Some great stuff I’ve learnt from WordCamp Europe 2022

The first WordCamp Europe to take place physically after the beginning of the pandemic, WordCamp Europe 2022 took place just a few days ago in Porto, Portugal, drawing between 2000 and 3000 attendees eager to meet in person after such a long time, generating an amount of energy and excitement not seen in years.

In addition to the contributor day on the first day (which received over 800 contributors, making it the biggest contributor day in WordPress history), this year included 26 talks and 18 workshops, and it ended with a Q&A with WordPress creator Matt Mullenweg and Executive Director of the WordPress project Josepha Haden Chomphosy.

How I wish I could’ve been there! As I couldn’t attend physically, at least I attended virtually, watching all the videos of the presentations and learning from all the wonderful speakers. And I can truly say, there was so much good stuff! I’m impressed with the quality of many of the talks, and so decided to write a summary article about them.

For this write-up, I’ve picked 5 of the presentations I liked the most, and summarized their most important insights:

• Security lessons learned from 2021, by Victor Santoyo
• Is podcasting the future of WordPress?, by Richard Midson
• Accessibility for dyslexia, by Maja Benke
• Creating a paid newsletter subscription in WordPress, by Laura Nelson
• Enhancing performance in an open-source CMS ecosystem by Felix Arntz

By the time this article is published, the individual videos with the talks are not online yet, so I linked to the YouTube live stream instead, at the point in time when each presentation starts.

I hope you enjoy these talks, and learn from them!

Security lessons learned from 2021

Victor Santoyo describes the security lessons learned from 2021, to help us prevent an infection during the current and upcoming year. Here is the video.

Sucuri makes a review of all the thousands of websites they clean annually, and compiles a report with the types of attacks produced and an analysis of where the trend is going. This talk gives us an overview of the most important items in the report. It’s important to note that the numbers in the report are not necessarily representative of the wider state of WordPress, since these concern websites that people asked Sucuri to either fix or inspect.

The first finding is that vulnerable plugins and extensions account for far more website compromises than out-of-date, core CMS files. Over half of websites, regardless of the platform, had their CMS software outdated. There were websites using all different CMSs which were out of date; concerning WordPress, at 50.3%, it’s still doing better than the other open source CMSs.

Here we focus on the plugins that make it likely for the website to be infected:

Among them, there’s TimThumb in second position, and that’s a security issue from over 10 years ago! This issue has already been covered extensively, and yet this problem still happens, demonstrating that websites are not being upgraded.

Considering how popular plugins are, ranking them by number of active installations, WooCommerce comes on the first position:

There’s nothing specifically wrong with these plugins, but because they are popular, they are commonly targeted by attackers attempting to produce the biggest impact.

Let’s explore next the methods that attackers are using. In 2021, 20.27% of remediated websites contained a hacktool, used for creating DDoS attacks, defacing websites, being part of a botnet, spamming, and others.

AnonymousFox is a malware to attack websites that use cPanel, allowing the attacker to gain access into the cPanel admin. Usage of this malware has been very prominent last year, and it’s on the rise, so it will be very common this year and next year too. As WordPress is the most popular CMS, it’s only natural that this malware is used for targeting WordPress sites. As the point of attack is cPanel, victims would not even know that their websites had been compromised. It may be only when trying to log-in and not being able to that they’d find out.

AnonymousFox allows the attacker to receive a reset email for the admin account and thus gain access to the cPanel. Once compromised, the website will have installed malicious folders containing scripts to attack the site, make it part of a botnet, execute credit card theft, and others. You need to look into your directory structure and identify these unexpected folders to be aware that you’ve been compromised.

To revert the changes once we’ve been attacked, we must apply the following measures:

Ransomware is also very popular and on the rise. It works by encrypting the infected website’s files and databases, upon which the attackers demand for money to get it decrypted back. The issue is not just the ransomware, but also the defacement produced on the website. However, we must note that the website files and database have not been destroyed or corrupted, only encrypted, so the data is still there.

