              For example:
              [name] the business version of WordPress.

              or even without WordPress (they might sue you):

              [name] the better CMS for your business.

              Take the fork of Jigoshop, that became WooCommerce

              We will come up with something, no need to rush that yet…

  5. In my opinion, this feature should be disabled by default. It’s not a good idea to make an extra step (i.e. installing a plugin) mandatory for those wordpress users who wish to prevent their content from being embedded on other websites.

  6. LOL at the nay sayers. I guess the attitude here is that oembed is only for youtube and just every other site on the net but not for small little wordpress because our content do not deserve to be nicely quoted in other sites (but will the same people object to having support to opengraph which basically does the same? I doubt it).

    I don’t get why would anyone not want his post/product/whatever to be quoted in a nice way at other sites? Is the fear is that you will get more traffic and exposure to the site? People usually pay SEO and SME experts to achieve exactly that…..

    • mark, i think you might want to try your post again without sarcasm and the i know better than you attitude.

      • Zero sarcasm. Most people will beg for someone to embed their content, I know that I will be very happy if anyone embedded mine.The only people that object to the feature are those that now need to know one more thing about wordpress getting them out of their comfort zone.

        Intra site embedding is a no brainer helpful feature for everyone, Inter site is again no brainer in a network. Even on events plugins, woocommerce and EDD this can probably be used for affiliates.

        So what are the objections based on? On the mind set that wordpress is a small system that should serve only a very narrow needs. At least I haven’t seen any factual argument why you will want to turn oembed off.

          • resorting to ad hominem just show how weak are the arguments against the feature. Even if for some reason you want to disable all those 7 features you complain about, you need to just once prepare an install with all of them as mu-plugins or mark them as favorites at the plugin repository so it will be easy to install them.

            BTW I was the first (and probably only) to create a plugin that returns the XML-RPC to pre 3.5 state https://wordpress.org/plugins/control-xml-rpc-publishing/, but I probably should not confuse people with facts.

            • Peculiar stats on your Control XML-RPC publishing plugin. Over 2000+ active installs but only 7,700 downloads. Those who like it really like it. Thanks for helping make WordPress more secure and more flexible.

              You wrote:

              if for some reason you want to disable all those 7 features you complain about, you need to just once prepare an install with all of them as mu-plugins or mark them as favorites at the plugin repository so it will be easy to install them.

              Everything is easy until you have to do it and maintain it Mark.

              How about that simple options screen? Click, click, click, click, click, click. I’m done.

              Not only that but we’re unlikely to turn off all of those plugins for all sites. Horses for courses. Hence an options screen is faster/more flexible/better.

              I’m very interested in why a former warrior for clean and lean WordPress is now out mocking those of us still fighting the good fight. Would you like to share a little background?

            • @Mark –
              er”7 features you complain about, you need to just once prepare an install with all of them as mu-plugins”

              Interesting idea – can’t believe I had not thought of that route…

              I wonder if there would be a way to disable pingo-matic or whatever other third party services WP auto pings (automatic, google, gravatar.. others?) via an mu-plugin..

              and which would fire first on a new install? The WP pinging stuff, or the mu plugin to prevent it. I would guess that WP would ping everything and then the plugin would kick in after the first set of pings..

              but I know little of plugin priorities and what the core sets on those things… so perhaps this kind of method is possible. Love to see it happen / work!

            • @djsteveb, whatever you can do in a plugin you can do in a mu-plugin, you can just skip the whole activation thing that waste your time.

              The thing is just to select plugins or write code that defaults to your desire behavior otherwise you do not gain much.

            • @Alec,

              How about that simple options screen? Click, click, click, click, click, click. I’m done.

              There is nothing wrong with it, except this is not what the wordpress developers believe in. Maybe drupal with its admin oriented attitude is a better choice for you. WordPress is not and doesn’t aim to be a solution that fits all possible needs.

    • I guess the attitude here is that oembed is only for youtube and just every other site on the net but not for small little wordpress because our content do not deserve to be nicely quoted in other sites

      Frankly, @mark k., you could hardly be more wrong. Probably one of the fastest-growing uses of WordPress has been in what are generally known as membership sites (though this term can be somewhat misleading as it really encompasses any site with protected content). The whole point of such sites is that the content is too good or too important to be copied and pasted willy-nilly.

      Like djsteveb, I start the development of every new site by disabling a ton of unnecessary garbage. Now I have to add another thing to that list.

        • @mark k,

          Try reading that again.

          The point is that, for sites with protected content, there is absolutely no point in oembed. That’s why, for many of us, this is a ridiculous “feature” that shouldn’t be cluttering up our sites in the first place.

          • The point is that, for sites with protected content, there is absolutely no point in oembed.

            Yes those sites owners disable sharing on facebook and indexing by goole…. NOT. I think you don’t realy understand that kind of sites if you do not know how much effort is going there into promoting the visability of their public areas as a traffic driver and a bait to make people pay for the private content.

            for many of us, this is a ridiculous “feature” that shouldn’t be cluttering up our sites

            So in the name of fighting clutter you want to add clutter into the UI?

            And where are those “many” have been before today? It is not like this feature was developed in some hidden place away from the public…. The “many” are just the tavern trolls, that like to troll but never to actually participate in anyway in the development, and in open source if you do not participate in the development then you just don’t count.

            • Yes those sites owners disable sharing on facebook and indexing by goole

              I didn’t know a quiet town in northern England was involved in indexing. But it makes about as much sense as your comment. What organizations or research groups want their intranets indexed, for goodness’ sake?

              The “many” are just the tavern trolls, that like to troll but never to actually participate in anyway in the development, and in open source if you do not participate in the development then you just don’t count.

              That’s quite possibly the silliest thing I’ve seen written on WP Tavern over the course of this year — and there has been some competition. Either you haven’t been following the discussions, or you’ve just written off all the developers who have been regularly criticizing these accretions of code crud.

              Perhaps you should take note of your own previous words: resorting to ad hominem just shows how weak are your arguments.

    • @Mark – I can’t think of every reason people may not want this feature, or every reason people may want this feature. I can think of some ways in which it would be a problem for me with a couple of my sites however.

      For one iframing – it’s lazy and can be used in malicious ways both by the hosting site and the iframer.. aside from the non-sandbox things which is a nice add-in to the mix, for one it does me no good, and a lot of bad actually if someone in mongolia iframes –

      They get to view my – I don’t get a chance to serve an ad or extra info with that content. I know there are debates about info being free as in total freedom – I get that there appears to be two links back to the content which gives the viewers a chance to learn more – and the styling is nice..

      However with several of my wordpress sites I have completely blocked China, Ukraine, Mongolia, and a host of other countries either from access completely with htaccess geo ip rules, or from parts of my wp like registration, comments, etc..

      So not to get into the debate of should not be locked away from being shared – my point about this method is that the iframe has other downsides – taxing our server resources and without us being able to recoup the expense..

      Is this a problem for everyone? No. It’s has been a problem for me a couple of times however. A couple pieces of iframed content got popular in Korea and China one time – suddenly our server was maxing out bandwidth and sql requests.. essentially someone scraping a piece of content and posting it in dozens of forums basically made our server spotty for our regular users – while these other sites were (possibly unknowingly) kind of DDoSing our server that was sharing the content.

      I can think of some other issues – but I’ve gotten into issues with comments being too long here before – so hopefully you can understand at least a view that is not opposed to sharing some, but indeed this particular method should be cause for serious concerns.

      • For one iframing – it’s lazy and can be used in malicious ways both by the hosting site and the iframer.. aside from the non-sandbox things which is a nice add-in to the mix, for one it does me no good, and a lot of bad actually if someone in mongolia iframes –

        Everyone can iframe your site. The Oembed feature do not change this in any real way. It will actually continue to be easier to write an iframe then install an Oembed client and learn how to use it just in order to embed your site.
        If you don’t like it, it should be easy to block it by checking the referer. Which of course brings on the similarities between this and image hot linking which I am not sure how many people view it as a real problem although it also wastes CPU and bandwidth.

        They get to view my – I don’t get a chance to serve an ad or extra info with that content.

