Wordpress expert.
1998 stories

Gutenberg Accessibility Audit Postponed Indefinitely

1 Share
photo credit: pollascc

Discussion surrounding Gutenberg’s independent accessibility audit is heating up. Two weeks ago, Matthew MacPherson, who was named WordPress 5.0’s new accessibility lead, proposed the audit and agreed to it being performed by an independent third party. The audit had gained strong support among accessibility contributors and others following the ticket.

After soliciting detailed proposals from four companies, MacPherson has since rescinded the offer to coordinate the audit at this time and it seems he was unaware that he didn’t have the authority to authorize it in the first place.

“For at least the time being, Automattic has decided to forgo conducting an Accessibility audit on Gutenberg,” MacPherson said. He cited the following reasons:

  1. “an audit will not be actionable given our release timeline, because…
  2. the audit will not affect release timing, so…
  3. it would be more prudent to explore an audit on a less rushed timeline in the future”

MacPherson apologized for “getting hopes up and then failing the community” on this particular issue. He is supportive of getting an audit but it is not a priority to complete before Gutenberg’s merge proposal.

“I’m hopeful we’ll explore an audit going forward, but unfortunately it will not happen before the merge proposal and thus I’m closing this issue as a won’t fix,” MacPherson said. “I would still like to blog about the state of Gutenberg accessibility, both the good and the bad. We’re making some improvements to keyboard navigation, color contrast, focus behavior, and date/color-pickers just this week.”

Those following the ticket were disappointed in the decision and several heated replies have been hidden and/or moderated. The issue has since been locked and unlocked several times since the announcement that Automattic has decided to forgo the audit.

“Literally every person with disabilities who has tested Gutenberg, both recently and at the outset, has flagged blocking issues as to why it’s not accessible,” Accessibility team member Amanda Rush said. “And user testing is just as important to accessibility as is WCAG 2.0 level AA compliance.”

Because MacPherson said the decision came from Automattic, dissidents on the other side of the issue are saying that the company is acting in its own interests, as the decision was delivered without much explanation beyond an audit not fitting into Gutenberg’s timeline.

“The idea of accessibility being punted to meet a release deadline is what people have been worried about for over a year, and those concerns have not been alleviated,” Morten Rand-Hendriksen said during a recent Accessibility team meeting on Slack before the audit was post-poned. “A clear message about what would happen should the audit come back with substantial issues and recommendations would greatly improve communication and take some of the tension out of the conversation in my opinion.”

In response to one contributor asking how the audit might affect Gutenberg’s timeline, MacPherson said he doesn’t have veto power over the release, nor does he have the data to make that assessment.

“I’m still not convinced there are sufficient Accessibility issues that prevent a release,” MacPherson said. “If the second point changes, I’ll relay that info. I plan to be an advocate, but I don’t set the timelines and I also don’t have solid data around accessibility. That’s the point of the audit: so we can speak from a place of hard data.”

An independent accessibility audit would have revealed whether the team’s current perceptions of Gutenberg’s lack of accessibility are accurate or inflated. It would also give the team’s new leadership the data he needs in order to make the most accurate recommendations regarding its readiness for the world. Kevin Hoffman advocated for pushing on with the audit regardless, in case WordPress 5.0 comes on a later timeline.

“The January 22, 2019 date would allow more than three months between today and the release of 5.0 to complete an audit and take action,” Hoffman said. “The reasons above suggest that we cannot get an audit completed and significantly improve accessibility in three months time. If true, that is all the more reason to start the process now and respond to the audit by fixing as many issues as we can before 5.0 releases.

“The idea that the timeline will become less rushed after 5.0 (when it’s in the hands of real-world users who need it most) makes no sense at all.”

While Twitter’s court of public opinion cannot answer the question of whether or not Gutenberg is accessible, an independent audit would give contributors a good shot at resolving the most critical issues.

“I really like the idea of a professional audit, though I don’t recall us ever doing one of these in WordPress, certainly not a condition for a release,” Gutenberg merge lead Gary Pendergast said. “I’d love to see something like it happen at some point. WordPress has always tried to get most of the way there on accessibility by sticking to common patterns and semantics, with the difference covered by key efforts of volunteers everyone on the Accessibility team doing testing and filing actionable bug reports. Gutenberg’s move to being an entirely JavaScript-based application has made it harder to apply those patterns, but we can work together to establish new patterns, a new baseline.”

Although there is no precedent for it, in this instance where Automattic’s perception of the editor’s accessibility differs wildly from that of the community, an outside audit might mitigate some of the conflict surrounding the issue.

Pendergast said that despite best intentions and prioritizing accessibility, there is a possibility the Gutenberg team may not be able to deliver an “acceptable UX for assistive technology users by the time 5.0 is released.”

“I’m sorry,” Pendergast said. “Despite the best intentions of everyone on the Gutenberg team, we haven’t done enough. I can honestly say that accessibility has always been a priority, but it hasn’t been a high enough priority, and we’ve done a poor job of communicating where accessibility has been improved. I mentioned some of those improvements in my earlier comment, but those improvements are of no benefit if we haven’t hit the baseline accessible experience.”

