Gutenberg blocks disabled, thoughts after I fixed it

When I first experienced Gutenberg when upgrading to WordPress 5 it was a terrible experience. The ‘+’ new block icon didn’t work, and I couldn’t figure out how to add any blocks. It gave me one to jam everything in.

It turns out I had the visual editor disabled in my user profile. I imagine I did that at some point in the past so I didn’t have to fight with TinyMCE but totally forgot about it.

Disable visual editor was disabling Gutenberg

After I enabled it, the blocks started working. Now, let me tell you what, Gutenberg is pretty awesome. I did my first post with multiple blocks and it made life so much easier.

I imagine it will greatly mess with the other page builders that go over the top, but Gutenberg definitely makes it feel more natural when adding long form content.

Advice for WordPress/Automattic/Gutenberg Team

Please, please, please, for the first time a user loads the editor page and has the visual editor disabled, show some sort of warning and just don’t show the ‘+’ new block button. It was extremely confusing and frustrating.

Gutenberg image block

WordPress Gutenberg

WordPress 5 + Gutenberg…. What happened?????

How do I add more blocks? How do I add links? How do I do anything with this? This is a disaster.

Update: Turns out “Disable the visual editor when writing” in my user profile was checked and that kills all blocks.

WordPress Plugins Galore and How You Should Use Them

With WordPress it is so easy to install any plugin in their directory. Do a search for it and click “Install”. Whenever I am tasked with finding and fixing a hacked site it is almost always an issue with plugins.

On one particular site they had 2 “Hello Dolly” plugins installed. If you have ever used a fresh install, you know WordPress includes 1 called Hello Dolly as an example plugin. You should always remove this plugin. There isn’t a security issue with it, but you should only have plugins installed that you actually use. This site had a bunch of unused plugins so there was no quick way to notice that a new one was added. The second Hello Dolly plugin was not active, but its script was called from a remote server and was then used to send spam, lots and lots of spam.

Outdated Plugins

Many plugins get updates for security issues along with bug fixes and new features. A year ago a few of the very popular caching plugins had a critical security update. I still come across sites that haven’t updated them. When your site runs how you want, you very rarely bother to do updates or even log in to the dashboard. Even before that there was the timthumb exploit. This script took your images and created thumbnails. While this wasn’t necessarily WordPress specific, it was used in tons of plugins and themes. I assume most of the plugins and themes released updates to fix the issue by either utilizing the built-in uploading tools WordPress provides or upgrading to Timthumb 2.0, which fixed those holes.

Unused Plugins

Open a new window in your web browser and log in to your WordPress site. Next go to the Plugins section and delete all the inactive plugins. Just because your plugin is not active does not mean it can’t do any harm. It just means WordPress won’t load any actions or filters it has set up.

Your plugins directory is usually located at /wp-content/plugins. If a hacker finds an exploit in one of your installed plugins, they already know where the file is. With the timthumb exploit mentioned above, attackers would send that file a malicious request and it would write it to the server. From there they could access whatever they needed to. Most of the time it was to have the server you are on send spam. Your web host won’t like that. Not only would your site be hacked and need to be cleaned, but then the IP address of the server might get blacklisted for sending email and your web host will suffer from that if not caught soon enough.

Sending spam isn’t your problem, I get that. It’s just an example of what I often see. They can also modify your pages and posts. One I came across was inserting a link into every page. Another one added in advertisements to the bottom of every post. While ads might not be a bad thing, it would be nice if you got credit for them and to know they didn’t include anything malicious.

If you install a WordPress firewall plugin that emails you blocked requests, you will eventually come across a request trying to exploit a plugin that you don’t have installed. These attackers build a list of WordPress sites and use an automated process to try to exploit each one. If they find one, great (for them); if not, they just move on to the next site.

At the end of the day keep your plugins, themes and WordPress itself updated and remove unused plugins.
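An added example (not part of the original post) of the check the unused-plugins advice implies: it lists plugin files that are on disk but not active and flags plugin names claimed by more than one file, as with the two Hello Dolly copies above. The directory tree, the "Contact Form" plugin and the active list are constructed samples; on a real site the active list would come from the `active_plugins` option.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# WordPress recognises a plugin by a "Plugin Name:" header in the leading
# comment of a PHP file and reads only the first 8 KB to find it.
HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:(.*)$", re.I | re.M)

def find_plugins(plugins_dir):
    """Map relative path -> plugin name for PHP files in the plugins
    directory and one level below it (the depth WordPress scans)."""
    root = Path(plugins_dir)
    found = {}
    for php in sorted([*root.glob("*.php"), *root.glob("*/*.php")]):
        if not php.is_file():
            continue
        with php.open("rb") as fh:
            match = HEADER.search(fh.read(8192))
        if match:
            name = match.group(1).decode("utf-8", "replace").strip()
            found[php.relative_to(root).as_posix()] = name
    return found

def audit(plugins_dir, active):
    """Return (inactive plugin files, names claimed by more than one file)."""
    found = find_plugins(plugins_dir)
    active = set(active)
    inactive = sorted(path for path in found if path not in active)
    by_name = defaultdict(list)
    for path, name in found.items():
        by_name[name.lower()].append(path)
    duplicates = {n: sorted(p) for n, p in by_name.items() if len(p) > 1}
    return inactive, duplicates

def build_sample(root):
    """Constructed sample tree: one active plugin, two Hello Dolly copies."""
    sample = {"contact-form/contact-form.php": "Contact Form",
              "hello.php": "Hello Dolly",
              "hello-dolly/hello.php": "Hello Dolly"}
    for rel, name in sample.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"<?php\n/*\nPlugin Name: {name}\n*/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp, active=["contact-form/contact-form.php"]))
```

Saving the output after each cleanup and comparing it with the next run gives the quick way to notice a newly added plugin that the hacked site lacked.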