        Why do you have the impression that you will not be able to add an ad to it? I havn’t looked at the code yet but I am sure it obeys all wordpress development patterns including filtering the content tht will be displayed.
        The fear of ads sent from the Oembed server will probably be a reason why people will not embed content from random sites.

        Is this a problem for everyone? No

        Which I think is the point of the discussion. If the likelihood of this feature hurting more then helping then it just should not be at core at all. If there are 5% of wordpress sites that will want to turn it off, then there is no reason to clutter the admin UI of the 95% with options they will not understand and will never turn off. For the affected 5% it is not that hard to install a plugin.
        When you power 20%+ of the internet sites it is just impossible to make everybody happy all the time and someone needs to make the call who is preferred over whom. With the wordpress “no options” design philosophy it is not a surprise there is no option to turn it off and there is really no point in asking for one as it will be the same as asking the feature to not be included in core at all which is ok to ask, but the people that oppose it should have raised their voice a month ago when there was the merge proposal, now deep into beta it is too late.

        • “If there are 5% of wordpress sites that will want to turn it off, then there is no reason to clutter the admin UI of the 95% with options they will not understand and will never turn off”

          In my fantasy world.. next wordpress update happens, instead of the redirect with a video showing on screen, there is a modal with a checkbox offering to turn on this awesome feature. A brief description, hover to learn more – click to learn even more (with comments from those who cheer it and pan it for stated reasons)

          If 5% of users turn it on – then it would be great feedback that it should never have been added to core. If 80% turn it on then indeed it may have been a good decisions.

          The admin ui is already cluttered, a few more checkboxes to turn on and off a few important things will not make it worse.

          As a WP user I have been more frustrated by options being hidden as default (be sure to click screen options!) – than I have been clicking page to page to find out where that dang setting for X and Y are.

          I still feel it is shortsighted and unfair to millions of people to add things to core like I mentioned above ( https://wptavern.com/wordpress-4-4-streamlines-content-sharing/comment-page-1#comment-99935 ) without an option to turn them off in core. Adding plugins to disable bloat and security issues is adding more bloat.

          I get the conflict of interest with things like gravatar and akismet – however the google fonts, xmlrpc, this embed thing, emoji bloat – please, add a friggin checkbox to disable.

          4.4 is the only update I am excited about since about 1.6 – yet I find there are more features being added that should be plugins, and on top of that no way to turn them off.. without adding plugins.. which sucks for many installs.

          • Making a checkbox off by default and measuring how many people enable it is just a self fulfilling prophesy. Same for the other way around. People are unlikely to change settings, they have life and googling for the meaning of obscure settings is not considered fun. Therefor your test to measure how useful a feature is, is really pointless.

            The feature will fail only if once 4.4 is released people will flood trac to open tickets about it.

  7. Interesting feature. But why not disable it by default and drop a add_theme_support in functions.php if you want it enabled? And if it catches on it may get enabled by default in a future release.

  8. Regarding to WordPress Philosophy

    The rule of thumb is that the core should provide features that 80% or more of end users will actually appreciate and use.

    I think here applies the same like with Emojis, this rule was broken.

    In this case it would be helpful that core installation of WordPress include Disable Emoji and Disable Embeds plugins by default instead of Hello Dolly and Akismet.

  9. Wish I could take the time to learn how to make a great plugin because an advanced options page plugin that included switches to turn off all the pretty items that add nothing to the experience could be turned off all at once.

    Maybe the embeds will be promoted as much as the custom post types we were forced to take.

    • Hi Doug,

      We are working on that plugin. BusinessPress will also dump the built-in WordPress and Automattic dashboard advertising and excessive branding. Finally BP will set the contact links to your company’s preferred support channels and support pages (you are free to set them to WordPress if you don’t want to support your own sites).

      If you’d like early access, we’ve put up a signup form. We’ve been building WordPress since 2005. We’d love additional developer help on this one, so please do drop us a line if you have time to contribute and/or test.

      You’ll see from that page that we’d also like to maintain stable and secure versions of WordPress on a longer development cycle but that will have to come later (we’ve done the due diligence: long term secure version is a big undertaking). For now the focus will be on cleaning up existing WordPress via a plugin which is an achievable goal. There’s some great preliminary work out there on which to build.

      It’s good to know that there are other serious people out there using WordPress, seeking a stable and reliable non-experimental platform for their clients. It pains me every time to have to charge our small business clients to fix what was not broken.

      • I like your idea here, I think some others had proposed something similar as a fork with a different name.. can’t remember what that was / is atm..

        may I suggest not calling it “BP” – as every time I see that I think “OMG someone is doing something with BuddyPress!)

        Then I am let down to learn, no not the BP I want to get some love. LOL

  10. ‘Every time you give a user an option, you are asking them to make a decision. When a user doesn’t care or understand the option this ultimately leads to frustration.’

    Why is the user who doesn’t understand something or is not prepared to take the time to do so more important than someone who makes the effort to learn?

    • Robert, you would only be correct here if the user had to make a decision to start with. That is the magic reason why you have a thing called “default settings”. It means that you can have incredibly complex features that don’t have to be activated on setup, and the end user doesn’t have to make that decision until they are good and ready (which may be never).

      If you make the effort to learn, then you can activate all those features and enjoy them.

      Put it another way: Considering that this is a feature that only some would consider valuable (and others would consider an annoyance that needs turning off) isn’t it better served with an official or semi official plug in rather than being forced into the core? If you take the time to learn, clearly activating a plug in to get these features would be well within your grasp. Having them forced into every wordpress install and making it hard (if not impossible) to turn them off isn’t something that appeals to many users.

    • Because WordPress is built with users without technical understanding in mind, and not as a platform to make money.

      People that want business oriented wordpress should just fork it and add all the options they desire. Forking is just two clicks away on github.

      • “just fork it”

        Given the many things added to WP in the way they have been for some time now, I think we will see this option gaining a lot of steam. It saddens me to see this community need to split more.

        “users without technical understanding in mind”
        LOL –
        I can see the ad now:
        Automattic preys upon ignorant people and force feeds them updates that slow down their web sites, sacrifices the privacy of the website admins and the privacy of visitors to your site; and leaves gaping security holes that would make —-hub blush. All under the umbrella of a few people saying that wordpress users should not make technical decisions or have choices that clutter – make it easy for people to turn off these “bonus features”

        But you now have Emoji!

        Now Private Press is an available fork of the once great W—press
        – it respects your privacy, site speed, your visitors’ privacy, and time; by default, right out of the box!

        Plus, if you’d like to add smileys code, have your page give up data to third parties like gravatar and google on each page visit, you can turn on the default settings just like a regular wordpress user – all with the click of a checkbox.

        Because we find needles in a haystack easier when viewing the whole haystack on a single page we cluttered up your settings page by adding one more set of options to the 31 default WP settings.. and put them all on one page instead of 6 separate sub tabs of the admin bar.

        Of course you can unclutter this with the click of a button to “restore and divide the settings options”,
        and that will even hide the options to see comments, and turn comments on and off for your page and post views!

        Yes, we know that stuff is all hidden when you start writing a post along with all the other sidebar stuff now – but we like nostaglia, and having people hunt for something under a tab to check box something to then scroll and see it appear down below is fun, like an easter egg hunt, so we made this an option to bring back for all you hunter gatherer / checkbox seeing haters out there.

        You can even journey into the wordpress plugin repo and try to decipher which plugins are trustworthy to turn on privacy features and security features using the old defaults if you like.

        Better W—press with no clicks..

        Want to get back to bloatpress / dumbed down press? For people who can’t be trusted to make a technical decision, or reading two paragraphs to learn what a button does and why it may be good or bad option for their particular use:
        Clicking a simple button – take me back to Wpress defaults.

        Faster, less sacrificing of your privacy and the privacy of your visitors, more secure since xmlrpc is disabled by default – although you can re-enable without a plugin to install / trust! -A simple checkbox and click if you want to use a phone app to post and read comments with xmlrpc.
        (with some info about xmlrpc, attacks using it, and links to more info / discussion)
        / end ad

        Given how decisions like this embed thing, and how many others were made with the past several versions, I think you may be right mark – it is indeed time for something better, and a fork may be the best way forward for many of us.