This chart analyzes what types of attacks have risen over the previous 2 years:

Analyzing the trends, the biggest jump, and especially for WordPress, concerns credit card skimmers, which are scripts used to steal credit card information from within an eCommerce site. Some highlights are:

• Credit card skimmers have increased significantly from previous years and the behavior has become more targeted. A growing number of credit card theft has been occurring on independent websites where the store has set up their own eCommerce website
• Over 25% of all new PHP malware signatures generated in 2021 were for credit card skimmers
• In 2021, 34.5% of websites infected with a credit card skimmer were running WordPress

WordPress is prominently and increasingly being attacked due to its having a big percentage of the CMS market share, and due to the easiness to set-up an eCommerce store with it, thus making it an obvious target for attackers. 2 out of 3 inspected websites that had a credit card skimmer detected were running on WordPress, while the year before had been 1 in 3. So that’s a big jump in a short period of time. And it’s foreseen that it’ll become more common still.

These final screenshots show the summary of results for 2021, and the forecast for 2022:

Is podcasting the future of WordPress?

Richard Midson analyzes the current popularity of podcasting, and connects podcasting with the future of WordPress. Here is the video.

By April 2020, COVID had shut down the world, but also presented opportunities: the usage of Zoom exploded, commuters did not have to commute, and also podcasts mushroomed: 885,000 new podcasts were launched in 2020 (whereas only 300,000 had been launched in 2019). This is an opportunity too big to ignore.

These podcasts were about sports, cooking, literary events, or any niche community out there, not dissimilar to the explosion of WordPress blogs back in the day. People are increasingly resorting to podcasting, particularly in places where their local media is quite limited. Some other numbers include:

• Spotify reported that 1.2 million new podcasts were added in 2020
• 80 million people listen to a weekly podcast in the USA and, according to statistics, it could soon climb to 160 million
• Globally, there are 40 million new podcast listeners per year
• South Korea has double the percentage of new podcast listeners per year than the USA
• Compared to English podcasts, Hindi podcasts have increased 14 times faster, and Spanish podcasts 7 times faster

Concerning the business side, research indicates that podcasting may become a $94.88 billion industry by 2028.

This growth happens because podcasts are engaging. Listeners trust the presenters (and the ads they present) more than from any other medium, and the listening engagement is over 5 hours per person per week. Podcasting around the world is also growing because of more availability of data, and because the software and tools to create podcasts have become easier to use.

The big broadcasters are moving in, but they are looking for the big numbers. So they will not focus on the small topics, suck as knitting or debugging JavaScript code, leaving these niche domains free for anyone to claim for themselves. And these niche topics can be very rewarding. For instance, 2.59 million people took part in scuba diving in 2020, the year of COVID. That’s a very big niche. If your podcast can catch even a small percentage of that, it can become very big indeed.

There’s an opportunity here. What do we do about this, in the WordPress ecosystem?

We need to make sense of what podcasting needs. Podcasters do not need just to create the podcast and that’s it, but they have bigger goals, and that’s where WordPress can particularly fit in. Among others, podcasters will need to:

• Set-up a shop to sell merchandise
• Create and publish the content associated with the podcast
• Set-up mailing lists, and ask the listeners to come back to the podcast again and again

Podcasters can grab their listeners’ attention with the podcast, but with WordPress they can turn that attention into action. Podcasting can be used as a means to get traffic to your website, to get people into your funnel, not unlike blogging does.

Many WordPress plugins have been created to satisfy niche topics. For instance, in the WordPress plugin directory there are several plugins that help organize sermons online. When creating a site managing sermons, which plugin should be used? Even though a generic plugin can do, as these plugins target this specific need, website creators will very likely give them a shot first.

The opportunity is that the same can happen concerning podcasting. Anyone can create a podcasting plugin, or even tweak the UI of an existing plugin, to embrace a specific niche market for podcasting.

WordPress can manage all of your content, including your podcasts. Indeed, thanks to the growing availability of data around the world, and CDNs, it’s easy to host the podcast files and distribute them through your site.

The best way to grab people’s attention is to make things easy. The new breed of podcasters are not prepared to spend a lot of time setting-up 10 or more plugins, integrating external APIs, and other tasks, as to be able to podcast. A successful podcasting plugin must then make it simple to organize the whole process in a single, easy step.

Let’s next analyze: Is podcasting the future of WordPress?

