#AdvancedCustomFields

DefectiveWings ✈️ (@DefectiveWings@infosec.exchange)
2025-02-18

If you are running a #WordPress site and are looking for options to get your content out and served elsewhere, I've written a WordPress #plugin that exports content to #GravCMS.

The newest build of the plugin generates a GravCMS plugin so you'll be able to use whatever Grav theme you'd like!

Posts export as #markdown pages
Other content includes media, taxonomy, categories, site metadata, users, and roles.

If you use #AdvancedCustomFields , those transfer too!

github.com/jgonyea/wp2grav_exp

2025-02-18

If you use this kind of contrast in an interface design, be aware that for users who don't have a good-quality or properly calibrated screen, or who have imperfect vision... it's just white on white.

To name names, #AdvancedCustomFields on #Wordpress uses this level of contrast to structure its plugin (tables, etc.). It's 💩.
Unreadable. 2 million users. Can't even manage a minimally visible contrast. 😤😤

siegemedia.com/contrast-ratio#

2024-10-22

Update: as expected, #AdvancedCustomFields now offers official support for installing the free version using Composer: advancedcustomfields.com/resou. #WordPress

FeralRobots
2024-10-16

Color me unsurprised that Dave Winer has sided with Matt. 'Oh poor Matt, I know exactly what it feels like to be a person with perfectly pure motives who's being taken advantage of by worthless freeloaders.'

Dave, my dude: Poor Matt just executed a massive supply chain hack on every user of . You gonna say you endorse that? (Knowing his history, I expect he would.)

scripting.com/2024/10/15/17074

I can't imagine that Matt would make such a big deal out of this if it weren't actually a big deal. He probably knew in advance how disruptive this would be. And I imagine the others knew it would be too and counted on him not wanting to make a fuss.
FeralRobots
2024-10-16

So didn't just fork , they also forced-installed it on all WordPress sites that were using WordPress dot org as their plugin repo - which is virtually all WP sites.

This is beyond fucked up.

Yes, I get they had a legal right to do a fork. They had no ETHICAL right to switch my sites from one plugin to another, without a compelling security case, which let's be clear DID NOT EXIST.

I'll say it again: is a living supply chain vuln & needs to go.

Screenshot from WordPress 'Installed Plugins' screen: Secure Custom Fields
Deactivate
Secure Custom Fields is a fork of the Advanced Custom Fields plugin, which will be maintained by WordPress.org, for security and functionality updates.

Version 6.3.6.2 | By WordPress.org | View details
There is a new version of Secure Custom Fields available. View version 6.3.6.3 details or update now.
Scott Arciszewski (@scottarc@infosec.exchange)
2024-10-15

Last word from me for a while on the WordPress / Automattic / WPEngine / ACF/SCF discussion, and how it intersects with software security, supply chains, and trustworthy computing.

scottarc.blog/2024/10/14/a-wor

#WP #WordPress #WPEngine #AdvancedCustomFields #SecureCustomFields #PHP #Mullenweg

2024-10-14

The popular ACF plugin listing has been taken over by WordPress amid a legal dispute with WP Engine. WordPress replaced it with a “forked” version, named Secure Custom Fields, citing safety guidelines, and sparking controversy among the WordPress community.
alternativeto.net/news/2024/10

#ACF #AdvancedCustomFields #WordPress #WPEngine #Automattic #MattMullenweg

Semantically Secure (@scottarc.blog@scottarc.blog)
2024-10-14

As I write this, the most recent big move by Matt Mullenweg in his ongoing dispute with WP Engine was to abuse his position to seize control of a WP Engine owned plugin, justifying this act with a security fix. This justification might, under other circumstances, be believable. For example, if WP Engine weren’t actively releasing security fixes.

Now, as I wrote on a Hacker News thread, I’d been staying out of this drama. It wasn’t my fight, I wasn’t deeply familiar with the lore of the players involved, etc.

BUT! This specific tactic that Mullenweg employed happens to step on the toes of some underappreciated work I had done from 2016 to 2019 to try to mitigate supply chain attacks against WordPress. Thus, my HN comment about it.

Mullenweg’s behavior also calls into question the trustworthiness of WordPress not just as a hosting platform (WP.com, which hosts this website), but also the open source community (WP.org).

The vulnerability here is best demonstrated in the form of a shitpost:

“Matt” here is Mullenweg.

I do not have a crystal ball that tells me the future, so whatever happens next is uncertain and entirely determined by the will of the WordPress community.

Even before I decided it was appropriate to chime in on this topic, or had really even paid attention to it, I had been hearing rumors of a hard-fork. And that may be the right answer, but it could be excruciating for WordPress users if that happens.

Regardless of whether a hard-fork happens (or the WordPress community shifts sufficient power away from Mullenweg and Automattic), this vulnerability cannot continue if WordPress is to continue to be a trustworthy open source project.

Since this is a cryptography-focused blog, I’d like to examine ways that the WordPress community could build governance mechanisms to mitigate the risk of one man’s ego.

Revisit Code-Signing

The core code, as well as any plugins and themes, should be signed by a secret key controlled by the developer that publishes said code. There should be a secure public key infrastructure for ensuring that it’s difficult for the infrastructure operators to surreptitiously replace a package or public key without possessing one of those secret keys.

I had previously begun work on a proposal to solve this problem for the PHP community, and in turn, WordPress. However, my solution (called Gossamer) wasn’t designed with GDPR (specifically, the Right to be Forgotten) in mind.

Today, I’m aware of SigStore, which has gotten a lot of traction with other programming language ecosystems.

Additionally, there is an ongoing proposal for an authority-free PKI for the Fediverse that appears to take GDPR into consideration (though that’s more of an analysis for lawyers than cryptography experts to debate).

I think, at the intersection of both systems, there is a way to build a secure PKI where the developer maintains the keys as part of the normal course of operation.

Break-Glass Security with FROST

However, even with code-signing where the developers own their own keys, there is always a risk of a developer going rogue, or getting totally owned up.

Ideally, we’d want to mitigate that risk without reintroducing the single point of vulnerability that exists today. And we’d want to do it without a ton of protocol complexity visible to users (above what they’d already need to accept to have secure code signing in place).

Fortunately, cryptographers already built the tool we would need: Threshold Signatures.

From RFC 9591, we could use FROST(Ed25519, SHA-512) to require a threshold quorum (say, 3) of high-trust entities (for which there would be, for example, 5) to share a piece of an Ed25519 secret key. Cryptographers often call these t-of-N (in this example, 3-of-5) thresholds. The specific values for t and N vary a lot for different threat models.

When a quorum of entities do coordinate, they can produce a signature for a valid protocol message to revoke a developer’s access to the system, thus allowing a hostile takeover. However, it’s not possible for them to coordinate without their activity being publicly visible to the entire community.

The best part about FROST(Ed25519, SHA-512) is that it doesn’t require any code changes for signature verification. It spits out a valid Ed25519 signature, which you can check with just libsodium (or sodium_compat).

Closing Thoughts

If your threat model doesn’t include leadership’s inflated ego, or the corruption of social, political, and economic power, you aren’t building trustworthy software.

Promises and intentions don’t matter here. Mechanisms do.

Whatever the WordPress community decides is their best move forward (hard forks are the nuclear option, naturally), the end result cannot be replacing one tyrant with another.

The root cause isn’t that Mullenweg is particularly evil, it’s that a large chunk of websites are beholden to only his whims (whether they realized it or not).

One can only make decisions that affect millions of lives and thousands of employees (though significantly fewer today than when this drama began) for so long before an outcome like this occurs.

Edit of XKCD

If you aren’t immune to propaganda, you aren’t immune to the corruption of power, either.

But if you architect your systems (governance and technological) to not place all this power solely in the hands of one unelected nerd, you mitigate the risk by design.

(Yes, you do invite a different set of problems, such as decision paralysis and inertia. But given WordPress’s glacial pace of minimum PHP version bumps over its lifetime, I don’t think that’s actually a new risk.)

With all that said, whatever the WordPress community decides is best for them, I’m here to help.

https://scottarc.blog/2024/10/14/trust-rules-everything-around-me/

#AdvancedCustomFields #arrogance #automaticUpdates #Automattic #codeSigning #cybersecurity #ego #MattMullenweg #news #PKI #pluginSecurity #powerCorrupts #SecureCustomFields #security #softwareGovernance #supplyChain #supplyChainSecurity #technology #threatModels #trust #WordPress #WPEngine

Holy Trinity meme: The three corners (linked by "Is Not" to each other) are "WP.com", "WP.org", and "WP Foundation". The middle node (linked to the three corners via an "Is" relationship) reads "Matt".

Edit of XKCD's "Dependency" comic with the bottom arrow annotated with, "One person's ability to ignore their own ego when millions of dollars are at stake."
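As an added illustration of the t-of-N idea from the FROST section above (my own example, not code from the post or from RFC 9591): a trusted-dealer Shamir split of an Ed25519 secret scalar over the group order L, with the 3-of-5 parameters the post uses, showing that any 3 shares recover the scalar while 2 do not. FROST signers never reconstruct the key like this; each contributes a partial signature instead, so this shows only the threshold property, not the signing rounds. Function names are assumptions.

```python
import secrets

# Order L of the Ed25519 prime-order subgroup: FROST(Ed25519, SHA-512) shares
# the signing scalar in the field Z_L.
L = 2**252 + 27742317777372353535851937790883648493


def split_secret(secret, t, n, rng=secrets.randbelow):
    """Trusted-dealer Shamir split: n shares of `secret`, any t of which recover it.

    The dealer picks a random degree t-1 polynomial f with f(0) = secret and
    hands party i the point (i, f(i)). `rng` is injectable for deterministic tests.
    """
    coeffs = [secret % L] + [rng(L) for _ in range(t - 1)]
    shares = []
    for i in range(1, n + 1):
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation of f(i) mod L
            acc = (acc * i + c) % L
        shares.append((i, acc))
    return shares


def lagrange_at_zero(i, xs):
    """Lagrange coefficient for share index i, evaluated at x = 0, mod L."""
    num, den = 1, 1
    for j in xs:
        if j != i:
            num = num * (-j) % L
            den = den * (i - j) % L
    return num * pow(den, -1, L) % L


def recover_secret(shares):
    """Interpolate f(0) from the given (index, value) shares."""
    xs = [x for x, _ in shares]
    return sum(lagrange_at_zero(x, xs) * y for x, y in shares) % L


def threshold_demo(t=3, n=5):
    """Return (quorum_recovers, sub_quorum_recovers) for a fresh random scalar."""
    secret = secrets.randbelow(L)
    shares = split_secret(secret, t, n)
    quorum = recover_secret(shares[:t]) == secret
    sub_quorum = recover_secret(shares[: t - 1]) == secret  # false except with prob. 1/L
    return quorum, sub_quorum


if __name__ == "__main__":
    print(threshold_demo())
```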
2024-10-14

Wrote about the fear, uncertainty, and doubt (FUD) campaign surrounding #AdvancedCustomFields and #WordPress and how it's harmful: blog.goodbyeplease.com/2024/10

2024-10-13

If my workplace owns an #AdvancedCustomFields Pro license, does that mean, for the purposes of logging in to WordPress.org, we are "affiliated", "financially or otherwise," with WP Engine? Can I open a support ticket with someone to find out? #WordPress

WordPress is getting itself into quite a mess lately.
The latest is that they've stolen the URL of the famous "Advanced Custom Fields" plugin to promote their own plugin called "Secure Custom Fields". All without notice to or consent from the original author. And of course now users can't update it, among other problems. And all this after the misnamed "fork", the public accusations against GoDaddy, etc.
#wordpress #advancedcustomfields

2024-08-16

In collaboration with their internal designer, I built retrofit company "EcoFurb" a bulletproof, easy to update WordPress theme using Advanced Custom Fields, replacing an old "Divi" powered site 😀
ecofurb.com/
#wordPress #webDevelopment #advancedCustomFields

yellow and black themed homepage for retrofit company ecofurb - main text "Get all the quality-assured support you need for your home energy efficiency project"
2024-06-23

I'm not familiar with JSON at all in any way.

I want to do this: shorturl.at/6u8Jj

Is there a way to use my CPT and ACF to enter the data on a new post in the CPT using ACF and output it to a JSON file like that tutorial?

#JSON #WordPress #GoogleMaps #AdvancedCustomFields #ACF