        If only we could do that with windows.. never imagined it would be so much work to turn off “features”
        – wordpress has become like the auto-update of windows 10.
        Tough to stop, and no information about the privacy issues. A few at the top making decisions for millions based upon the end users supposed stupidity.
        (lack of understanding, lack of ability to learn about an issue and make a choice.)

        I have another solution I have started to research,

        It’s time for a wordpress to static html generator
        (did some googlin on this a few times, have not read enough to know if there is a viable option for this currently)

        However I do see the future being a local hosted or server hosted wordpress that is outside of public_html.. it generates static html files – creates the site – done.

        no more security issues, the static generator can remove the calls to gfonts and gravatar. strip the emoji call. there will be no xmlrpc generated by default.

        I believe a majority of wp based sites would be better served by a plugin that removes wordpress from the public directory completely.

        Most of our wp sites don’t need all the dynamic stuff at all. Heck, a zen cached set of html files would be all I need for dozens of sites. No more worrying about “security patches- must update all wordpresses the next two days!”

        Guess I’m getting close to the moderation too many words limit I bet.. so I’ll leave these thoughts here.

        • As I said to @Alec, it is not clear why are bothering with wordpress at all. If all you need is a static site then there are tools designed exactly for that (moveable type come to mind but I just don’t keep track and sure there are more modern options). Of course static sites can not have a contact form, shop or private sections, but if your clients don’t need it (or can get them via JS from 3rd party sites) then wordpress is not the right tool for you.

          • @Mark K – I have tried and still use many tools for things static. From netobjects fusion to good ol’ notepad++. I do really prefer bootstrap and foundation for building sites.

            However wordpress has a lot going for it – and when someone has a solid way to have wordpress as a backend generator – people will be able to take advantage of the many themes, some quick drag / drop ordering, and a few good plugins – it’s an excellent tool for many reasons, and would be 1000% better for a majority of wordpress sites as a generator of pages rather than a dynamic machine.

            I envision it as a server side tool, even better with the rest api.. spitting out static pages – no more security headaches. Lots of theme choices, quick to make broad changes from anywhere in the world.

            It may not be the right tool for what most are using it for – but it could be converted into a more useful tool I believe.

            Of course static sites can have contact forms, shops and private sections. I would think most shops would want to be more dynamically driven, however I have several “static” sites that have all those features.

            For sites that need comments something would need to be figured out – but there are plenty of options out there already, and most are moving comments to other 3rd parties or just killing them off anyway, I would guess it’s really only 5% of the WP installs that really need WP’s php to run at all for the functionality they actually use.

            • so you can use 3rd party services for contact, shops and comments. This means that not only you have 4 different areas in which you need to admin your site, but also in 3 of those you give up your freedom and just have to be happy with whatever features are provided in the exact way they are provided. And yet you complain about wordpress not giving you the freedom of using your preferred defaults while you can fully customize how it works to fit your needs.

              Then you are happy about the REST API although it is just another face of the XML-RPC and Oembed functionality with almost the same problems.

              I totally get where you are coming from but the end result you reach just doesn’t compute.

        • We’ve successfully built a static WordPress generator for one of our clients (one of the top 50 software company in the world) who wanted to use WordPress for a large collaborative site but couldn’t accept the security risk. This site is online now and serving people in at least thirty countries. Foliovision continue to maintain it.

          There are many, many considerations one must keep in mind to keep AJAX functioning and the site experience smooth. On the other hand, it does run fast and secure.

          Certainly too much time and trouble for a smaller site owner. Of the alternatives, static site generator for WordPress or cleaned up BusinessPress, forking WordPress for real use by small publishers. Right now WordPress has become a never ending security alert coupled with

          I’m not sure who exactly Mark K represents but if he is the unofficial voice for WordPress core development, it’s time for that fork now. I’ve rarely seen such disregard and disdain for the small publisher or less technical web developers as in his posts.

          I would say our primary responsibility is to protect those people (who thanks to the thousands of developers like Foliovision) have bought into the WordPress hype. A misunderstanding within the WordPress court (one can’t exactly call it a democracy) is that vanilla WordPress should include all the features which WordPress.com wants.

          WordPress.com’s version should have as many bells and whistles as Automattic needs. WordPress.org’s main version should be as secure and safe as possible with infrequent changes which could break a website (I’d say once a year should be a maximum).

          Trying to conflate WordPress.org for WordPress.com’s marketing requirements has started to rip this open source project apart.

  11. It would be cool if we have some kind of dedicated page “future extended changelog” on wordpress.org where are next features (changes) explained with pros/cons and how they become to the core also with more details why this will happen.
    With better communication between leaders and community – users we can avoid some confusing feelings.
    Be more “open source” can help and maybe even brings more contributors.

    • The wordpress development model do not support this kind of lists. The usual development goals at kickoff are progressive enhancements (I think that for 4.4 it is mainly to improve shortcode security). Anything which is *new* is developed as a featured plugin with no official target version and “asks” to be merged into core when the developers think it is core worthy. Some featured plugins never make it into core, for some (REST API is great example) it takes more then one main release cycle to get to the point in which they re considered being worthy.

      So basically no one knows fully what will actually be in the release until it goes into beta. People that want to know what is going on before that need to at least follow the “make core” site.

  12. @Mark K – re – https://wptavern.com/wordpress-4-4-streamlines-content-sharing/comment-page-1#comment-100407

    “3rd party services for contact, shops and comments.” .. “you have 4 different areas in which you need to admin your site, but also in 3 of those you give up your”


    There are many options.. with some sites a simple coffeecup software formbuilder will create a nice contact form you can add to your static site – it has a few options, but the standard is a bit of code that calls a seperate php chunk to handle the contact form. There are other ways.. no wordpress needed, no 3rd party needed.

    I do not advocate that people use third party systems for comments, however we see more and more that places are indeed doing so for money reasons.. disquss comments, livefyre? and the like – I hate that option, however there have been many discussions about more than more places either axing comments completely or pushing them off to third parties, not so much a server tuning issue or security, but more to do with comment quality and moderation from what I have seen. I think the latest big news with this was Vice dot com..

    I agree that handing off things like these to third parties has it’s own set of risks. However I have one friend that make t-shirts and sells online and off – he is actually much better off ditching wordpress for a static site – use the 3rd party payapal shopping cart code and taking email or contact form stuff – definitely safer given the updates and security issues that wordpress has brought with it.

    A big place like walmart – they probably want to keep as much of that kind of thing in house – but then they have a budget that can put a lot of eyes on the security of all the cogs running the online machine. Your average wordpress user not so much.

    I do not make the 3rd party comment / shopping sacrifices for many reasons, and I think places like Vice doing so are just lame, however I would bet a huge amount of wordpress users would be better off going static and handing off a few chunks of processing to others who handle security more often.

    • Man (?) you are just saying what I do. There are usages for which wordpress is too bloated/not friendly enough. WordPress is just a piece of code not a religion, and god will not strike anyone down for not using it.

      The caveat which cause most people to end using wordpress, even for things that are not a perfect match, is time to market and cost. Hand coding anything is just that more expensive and time consuming, and then your coder goes away and you are left alone with no maintenance and upgrade path (which happens also with wordpress, but with hand coded you usually end up depending on the coder much much more).

      • It doesn’t have to be this way. WordPress.org could start focusing on minimum functionality, with as many options turned off as possible, with low velocity change in the stable branch.

        A stable branch updated no more than once a year would be a good start.

        Alas, the lunatics (cutting edge experimental new technology junkies) are running the asylum. A lot of people are making a lot of money on updates and fixes and new versions. The unnecessary maintenance are make work projects. This is cruel and unfair to the small publishers, individual weblog voices. Either end users are spending dozens of hours per year micro-managing these issues or spending many hundreds to thousands of dollars to have someone else make the pain go away.

        Even someone at the center of the WordPress ecosphere like Jeff Chandler went through months of experimentation to put together a working and user friendly comment system (Postmatic is working nicely for WP Tavern I should add). Like him I weep for our brave open source project but even more for our clients whom we’ve put on the upgrade merry-go-round.

