WordPress 5.9.1 released. REST or AJAX? Plugin dependency feature plugin. Testing, security, new themes and CSS standards. PHP benchmarks and more.

Core News

A WordPress 5.9.1 Maintenance Release is out, so make sure your sites are updated. There are quite a lot of bug fixes in this release — over 80!

For a digest of everything happening in core this week, see This Week at WordPess.org for February 21.

Dev Notes

Matt Shaw tackles the question of whether you should be using the WordPress REST API instead of AJAX. He compares the pros and cons of each possible approach, including benchmarks that examine speed and responsiveness.

Whichever you choose, Matt cautions that “the REST API and admin-ajax.php still depend on the quality and integrity of the active plugins or themes.”

Andy Fragen details a feature plugin project he is proposing for managing plugin dependencies in the WordPress updater. This idea goes back to a TRAC ticket opened nine years ago by the late Alex Mills. It already has some comments and discussion going.

Andy outlines two approaches to managing plugins that require plugins. Each has subtle differences which he calls “starting points.” At the moment I would embrace either one! A core solution to plugin dependencies would help set and keep standards.

We’re looking forward to how this project progresses.

Jason Bahl has written a tutorial on end-to-end tests for your WordPress plugins. It uses Puppeteer, Jest, and Github Actions. Jason’s tutorial also shows how to set up a GitHub Workflow (AKA GitHub Action) that will run the tests when a Pull Request is opened.

Jason also published a video walking through the setup for end-to-end tests for WPGraphQL.

David C. Zentgraf has a detailed post on what every programmer “absolutely, positively needs to know” about encodings and character sets to work with text.

Tom McFarlin shares how you can programmatically authenticate a user in WordPress — as long as you have a verified user ID for them.


Jetpack Scan security researcher Marc Montpas discovered a severe vulnerability in UpdraftPlus that could grant attackers access to privileged information in the database. As Sarah Gooding reports, the patch was pushed out via a forced auto-update.

It’s rare, but not extremely rare, to see a security-related update pushed out via a forced auto-update. Likely this time around it was the extent of the problem plus the install base of the plugin — more than a million sites — that hadn’t updated to the latest version.

It would be nice to see some guidelines in writing to explain when and how the decision for a forced update is made. It might be a “you know it when you see it” scenario, but when it comes to security, standards and expectations should be clear.


Mark Root-Wiley envisions a path toward standardizing CSS for WordPress designs and layouts. He notes that “now is a critical moment to find a path that meets the needs of WordPress core development without sacrificing the needs of 3rd-party themes and plugins.”

Mark proposes a four-point plan: Consistent CSS classes, stateful CSS classes, design tokens, and CSS utility classes:

“With a streamlined and transparent approach to design, core development will have a self-documenting, easy-to-understand set of tools for implementing future designs.”

Rich Tabor has released a new WordPress block theme called Wabi for writers and publishers. Each post can have one of six different accent color. All of them can be modified within the new Global Styles interface.

Rich’s blog is currently running Wabi.

Skatepark is a new WordPress theme “designed for modern events and organizations” by Mel Choyce-Dwan.

PHP Performance

Salman Ravoof delivers some benchmarks for PHP 7.2, 7.3, 7.4, 8.0, and 8.1 on the Kinsta blog. These five different PHP versions were tested across 14 unique PHP platforms and configurations for WordPress, Drupal, Joomla, and Laravel.

Kinsta finds that only 50.6% of WordPress sites are running on supported PHP versions. Salman believes lack of education, compatibility issues, and reluctant WordPress hosting providers are the main causes for this.

In terms of overall speed on WordPress installs, PHP 8.0 and 8.1 have proven to be faster than previous versions. PHP 8.1 is the fastest in all benchmarks. Another reason to upgrade sooner than later:

“With support for PHP 7.4 ending soon in late 2022, you should plan to move your sites to PHP 8.0 and above as soon as possible.”

Plugin Updates

Advanced Custom Fields version 5.12 is available with ACF Blocks compatibility for WordPress 5.9 and WordPress 5.8.

Aurooba Ahmed has released QuickPost, “a little button that lets you create and duplicate posts right from the WordPress Block Editor.”

TrustedLogin has adopted the Remove Dashboard Access and Support Me plugins created by Drew Jaynes. These plugins are installed on over 50,000 sites.

Strattic has acquired WP2Static, which was developed by Leon Stafford. Leon is joining Strattic and will continue to maintain the plugin, which makes WordPress generate a static file-based site.

Strattic will “support keeping WP2Static and its add-ons open source.”

Questions Asked and Lessons Learned

Brian Casel shares some things he learned from the sale of his Productize course business, a 7-year side-business.

“I still believe [productized services are] the path of least resistance for anyone looking to level up from being a freelancer to a business that can scale. It helped me bootstrap and grow into SaaS. It powers amazing service businesses for many others.”

Eric Karkovack wonders if many of the features WordPress is gaining are for non-designers and will push freelancers away. Eric believes freelancers are vital to growth:

“Without the right balance, there is a potential to squeeze out those of us in the mid-range of the market… we’re not at that point just yet. However, the decisions that are made within the next few years could have a huge impact on freelancers.”

Nyasha Green shares her response to those who ask, “Are WordPress developers real developers?” It depends how you define “developer.” There’s plenty of space in the WordPress community for a variety of different “developers.”

Allie Nimmons asks how to be an effective advocate for diversity in WordPress. She recounts the good, bad, and unintended consequences of calling out WCEU for an apparent lack of diversity in its organizers. Allie now has some suggestions such as this one:

“Communicat[e] … intentions first. […] Bring to the forefront what you hope to accomplish with your advocacy before bringing up tough questions.”