The challenge of building in accessibility at the design stage, instead of retrofitting it after the fact, is one that WordPress is still struggling to get right in the Gutenberg era. Accessibility experts with React skills are few and far between, so it’s not easy to get fixes for all the issues testers are finding.

“In some meetings we’ve discussed how to make accessibility integrated in the design process (design in its broader sense) since the beginning,” Accessibility specialist Andrea Fercia said during the team’s most recent meeting on Slack. “This is certainly an area were our communication and knowledge sharing should improve.”

Read the whole story
Share this story

Introducing Twenty Nineteen

1 Share

Gutenberg grants users an unprecedented level of freedom to customize their site’s layout and design. In order to fully achieve their vision, users will need a new generation of flexible themes, built to take advantage of the creative freedom that Gutenberg offers.

With that in mind, WordPress 5.0 will launch with a brand new default theme: Twenty Nineteen. The theme will be be led by @allancole, supported by @kjellr as a design coach.

Twenty Nineteen Theme, Blog Post Example
Twenty Nineteen Theme, Homepage Example

Full page mockups: Low-resHigh-res
InVision prototypes: Post Desktop, Post Mobile, Homepage Desktop, Homepage Mobile

At the core of Twenty Nineteen is its simple, sophisticated typography. The theme’s aesthetic is minimal and non-prescriptive, allowing the theme to work well in a variety of applications. For example: it is effective as an minimal, typography-driven blogging theme, but can also be adapted for use as a static business website.

Twenty Nineteen will ship with full Gutenberg support. It will include both front and back-end styles, so that users can be fully confident in their site’s appearance when they hit publish.

Twenty Nineteen Theme, Gutenberg Editor Styles Mockup


As mentioned in the release plan, WordPress 5.0 will be released on November 19th, 2018, so this is a faster-than-usual theme build. The first release candidate is estimated for the end of October, so we’ll want to have a working version of the theme ready by then. Because of time limitations we may remove Twenty Nineteen from 5.0 if it is not ready in time for launch.

Get Involved

If you are interested in contributing, please be sure to follow this blog. During the design and development process, there will be weekly half-hour meetings every Tuesday at 16:00 UTC in #core-themes, beginning today, October 16, 2018.

Theme development will happen on GitHub and in the interest of time, an in-progress version of the theme code has been uploaded here: https://github.com/WordPress/twentynineteen. Once the theme is stable, it will be merged into core and the GitHub repo will be depreciated.

Some notes:

  • The theme is based on both _s and the gutenberg-starter-theme.
  • SASS is used in some key areas which has been helpful for keeping styles in-sync between the Gutenberg editor, and the front-end experience. This is not usual for a default theme and open to debate.
  • There is plenty of work left to do too and issues will be created in the coming days to help guide the process.

Learn more

If you’re interested in learning more about default themes, you can read the following posts:

Read the whole story
Share this story

What’s new in core-privacy

1 Share

Below is a summary of the discussion from this week’s #core-privacy chat. You can read the chat in its entirety in Slack. This summary highlights current work and also provides a view into how this relatively new team is working together to further privacy awareness following the success of its V1 GDPR-specific focus.

Ticket milestone changes

As a result of 4.9.9 being removed from the schedule in favor of a Gutenberg only 5.0 release, 25 core-privacy tickets scheduled for 4.9.9 have been punted to either 5.0.1, 5.1, or Future Release. These included some which were already committed to trunk and backported to 4.9.9, as well as some marked commit which will not be shipped with 5.0. Each ticket will be reviewed and evaluated for release with either 5.0.1 or 5.1. Each ticket can be re-milestoned when the scopes and timelines of these releases become more clear.

Impacted tickets include #44038, #44044, #44051, #44081, #44084, #44135, #44175, #44179, #44267, #44314, #44550, #44621, #44644, #44669, #44674, #44677, #44707, #44723, #44761, #44822, #44833, #44901, #43438, #44233, and #44236.

The component’s focus until post-Gutenberg will shift to the (currently) 31 bug tickets, with a goal of marking at least 75% of them as ready for commit.

@allendav and @desrosj will also use the feature and enhancement freeze to address #43895, which aims to properly organize the privacy code introduced in 4.9.6 within the codebase.

A full list of privacy tickets can be found in Trac.

Bug scrubs are led by @desrosj every Monday. The next one will be held October 15, 2018 at 15:00 UTC in the #core-privacy room on Slack.

Future major release

There was agreement that advocating for Privacy to be a focus for a future major release (possibly 5.2) would be very helpful to land the features outlined in the V2 roadmap. The timing of two pieces of legislation of particular interest would potentially coincide with that release schedule, allowing those features to be shipped prior to the effective dates.