        Remember our original shared mission is “democratise publishing through Open Source and GPL software”, not 1. to build software empires, 2. corrupt free-standing sites with built-in SAAS or 3. bankrupt small publishers.

        The only person with the sway to say stop, this is enough, we have to focus on security and stability for those millions of small publishers and companies who have entrusted with us with their web presence is Matt Mullenweg.

        Unfortunately there’s nothing to indicate that such a call is forthcoming. I am torn between telling our clients to flee WordPress before their sites are hacked or break yet again on unfinished and clumsy database updates or standing and fighting for a better WordPress which takes into account first the clients/users and second the core developers. Core developers urge to bleed on the cutting edge of technology should not splatter blood all over all of our clients.

        How would a more user friendly and secure WordPress look (apart from a stable branch with annual updates)? DJ Steve’s list is a good starting point for features which would be gathered in a single “Advanced Functionality” settings screen with most of the options off by default:

        * Disable google font loading
        * Disable emoji stuff loading
        * Disable oembed
        * Disable ping-o-matic (as you launch a site it pings out sending googlebot and hack bots the exact url of your test bed install)
        * Disable Gravatar
        * Disable sending sub-site users the contact email and ip addresses of commenters with multi-site setup
        * Disable XMLRPC
        * Disable unlimited password guesses for login

        There is a better way. And it’s a stable branch of WordPress along with a cutting edge/experimental version for the technorati. I’m sure I’ll have sites on both branches (personal sites on experimental, client sites on stable). I am just one voice, but from my conversations with other developers and publishers, there are millions more who dream of the stable and minimalist WordPress we were promised at the beginning of the project.

        Will we ever be heard?

  13. Sounds like a really cool idea. I like the oembeds that YouTube, Vimeo, and Twitter use. I just don’t read enough other blogs for them to really make an impact on my own.

    Is there goIng to be any theme modifications required for this to be streamlined?

  14. Before this goes much further, Americans need to pay attention to the global user base and the laws of different regions.

    Following several court cases there now exists in the European Union laws against automatic opt-in for ALL things web related, and the proposal for oEmbed certainly falls under these, because they are an unsolicited modification of a pre-existing product.

    If just one user in the EU objects strongly enough to the automatic usage of the functions in the OP, then the WordPress devs could find themselves in the European Court … and the devs would lose.

    Think about providing an “off by default” methodology is all I’m saying.

    • My comment above is more in response to this Jeff. I share your grief.

      A small technical note. Is it possible to get lists back for comments? Both DJ Steve and my comments are much more difficult to read without that formatting. I’d be fine with either html or Markdown (bilingual at this point) but some way to add lists for clarity.

    • As it should. This conversation (and a few others recently) are showing that wordpress development seems to be diverging from user need, and that is never a good thing.

      Mark’s attitude on this one is to me a summary of the problem: “we know better, do it our way or else”. This new content sharing is certainly valid for SOME wordpress installs, but for others it’s the worst possible thing: More code that can go wrong to add functionality that they aren’t interested in. That Mark (and core developers in general) seem unable to grasp that WordPress is not being used only in one way makes it very hard to have the discussion at all.

      The results? More plug in bloat, as we are required to add ANOTHER plug in to disable core features that aren’t really core. Wouldn’t this functionality be better as a plugin, rather than as a force?

      The discussion of HTML static pages is a pretty common one. Many sites are not very dynamic, updating weekly, monthly, or even almost never (in the case of corporate image sites). Converting the output of wordpress into static pages lowers the overhead required to generate those pages for each viewer. Yes, caching would help, yes, there are plug ins for that, but some prefer to avoid the security risks and the system load inherent in running WordPress to generate a site that isn’t changing very quickly.

      Which brings up for me the final point: page caching and reduction of system load is something that would be great for even basic users. Lowering the overhead to run wordpress would seem to be a very good, very core concept. Yet, all of that functionality is in a plug in. Instead, we get emojis, a comment system which appears to be intentionally shackled, and other “core” improvements that aren’t improving things for everyone. Why should these things be outside of the core, but not emojis?

      Yes, it’s enough to make you very sad indeed.

  15. Wouldn’t of been easier to make this function a plugin? That way updates don’t have to be core and it could be used on a as needed basis?

    Just a thought

    • I sincerely hope he doesn’t. ;)

      Note: I’m not on the core team, all points and views are mine and mine alone.

      Every time the core developers discuss and extend WordPress the following happens.

      Complaint: the Core Devs are out of touch with reality (Ha! Nope, not true.).
      Complaint: This will kill WordPress. WWWicks or RoundSpace will win (not for these reasons they wont).
      Complaint: [Feature X] is why we need someone else in charge making the decisions. (It’s GPL code. See Lyceum and feel free to fork. That’s not a slap in the face my writing that, that’s exactly WHY it’s GPL’ed code.)
      Complaint: I think the Core Team is doing it wrong and they wont listen to me. (Yes, because accusing people of ill will and “being real” without any manners or social graces works so well.)
      [ Insert random Jetpack/Matt/Automattic vitriol HERE and I’m pissed off about my past life ]

      I really like that last one, it covers so much. ;)

      It’s fine to disagree with anyone. It’s just that the repetitive knee jerk reaction from the same commenters isn’t a dialog. It’s a litany of complaints and it never goes anywhere.

      There are ways to participate but that still means you wont get what you want.

      *Takes deep breath*

      New software features drive development and keeps stagnation at bay. There are always ways to disable those features, the complaints are that some don’t like those ways.

      • I’m sorry but this feels like another dose of Core Developer arrogance Jan. No, we (people developing websites for clients, small publishers trying to maintain their own stable sites) don’t like the new features being shoved down our throat. We’ve been complaining about it for years now (and the XML RPC fiasco this year is exactly why we complained about that at the time as well).

        What the heck is wrong with simple checkboxes to enable and disable features? This is just common sense.

        I articulated above a very clear way of dividing WordPress into stable and experimental, which would solve issues for everybody. I conceded I would have sites in both branches.

        It is cruel and abusive to force all small publishers to go through four major point updates per year to satisfy core developers’ egos. WordPress is coasting on the good work done in the Alex King era before Automattic and WordPress.com became another ‘too big to fail’ entity.

        Yes, you are holding us all (I’ve got a million dollars of money and code invested in WordPress, not to mention what our clients have invested) hostage. Holding people hostage and forcing them to pay down your code debt does not bode well for the WordPress project.

        Will the core developers ever listen to users? Based on your snarky post, it seems not.

        Now apparently like in Mao’s China or Hitler’s Germany, we are not to complain about our voices not being heard. Wow.

        • Excuse me for a moment.

          Jeff? Don’t worry, I’m good and this is just me trying to reign in some basic intentional misunderstanding. ;)

          Back to the discussion.

          I’m sorry but this feels like another dose of Core Developer arrogance Jan

          Yeah. No sorry, you’re still wrong. I’m not on the core team and your name calling isn’t useful. But I do hope that somehow you’ll come around.

          No, we (people developing websites for clients, small publishers trying to maintain their own stable sites) don’t like the new features being shoved down our throat.

          Right. So how do you manage your customers expectations? What service do you bring to the table for them? What differentiates you from them taking their business somewhere else?

          You are in the business of using opensource platforms to make a living. Welcome! It’s a fun market. But everything that you’re complaining about (new features) is manageable.


          There is nothing being forced down anyone’s throats.

          You keep talking but what are you actually doing about this to solve your problem? Have you considered offering a plugin to your customers that deactivates every feature you personally dislike? How far would it be for you to add a plugin that puts those check boxes in?

          Yes, you are holding us all (I’ve got a million dollars of money and code invested in WordPress, not to mention what our clients have invested) hostage.

          Still not true. See above. Though the “hostage” reference is colorfully over the top.

          Will the core developers ever listen to users? Based on your snarky post, it seems not.

          I’m not on the core team, I’m on the Support Team and when you reply to my comments please limit your disparaging tone to me personally.

          You could easily manage your problem. Instead you choose to hijack any conversation into… I don’t even know what this is anymore.

