While not quite under the tree, one of my Xmas toys this holiday season has been version 3.8 of WordPress, nicknamed “Parker” in keeping with the trend of naming it after Jazz musicians.
It’ll probably be a while until we see WordPress “Atzmon,” but in the meantime, in honour of WP3.8’s namesake, here’s some Charlie Parker (above) for your listening pleasure for the duration of this post. Now maybe take Drinkify.org’s suggestion and crack a bottle of merlot as well. I have. Sorted? Good. Let’s hit it.
Inside the CMS (what I’m looking at right now) is a vast improvement over versions past. Instead of the old shading effects and overly photoshopped feel there is a sleek, uncluttered system with high-contrast colours and clear typography. There’s sparse use of images in the design, which makes it look crisper, run faster and look much cleaner. This was long overdue. When Apple gives up gradients before you do, you’re officially running late.
- Really damned responsive: This one is well ahead of the curve. I use mobiles, pads and desktop machines to update websites, and it’s nice when you have a site that looks good to visitors no matter the device, but it’s fantastic to have a CMS that’s completely responsive.
- Better typeface: Across the system, Arial has been dumped for Google’s Open Sans, which is much easier on the eyes (almost to the point I don’t need the specs, but not quite). For iconography, instead of little image files, it’s using Dashicon icon font characters, which means they’ll load faster and look better no matter your screen.
- A cleaner wysiwyg: It now looks like something that’s part of the CMS instead of a bolted-on piece of 3rd party kit. It’s also running quicker and has a typeface and spacing that make it much easier to stare at and bang the keys in.
- Custom admin colour schemes: This may seem superficial, but if you spend a good amount of your time looking at different website back ends in different tabs on the same browser, being able to quickly tell one from the other comes in handy.
- Smarter password strength checker: This was introduced a bit ago, but made prominent in 3.8, and is quite useful in multi-contributor sites.
What went wrong
Very little. If you use WP’s new default theme Twentyfourteen with the standard Jetpack plugin then you’ll have noticed there was a compatibility issue in which featured posts stopped showing up. This has yet to be fixed in the standard download, but is patched in the developer version. Not quite sure why that wouldn’t be pushed to a standard release, though.
Embedding media was really improved in earlier versions of WP, but I notice WMA files still give it some problems in some browsers. This one, for example, may be buggy depending on what you’re looking at it with. I normally avoid Microsoft-first formats, but they’re unfortunately still pretty widely used.
There’s a lot already in WP, and pretty much anything can be added with a plugin or a bit of coding (including the items below), but here’s what I think should be dumped into the core.
- Two step verification option: Nice one with the password checker. Being able to set up stronger login access would be even better.
- Move some stuff out of Jetpack and into the core: I get that Jetpack brings a lot of tat from WordPress.com to DIY sites. Groovy. Love it. Maybe you want to connect to that cloud and maybe you don’t. But some elements in Jetpack don’t really require a connection to WordPress.com to work. An RSS feed widget should be standard. Custom styling, conditional sidebar stuff, none of that requires cloud computing.
- Add a GPG encryption option to the default contact form: You get these forms with Jetpack, but it would be great if they had some extra security built in.
- Anchor links option in the wysiwyg: Because sometimes I like to let people cut to the chase.
- More control over how many posts appear per page: This is still really basic in the CMS. On the home page you may want 5 posts, but you may want 10 to appear on an archive. You may just want the headlines to show up if someone clicks a category. The “Reading” settings in WP remain an overlooked area for development.
Locking WordPress down
WordPress is the most widely used CMS on the planet. It’s the open source web software success story, but with ubiquity comes challenges. Even with a vast development community keeping this CMS strong, there are countless hackers looking for holes to exploit. I find WP to be a fairly secure platform for most uses, but it can be toughened up. If you’re looking for more industrial strength, consider using a mix of these four:
- Wordfence Security: Anti-virus and Firewall security. The free version will probably give you a lot to start with before you need to decide if it’s worth upgrading to pro.
- Akismet: Comes standard to fight the comment spam. Use it.
- CryptX: This is a clever thing that scans your site for any email addresses and hides them from spambots while still keeping them clickable to users.
- WP DoNotTrack: Whenever you add a new plugin or design theme to your site, it’s generally a good idea to sift through the files and check for litter such as third-party tracking code, cookies, etc. This plugin promises to do that, which is helpful because you don’t have to check just the first time you install new code, but each time it updates as well. Still, you should pop in and see what’s going on with your code on occasion.
- Custom Author Byline: This isn’t a security plugin, per se, but it has a clear safety advantage: You can easily have a multi-contributor site without giving more people access to your CMS. Fewer people with access means fewer passwords floating around in the wild.
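For the manual check mentioned under WP DoNotTrack, here is an added example (not from the original post or from any of the plugins above) that lists the outside hosts a plugin or theme directory refers to, so the list can be compared after each update. The function name and the sample domain in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: list third-party hosts referenced by a plugin or theme.

# external_hosts DIR [OWN_HOST]
# Prints each distinct host found in an http(s) URL, or in a quoted
# protocol-relative URL ("//host/..."), inside PHP/JS/CSS/HTML files.
# One host per line, lowercased and sorted. OWN_HOST (assumption: your
# site's own domain) is left out of the report.
external_hosts() {
    dir=$1
    own=${2:-}
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    find "$dir" -type f \( -name '*.php' -o -name '*.js' \
            -o -name '*.css' -o -name '*.html' \) \
        -exec grep -Eoh "(https?:|[\"'(])//[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+" {} + |
        sed -E 's#^[^/]*//##' |
        tr '[:upper:]' '[:lower:]' |
        sort -u |
        awk -v own="$own" 'own == "" || $0 != own'
}

# Usage (path and domain are placeholders):
#   external_hosts wp-content/plugins/some-plugin blog.example.org
if [ "$#" -gt 0 ]; then
    external_hosts "$@"
fi
```

Saving the output before and after a plugin update and running `diff` on the two files shows any host that the new version introduced. URLs assembled at runtime from string fragments will not appear, so this narrows the manual review rather than replacing it.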
You can take matters further by also adopting some of WordPress’ own suggestions, found in “Hardening WordPress”. Most of these ideas are worth considering, or at least understanding what can happen if you don’t use them.
If your site has any sort of interactivity or communication functionality, you owe it to your site visitors and yourself to add an SSL certificate on the server. This doesn’t have to do with WordPress, but is about taking some steps to keep things personal. If you’re using contact forms, consider ones that feature GPG encryption integration:
- SimpleSecure offers a basic contact form and it’s simple to set up to start receiving encrypted messages. It’s actively supported and offers a quick, no-nonsense way of upping your site messaging privacy.
- wp2pgpmail has free and pro versions, but I’ve found both to take a bit more set up and be slightly buggy and not play well with design, but it’s got some nice options and the encryption works as advertised.
Yes, SSL is encrypting activity, but adding this layer to your forms can keep messages private as they’re pinged and copied from server to server until they land in your email inbox.
As an aside, if you’ve just updated to WP3.8, you may want to delete some needless files. You don’t need these four files after the installation is complete: license.txt; readme.html; wp-config-sample.php and (in wp-admin) install.php. Surplus files add up, and keeping track that each one isn’t offering a hole into your site takes time. There’s nothing inherently wrong with any of these, but it’s good to keep the clutter down and make sure each file is doing some lifting to justify its existence.
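The cleanup described above, as an added example that is not part of the original post: a shell function that reports which of the four files are still present in a WordPress root and removes them only when asked. The function name and the `delete` argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit a WordPress root for the four post-install files
# named in the post. Reports by default; pass "delete" to remove them.

# The four paths, relative to the WordPress root, as listed in the post.
WP_LEFTOVERS="license.txt readme.html wp-config-sample.php wp-admin/install.php"

# wp_leftovers ROOT [delete]
# Returns 0 when none of the files remain, 1 when some do,
# 2 when ROOT does not look like a WordPress install.
wp_leftovers() {
    root=$1
    mode=${2:-report}

    # Refuse to act outside a WordPress tree, so a mistyped path never
    # deletes an unrelated readme.html or license.txt.
    if [ ! -f "$root/wp-load.php" ] || [ ! -d "$root/wp-admin" ]; then
        echo "not a WordPress root: $root" >&2
        return 2
    fi

    remaining=0
    for rel in $WP_LEFTOVERS; do
        path="$root/$rel"
        # Only regular files are candidates; symlinks are left alone.
        if [ -f "$path" ] && [ ! -L "$path" ]; then
            if [ "$mode" = "delete" ] && rm -f -- "$path"; then
                echo "removed $rel"
            else
                echo "present $rel"
                remaining=$((remaining + 1))
            fi
        fi
    done
    [ "$remaining" -eq 0 ]
}

# Usage: sh wp_leftovers.sh /path/to/wordpress [delete]
if [ "$#" -gt 0 ]; then
    wp_leftovers "$@"
fi
```

Running it in report mode after each core update shows whether the update put any of the four files back.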
I’ve been using WordPress for about 11 years now, and staring at CMS things slightly longer. After a while they all start looking similar, so it was a great surprise to click the “update” button on the ol’ 3.7 site and see something this original and improved upon appear. Okay, my glass is empty now so that’s all.