There are 60 million blogs and 2 million podcasts, so that’s only around 3%. It’s much harder to create a podcast than a blog. So podcasting will not replace blogging. But the market for podcasting is growing, so we can also get into this market.

Currently there’s no clear market leader for podcasting (as much as WordPress is for blogging, or YouTube is for videos). There are companies attempting to become the main podcasting platform, and WordPress can also become the one. It can certainly satisfy the needs, since WordPress provides an infinitely scalable platform. So, within the next 1 to 3 years, the actions taken by the WordPress community could define its influence with podcasting, whether it becomes a popular option or gets left behind by the alternatives.

What can we do about it? Here are some ideas:

The main task is to bring awareness that WordPress can be used for podcasting. In particular, podcasters who are already using WordPress can talk about their experiences. Also, if you own a blog, you can also create a podcast. You don’t need to be a presenter; you only need to be you. If you want to learn about podcasting you can google it, as there are thousands of tutorials out there to help you.

The main takeaways concerning WordPress and podcasting are:

Podcasting is not the future of WordPress. But it could be a major part of it. WordPress is meant to democratize publishing. But there’s even a bigger mission: to democratize communication.

Everyone has a part to play to help bring awareness, and attempt to bring even more creators (artists, financial analysts, farmers, etc) to create their content using WordPress.

Accessibility for dyslexia

Maja Benke explains how to make our sites accessible for dyslexia. Here is the video.

Maja is dyslexic herself, so this is a very personal talk for her. Indeed, many people are dyslexic: 9 to 12% of the population (the number can change depending on the country and language, because the language can have an impact on dyslexia), and over 80% of people with some learning disability are dyslexic.

Dyslexia is a learning disability, and it’s a spectrum, meaning that it’s not the same for every dyslexic person, with each of them suffering in a different way (and the solution for each of them will also be different). Intelligence on dyslexic people is no different than in the average population. However, as the brain works differently, they will encounter difficulties in certain areas. For instance, they find it difficult to write words upon hearing them, and process written words into meaningful words upon reading them. This doesn’t mean dyslexic people are illiterate, only that they have trouble processing the information. Dyslexia does not grow away.

Dyslexia has negative side-effects on people, such as making them sensible to high contrast and producing a bad short-term memory, but also grants some positive side-effects, as making them creative and good at logical and conceptual thinking (due to the fact that their brains operate in a different way), and as such we will find that many mathematicians, designers and developers are dyslexic.

In addition to the difficulty of processing text while reading it and writing dictated text, dyslexia also produces words to be often spelled differently, easily overlooked (which is particularly problematic when the overlooked word is “not”, as it completely changes the meaning of the sentence), more difficult to understand (particularly double negations, such as “I don’t disagree” being more difficult to understand than “I agree”), and words and even lines in the paragraph get swapped.

It is not easy for a dyslexic person to explain the effects to a non-dyslexic person, so fortunately there is the Funkify extension for Chrome that helps us experience the web and interfaces through the eyes of people with dyslexia and other abilities and disabilities.

The dyslexia can be more or less problematic depending on different factors, including the time of the day, the energy and stress level of the person, and the environment (how noisy or comfortable it is). When there are blinking elements, it can be really hard to focus.

Let’s explore the tools that can help dyslexic people.

Concerning reading on paper, a colored foil (such as yellow or orange) can help reduce the contrast of the page, and a ruler can help magnify the text, and provide a focus on the line being read.

On digital, several tools can help:

• Using different color modes: light/sepia/dark mode
• Speech output for text can read the text to you
• Dictate text instead of writing
• The Firefox Reader mode (and browser extensions) allows to change the layout of the page, including colors, font size, font family, and width of the layout
• Text shortcuts in device settings can help avoid writing (and spelling mistakes)

As not everyone is using a tool (for instance, they may not own the computer they are currently using), it’s important to design our websites for dyslexia. Let’s see what we can do.