          You can manage this for your customers.

          You can contribute in a meaningful way.

          You choose to go on about this in the comments.

          That’s all fine but to anyone reading all this circular and rampant negativity I only have this to say:

          Get involved.

          Treat the existing members with respect.

          Talk to people as you would wish to be spoken to.

          Try an persuade people to your point of view and be prepared to not get what you wanted.

          That’s how communities work and WordPress is no exception. You’re not making a case, you’re just going off into a diatribe.

          (Yes, I’m doing that too but I really hope people read this exchange and become productive. The comments do not have to suck.)

          Now apparently like in Mao’s China or Hitler’s Germany, we are not to complain about our voices not being heard. Wow.

          Seriously? You’re the Voice of The People now?

          While you may attract a vocal following, these comments and negativity of yours does not represent this community.

          • Jan I hear hear what you are saying. However I’m still in more with Alec’s viewpoint on these issues. This has become a continuation of issues I started to get vocal about in the recent posts about the new upcoming default theme, and it’s a very similar situation with the recent post and comments about killing xmlrpc.

            As many of us struggle to keep running our businesses, there appears to be a huge disconnect with the many that run wordpress.org code bases sites and the core team / wp support / wordpress dot com / auttomatic people.

            I do not see any of those on that side of fence saying they are listening or trying to understand where we are coming from. We get terse statements ‘add a plugin’ – ‘fork it’ – it’s free don’t use it – and those awesome hip things like ‘add that value to your’

            Man I want to add value, but I spend most of my time updating, unbloating, patching, defending, and unhacking. Seriously.

            I have a couple of clients that can not afford for me to add value by adding a maintenance program to fix upcoming vulnerabilities, deflate code, explain how they need to notify their customers of breaches, the fact that an auto-update just sucked their privacy away to third parties without my knowledge – they may want lega insurance if some EU or germany privacy things are violated by a wordpress update – stuff like that.

            They can not afford to pay me to hand code them a complete site – selling them on a wordpress setup is hard enough with wix and webs and intuit pushing free sites, sites for $20..

            You and I know a $20 wix site is not as good as a wordpress site in most cases, and I know that a hand coded bootstrap based site is better then most WP sites.

            I had to call a client and explain the details of how their WP was hacked, and even after spending an immense amount of time cleaning it – exploit code remained in their htacess file that redirected only visitors that came from mobile devices to another site that installed bot net malware. – How do I sell them – err add value – I fixed this, after 12 hours of work.. here;s a bill you did not expect.. then next week – oh there is this akismet thing auto-installed on your site – you can’t afford to use the service, but it’s there by default.. and it has an exploit in the wild.. so not you have to pay me to update it for ya..

            If I was going to add value it would be converting wordpress sties to static html and be done with it.

            People here are at least offering compromise ideas.. if you are going to shove new bonus features down our throat please give us an option to turn them off without having to add plugins – I think that is a fair thing to ask – yet the quoted statement from the core team is that people are too stupid and wp is too cluttered for end user choice like an option to remove some things with a click.

            I did see that the team decided to open up the 2016 theme to masses faster in response to being called out on the issues. Hoo-ray for that.

            Seeing this many statements recently from the “Voices of the ‘Elite’ People” that are so terse, non-listening, and discounting of the many that are out there selling others on wordpress.. I guess the writings on the wall – it is indeed time for us to do something different.

            I guess those of us who just want wordpress without the bloat and lack of options need to fork and go static. I should of done this over a year ago – it would of saved me an immense about of time – I’ve spent more time applying updates the past two years than I have blogging.

            I see there is a make ‘wordpress go totally static plugin’ in the repo – that appears to not work very well. Maybe we can get something like that actually working. This will fix most of my user’s issue – and certainly add a a lot of value!
            (more privacy, less security problems, better performance – looks like BloatPress – hums like pure html)

            I suppose some of our installs will still need some of the dynamic functionality – so it seems a fork is long overdue.

            I can do some hosting and I can donate some cash to the cause. I’m only 22% through my php course, but I imagine it would not be hard to pull out the stuff that pings wordpress org servers looking for updates and instead checks elsewhere.

            • Jan I hear hear what you are saying.

              That’s good and I appreciate you writing that. Thanks. ;)

              This has become a continuation of issues I started to get vocal about in the recent posts about the new upcoming default theme, and it’s a very similar situation with the recent post and comments about killing xmlrpc.

              Those really are separate items but I can see that you’re concerned.

              People here are at least offering compromise ideas.

              I’m sorry, but I don’t see that. Not at all.

              The core team follows a well stated philosophy and every single feature that is being added can be turned off.

              What seems to be in dispute is that how that can be accomplished. Some insist that that happens via a check box and that the default for new features is to be “off”.

              Regarding the check box, there is agreement. A plugin is a type of admin check box. It really is trivial to implement that. As designers and developers everyone here knows or can find out how simple that is. Just look at the code as I’m sure you may have done already.

              What’s not in agreement is the insistence to do that the admin pages. It’s not a compromise when the core team reverse a decision about that. The middle ground already exists in the API and yes, that’s a plugin.

              The API isn’t that hard and those plugins show you exactly how that works.

              Seeing this many statements recently from the “Voices of the ‘Elite’ People” that are so terse, non-listening, and discounting of the many that are out there selling others on wordpress.. I guess the writings on the wall – it is indeed time for us to do something different.

              I just finished attending WordCamp NYC (and it was great) and I can tell you this: there’s no elites in the community. Honest. It’s all regular folks working together to make WordPress better for everyone.

              The core team is transparent and you can see that via their blog.

              Visit https://make.wordpress.org/core/ and read the transcripts of the Slack sessions. It’s good reading and provides real insight to the whole development process.

              There are ways to get involved with that team, but please keep in mind again: sometimes the other people involved won’t see it your way. That doesn’t mean they’re arrogant, mean or even obtuse. It just means they’re following a design or goal that has already been established.

            • Thanks for sharing your experience, DJ Steve. Mine is remarkably similar. We build sophisticated websites with important additional functionality. Those issues with updates breaking sites and gratuitous security vulnerabilities (XML-RPC, Jetpack: gratuitous as for most sites including the functionality is mainly or entirely unused) have made our job miserable.

              Like you, I like to provide value to our clients, not ding them again and again for security and update issues. I’m in this to build a better world. At one point, contributing to WordPress seemed a good path to that end. Less and less.

              Seeing clients occasionally forced to shut down their websites due to maintenance issues makes me very sad: this happened again last week. It’s like renovating your house every year: some people do it, but it’s enormously wasteful. Especially in a down year. Imagine being forced to do so.

              We do participate in make.wordpress.org/core/ though we don’t have time for Slack. When we’ve discovered and documented performance or structural issues we’ve often not found a very sympathetic ear. Of the core team, Mark Jaquith seems by far both the most astute.

              In any case, right now dealing with core developers basically asking the drag racers to build you a family car. As is evident from both Jan and Mark K’s writing, they enjoy promoting their hardliner stance more than helping developers build secure and stable websites. There isn’t much use talking when no one is listening.

              WordPress has gone so far off the rails that it now makes sense to pay $50/month/site for hosting a low traffic site just to avoid being hacked and to have reasonably competent support somewhat available (WP Engine). The Rainmaker Platform offer at $900 or $1500/year even makes sense: WordPress which works (and with a clean and useful dashboard). This is what our lovely free blog and CMS tool to which we have all been contributing, many of us for nearly a decade, has come to. A long way from “democratizing publishing”.

              I started this post to answer you about static WordPress. We’ve been through this debate before. Moveable Type 2.6 was static, while WordPress was dynamic. Static indeed was very high performance. The tradeoffs in terms of functionality are enormous though. A developer can do so much more with a dynamic website. Modern websites have a lot of moving pieces. Forcing them back through a static funnel will create a lot of pain. I remain convinced that a stripped down WordPress is the best way forward. It avoids throwing out hundreds of thousands of man hours of great coding (there were many who contributed over the years who do not share the drag racer attitude of the current core). Done properly we can even retain compatibility with most themes (not with the builder parts of them which are bundled trouble for the most part). A theme cleaner could probably be written. Most well written plugins should run as written or require minimal modification.