The V2 roadmap moves beyond the enhancements and fixes to the V1 GDPR privacy tools to address general areas of privacy and data protection outside legal requirements. Its scope includes:

  • Core privacy features
    • Gravatar privacy controls
    • Embed privacy controls
  • Plugin privacy
    • For administrators
    • For developers
  • Consent and logging
  • WP-CLI support
  • Multisite support

This week, those in attendance agreed to add two upcoming privacy issues within legal requirements – the US California Consumer Privacy Act (CCPA), and the EU ePrivacy Directive overhaul – to the roadmap. It is anticipated that these two pieces of privacy legislation will create the most obligations for WordPress site administrators in 2019. Team members will continue to monitor each law carefully. Once the specific requirements are announced by each respective government, a discussion of what functionality may need to be created to allow site administrators to meet their requirements well ahead of compliance deadlines will be had.

@idea15 is the lead for monitoring and evaluation of privacy legislation. @idea15 and @riankinney are working on an analysis of CCPA.

They are also monitoring other privacy legislation, including individual US state requirements as well as that of countries like Brazil, to anticipate possible future work.

Gutenberg review

@allendav is reviewing Gutenberg for any potential privacy issues stemming from CDNs, telemetry, or other issues, and will document his findings. Please make him aware of any concerns. He also welcomes privacy evaluations of Gutenberg from non-Automattic testers for transparency’s sake.

#45057 is currently the only Gutenberg blocker from a Privacy standpoint.

Cross-platform privacy working group

At Drupal Europe, @idea15 and Chris Teitzel from the Drupal core privacy team gained enthusiastic support from Dries Buytaert for a proposed cross-platform privacy working group. This group would create a forum for the core privacy teams from all major open source CMS projects (WordPress, Drupal, Joomla, Typo3, etc), to engage, share resources, compare experiences, and periodically meet in person to discuss privacy issues on the social, legal, and code levels. The group, which would be run through the Drupal community structure, may receive some funding. @idea15 will update the WordPress core privacy team in the next fortnight with news.

Group meta issues

  • Our current weekly office hours time of 1500 UTC on Wednesdays does not work for most participants. If you are interested in attending the weekly office hour meetings, please fill out this Doodle poll to identify a better time.
  • The component will be more diligent about posting agendas and meeting summaries on the Make core blog. New contributors are encouraged to volunteer, as this is a great way to get involved. @desrosj, @idea15, and @allendav will ensure these are posted when there are no volunteers for that week.
  • The team will discuss and choose team reps, in response to a discussion during the weekly Core dev chat of whether the core-privacy group is a team in addition to a component and focus.
  • @allendav will research more privacy-conscious document and collaboration tools outside Google docs.

Next Meeting

The next office hours will be held on October 17, 2018 at 15:00 UTC in the #core-privacy room on Slack.

Read the whole story
Share this story

WordCamp for Publishers Seeks Host City for 2019

1 Share

WordCamp For Publishers’ distributed organizing team is looking for a new host city in 2019. The industry-focused camp gathers together professionals who use WordPress to manage publications. This year’s successful event hosted speakers who highlighted important topics, such as ethics in journalism, the open web, AMP, Gutenberg, and communication between tech and editorial teams.

The inaugural edition of this camp was held in Denver (2017), followed by Chicago this year. A few people on social media have lobbied for cities like Los Angeles and Detroit, but the decision rests on the availability of local organizers to handle the logistics of the event. These duties include facilitating venue coordination, swag delivery, and other things that need to happen on the ground.

Based on the call for host city applications, it seems that applicants do not need a large team behind them, since there’s already an existing organizing team. Applicants need only the availability to coordinate local preparations.

Individuals or teams who are interested to host the event in 2019 can submit an application. Organizers said they have a preference for cities that are “underrepresented media markets” where attendees may not see as many of these types of events.

Read the whole story
Share this story

WordPress Database Upgrade Phishing Campaign

1 Share
WordPress Database Upgrade Phishing Campaign

We have recently been notified of phishing emails that target WordPress users. The content informs site owners that their database requires an update and looks like this:

The email’s appearance resembles that of a legitimate WordPress update message, however the content includes typos and uses an older messaging style. Another suspicious item in the content is the deadline. WordPress wouldn’t define deadlines without a valid explanation, and hosting providers wouldn’t either (if you believed the email was from them).

Continue reading WordPress Database Upgrade Phishing Campaign at Sucuri Blog.

Read the whole story
Share this story

Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins

1 Share
Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins

This August, we’ve seen a new massive wave of WordPress infections that redirect visitors to unwanted sites.

When redirected, users see annoying pages with random utroro[.]com addresses and fake reCAPTCHA images. The messages and content try to convince visitors to verify and subscribe to browser notifications without disclosing the purpose of this behavior.

Alternative redirect URLs include:


Injected Scripts

The injected malware involves a script from one of the following two sites: cdn.eeduelements[.]com and cdn.allyouwant[.]online.

Continue reading Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins at Sucuri Blog.

Read the whole story
Share this story
Next Page of Stories