Concerning fonts:

• Font style: at least 16px
• Line-height: at least 1.5
• Use readable font families
• Don’t use uppercase or italic, as it’s harder to read
• Make sure similarly-looking characters are easy to tell apart: "I", "l" and "1", "0" and "O", "g" and "q", "B" and "8", and others
• Use a font family designed specially for dyslexia (possibly as a secondary option), such as Open Dyslexic and Atkinson Hyperlegible

Concerning layouts:

• Reduce the width of the layout to between 400px and 700px optimally
• Use white space generously so eyes can rest
• Don’t use text blocks, loosen them a bit (eg: with white spaces) to make them more inviting for reading
• Have a clear layout: first the headline, then sub-headline and description, and then the content, otherwise it becomes confusing
• Don’t use justify for content, as the space between text changes, making it harder to read, and don’t center text for long sentences, as there’s no line to orientate the person

Concerning colors:

• The contrast must be high but not so high, or there will be people (depending on their cognitive spectrum) who won’t be able to read it
• Background should not be white, better off-white
• Font not black, better dark grey, dark blue or similar
• Avoid contrasts using pure colors, such as red text on a green background, which is hard to read
• Offer dark mode as an option instead of using it directly, as not everyone can read from it

Let’s explore next what we can do concerning content creation for dyslexia, to make sure that people can read the text.

• Don’t assume knowledge: if there’s some knowledge the reader needs to know to understand the text, mention it
• Place the most important information at the beginning: don’t force people to read the whole article and only at the end is the information they need, as reading for dyslexic people takes a lot of energy
• Summarize content concisely and as briefly as possible
• Loosen up text with text elements: heading, lists, quotations
• Allow the text to be scanned by using meaningful sub-headers

Concerning sentences:

• One piece of information per sentence
• Use short paragraphs
• Meaningful links and buttons: “click here” has no meaning, so placing the link there makes it confusing, especially with screen readers
• Avoid foreign words and filler words, as they add noise and make it more difficult to focus on the meaningful content
• Use active language
• Plain language can help, by describing things in easier ways, reducing complexity

Concerning abbreviations:

• Common abbreviations can help with reading, but make sure they are spelled correctly
• Abbreviations should otherwise be avoided, or explained clearly in the text in advance
• Don’t write out numbers as words, better as digits
• Don’t write things like “n8” for “night” or “u” for “you”

Concerning composition:

• Don’t use only text, as it can be hard to understand: support text with visual elements, such as images, videos, gifs and emojis
• Create graphics and diagrams to visualize complex facts
• Mark sarcasm and irony with emojis or gifs

Concerning gifs:

• Don’t let gifs run in an endless loop, because the animation’s movement can be distracting
• Animations/blinking elements/popups must be possible to deactivate
• Write alt text

Concerning audio/video:

• Offer content not only in text, but also as audio or video
• Add transcription, close captions and subtitles to make the video content accessible to other users as well

Please notice that these items are useful not only for people with dyslexia, but other people as well, such as learners of a different language.

Let’s analyze next what we can do when developing for dyslexia. Concerning HTML5 and settings:

• Mark up content areas and text properly, so that tools such as screen readers work properly
• Use the language tag; for instance, text in German must be given the German tag, or a screen reader might use a voice in English to read it, which is hard to understand
• Search fields should tolerate typos, as dyslexic people may not notice typos and then they will be frustrated with no search results
• Offer animations in slow motion (by default) or avoid them
• Respect the “no motion” device settings
• Offer dark mode, or adopt the system settings

Let’s see what we can do concerning collaboration with dyslexic colleagues and contributors:

• Summarize conversations when handing over a ticket, as these can be really long and take a lot of energy to process
• Don’t force others to read out loud
• Make sure colleagues can work without distraction, as neuroatypical people can get distracted easily
• Be respectful; for instance, don’t point out spelling mistakes, as these will happen, and in any case there’s software that can fix these automatically

Creating a paid newsletter subscription in WordPress

Laura Nelson explains how we can create a paid newsletter subscription in WordPress. Here is the video.

A paid newsletter uses the subscription model, to send emails on a regular schedule with content that’s exclusive or not readily available elsewhere.

Convenience plays a part in why people will pay for content to be delivered to them on a regular basis. As there are hundreds, if not thousands, of pieces of content that a person can read on any single day, the paid newsletter will deliver exactly the content that the person wants to read, directly to their inbox without them having to look for it.