              I’d rather some kind of compromise could be reached with both a stable and an experimental branch of WordPress under the same roof. Forking implies a certain duplication of effort and waste as those of us who lived through Mambo to Joomla remember. Still, if attaining stability and security requires forking, then it’s a price worth paying. Copyblogger have basically created their private fork already.

              While there was more heat than light in JD’s post, one good notion would be to use the API to turn off all these features. I will look into using the API in my initial BusinessPress (codename for now) plugin to allow the user to turn off as many features as the API will allow. This will at least fast track the development and reduce the amount of code needed.

  16. FWIW
    I’ve been a digital media developer for 25 years but I am new to WP. About 1.5 years ago I helped establish a non-profit organization who’s website requirements include event registration, membership, and online courseware. As I consulted trusted sources for how to build such a website, WP was recommended by several people. We hired a developer to get our initial site established and I have been learning about how WP works as time permits.

    Over the course of my career I’ve worked with several of the popular operating systems, learned several computer languages and provided a lot of basic computer support of non-technical professionals (my clients).

    At first I hated WP as it is so much less efficient than straightforward coding. Operationally, it reminds me of the bad ol’ days of the early OS’s. For example the plugin conflicts/troubleshooting/vendor blame/ remind me of the early days of both the Mac and Windows – what a drag to have to deal with that again… But over time I have begun to appreciate what WP has to offer – the extensibility and support community to help meet our diverse needs. It is in some ways an OS unto itself.

    So with that background, here is my 2 cents. It’s clear that WP has evolved from a popular blogging platform to a powerful, if chaotic CMS. But as an IT professional using WP to manage an organization, the issues of performance and security, as listed in djsteveb’s first post, are basic functions that I need to be aware of and manage. As for newbies or 95% of users (is that estimate based on any studies?), if, during WP install, they are presented with a series of options/checkboxes, with short explanations, they will at least be aware of important issues which are inherent in using WP. These issues exist and will affect the performance and security of their site whether they manage them or not. As with all things software, they can choose to explore these issues further if they are interested. In a world where more IT professionals are using WP as a primary tool, it doesn’t make sense to me to have to maintain a knowledge base about group of plugins in order to manage important core features. From my perspective, you’ve built this basic house, but if I want to be able to close the doors I need the hinge plugin – please assume that I want to close the doors to some of my rooms.

    I understand that there needs to be a balance to what is placed on an advanced options page, but to me, relying on plugins to manage fundamental options doesn’t seem like a logical architecture.

    That said, I do appreciate that WP is available. Thanks for the huge effort in creating and maintaining it.

  17. I was weeping at the nature of this conversation. I didn’t think that a post about a new feature in WordPress would generate a 65+ comment thread which mostly consists of arguments made in the last 7 years where people claim it’s time to fork WordPress or turn it into something it’s not.

    Although some valid points are made, they’re overshadowed by the vitriol thrown at each other in disagreements and for godsakes, yet another comment thread where Mao and Hitler is mentioned. How can anyone take anything a person says seriously when those two are mentioned in a freaking comment thread about WordPress.

    I don’t know why we can’t simply discuss the feature at hand and stay focused on it. Instead, we have calls for options to remove and delete everything in WordPress. It seems to me that the people who are always being negative nancies have their own agendas for their own clients and the rest of the ecosystem be damned.

    I used to enjoy the comment section on the Tavern when we could all engage in meaningful conversations about the software without it getting personal. I don’t have the time or energy to get involved in the comments as much as I’d like to because it’s like stepping into a UFC match. The person with the most time to type out paragraphs wins which shouldn’t be the case.

    I’ve been extremely lax in policing comments here and I’ve tried to take steps to help steer conversations in a positive direction. Unfortunately, I’ve failed to do so and this thread is evidence of it.

    My patience is gone and I see I’m going to have to take drastic actions to make the comment section a place where meaningful discourse happens again.

    In the future, don’t rehash arguments and don’t make up excuses about why you can’t be the change you want WordPress to be. It’s easier now than ever to contribute to WordPress and it’s getting easier all the time.

    • I can point a finger primarily at one individual who starts the comments down this road. But I won’t. My Captain Obvious uniform is at the cleaners.

      I heard Jan was “leaving comments” on “a site” this morning and I nailed who the other person was and which of the millions of WPsites in a few hundred milliseconds, which indicates a history of comment abuse.

    • Jeff I understand your position, and apologize if I any of my comments have put you into a tough position. I have some more thoughts on ways for comments to be made better / easier – but have not had time to blog them. I will try to get those put into digital paper and invite you to take a gander on those thoughts / idea. Stick with it man, the long comment drama ebbs and flows – and once a few solid arguments are made a few times a small group of commenters will start to just shorten the rebuttal to a few words and it will be understood – like statements like free and is beer, stuff like that.

      Not saying that I would use Mao as an argument or saying that others shoud, I would like to point out that in this particular case it is kind of relevant in that many do feel a similar way about how decisions are made and forced upon the masses – and not all the other stuff that surrounds the death and such that most of us think of when those names come up – I also noted that when I was looking at a plugin and researching the team behind it – that I noticed that team was in a country I was unfamiliar with,I think Slovia or something – and I think we need to also take pause and consider that people in part of the world may have a different way of interpreting statements like that. I am sure that people in the US have a different mental / emotional understanding of events that occurred with all that and people who were closer to it one different sides may be different.

      doesn’t mean that phrases that bring up what many would consider hate speech need to be allowed – after all it’s your tavern.. maybe the old boingboing policy of dis-emvowel-ing some portions of comments would be helpful..

      In one of my communities we have an issue pop up on occasion when UK visitors use words like fag.. those are generally opportunities to educate – however we do have one consistent troll who knows it’s an issue and constantly tried to use the word in various ways to stir controversy and get attention – and so the moderation fro such does get tricky, and that person has been asked to consider the audience and change his language.

      Moderation is hard, and global cultural difference do not make it any easier. I have more examples – but I will post them elsewhere and invite you to check them there is you like.

    • My patience is gone and I see I’m going to have to take drastic actions to make the comment section a place where meaningful discourse happens again.

      Just make sure you don’t make it a place for only saying “amen” at the end of a sermon. That sort of yes-man mentality is a significant part of the issue at hand for WordPress.

      • I know what you’re saying and I realize there’s a tough balancing act that comes with moderating and maintaining a community. I’m not going to outright ban people for disagreeing or not towing an imaginary line.

        • tbh I think you have only two choices here, either leave the section open or close it entirely.

          The moment you start policing is the moment that the “democracy” is gone. You might not like everything said here, but that is the price you pay of being the bullhorn for WordPress.

          Your blog stopped being your blog when you agreed to becoming Matt’s personal newspaper…

        • @Piet
          The only reason some people might mistake WPTavern for Matt’s personal newspaper as you put it is the fact that trolls and axe-grinders have been giving free rein to go on and on and on about their misgivings at the expense of on-topic, civil discussion.

          And then it turns into a platform for a select few malcontents. There has been far too liberal a policy regarding trolling and agenda-driven and systematic patterns of complaining.

          Turn the worst of those comments off and maybe we can see other people feel more welcomed to put in their thoughts – whatever their angle – making the place a bit more representative of the community or as you put it, more democratic.

          And there comes a point when frequent readers tune out certain comment authors when the complaining becomes repetitive, is filled with FUD, histrionic reactions, willful manipulation of the facts and so on. And it becomes more and more evident that there is just a general unwillingness to treat other people with a charitable, fair, constructive mindset and see things from multiple sides.

          But I’m all with you Piet. Comments like yours and others make this look like Matt’s personal newspaper, because such as thing would precisely attract trolls and critics. Remove those comments and we have a nicer Tavern for all.

  18. I think this is a very handy feature to be able to quickly share and embed posts and content across the web. I would have no issue with someone embedding my content in their site using this system as I know that it will be linked back to me site as well as share my content. I look forward to trying it out.

