State of the Word, Gravatar Breaches, Log4J, Alexa Retires, Lawsuits, and More 🗞️ January 2022 WordPress News w/ CodeinWP

📆  This is the January 2022 edition of “This Month in WordPress with CodeinWP.” 

Hey there, WordPress fans. We hope you all enjoyed the holidays and are ready for an awesome year of WordPress in 2022.

But before 2021 ended, there were some notable WordPress news stories that deserve your attention.

Matt Mullenweg gave his annual State of the Word speech. It was primarily a virtual event, but there was a small studio audience. Beyond that, there was a Gravatar…breach? Well, there’s some debate about whether or not you can call it a “hack,” but your email address might have been exposed.

On the topic of vulnerabilities, much of the web was in a tizzy over a widespread vulnerability in log4j, but you probably don’t need to worry about that if you’re a WordPress user.

Let’s dig into all of the WordPress news for December 2021.

January 2022 WordPress News with CodeinWP

State of the Word 2021 goes on, largely online

Without a doubt, the biggest WordPress-specific news from December was the State of the Word 2021, the yearly speech in which Matt Mullenweg lays out how WordPress is doing and what its future is.

Matt usually delivers this speech at WordCamp US, but there was no in-person event again this year because of you know what. Instead, the event happened online and most people watched Matt’s speech via a livestream, though there was also a small live studio audience and a number of associated meetups and local events.

As is typically the case, Matt started off by detailing WordPress’ growth over the year.

Let’s start with the headline number from the keynote:

According to W3Techs, WordPress now powers more than 43% of all the websites on the internet, which is just a staggering statistic. This number grew over the year from 39% in December 2020.

However, WordPress was pretty much the only open-source tool to make gains, as Joomla and Drupal are shrinking while Shopify, Wix, and Squarespace are growing.

Matt poked a little fun at Wix, stating that WordPress grew “two Wix’s” this year since Wix’s market share is still less than 2%. Throwing some gibes at Wix seems fair after Wix’s marketing campaign that took shots at WordPress (and gave people free Bose headphones for some reason).

Beyond the cool WordPress statistics, here are some other highlights from the State of the Word 2021:

If you want to watch the full keynote yourself, you can find it on YouTube or watch the embedded video.

The Log4J vulnerability lights the internet on fire

If you pay attention to the internet at all, you might’ve heard about the vulnerability in Apache’s Java-based Log4j logging utility.

This vulnerability opened the potential for malicious actors to infiltrate a huge number of systems, which is why it even prompted a response from the US Government’s Cybersecurity & Infrastructure Security Agency (CISA).

So – let’s talk about what is probably the biggest question on your mind:

Does the log4j vulnerability affect WordPress sites?

There’s good news here – the log4j vulnerability is highly unlikely to affect WordPress sites directly.

WordPress is written in PHP, so a Java exploit isn’t a problem for WordPress users and the vast, vast majority of WordPress sites are not at any risk.

What’s more, this vulnerability doesn’t have anything to do with the Apache web server, which your web host might be using for WordPress.

The only potential issue is if you’re using some custom integration with a different tool that is vulnerable to log4j and that then spreads to your WordPress site.

But for most WordPress users, the log4j vulnerability isn’t something you need to worry about – it’s just a noteworthy event.

Did Gravatar get hacked? You be the judge

On December 6th, the popular Have I Been Pwned service tweeted about a data breach in Gravatar.

So – what was the data breach? Essentially, a security researcher was able to reverse engineer a person’s username and email address just by having their profile picture and its associated hash.

However, Gravatar had never notified users about any type of data breach.

Why’s that? Well, according to Automattic, the parent company of Gravatar, Gravatar was not “hacked” and this actually wasn’t a data breach (in their eyes) because the data was public and obtained via the misuse of their API rather than a “hack.”

To be honest…that kind of sounds like a hack, which this sarcastic tweet from Christopher Foster does a good job of pointing out:

That sounds like your data was accessed in a way you didn’t intend (if only there was a word for that), but you didn’t mean to be?

— Christopher Foster (@CF99)

Either way, users probably aren’t happy that their email addresses could be exposed just by leaving a comment on a site.