Let’s see some examples:

• Heated was launched in 2019 to discuss issues concerning climate change. It’s proven so successful that it has allowed its author, Emily Atkin, to work full time on it, earning her a six-figure income from thousands of subscribers at u$d8/month or u$d75/year
• Daily Coding Problem operates on the freemium model, providing coding challenges that may be asked during job interviews, and the corresponding solutions only to paying subscribers; at u$d9/month or u$d90/year, it achieved u$d2000 monthly recurring revenue in its first few months
• Jack’s Flight Club also operates on the freemium model, researching and providing information on great promos for flying and, for the paying subscribers, delivering the best deals; it starts at £3.25/month, and it has over 1 million subscribers over the UK and Europe

It’s not only important what a paid newsletter is, but also what it is not: a series of sales or promotional emails. Nobody will pay for that.

Why would you want to create a paid newsletter? You could benefit from:

• Relationships with your customers or community
• Establishing yourself as a thought leader or expert in a specific field, and allowing you to build a reputation
• Recurring revenue: you sell it once, and you get an income from it continuously

How much could you earn from it? It depends. You’ll need to consider:

• Industry: is a newsletter suitable?
• Exclusivity: can the information you’re sharing be obtained elsewhere?
• Value: are you providing any value? Is it worth paying for?
• Audience: do you have an existing network, or you’re building one from scratch? Is email the right channel to reach them?
• Competition: is someone else charging for similar content or, even worse, giving it away for free?
• Churn: you won’t be able to keep all of your subscribers forever

Here’s how it could look:

A benefit of newsletters is that the volume of work will not increase as your list gets bigger. So it doesn’t matter if you have 10 subscribers or 10000, it’s just 1 email that you need to work on.

What can you write about? Here are some ideas:

• Long-form content/journalism
• Exclusive deals
• Educational content
• Digital downloads
• Analysis and opinion
• Webinar access
• Early access to new features/content
• Reports and research

How to create a paid newsletter in WordPress? These 3 tools provide a way (additional WooCommerce extensions, such as for payment gateways, may also be needed):

• WooCommerce (free)
• MailPoet (free)
• WooCommerce subscriptions (commercial extension)

In the video, Laura gives a demonstration using these 3 tools. The website hosting the newsletter looks like this:

We create a segment in MailPoet to create a group of subscribers to receive the newsletter:

We create the content of the newsletter in the editor:

Finally we send the newsletter:

On the subscriber’s inbox, the newsletter looks like this:

On top of that, there are several extras you can add for your paid newsletter:

• WooCommerce memberships
• Fast checkout
• “My account” page for your subscribers

Why use WordPress instead of alternative options such as Substack or Patreon? Because, with WordPress:

• Everything’s in one place: not only the newsletter content, but also the website
• You can run it alongside your existing business/website
• Familiar tools and interface
• You own your newsletter business
• It can work out cheaper

Finally, these are some tips for managing a successful paid newsletter:

• Make a plan, as preparing the content can take time
• Use an email sending service, make sure your emails land in the person’s inbox and not spam
• Proactively ask for feedback, asking subscribers what works and what not
• Never use a no-reply email address, or subscribers will get the impression they can’t talk to you
• Monitor your stats
• Only deliver what you promised
• Make it easy to say goodbye

Enhancing performance in an open-source CMS ecosystem

Felix Arntz shares about the efforts being undertaken to enhance performance in an open-source CMS ecosystem. Here is the video.

What is the current state of performance in CMSs, and how has it evolved over the past years? Looking at core web vitals we can get an idea:

WordPress sites have notably improved over the last couple of years, enhancing its score by 104%. However, the improvement is low compared to other, proprietary CMSs: in the same period, Duda improved 282%, and Wix had a massive performance improvement of 970%.

What’s the difference between open-source CMSs (such as WordPress) and proprietary CMSs (such as Wix and Shopify)? Open source CMSs:

• Have their source code public
• Are typically distributed, can be hosted anywhere
• Tend to be operated by some sort of foundation and maintained by volunteers
• Are not owned by a company

Proprietary CMSs, on the other hand, are private: they are owned, maintained and controlled usually by a single company.

The good core web vitals from all open source CMSs (including WordPress, Joomla, Drupal, Magento, and others) currently stands at 36.2%, which is a 69% improvement over two years before. Proprietary CMSs currently rank a better score at 44.1%, having improved over 300% in the last two years.