  19. @Jan – re

    ” A plugin is a type of admin check box. It really is trivial to implement that. As designers and developers everyone here knows or can find out how simple that is. Just look at the code as I’m sure you may have done already.”

    I hear what you are saying. May I offer you a couple different views to consider.

    It is not trivial – and that language / thought process is exactly why I used Elite in my quotes earlier. I’m not trying to be mean / rude – I’m trying to get you guys to see beyond your not-so-walled gardens you regular guys get to live / work in.

    example – xmlrpc – I realized the need to disable it. I go to the wp-repo start looking. There are a bunch of plugins that say they do it. Which ones work with 4.3? Which ones have flaws? Which ones are trustworthy? I spend a lot of time reading descriptions, support threads, looking for details. Which ones actually turn it off in a way that actually keeps my server from accepting the requests and making to hit sql and returning something? I finally chose one (not sure it does what I need it to do).

    The server I need to add to first has a dozen WP sites on it – and security on that server does not allow for wp backend ‘add new’.. I have to download, unzip – and ftp files in.. then go to dashboard – enable. Thank goodness I’m at home with cable connection and not in emergency need of this when at my GF’s place, which does not – and ther I can’t hotspot either as it gets one bar of service on the “edge” (not even 2g) network!

    I can do all this – but it is NOT trivial. And I consider myself a fairly advanced WP user.

    Years ago I got my mom and two aunts using wordpress – they are actually pretty fluent with a lot of things WP. However you should see their eyes gloss over when I explain who xmlrpc is being used by hackers, how we need to rush to disable, how it needs to be done – yet my two aunts use jetpack – so we can’t there.. So.. I have to do more research. I find that jetpack has a module that can help with this brute force thing.. and explain that needs to be turned on. One aunt has not idea what I mean, so I have to login to her wp and dig through a ton of jetpack settings I know nothing about.

    I find it, get it turned on – I heard around the tavern this works – however not knowing how it works- I wonder if it’s protecting from a successful login, but not stopping the server from getting hammered by requests and sql queries – even if they never get a successful login, I still have to watch how much hammering of our php on this server is an issue.

    Yeah – it’s kind of an admin checkbox – but it’s not.

    Now all this is with a situation in which I was lucky to be enlightened about fairly early in the “this is current issue in the wild” process.

    During previous WP upgrades I was not aware that WP was installing extra third party stuff – and had unknowingly sacrificed the privacy of my visitors and my crew. Only when I saw my siters hang slow and noticed a waiting for google… in the little bottom of browser – I freaked – has my site been hacked? why is my site waiting for google? I have never and will never install anything google.. had to dig.. whoa! It’s not hacked it’s a sneaky auto add feature..

    Got to plugin repo – search- repeat process above.

    I found out from others about the emoji stuff being added – dang it. Wish I had known on install of update not weeks later – repeat proces above.

    I have more details and several examples.. but trying not to stress out Jeff with too many paragraphs.. Time to start bloggin’ again I see.

    On a lighter note, I wonder if the oembed thing would let me write a long details post about my experiences, and come to the comments here at the tavern and post an excerpt with links to my blog? Will that iframe work in comments?

    LOL – that might save Jeff some paragraphs to read.. but some may change what they wrote and then what appears on Tavern may be an issue – a trusted embed okay option in comment moderation?

    I am seeing people use this embed thing on one of my BP sites – it appears tumblr has this exact thing, and people are using the embed thing to auto-pull a pic and some text from their tumblr system and post on the activity of my BP thing – not sure I like it – but I guess I see where the team got the idea –

    I don’t think it will be long before people use it in that manner to post a gif of kittens – then come back a month later change their post to show something evil – and I have no idea if it could be used to get links from the embedded site for shady SEO – or if Ggl or some other setting in embed thing can block such abuse.. it’s a new possible attack vector I have not thought enough about..

    If I embed a chunk from Tavern on my site – and later Tavern is hacked and they add nuclear exploit to all files served.. and 1,000 sites have Tavern post embedded, and those 1,000 sites get 10,000 visitors per day..

    Maybe the sandboxed mode stops this. I’m just trying to make sites and blog, not sure I’ll ever know enough php and enough about WP to really know how it all works.

    random thoughts – Sorry Jeff – I think about WP too much. If I should of divided this comment – grr. I don’t know.

    • trying to keep it short, forgot this par “Just look at the code as I’m sure you may have done already.”

      No, if I looked at the code I would not understand it – even if I understood the php within, I would now understand the other parts of WP and what it was affecting. Since it’s in the repo I would trust that the WP peeps have looked to see it is safe – and the community at large would mention in support thread if there was an issue.

      I would use it as it appears to be the only reasonable option for my current situation . Aside from the other mentioned bigger steps (fork / don’t use wp / blah blah)

    • Hey djsteveb, it’s all good and I’ll try to be brief. ;)

      I can do all this – but it is NOT trivial. And I consider myself a fairly advanced WP user.

      Are you doing this because you need to or you think you need to? I’m not being pedantic or snarky. XML-RPC is a problem if you don’t have strong passwords. So is wp-login.php for the same reason and I don’t see people rushing to turn that off somehow.

      Despite the press, out of the box WordPress isn’t insecure. I’ve never used a “security” plugin. It’s not that I’m lucky, it’s that I maintain my software. Even that can be automated.

      If you want to disable XML-RPC (and I’m cool with that) then it’s just one line of code in a plugin or your theme’s functions.php file.

      add_filter( 'xmlrpc_enabled', '__return_false' );

      I had to look at a plugin to find it myself. I also knew it was one line in a plugin; I looked at it before.


      Note that I don’t disable XML-RPC myself. I know that there’s a ton of misinformation about XML-RPC and WordPress but there’s really no need to disable it if you take normal precautions about your passwords.

      During previous WP upgrades I was not aware that WP was installing extra third party stuff – and had unknowingly sacrificed the privacy of my visitors and my crew.

      I’m going to skip the privacy conversation and just point out that Emoji is a little more lines to disable but that’s simple too. Look at the source for this plugin.


      Otto wrote a plugin that will not only disabled them but replaced them with original the classic smileys.


      The point I am trying to make is that each time WordPress adds a new feature or enhancement, there is always a way to disable it in code, if you feel the need to do so.

      Yes, new features are enabled by default. Disabled features never get turned on and never get adopted. But there has never been a feature added that the core team felt was not good and secure. That includes the much maligned XML-RPC code.

      The oEmbed provider is targeted at the majority of the users. Just like RSS, people want to make their posts available for consumption. This is just a new cool way to do that.

      I will always support anyone who wants to disable features on their own site. Anyone on the support team would, it’s your site or in some cases thousands of sites. The support forums are a good place to ask. ;)


      But what I won’t support is someone taking their case and trying to apply it to everyone else. The design decisions that the core team make is based on helping the majority. Disabling these new features by default aren’t that.

      • XML-RPC is a problem if you don’t have strong passwords.

        FWIW, this is one of the reasons that the REST API doesn’t (and never will) accept username/password authentication without a plugin. (The other main reason is so we don’t support the give-your-password-to-everyone antipattern.)

        • @Ryan, To get an off-topic discussion even more off-topic, I don’t really get this claim about not using passwords for the REST API makes it magically not a security issue.. An oAuth token is just another way to express the user+password combo, and if the random number generation is not good enough then it will be possible to produce a rainbow table for all wordpress sites to use in brute force attacks against the oAuth token.

          But even if the token generation is great, it is still an additional attack vector, and with different authentication path (I assume) which means that unlike with XML-RPC current tools that handle brute force attacks (IP range base, login limit, etc) will not protect against attacks on that vector. So the end result might be a (maybe just slightly) less secure site.

          I hope that one of the things that will be done when the API itself will be integrated is to give any API which requires authentication (or maybe just the authenticator itself) a path which can be easily disabled in htaccess..
          Being able to disable it in WP core is nice, but there is no reason to waste CPU cycles to load core if I want the feature to be fully disabled.

          Which surprisingly bring me back to the main subject. oEmbed should also have an easy way to block it in the webserver level from the same reason of saving CPU time if I fully disable the feature.

      • think you need to? … XML-RPC is a problem if you don’t have strong passwords.

        Need to.