And this brings up an interesting question:

Should Gravatar be enabled by default on WordPress sites? I get the benefit of Gravatar – it’s much nicer to see real profile pictures than empty profile boxes.

But given that it’s a third-party service, it seems like something new WordPress users should officially opt in to, instead of requiring users to opt out if they don’t want to use Gravatar.

In fact, I’d wager that many casual users have no idea what Gravatar is and that their sites are connected to Gravatar in any way.

If you’re not familiar with Gravatar, it’s the Automattic-owned service that WordPress uses to generate profile pictures for registered users and commenters. If a person has set up their profile picture on Gravatar, that picture will automatically display whenever that person leaves a comment or registers for a WordPress account using the email address associated with their Gravatar account. It’s also used on many other services, such as Slack and GitHub.

If you don’t like the idea of loading avatar images from a third party, you have a number of great options. Here are some to get you started:

Publishers sue Google and Facebook over ad revenue

In a newly consolidated antitrust lawsuit, more than 30 companies that collectively own 200+ local newspapers are suing Google and Facebook, alleging that the two companies manipulated the digital ad market and caused local publishers to lose money.

The goal of the lawsuit is “to recover past damages to newspapers,” as Axios reports.

As part of the lawsuit, the companies allege that Google and Facebook colluded to maximize Google and Facebook’s take-home of advertising revenue (at the expense of local publishers).

This comes on the backs of another lawsuit from publishers with respect to Google AMP, which we got an unredacted look at in October 2021.

If you’ve been building websites for a while now, you probably remember the massive push to adopt Google’s AMP framework around 2016.

AMP content was supposed to load faster on mobile, thanks to a stripped-down code base and caching on Google’s servers.

Google also gave AMP content special placement in the mobile SERPs, as your site needed to be using AMP to show up in the “Stories” section. Side note – this is no longer the case, in part because of what I’ll discuss below.

Because of this push, a lot of publishers did adopt AMP…and now they also aren’t happy with Google, in large part because of details such as Google’s knowledge that publishers using AMP were getting ~40% less revenue and that AMP might not have actually made things faster (and that Google might have actively throttled non-AMP content).

Put these cases together and you can definitely notice a trend of publishers pushing back against large tech corporations. This is especially true of local media publishers, who are in tough straights with the shift to the digital economy.

Are these the last gasps of a slowly dying industry or will we see meaningful reforms over how large tech companies interact with media publishers? Well, I guess we’ll find out when we see how the lawsuits go.

Amazon retires Alexa for good…No – not that Alexa

Apologies for the clickbait headline…but December saw a retirement announcement of one enduring web property, Alexa.

No, I’m not talking about Amazon’s voice assistant. I’m talking about the web statistics and analytics platform called Alexa (though Amazon has been very precise in calling it “Alexa.com“).

Alexa.com was founded in 1996 and soon after acquired by Amazon in 1999. Side note – one of Alexa.com’s co-founders was Brewster Kahle, who’s probably more known for founding the Internet Archive and just generally being an advocate for a better internet.

Alexa is best known for its Alexa Rank metric, which measures a website’s general popularity versus other sites on the internet. A lot of sites proudly relied on and promoted this metric (though it’s fallen out of favor in recent years and has been overtaken by tools like SimilarWeb).

Though most people only paid attention to the Alexa Rank, Alexa also offered a number of other digital marketing and SEO tools such as a backlink checker, content explorer, competitive analysis, and more.

If you are one of those people actually using Alexa’s tools, you’ll be able to export all of your data and your existing subscription will continue working until the official retirement date. You won’t be able to create a new account, though.

When is Alexa.com’s official retirement date? As of now, Alexa will be officially retired on May 1, 2022.

Given that Amazon poached Alexa.com’s name for its voice assistant, I had a feeling that Alexa.com was not long for this world. However, I wasn’t sure if Amazon would cut it off or rebrand it into something else. Now, we have that answer.

That sums up our January 2022 WordPress news roundup. Anything we missed?

Don’t forget to join our crash course on speeding up your WordPress site. With some simple fixes, you can reduce your loading time by even 50-80%:

Layout and presentation by Karol K.

Or start the conversation in our Facebook group for WordPress professionals. Find answers, share tips, and get help from other WordPress experts. Join now (it’s free)!