WordPress is still the most popular CMS in the planet, however when paying attention to the relative growth, it doesn’t look as good. While WordPress is still the fastest growing open source CMS, proprietary CMSs are growing faster:

Proprietary CMSs are leading in performance because they own and manage their own environment and use a controlled stack, which can be optimized to their specific needs. Open source CMSs on the other hand are distributed: you can host WordPress on any hosting provider and it must work on any of them, which makes it more challenging to provide enhancements, whether performance or of any other kind.

Another advantage for proprietary CMSs is their more controlled ecosystem, having a limited number of extensions available. This is due to the extensive processes required to have an extension approved. These process make it almost unfeasible for individuals to create their own extensions.

Finally, as proprietary CMSs are typically operated by a single company, this drastically reduces the amount of discussion needed to apply performance enhancements: decisions get made by some higher-up people, and then everyone in the company works on it. In WordPress, you need to advocate for new features for months and get plenty of buy-in before these get approved and merged into core.

WordPress allows you to do anything. This is wonderful, but it also means that any new feature must be extensively tested to make sure that it works everywhere, or at least that it doesn’t break anything, and that’s a humongous challenge. Proprietary CMSs do not have this same limitation.

But proprietary CMSs have been successful with performance not just because it’s easier for them, but also because they have made the right call, making performance their top priority. WordPress can learn from them: we must also prioritize performance and user experience. And we have finally started to do so, with the creation of the WordPress performance team in October 2021.

The WordPress performance team is a dedicated working group to tackle monitoring, enhancing, and promoting performance in WordPress core and its surrounding ecosystem. It materialized after the realization that only a handful of areas were producing the most negative impacts to the performance of WordPress, which means that by focusing on only a few areas we can produce great improvements.

Given the size of WordPress, increasing its performance also means increasing the performance of the web.

The performance team has the following goals:

• Improving performance at scale through WordPress core
• Facilitating decision making based on performance metrics
• Raising performance awareness in the ecosystem

The way to proceed and test the proposed new features is through the Performance Lab plugin, a collection of the modules enhancing performance, each of which should eventually be merged into WordPress core. The plugin allows to individually enable and test the modules, and provide feedback to further improve the solutions before they are merged into core.

The lifecycle of a performance module is:

1. Module proposal
2. Exploration and definition
3. Core feature proposal
4. Module implementation
5. Core merge proposal
6. Core patch
7. Core merge

Even though being so young, the performance team has already landed enhancements in the last two releases of WordPress:

• Enhanced lazy-loading performance in 5.9
• Taxonomy performance improvement in 6.0
• Caching improvements in 6.0

These enhancements were simple, yet they delivered great results to millions of sites that now load their pages faster.

The Performance Lab version 1.0.0 was released on April 2022, containing the following enhancements:

• WebP Uploads: Creates WebP versions for new JPEG image uploads if supported by the server
• WebP Support: Adds a WebP support check in Site Health status
• Audit Autoloaded Options (experimental): Adds a check for autoloaded options in Site Health status
• Audit Enqueued Assets (experimental): Adds a CSS and JS resource check in Site Health status
• Persistent Object Cache Health Check: Adds a persistent object cache check for sites with non-trivial amounts of data in Site Health status

Upcoming modules and developments include:

• The dominant color module, to show a backdrop color while the image is loading
• Improving the concept of making WebP be the default image format after the critical feedback provided by members of the community
• Provide more accurate responsive image sizes
• Release performance measuring tools, including a CI tool that analyses performance in front-end and back-end code and reports performance wins or regressions on each commit
• Create a WordPress plugin checker to suggest best practices to plugin developers

Being optimistic, in a couple of years, good core web vitals in WordPress could look like this:

Conclusion

The WordCamp Europe 2022 conference may be over, but I’m sure this one in particular will linger in the hearts and souls of many of the attendees for months to come, at least until WordCamp US 2022, which is the next big in-person conference to take place.

I couldn’t attend the conference, but I did enjoy it tremendously nevertheless, as the speakers delivered great-quality presentations that we could all watch online. In this article I picked 5 talks, but there are many more worth watching, so go check them out.