        Trying to be brief.
        hosting a friends wp site – it got hacked.
        cleaned the files. reinstalled. made strong pass – changed limit logins to 2 tries, 2 lockouts – 9600 hours. Had sucuri, a few other things. It gets hammered with failed attempts. I’m getting tons of notices. I’m looking up IPs, adding cidrs to htaccess deny.. I’m blocking countires from accessing the site – writing abuse complaints to ISPs.. this is going on for a few days. I stumble upon “IP GEO Block” – wow, made a HUGE difference.

        Two days later, tons of emails failed login attempts, blocks.. I’m going back to same thing looking up cidrs.. this botnet wanting back in to this site bad. I added firewall plugins, captchas, only allowed American IPs to get to xmlrpc and wp-login – I’m collectin passwords, and it was quite trippy to see them get 20 password attempts per ip even though settings were to allow only two. I went looking for help, suggested addons for plugins.. and eventually – deleted xmlrpc and indeed I did rush and delete login.php –

        1 problem solved. (until the next WO auto-update which I assume will replace those files and the bots will be back)

        Not all my sites get hammered like this so repeatedly – it usually only comes hard like that about 2 days a month. (Collecting the failed passwords from these is interesting)

        I have watched the most amazingly smart and adaptable group of hackers change tactics with everything .. trying to be brief.

        2nd problem – MySql

        A bit of a perfect storm, however, even though WP can run pretty solid when there is not too much bloat added with too many plugins, on a dedicated box.. A different site on that server was hacked – and these guys added about 5,000 html files in sub directories and got them indexed by baidu, naver and some other agressive places – it was getting hammered by these bots non stop and (ahrefs bots and others!) – even though I deleted all those files – WP was doing it’s dynamic ? string url thing – server is humming just serving tons of non-really there pages.. that’s another blocking adventure..

        While this is going on, the other wp sites are getting hammered with password guesses, and MySql starts to choke. I’m getting failed to connect, can’t even get in and work in the admin backend for periods of time – as there are hundreds of requests per domain name all coming in and attempting to be served like no tomorrow.

        Several others of sites have been hacked – even with more than average measures in place.

        For a while I saved a TON of sql resources by adding an htpssw / htaccess thing that host gator posted some time ago – it added an apache Auth to anyone trying to load wp-login – that was awesome – most bots blocked, no sql getting hammered..

        but then this xmlrpc thing started being used more and more – and I did not understand how they were getting past my auth – thing – thank goodness sucuri posted info about this and I was able to determine it needs to be dealt with.

        I appreciate your other info Jan – nice to see that. I would love to see wp Org put some of that info more prominent on the main pages there somewhere.. using wp org and the theme / plugin repo for years, and I only recently discovered the make.place.. after some posts on the Tavern here. I like to keep up with what’s coming to know how bad it’s going to break our sites. That dang title tag thing changing here lately is an interesting challenge. Things about themes needing to use the customizer, no theme options – important stuff!

        Love to see if more prominent in the places the average WP user is likely to visit. I stumbled upon them shaper and underscores only because of reading about some lawsuit.. I’d love to see themeshaper info posted prominently in the dot ORg / themes section! (of course once the tutorials are no longer outdated)

        I appreciate that the core team is trying to please a lot of people, and is open to new things – that is great. Honestly for most of the 100 or so WP sites I try to keep maintainedm we’d be fine with WP 1.5, or a static generator or something. We don’t need all the fancy things WP can do, but we do need a way to keep secure and lightweght, without keeping up with semi-hidden things wordpress (the google fonts thing threw me for a loop) – (xmlrpc used as password guesser) – then we’d have no WP sites running at all – and keeping up with these changes has been a challenge. Just about every new feature since 1.5 would of been better for us as plugin, not enabled – and never downloaded. We could use a lean press like the old branches I see some places doing(and noticed wp is kind of doing with some security patches for older versions).

        I am glad there are some heads up on these things posted at the Tavern – as it shows up in the dashboard. Thankful places like sucuri are doing their thing. So thankful for ip geo block these days, and looking forward to those bots going elsewhere and hammering everyone’s else’s stuff and leaving ours alone – lol.

        • Those are perfectly valid reasons and I totally appreciate why you want and need to disable XML-RPC.

          Tell you what though: we’ve well and truly gone all over the place in these comments. :P

          I think for someone who’s supporting lots of installations as you’ve described you might want to write your own short custom plugin. Something small with just a description and the PHP code to do those things you want. The API won’t change for years and your plugin won’t be parsing any inputs, just making those settings that you personally need and nothing else.

          I’m on the support team so this may sound canned: can you start a topic in the support forums about the settings you want to disable?


          And post that link to your topic here? What you want isn’t a lot of code to maintain. For example, the XML-RPC setting is only a few lines to make it readable.

          You’d take that small custom plugin, drop it into your installations, activate it and POOF! you’re done. It’s even easier with WordPress multisite, just drop the file into the mu-plugins directory.

          I can’t guarantee that I’ll be the one replying to your topic (Tuesdays are the worst for me) but I’m sure it will get some traction.

          About the new features that the Core team is adding: new features keeps the platform relevant and modern. The new features are added to solve a problem (the REST API is cool BTW). But they’re not always something that everyone will need, appreciate or want. With millions of installations how could they be?

          In your case (and others) a little code to maintain isn’t a bad solution. Let’s see if we can get something working for you, it will definitely help people out.

        • my 2 cents about “security” plugins and plugin security.

          Security plugins usually do not worth the electricity they use. They are more likely to harm your server than a security breach (maybe I am exaggerating a little….). Login limiter is an easy show case as it is very obvious the harm it does – for every failed login attempt it has to do a write to the DB which is the most expensive operation you can do. And then some of them go on and keep wasting resources by sending e-mals to you as if there is much you can do (you obviously can, but most admins can’t)

          If you have your own server you can try to integrate wordpress with fail2ban. There is a plugin for that but it still requires some server configuration, but it is always true that if you can block access in the web server config it is the better options, as all brute force protection can not protect you against a lucky first guess.

          As for securing plugins – just disable “direct” access to any php file under the wp-content directory. Plugins and themes that fail in that enviroment should not be used, as simple as that.

          Object caching can indirectly help as well by reducing the number of reads from the DB when you are being hammered on specific set of login names.

          Last thing to do is prevent any script execution on the uploads directory.
          This way even if you are hacked, which usually results in files added to the uploads directory, the server will not waste CPU on running malicious scripts.and be used as a spam getway (this of course assumes that all the other directories are RO)

          So why isn’t this all in core? I think that the default .htaccess can be made more secure but most of the items here are either specific to apache or require a control over the server resources, something that you don’t have at a shared hosting.

  20. That’s a nice feature and I wasn’t aware of it until Now. I will leave it enable because it gives a more advance impression to the users. Plus side is that it will make it easier and appealing for others to share our blog urls on there ones. Which can help get even more visitors :P

  21. Hey Core Team: I’m psyched about oembeds and am already building an entire site (about comment moderation best practices, go figure) around them! It’ll be great to have a syndication system which leaves the content in the hands of the owners but lets me display it beautifully.



      • Ooo, more positivity! I like.

        You know, in all the excitement about these comments I did the following.

        – Updated my main network for the 4.4-beta2. I use the WordPress Beta Tester plugin for that.

        – Created a test installation on another vhost on the same VPS running the same 4.4-beta2 code.

        – On the test installation I created a post and attempted to oEmbed a post from the real site. Didn’t work.

        – I attempted to add my real site as a oembed provider, no change.

        I may have to post in the Alpha/Beta sub-forum. ;) I will definitely try that new plugin.

      • Interesting idea, Hugh. I wonder how it might extend this to the front end for serving up little embed snippets to users that want to share your content. I could see that being useful for something like a movie review site: grab the review and put it on your own blog. Hrmmmmm.

        • Yeah – I’m working on that for v1.1 – going to have an option to give the embed code on the frontend (much like YouTube) so people can easily embed content. Just makes sense to have that available really.

  22. Cool feature!

    Like many features in WP, if one wants to disable, you just have to do the proper research on how to do it.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: