Now Available: WordPress 6.6

WordPress 6.6 has been released. In keeping with WordPress version numbering convention, 6.6 is a major release.

WordPress 6.6 brings a number of enhancements, including:

  • New design tools.
  • Updates to the publish flow.
  • Modern pattern management for Classic Themes.
  • API refinements and more.

Learn more about the highlights of WordPress 6.6.

For more details about this release (including specific changes), please see the announcement post and Field Guide.

Questions

If you have any questions related to this release, please open a support ticket, and we will be happy to assist.

New Release: Plugin Vulnerability notifications

We’re excited to announce plugin vulnerability notifications on WordPress VIP, enabling rapid triage and response from your teams, and enhancing your site’s security.

Effective immediately, key members of your team will automatically receive emails for HIGH and CRITICAL plugin vulnerabilities, ensuring you can take prompt action on essential security concerns. This critical notification feature is called “Important Alerts”.

Want more comprehensive coverage? Opt in to receive notifications for any vulnerabilities, all delivered through your preferred channels: Slack, Google Chat, Microsoft Teams, a webhook, or email.

We care deeply about the security of your applications running on the WordPress VIP Platform. One of the key methods we utilize to keep your application secure is vulnerability detection.

The VIP platform scans for vulnerabilities before deployment and at regular intervals after deployment, keeping you informed of vulnerabilities found. We scan the code in every pull request for known vulnerabilities before it is deployed, reporting results in easy-to-read GitHub comments. Deployed code is scanned for newly discovered vulnerabilities, which are reported on the VIP Dashboard plugins panel, where you can easily create a pull request to update the plugin and fix the issue.

Today, we’re adding notifications of all newly uncovered vulnerabilities discovered in your plugins. You can choose a combination of Slack, Google Chat, or Microsoft Teams, a general-purpose webhook URL, or an email address as destinations for plugin vulnerability notifications.

If we find a vulnerability with a severity of HIGH or CRITICAL, we will proactively push an Important Alert. Important Alerts are automatically emailed to all your Organization Administrators. You can easily add additional destinations from the array of supported communications channels, ensuring critical messages always reach the right members of your team or are routed to your own on-call management systems.

To manage your destinations for important alerts:

  1. For any organization, choose “Notifications” from the left-hand menu
  2. Choose “Manage Alerts” from the “Important Alerts” area near the top of the screen
  3. From the “Important Alerts” panel, you can add new or existing destinations, and remove any destinations previously added

To subscribe to newly discovered plugin vulnerabilities for an organisation or application:

  1. For any organization or any application environment choose “Notifications” from the left hand menu
  2. “Add Notification” and choose “Plugin Vulnerabilities”, then configure your notification as usual

If you have any questions or concerns related to this upcoming change, please open a support ticket and we will be happy to assist.

Reminder: VIP CLI Media Import Changes

As communicated previously, we’ve made some changes to the VIP CLI to enhance our media import tool:
vip import media [options] [command]

These changes are available on VIP CLI versions 3.1.0 and above. We had also mentioned that the prior versions of the media import tool will be deprecated, and will cease to function, starting July 15, 2024.

Please upgrade to the latest version of the media import tool by updating your VIP CLI installation. You can find more information on this in our documentation: https://docs.wpvip.com/vip-cli/installing-vip-cli/#update-vip-cli

Parse.ly Plugin 3.16: New Release and Default Version

We are happy to announce that version 3.16 of the Parse.ly plugin will become available in VIP staging environments on Tuesday, July 9, 2024. Before using it in production, we recommend testing the new release in staging.

This release will become the default in production on Tuesday, July 16, 2024, and all non-pinned environments will be auto-upgraded to this version. These changes do not affect customers who don’t use wp-parsely, or use an integration method outside of mu-plugins.

Release highlights

This release focuses on enhancements to Smart Linking, as well as providing a GUI for controlling access to the Content Helper’s AI features. It is also complemented by numerous bug fixes and smaller enhancements.

Smart Linking enhancements

  • Users can now review Smart Links before adding them to posts. This is done through a dialog that allows users to preview and approve or reject every Smart Link suggestion individually.
  • Using the same dialog, users can manage the post’s Smart Links at any time, as well as inspect inbound and outbound links.
  • We’ve included a handful of bug fixes related to Smart Linking in this release, including a fix to prevent duplicate Smart Links.

Content Helper AI feature permissions

  • It’s now possible to control access to the Content Helper’s AI features per User Role. For example, administrators can choose to limit access to Smart Linking to Editors only, and disable Title Suggestions for everyone.
  • Permission settings are currently available for Smart Linking, Title Suggestions, and Excerpt Suggestions. Permissions can be configured quickly and easily, using the Content Helper tab in the plugin’s Settings page. Custom User Roles are supported.
  • If needed, all the Content Helper features using AI can be disabled with a single click.

Call for Testing: Jetpack 13.6-beta

Jetpack 13.6-beta is available now for testing and the download link is available here

Jetpack 13.6 will be deployed to VIP on Wednesday, July 17, 2024*. The upgrade is expected to be performed at 17:00 UTC (1:00PM ET).

*This deployment date and time are subject to change if issues are discovered during testing of the Jetpack release.
A full list of changes is available in the commit log.

What is being added or changed?

Enhancements

  • Newsletter: Add ability to manage the newsletter byline appearance.

Improved compatibility

  • Offline Mode: do not display Jetpack’s outbound SSL notice when in Offline mode.

Bug fixes

  • AI Assistant: Disable extensions when AI Assistant block is hidden.
  • Publicize: Fix a race condition with refreshing the active social connections.

What do I need to do?

We recommend the below:

As you’re testing, there are a few things to keep in mind:

  • Check your browser’s JavaScript console and see if there are any errors reported by Jetpack there.
  • Use Query Monitor to help make PHP notices and warnings more noticeable and report anything you see.

Questions?

If you have any questions related to this release, please open a support ticket and we will be happy to assist.

Custom Deployments are now available

Get ready to embrace more flexibility and ownership with the VIP’s newest feature: Custom Deployments.

You may have previously heard of this capability as Bring Your Own Repository. Today, we’re excited to launch it as Custom Deployments, a game-changing tool that empowers your team with even greater independence and control over your development process. 

Custom Deployments liberate you with options beyond our provided GitHub repository, enabling you to send us a deployment-ready artifact directly through the VIP-CLI. It’s our way of putting the reins back in your hands – prepare your code exactly how you want it, and let us handle the rest.

How to get started

Note: This feature is currently only available for WordPress sites. It may be extended to Node applications in the future if there is sufficient interest.

  1. To enable on the VIP Dashboard, go to your target application, then on the sidebar, navigate to “Code” > “Repository” and select “Custom Deployment”
  2. Generate and store the token for Custom Deployment
  3. Run the following command and replace the variables with values relevant to your application and file:
WPVIP_DEPLOY_TOKEN=<token> vip @<app-name>.<env> app deploy <pathToZipOrTarFile> --message <commitMessage>

The VIP-CLI command is available on all versions higher than 3.4.1. You can change your application deployment method per environment, and switching back to “Default Deployment” will automatically deploy the latest version from the wpcomvip GitHub repository.

Preparing the deployment file

To ensure we can deploy the provided code, you need to provide a zip or tar file that contains a parent folder holding all the files from your repo, in the same format as the WordPress skeleton.
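A pre-flight check for the layout described above, as an added example (not VIP's own tooling): it inspects a zip or tar without extracting it and reports a missing or duplicated parent folder, unsafe member paths, and absent skeleton directories. It assumes "a parent folder" means a single top-level directory; the names `check_layout`, `member_names` and `EXPECTED` are hypothetical, and `EXPECTED` is a constructed placeholder to replace with the directories of the WordPress skeleton you deploy.

```python
import tarfile
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

def member_names(archive):
    """List member paths of a zip or tar archive without extracting it."""
    if zipfile.is_zipfile(archive):
        with zipfile.ZipFile(archive) as zf:
            return zf.namelist()
    with tarfile.open(archive) as tf:  # raises tarfile.ReadError otherwise
        return tf.getnames()

def check_layout(archive, expected_dirs):
    """Return a list of problems; an empty list means the layout passed."""
    paths = [PurePosixPath(n) for n in member_names(str(archive))]
    paths = [p for p in paths if p.parts]  # drop "." entries
    unsafe = [str(p) for p in paths if p.is_absolute() or ".." in p.parts]
    if unsafe:
        return [f"unsafe member paths: {unsafe}"]
    top = sorted({p.parts[0] for p in paths})
    has_children = any(len(p.parts) > 1 for p in paths)
    if len(top) != 1 or not has_children:
        return [f"expected one parent folder, found top-level entries {top}"]
    present = {p.parts[1] for p in paths if len(p.parts) > 1}
    return [f"missing {top[0]}/{d}/" for d in expected_dirs if d not in present]

EXPECTED = ("themes", "plugins")  # constructed placeholder, not the full skeleton

def demo():
    """Build constructed sample archives and return each one's problems."""
    cases = {
        "good.zip": ["site/themes/demo/style.css", "site/plugins/demo/demo.php"],
        "flat.zip": ["themes/demo/style.css", "plugins/demo/demo.php"],
        "mac.zip": ["site/themes/a.css", "site/plugins/b.php", "__MACOSX/site/._a"],
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, members in cases.items():
            path = Path(tmp) / name
            with zipfile.ZipFile(path, "w") as zf:
                for member in members:
                    zf.writestr(member, "")
            results[name] = check_layout(path, EXPECTED)
    return results

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

The `mac.zip` case models the extra `__MACOSX` top-level entry that macOS Finder adds when compressing a folder.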

Automating this with GitHub Actions

When we talked with customers, a highly requested feature was to have more control over the deployment process by allowing the use of GitHub Actions. We created a reusable action that can now be integrated into your development and deployment workflow. 

For more information, visit our Custom Deployments Guide, which will assist you through every stage of the process.

Supply-Chain Attack via 3rd-Party Polyfill.io

A supply-chain attack in the CDN for the 3rd-party Polyfill.js library was announced today, affecting 100k sites globally. This library enables certain functionality in older, unsupported browsers and is not part of the WPVIP platform or WordPress. This code would only exist on your site if it has been explicitly included in your theme or plugins.

This supply-chain attack was first reported by Sansec here.

All impacted VIP customers have been notified individually.

What actions should I take?
You can search for polyfill.io in your repo(s) and remove the related code if it is no longer needed, or switch to a trusted mirror provided by Fastly or Cloudflare. Please see the below announcements regarding the mirrors provided by those services:

https://community.fastly.com/t/new-options-for-polyfill-io-users/2540
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk

What does this mean for my site(s)?
Removing or replacing the related code should not impact your site’s usability for most users. According to the original author of the Polyfill.io library, it is no longer needed by modern browsers, so in most cases, you can safely remove it.

WPVIP has deployed a platform-level mitigation for customers using the core WordPress enqueue scripts APIs. This disables loading of scripts from polyfill.io and cdn.polyfill.io on those sites. WPVIP urges all customers to review their usage of Polyfill.js from the polyfill.io service and remove it or switch to a trusted mirror as outlined above.
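To review usage as urged above, here is one way to run the repo search, as an added example (not WPVIP's tooling): it reports references to polyfill.io and its subdomains such as cdn.polyfill.io, including hardcoded tags that do not go through the enqueue APIs, and ignores look-alike strings. The file extensions, function names and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches polyfill.io and any subdomain (cdn.polyfill.io), but not look-alikes
# such as mypolyfill.io, polyfill.io.example.com or a file named polyfill.io.js.
BLOCKED_HOST = re.compile(
    r"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*polyfill\.io"
    r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])",
    re.IGNORECASE,
)
SCAN_SUFFIXES = {".php", ".js", ".mjs", ".ts", ".jsx", ".tsx", ".html", ".htm", ".twig"}

def find_polyfill_refs(root):
    """Return (relative path, line number, matched host) for each reference."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file():
            continue
        if path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in BLOCKED_HOST.finditer(line):
                hits.append((rel.as_posix(), lineno, match.group(0).lower()))
    return hits

def build_sample_repo(root):
    """Write a constructed theme tree used to demonstrate the scan."""
    files = {
        "themes/demo/functions.php": "<?php\nwp_enqueue_script( 'pf', "
        "'https://cdn.polyfill.io/v3/polyfill.min.js' );\n",
        "themes/demo/header.php": '<script src="//polyfill.io/v3/polyfill.min.js">'
        "</script>\n",
        "themes/demo/js/app.js": "// local copy: vendor/polyfill.io.js\n"
        "import './mypolyfill.io-shim';\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for path, lineno, host in find_polyfill_refs(tmp):
            print(f"{path}:{lineno}: {host}")
```

Point `find_polyfill_refs` at a checkout of your own repo; built bundles are worth including, since a reference can be compiled into minified output.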

Call for Testing: WordPress 6.6 RC1

The WordPress 6.6 Release Candidate 1 is now available on WordPress VIP. Use the Software Management page to update your non-production sites to WordPress 6.6 for testing.

What’s Changing?

Testing this release candidate is the next step in preparing your site for the WordPress 6.6 release slated for July 16, 2024.

How to test WordPress 6.6

Local Environment

Ensure VIP-CLI is updated:
npm update -g @automattic/vip

Update environment:
vip dev-env update --slug SITENAME

Non-production

Alternatively, you may update a non-production site to WordPress 6.6 RC1 now.

Within the Software Management section of the VIP Dashboard, you can select your non-production environment and change the WordPress version to “6.6” within the “Testing” section.

Testing is vital to polishing the release during the Release Candidate and a great way to contribute. ✨

Not for Production Environments

WordPress VIP does not recommend using Release Candidate or Beta versions in production environments. Any sites that have managed updates will automatically be updated to WordPress 6.6 when released on July 16.

Questions?

If you have testing feedback or questions related to this release, please open a support ticket, and we will be happy to assist.