Foliovision (https://foliovision.com): Making the web work for you

Until Signal video call quality improves Moxie should not throw shade on Telegram
https://foliovision.com/2026/02/signal-video-call-quality
Thu, 12 Feb 2026 18:27:19 +0000

Over on GitHub there’s an issue about Signal video call quality – Poor video quality – which just turned five years old now. Call quality has not improved. Skype introduced reliable video calls in 2005 and more or less solved video call quality issues by 2008. Telegram video call quality is always HD and almost pristine on exactly the same networks and routes where our call quality is unusable on Signal.

What’s particularly frustrating about the poor video quality in Signal is to hear Moxie attack Telegram for privacy issues. Until Signal video call quality improves, Signal may as well not exist for video calls. The quality is too poor to use. The bad call quality has gone on so long, that it looks like it’s deliberate policy. The poor quality drives callers onto other platforms which are less secure.

Comparing Signal, Telegram and WhatsApp Security

What’s even more astonishing is to hear Western IT specialists who should know better suggest that WhatsApp is more secure than Telegram. Wassim Lalaoui from VLC writes:

Maybe better than Zoom, but clearly not better than WhatsApp. Telegram does not have E2EE for messages by default while on WhatsApp E2EE is mandatory

WhatsApp do claim E2EE security.

The reality is there have always been thousands of contractors who have direct access to WhatsApp data. WhatsApp has never kept their data locked up with user-only E2EE. While the data may be encrypted when it’s at rest, if everyone and their brother in a three-letter agency has the encryption keys, it’s not secure, is it?

Long before this lawsuit, the lack of security and E2EE was clear. Just from the public revelations over the last ten years, it’s been obvious that WhatsApp has always been leaky (many inconvenient European politicians have lost their mandate due to WhatsApp revelations). There are far fewer Telegram leaks.

The unknown is whether it’s due to Telegram not keeping all the data or just that 1. Telegram security is better, with encryption for most states including rest 2. the Telegram team is smaller and more trustworthy than the 1500+ contractors who had WhatsApp access.

There’s a footrace between Signal and Telegram over security (Signal leaks your connections and your frequency of communication but does not leak the actual content; Telegram has the data but does not leak it by default only under court order) but both are thousands of miles ahead of Zoom and WhatsApp and even Apple who leak all your data all the time as they are US-based and subject to the Patriot Act.

Telegram Security: the French Connection

Since Durov and his girlfriend were held hostage by the French in Paris for nine months (from 24 August 2024 to 15 March 2025), Telegram is less secure. The French arrest was to force Telegram to install some external backdoors and monitoring into Telegram, where there had been none before. How much user privacy did Durov give up? It’s not public knowledge yet. Today one can assume that with a court order, any significant Western government can obtain an individual’s Telegram communication. Proton Mail is no better. Proton’s track record is to give up communication when faced with a French/Swiss court order.

You can’t betray secrets you don’t know

Signal cannot leak what it doesn’t have (which is the actual content of the communication, the network they do have and you should assume Signal does leak the network activity: due to Patriot Act/US domicile/US citizens/past CIA money, Signal have to give up whatever they have).

Which is why it’s so very important that Signal video and audio call quality improve. Signal is the only messenger app where it’s likely that the interlocutors enjoy real privacy during calls.

Moxie: less interviews, less moaning and more action please. The reason Signal users flock to Telegram is not security, it’s that Telegram actually works.

Post from: Foliovision

How to run WordPress Crons reliably
https://foliovision.com/2026/02/how-to-run-wordpress-crons-reliably
Fri, 06 Feb 2026 15:24:41 +0000

The WordPress Cron (WP-Cron) lets your WordPress website execute background tasks. Typical background tasks include:

  • keeping your users’ membership status in sync with payment gateway
  • sending newsletters
  • various background updates

There are three issues with WP-Cron:

  1. WP-Cron does not run on a regular schedule, it can miss the scheduled jobs.
  2. WP-Cron can also run too often and cause performance issues.
  3. WP-Cron jobs can fail without notice.

Here’s how we fix these issues.

How to make WP-Cron reliable

WordPress (and PHP in general) does not have any robust way of running background jobs. WP-Cron simply depends on website visits, keeping track of last scheduled job execution date and time in the wp_options table and running the background jobs with HTTP calls.

Such execution of background jobs can become unreliable if:

  • Your website is not getting visits around the clock consistently.
  • You care about page load times and use a WordPress page cache plugin. WP-Cron will not run for cached hits.

So WP-Cron might just not be triggered often enough and can miss the schedule.

For this reason we trigger WP-Cron using the server operating system crontab for each website user every 5 minutes like this:

*/5 * * * * php public_html/wordpress/wp-cron.php >/dev/null 2>&1

Then we also add this to wp-config.php to make sure WordPress will no longer try to run WP-Cron on its own using HTTP:

define('DISABLE_WP_CRON', true);

How to avoid WP-Cron performance issues

As I mentioned above, sometimes there may not be frequent enough visits to your WordPress website to trigger the WP-Cron on a reliable schedule.

But the opposite can happen too: the WordPress Cron can even trigger too often. I was shocked to find that on one of our websites WP-Cron would run even 4 times per minute!

Here’s an excerpt from the web server access logs – the columns are time, request, response code and runtime. So we can see wp-cron.php not doing much, but doing it very often, even 4 times at 07:44:

[13/Jan/2026:07:39:08 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.131
[13/Jan/2026:07:39:46 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:40:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:40:05 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:40:45 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:41:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.004
[13/Jan/2026:07:41:05 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:41:45 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:42:06 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:42:44 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:43:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.002
[13/Jan/2026:07:43:06 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:43:45 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.002
[13/Jan/2026:07:44:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:44:05 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:44:15 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.002
[13/Jan/2026:07:44:44 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.002
[13/Jan/2026:07:45:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001

Note: The query strings like ?doing_wp_cron=1768290304.8027579784393310546875 were omitted to improve readability.

The only time it actually did something was at 07:39:08 and it took 131 milliseconds to complete.

This situation improved once we set up the crontab for all websites. Now the WordPress Cron jobs run at predictable intervals and do not create extra server load by running too often.
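A per-minute tally of the excerpt above, as an added example (not Foliovision's code): the script parses the log format shown on this page, counts wp-cron.php requests per minute and separates runs that did real work from no-op runs. The 50 ms work threshold and the function names are assumptions of this sketch.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the access-log excerpt above: time, request, status, runtime.
SAMPLE_LOG = """\
[13/Jan/2026:07:39:08 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.131
[13/Jan/2026:07:39:46 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:40:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:40:05 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:40:45 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:41:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.004
[13/Jan/2026:07:41:05 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:41:45 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:42:06 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:42:44 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:43:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.002
[13/Jan/2026:07:43:06 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:43:45 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.002
[13/Jan/2026:07:44:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:44:05 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
[13/Jan/2026:07:44:15 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.002
[13/Jan/2026:07:44:44 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.002
[13/Jan/2026:07:45:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0.001
"""

LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<runtime>\d+\.\d+)'
)


def parse_cron_hits(log_text):
    """Return (timestamp, status, runtime_seconds) for every wp-cron.php request."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # not in the expected format, skip it
        # Drop a query string such as ?doing_wp_cron=... before comparing paths.
        path = match.group("path").split("?", 1)[0]
        if not path.endswith("/wp-cron.php"):
            continue
        ts = datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, int(match.group("status")), float(match.group("runtime"))))
    return hits


def hits_per_minute(hits):
    """Count wp-cron.php requests per HH:MM bucket."""
    return Counter(ts.strftime("%H:%M") for ts, _, _ in hits)


def noisy_minutes(hits, max_per_minute=1):
    """Minutes in which wp-cron.php was requested more often than allowed."""
    return {m: n for m, n in hits_per_minute(hits).items() if n > max_per_minute}


def working_runs(hits, min_runtime=0.05):
    """Runs slow enough to have executed a job (the threshold is an assumption)."""
    return [hit for hit in hits if hit[2] >= min_runtime]


if __name__ == "__main__":
    hits = parse_cron_hits(SAMPLE_LOG)
    for minute, count in sorted(hits_per_minute(hits).items()):
        print(minute, count)
    print("runs that did work:", len(working_runs(hits)), "of", len(hits))
```

Once DISABLE_WP_CRON is set and the crontab runs wp-cron.php with the php command line, WordPress no longer requests the file over HTTP, so running the same tally on a later log shows whether anything else is still calling /wp-cron.php.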

How to monitor WP-Cron failures

By default WP-Cron runs requests to /wp-cron.php using an HTTP request. So if there’s a PHP fatal error, it will be logged in your PHP error logs.

So while it’s not impossible to see if the WP-Cron has failed, it’s certainly not easy. An important part of your WordPress plugins’ background processing might be failing and you won’t know.

The technology to monitor our cron jobs is called FV Cron Status Page.

We simply send the output of our cron jobs to it using HTTP and then get alerted about errors using one of:

  • Email
  • Basecamp 3 Campfire
  • Rocket.chat
  • Teamwork PM

It does mean each cron job needs some adjustments though:

*/5 * * * * php public_html/wordpress/wp-cron.php 2>&1 | curl -X POST --data-urlencode "data=$(cat)" 'https://crons.foliovision.com/?name=wp_cron'

But we are on top of our cron jobs and know about any failures immediately. If the WP-Cron job fails with a PHP error, we get notified about the error.

FV Cron Status Page can be found on GitHub.

Configure Mid-Roll VAST ads with FV Player VAST
https://foliovision.com/2026/02/vast-mid-roll-ads
Fri, 06 Feb 2026 14:18:12 +0000

When we first introduced FV Player VAST, it would only play the video ads in front of the videos. We call it the Pre-Roll ad placement.

Later on, we let the ads show after the video as well, using Post-Roll ads.

Along the way we added the Mid-Roll ad placements for individual videos. You had to specify the exact time in seconds at which the ad should show.

That was too much work, so we added the “Global Mid-Roll” setting.

[Image: Older FV Player VAST: Only offering pre-roll and post-roll ad placements]

But in both cases, this Mid-Roll ad placement would only repeat the Pre-Roll ad.

Improved Mid-Roll Ad Management

That’s why the new FV Player VAST 8.0.28 gives you full control over which VAST ads should load for the Mid-Roll placements.

[Image: New FV Player VAST: Midroll placement added]

If you are upgrading from an older FV Player VAST version, you get a popup in your WordPress Admin Dashboard. It tells you how your existing Pre-Roll ads were copied into the new Mid-Roll ad placements, if you used that “Global Mid-Roll” setting before:

[Image: Upgrade notice about the Mid-Roll ads]

Notes

FV Player VAST also lets your ad server take over the Mid-Roll placements by using the VMAP standard of the VAST ads. In that case, simply enter your VMAP-enabled VAST ad link as the Pre-Roll and it will integrate properly.

We are also exploring the possibility of serving VAST ads for FV Player videos playing via Chromecast.

Merry Christmas and Peace on Earth
https://foliovision.com/2025/12/merry-christmas-and-peace-on-earth
Wed, 24 Dec 2025 21:41:04 +0000

We would like to wish you and your family a very Merry Christmas and a Happy New Year!

Martin and I would like to wish you and your loved ones a joyful holiday.

It’s been a fascinating year for technology with AI at the forefront. It’s like reliving the .com boom again.

While states deploy AI to destroy lives, many of us in business seek to harness AI to improve and accelerate our work. One tool which has helped us do more in 2025 is Perplexity Pro. Our feature article describes how we use Perplexity Pro as an instant encyclopaedic reference whether we are working on code or in DaVinci Resolve.

Until 31 December 2025, if you have Paypal you can enjoy a free year of Perplexity Pro. There’s a link in the article on how to claim your free year. The serious privacy concerns which affect AI generally also touch Perplexity. We explain how to work around them safely.

Perplexity Pro for Developers: an in-depth review with privacy guidelines
https://foliovision.com/2025/12/perplexity-pro-for-developers
Tue, 23 Dec 2025 16:24:16 +0000

Last chance for free Perplexity Pro for a year. Deadline 31.12.2025.

Perplexity is the most interesting of the AI projects yet to appear. Perplexity is unlike almost all the other AI projects in that at its core it is a user interface, rather than capabilities. Perplexity is effectively like an iPod of AI. Just as the original iPod offered fewer features and less storage than the MP3 players with which it competed, but simply offered a better interface, so it is with Perplexity.

AI search is Google’s fault

The existence of Perplexity is mostly Google’s fault. Before Google sold its soul to the investors and turned its SERP results into a yard sale covered with huge billboards, there would have been little need of a Perplexity. One could go to Google search for something and get useful results. For more depth, just open up the best-looking references.

Instead, searching for anything on Google for the last five years, basically means getting about two or three good results on the first page, surrounded by about twenty-five ads, above, below, on the side and even in the middle of the SERPS. Worse than useless.

Google Alternatives: Kagi

Our other search tool at Foliovision is Kagi, where we pay about $10/month to search with clean results (no advertising) and the possibility to promote, demote and ban sites. In SERPS where we search regularly, the republishing sites are banned within a few days leaving fairly good results.

For now Kagi results are nothing like the mid-days of Google though, where the results were great and there was not much commercialisation. Kagi has been dependent on either the Bing or Google SERPs, they now claim to have their own independent index Teclis. Despite the promising rhetoric about small publishers, Teclis still includes too much publishing mill and AI content.

Google Alternatives: Brave Search

Brave browser is our primary browser, stepping in for adware/spyware Chrome. So we gave Brave Search a good try and use it sometimes (in private windows). While Brave Search is private, under the hood, it’s rebranded Bing. Not good enough.

How Perplexity changes the Search Game

To return to Perplexity, what the team at Perplexity have done is turn conventional search on its head. Instead of us doing the searching, opening ten URLs, scanning and collating the most useful information, Perplexity Pro opens up thirty SERP results and reads through them. After reading thirty pages, Perplexity’s agent compares what’s there with what is already in the AI model it’s using, chooses which sources to use and then summarises those results as useful information.

Perplexity is astonishingly accurate. For complex queries, Perplexity is far more useful than Kagi. Kagi’s privacy model is better as Kagi promises to throw away most of the data almost right away and to anonymise the little bit they keep.

Perplexity Limitations

What Perplexity cannot do is code, as it won’t accept uploaded files and it won’t code anything for you. Perplexity is set up to just give you examples and tell you to code it yourself.

That said, you can give Perplexity a small chunk of bad code and ask what’s wrong. Perplexity will look around Stackoverflow, use its internal agent and give you a pretty good assessment as well as some sources to learn more about what it is you want to do.

Why Perplexity is especially useful to developers

So why is Perplexity such a useful tool for developers then?

Because we can simply ask questions about any technical domain or complex task and get an immediate summary of how the device/model works and how to adjust it. Perplexity is like having a full-time research assistant or like reading 1000 textbooks. Perplexity is like a second-brain, except one doesn’t have to do all the scrapbooking, browsing and annotating oneself.

Free Year of Perplexity Pro

Right now it’s the last week of the greatest free Perplexity offer (there were quite a few, some from Revolut, some from mobile phone companies, others from tech clubs) of them all. The offer is the first year of Perplexity Pro for free. And for this one, one needs only hold a Paypal account. Not a US Paypal account but any Paypal account.

It’s a very generous offer. Normally Perplexity Pro goes for $20/month and it’s worth it for knowledge workers. Perplexity’s motivation with this incredible offer is twofold. Perplexity is preparing for an IPO or buyout in the long term. To get the best possible valuation, Perplexity needs paying users. All of the free offers require adding a Payment method to one’s account so all of the free users are counted as paid users. This is trickery of course, as most paid users will go somewhere else.

[Image: Perplexity Pro Paypal Offer]

I do expect retention to be unusually high, not in the usual 2 to 5% after a free trial but closer to 20%.

Perplexity has a few other tricks up its sleeve, with a very invasive personal assistant and a spyware browser Comet. I don’t recommend allowing Perplexity that much penetration into your life. Now is probably the time to talk about caveats with Perplexity’s main service, which will make most people stay far away from the personal assistant and/or browser.

Perplexity and Privacy

Perplexity never forgets so be very careful what you ask.

I’ve had Perplexity editorialise into new queries “With your preference for French cars” or “Your Peugeot” when I had not necessarily explained that we owned a Peugeot. Perplexity proudly knows that I own a Nikon Z9 based on my questions and that I edit with DaVinci Resolve and that I’m an expert WordPress developer. “Your expertise in WordPress means…”

All of that knowledge is fine. But it makes me very happy that I have not asked Perplexity much about medical conditions, certainly not about family matters (I did once ask about a six-year old mountain biker in BC, Crosby Zimmerman: Grok couldn’t find Crosby for me, and Crosby had disappeared from YouTube). Perplexity could guess that we have young mountain bikers at home. I’d stay away from any legal questions as well. Just the question reveals the vulnerability, however useful Perplexity would be in helping solve such issues.

[Image: Perplexity spies on its users according to its Apple app store profile]

Perplexity and Security

I’d also be very careful about some security questions and topics. Just knowing how your tech stack is set up would be very useful to a state actor who wishes to penetrate your network. I’ve been a bit lax in this direction with too many detailed questions about how to de-Google an Android phone and about LineageOS.

My work in WordPress is no secret, nor are my editorial or photographic craft a guild secret.

And so it probably is with your professional work. To be able to get instant answers with detailed references is almost priceless. Pre-AI, it would have cost at least €500 and more like €1200/month to have an intern handy to do these information errands.

Alternatives

Perplexity’s competition like Claude, Grok or Merlin or recently ChatGPT can now search Google and give references for their answers. But like MP3 players, they do it just a bit worse. Grok is slow, the others hide their references or are simply clunky.

Grok has one informational super-power over Perplexity, which is the ability to search X.com for recent threads and posts. But that’s a story for another article.

For quick answers or step-by-step instructions, with proper references, Perplexity is the sauce. If you have Paypal, enjoy Perplexity free.

AI for Mobile Phone Users

All of you miserable iOS users out there struggling with Apple Intelligence can just add the Perplexity app and never think again about Apple’s empty promises and misleading rhetoric.

As bad as privacy is with Perplexity, the privacy situation with Google is far worse. Android users should prefer Perplexity over Google. To enjoy any remnant of privacy on an Android phone, one should de-Google the phone and make sure to turn off and keep off any AI features which read your email and watch your screen and sort your contacts.

How to share videos on X (Twitter)
https://foliovision.com/2025/12/how-to-share-videos-on-x-twitter
Mon, 01 Dec 2025 13:33:27 +0000

If your article contains a video and you share it on X/Twitter you want the video to play right there. Just like it does in regular X posts:

[Image: X post with a video (link)]

X tells you to use X Cards to adjust the way your posts appear when posted on X. Here’s the standard Summary Card appearance:

[Image: X Summary Card]

It does not display your image in a very attractive way, so there’s the Summary Card with Large Image as well:

[Image: X Summary Card with Large Image]

And finally there is also the Player Card which can display video.

This is from the X Developer Platform documentation page for Player Card:

Video and audio clips have a special place on the Twitter platform thanks to the Player Card. By implementing a few HTML meta tags to your website and following the Twitter Developer Policy, you can deliver your rich media to users across the globe.

However, that’s not exactly the truth.

To create a valid Player Card you need to provide the player link using the twitter:player field. It should show the video player without too much distraction. We can provide exactly that using the FV Player Iframe Embedding.

But the behavior is different on X website and in the X mobile app and never perfect.

How does it show in web browsers

In a standard web browser (desktop or mobile) X will not actually show your player; you end up only getting a small video thumbnail with a play icon:

[Image: The so-called Player Card on X]

Clicking the play icon simply opens your webpage in a new browser tab. The video will not play on X.

How does it show in X mobile app

The situation is different in the iPhone mobile app. Here the actual iframe does load… but only when the post (tweet) is clicked.

Before that it appears as a text with no video thumbnail. How am I supposed to guess there’s a video?

It’s also impossible to click any link to get to your website.

The X mobile app does show which domain the iframe is loaded from. Tapping that will show the “Open in browser” button:

[Image: “Open in browser” link]

However clicking that only opens the iframe URL and not the actual page with your video.

You would have to insert the same link twice in your X post (tweet).

So to compare the way Player Cards are shown in different environments:

                            Web Browser           Mobile App
Video thumbnail             Yes, but very small   No
Link back to your website   Yes                   No
Video playing               No                    Yes

How to share your website videos properly

For these reasons we decided to just use the Summary Card with Large Image. While it will never play the video, the big image looks very attractive and links to your website.

To make it obvious it’s a video, we overlay a play icon on top of the video splash image:

[Image: X Summary Card with Large Image with Play Icon]

This will happen automatically in the FV Player version 8.2 which will be released when we finish more testing.

The other option of course is to upload your marketing videos to X directly.

How FV Player fixed the DigitalOcean Spaces CDN Caching
https://foliovision.com/2025/11/fv-player-digitalocean-cdn-caching
Fri, 14 Nov 2025 12:52:08 +0000

FV Coconut is our free addon plugin for FV Player which makes the video posting and streaming easy (and hopefully one day even fun). It integrates right into your WordPress admin interface.

While we want to keep it simple, we do not want to compromise on streaming performance or video download protection.

Why FV Coconut changed the CDN provider

That’s why in the early days we chose DigitalOcean Spaces for video storage and Bunny CDN for video streaming. The reason to make Bunny CDN part of the setup was that the DigitalOcean Spaces built-in CDN did not support URL signatures. Since FV Coconut comes with a setup wizard it was easy to set it all up and it did not matter if you had to use two services or one.

Later on the DigitalOcean Spaces CDN started to support URL signatures which was great news. We could stop using Bunny CDN which made the setup simpler. We also found that DigitalOcean Spaces CDN offers better overall performance with no slowdowns. Bunny CDN would occasionally run into issues as it had to pull files from DigitalOcean Spaces. So that was the price for mixing different service providers.

With DigitalOcean taking care of both video storage and streaming the situation seemed to be perfect.

If we later need to move to a different provider we can. It just needs to be S3-compatible and allow video streaming in their terms of service.

Being able to switch providers and avoid vendor lock-in is important for both Foliovision and FV Player.

Video Streaming Performance Improvement

However we found that the URL signatures slow down DigitalOcean Spaces CDN. Since the URL signatures are created when a user starts playing the video, each user gets to stream the video using a different set of URLs.

Here’s the first time user plays a video – notice all the cache misses when loading the HLS video segments:

[Image: HLS video streaming: First load with slower load times and cache misses]

The average load time for the HLS video segments above is 141 milliseconds.

When another user plays the video he will again get different URL signatures. The reason is that URL signatures change every second to keep the signature expiration time low.

So we decided to anchor the expiration times to the closest 4 hour time window. That way the streaming URLs only change once in 4 hours and if more users play the same video they will enjoy faster video load times.

Here’s the loading of the HLS video segments with this improvement.

[Image: HLS video streaming: Repeated load with faster load times and all cache hits – thanks to anchoring of the expiration time]

The average load time for the HLS video segments above is 79 milliseconds. That’s a 44% improvement.

Did we lower the video protection?

We chose 4 hours as that’s more than enough if a user is watching a 2 hour long video on mobile with some breaks. This allows the user to watch the video for the full 2 hours and then seek back to the start of it, or watch it for an hour, then put the phone to sleep for 2 hours and continue.

It could be set much lower, to say 15 minutes. FV Player Pro would detect that the video stream has expired and reload the video. But in general it’s better to keep it simpler for the mobile users.

The core of the video download protection is in the HLS encryption. The URL signatures play a secondary role, so it’s not compromising the video protection.

The videos are still protected against downloads with the automated video downloading tools.
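The expiry anchoring and its effect on protection, as an added example that is not FV Player's or DigitalOcean's code: it shows why per-second expiry gives every viewer a different signed URL, why anchored expiry gives the same URL inside one window, and how long a signed URL can stay valid. The HMAC signing scheme, the key, the segment path and the minimum-lifetime rule are assumptions of this sketch, and it assumes the CDN caches on the full URL including the query string.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

WINDOW = 4 * 3600                 # the 4-hour window described above
SECRET = b"constructed-demo-key"  # constructed value, not a real CDN key


def per_request_expiry(now, ttl=WINDOW):
    """Expiry tied to the second of the request: every viewer gets a new URL."""
    return now + ttl


def anchored_expiry(now, window=WINDOW, min_ttl=WINDOW):
    """Expiry rounded up to a window boundary, never sooner than min_ttl away.

    min_ttl is an assumption of this sketch: without it, a viewer who starts
    one second before a boundary would get a URL that expires at once.
    """
    target = now + min_ttl
    return -(-target // window) * window  # ceiling division


def sign_url(path, expires, secret=SECRET):
    """Generic HMAC-SHA256 signature over path and expiry (hypothetical scheme)."""
    message = f"{path}\n{expires}".encode()
    signature = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{path}?expires={expires}&signature={signature}"


def verify_url(url, now, secret=SECRET):
    """Edge-side check: the signature must match and the expiry must be ahead."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        given = query["signature"][0]
    except (KeyError, ValueError):
        return False
    expected = sign_url(parts.path, expires, secret).rsplit("=", 1)[1]
    return hmac.compare_digest(given, expected) and now < expires


def lifetime_bounds(window=WINDOW, min_ttl=WINDOW):
    """Shortest and longest validity, in seconds, of a URL after it is issued."""
    return min_ttl, min_ttl + window - 1


if __name__ == "__main__":
    t0 = 1_763_000_000                      # constructed Unix timestamp
    segment = "/videos/demo/segment-0001.ts"  # constructed HLS segment path
    for name, expiry in (("per-request", per_request_expiry),
                         ("anchored", anchored_expiry)):
        first = sign_url(segment, expiry(t0))
        second = sign_url(segment, expiry(t0 + 1))
        print(name, "same URL for two viewers:", first == second)
    print("validity range in seconds:", lifetime_bounds())
```

The price of the cache hits is the upper bound returned by lifetime_bounds: a copied URL stays usable until the window closes, which is why the HLS encryption, not the signature, carries the download protection.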

Out of the Box WordPress security vs ClassicPress
https://foliovision.com/2025/11/wordpress-security-vs-classicpress
Mon, 10 Nov 2025 16:03:27 +0000

Today I was checking up on ClassicPress, the project created by Gutenberg. Many WordPress developers were fed up with the hundreds of thousands of hours Automattic devoted to Gutenberg, instead of improving WordPress core. Gutenberg was a project to turn a professional CMS (WordPress) into a page builder (Wix). So a group of developers decided to fork WordPress at version 4.9, before Gutenberg became part of core. ClassicPress hasn’t exactly taken off like a rocket, but there is still a core group of contributors who collaborate on a Discourse forum.

It’s quite telling that Discourse is preferred over bbPress, another one of the unloved children of WordPress who could have benefited from a tiny amount of the love and resources Matt Mullenweg squandered on Gutenberg.

A contributor KMH offered a very sensible insight. He mentioned that ClassicPress claims to be more secure than WordPress out of the box, but still requires an enormous amount of hardening to be secure. His suggestions for security issues to be incorporated are:

  • enforce strong passwords
  • limit login attempts to prevent brute forcing passwords
  • change the table prefix
  • change/hide the login URL from /wp-admin or /wp-login
  • prevent usernames from being exposed
  • add math captcha or 2FA to login
  • block bad queries
  • disable theme and plugin editors

These would be very sensible defaults for a WordPress alternative to implement. Otherwise advanced developers like us all waste hours and hours implementing them by hand on every site we build. Less advanced users simply live dangerously or install exotic security plugins which take days to set up properly and still create problems. There is such a thing as too much security: imagine a house where there is a twelve-foot fence, plus three sets of doors each with three sets of locks on them. One could almost never leave the house or receive visitors. By building in enough security, ClassicPress makes publishers’ lives easier and their sites more secure.

More importantly, KMH questioned longstanding WordPress doctrine that “everything should be a plugin”. The ClassicPress team seems to have inherited from Automattic:

In that other thread most of the suggestions to close those exploits by default in the core were “declined” saying it should be handled by a plugin. I don’t really agree with that, I think it’s an opportunity for CP to be more secure than WP out-of-the-box without any plugins. Without admins having to change settings or install a hodgepodge of plugins, trusting they’ll be maintained, remain compatible, are coded rights, and won’t be the weak link that gets the site compromised.

Absolutely. Just make ClassicPress secure out of the box. Force publishers to disable essential security, not hunt for it. The whole WordPress “everything should be a plugin” doctrine was wrong from the beginning. Crippled core has always been a way for Automattic:

  1. to sell WordPress VIP (only real experts like Automattic, Pantheon, Foliovision and later Kinsta and WP Engine could run WordPress sites securely and fast, with millions of monthly visitors)
  2. to push JetPack spyware on the WordPress community (remove so much functionality that if a less technical user wants to have Markdown or decent image management, s/he must install Automattic’s spyware, remember user data is revenue)
  3. to make hosting on WordPress.com more attractive (the only place where one can inexpensively and successfully run a WordPress site is WordPress.com)

The WordPress.com advantage is more or less the truth at this point. If I had to run a hobby WordPress site, I’d probably put it on WordPress.com as I just don’t want to deal with the security and backup issues. Our commercial sites require between twenty and fifty plugins to run properly and securely. Of course most of these sites include quite a bit of advanced functionality which would be near impossible to run on WordPress.com. But if I were looking for the basics, including basic ecommerce, I’d run it on WordPress.com (or Squarespace) at this point. WordPress never grew up, and it was by design.

Returning to the plight of ClassicPress, it’s a project without an identity or a mission. In response to KMH, Founding Committee Member Tim Kaye just repeated the WordPress dogma about keeping WordPress/ClassicPress core crippleware:

Many of those things are handled by a good host. If we put them in core, there’d be a problem of two things trying to do the same thing, which is a recipe for disaster. That’s why they are better in plugins; if your host doesn’t provide them or you run your own server and don’t want to implement these things at server level, you can add a plugin to do so.

The incomplete and insecure out-of-the-box experience requires both a slew of plugins and an advanced hosting provider to run securely. When WordPress.org was still a group of like-minded developers helping one another and creating simple and free plugins which we could all use, the situation was tenable. Now the plugin situation is a used-car lot filled with hundreds of dodgy vendors, each of which offers free crippleware versions with telemetry now (yes Syed Balkhi I’m looking directly at you and the telemetry you added to Pippin’s Easy Digital Downloads, telemetry which cannot be turned off and shares all of a site’s sales numbers directly with Balkhi).

ClassicPress needs a competitive advantage and there is one here for the taking.

Something clear like a “more secure WordPress” would be a good start. “No plugins required. We’ve got your back,” would be a good second act.

What’s so very annoying about WordPress is how Gutenberg and the page builder mania has made WordPress so much clunkier and less productive a CMS. I’d love to try to explain to people that ClassicPress is a high productivity CMS, not just a page builder but that’s probably too much thinking for the current publisher crowd who are far too interested in fiddling with blocks and not nearly interested enough in building out content quickly and efficiently.

Tim Kaye does mention that ClassicPress does a couple of security basics better:

First, ClassicPress uses a much stronger form of hashing than we inherited from WordPress. We use bcrypt instead of md5. Secondly, ClassicPress ships with a Pepper plugin. You can also download it from ClassicPress Pepper for Passwords | ClassicPress Plugin. This is in addition to the built-in “salt” that has traditionally been added to the hashing mechanism.

Third, the ability to disable both Emoji and XML-RPC is built into ClassicPress. Just go to Settings -> General and scroll down to check the boxes to turn them off.

That’s a good start but not enough. Most of KMH’s suggested security measures should be in ClassicPress core. As KMH points out:

These measures should be in the core IMO. Especially with the mission statement asserting “We aim to provide a CMS that is…secure…” It doesn’t seem much more secure than WP, which isn’t very secure at all or we wouldn’t need a pile of third-party plugins just to secure it.

This is a great idea. One of the issues which annoys me so much about Automattic WordPress is intentional neglect of core functionality. Basics like a form system, basic SEO (something like our FV Simpler SEO, nothing complex), caching, performance improvements, an SMTP plugin – all of that should be built-in. In a simple and robust way.

That way if a forms plugin wishes to further enhance the WordPress forms logic, the path is straightforward. Use the existing functionality and build on top.

ClassicPress should abandon once and for all the deliberate crippling of the WordPress CMS. Automattic has already locked up the broken car paradigm with subscription heated seats in the CMS space. ClassicPress should be secure and great, straight out of the box.

Remembering the Audio Track Language
https://foliovision.com/2025/11/remembering-audio-track-language
Wed, 05 Nov 2025 11:26:36 +0000

FV Player version 8.1 remembers the audio track for your users.

It’s a great feature if your website offers videos with multiple languages, as the user only has to pick his preferred language once.

Here’s the Edgar Allan Poe poem Raven presented in English, German and Spanish. Once you pick your audio track, you will always get it in the future.

[This post contains video, click to play]

We want to improve this further, so that we autodetect the language setting of the user’s browser to give him the right audio track right away.

This adds to the playback preferences which we already store for the users:

  • Last video position for each video
  • Last AB Loop start/end markers for a video

We store these in the database so that a logged-in user who moves from one device to another can continue watching the video where he left off. For non-logged-in users they are just stored in the browser localStorage.

There are also playback preferences which we only store in browser localStorage:

  • Video quality
  • Playback volume
  • Playback speed
  • Video subtitles language
  • Video transcript language

The last two settings should also be saved in the database.

With browser language detection we could also show subtitles automatically for non-English users.

How to make tinyMCE plugin 4.9 more user-friendly and less dangerous
https://foliovision.com/2025/10/fix-tinymce
Mon, 27 Oct 2025 19:25:03 +0000

TinyMCE is a strange open source project which is no longer even open source. To use the current version 6, one has to put up with a cloud version and agree to pay at least $1000/year. The free version is crippleware – TinyMCE publishers have removed basic functionality like Clean Paste from MS Word. To have access to even a standard feature like revisions, a publisher must be on the Pro plan at $145/month. Even if a publisher agrees to pay for Pro, revisions are another $787/year. Version 5 is the last mixed license version but is less popular as it requires quite a few changes and is a dead end, with important functionality already removed and made commercial.

TinyMCE Pricing 2025

A constantly shifting feature set and high per-site pricing are why many open source projects continue to use version 4.9.x of TinyMCE. This includes WordPress in its classic editor, so TinyMCE still has a large footprint. Some other notable projects include Mosaico email builder, AngularJS, BackDrop. Or in this case, The Newsletter Plugin.

The Newsletter plugin for WordPress is quite powerful. But the admin interface is quite complex and not particularly intuitive. A user must plan to take the time to learn how things work. It looks like The Newsletter author planned for users to create and edit their newsletters elsewhere and just paste the result into The Newsletter.

However, if a publisher regularly sends a newsletter it’s a lot easier to have a template inside The Newsletter plugin and just fill in the blanks there. The built-in editor is overfeatured. Instead of using the minimalist WordPress Classic editor, The Newsletter plugin included their own version of TinyMCE 4.9.11 (same version as WordPress but very different configuration).

This is what the editor looks like:

Default tinyMCE configuration in The Newsletter plugin

It’s clear that it has too many formatting options, including Font Family, Font Sizes, the colors and also a whole menu from File, through Edit down to Table.

If your editor copies and pastes from something like Microsoft Word, horrible HTML markup is added and your newsletters can never look good.

The improved configuration

This is what our improved editor looks like:

Improved tinyMCE configuration in The Newsletter plugin

As you can see we got rid of the menu bar completely. The only useful thing in it is View -> Source code, which we moved to the toolbar instead.

For the toolbar we are only keeping:

  • the block format dropdown (to let users pick headings)
  • the link button
  • bold, italic, strikethrough, alignment and lists
  • the “Paste as text” button.

The “Paste as text” button is very important. We have it enabled by default to ensure no bad HTML is carried over from other browsers or word processors.

You can still hit the button to enable rich pasting, but it’s still restricted to basic HTML – enough to make sure your links and bold text are carried over.

We are sharing our configuration with the world to help other The Newsletter users. The improved configuration looks like this:

tinymce.init({
  height: 600,
  mode: "specific_textareas",
  editor_selector: "visual",
  statusbar: true,
  allow_conditional_comments: true,
  menubar: false,
  table_toolbar: "tabledeleterow",
  toolbar: "formatselect | link | pastetext | bold italic strikethrough | alignleft aligncenter | bullist numlist | code",
  block_formats: 'Paragraph=p;Header 1=h1;Header 2=h2;Header 3=h3;Header 4=h4',
  formats: {
      h1: {
        block: 'h1', styles: {
          fontSize: '', lineHeight: '', marginTop: '', marginBottom: ''
        }
      },
      h2: {
        block: 'h2', styles: {
          fontSize: '', lineHeight: '', marginTop: '', marginBottom: ''
        }
      },
      h3: {
        block: 'h3', styles: {
          fontSize: '', lineHeight: '', marginTop: '', marginBottom: ''
        }
      },
      h4: {
        block: 'h4', styles: {
          fontSize: '', lineHeight: '', marginTop: '', marginBottom: ''
        }
      },
      p: {
        block: 'p',
        styles: {
          'fontSize': '16px',
          'lineHeight': '24px',
          'marginTop': '17px',
          'marginBottom': '17px',
          'textAlign': 'left'
        }
      },
  },
  entity_encoding: "raw",
  image_advtab: true,
  image_title: true,
  paste_as_text: true,
  paste_plaintext_inform: false,
  plugins: "paste table fullscreen legacyoutput textcolor colorpicker link image code lists fullpage",
  relative_urls: false,
  convert_urls: false,
  remove_script_host: false,
  document_base_url: " /* The WordPress homepage URL is here */ ",
  content_css: [ /* They load their plugin editor CSS files here */ ]
});

The changes are:

  • menubar: false is what removes the menu bar
  • In table_toolbar we only kept tabledeleterow as we are not editing tables. We only use tables to create newsletter layout with best compatibility for bad email clients (Outlook).
  • toolbar was customized to only include items which we need.
  • Added paste plugin, along with paste_as_text: true and paste_plaintext_inform: false configuration variables – note that WordPress Classic Editor uses this plugin too
  • Removed advlist from plugins, as it adds the “down” arrows to the list buttons, letting you customize the bullet styles
  • We added the block_formats and formats configuration to control which block styles are available.
    • The P tag styles include what we need to style the basic text in our newsletters to ensure maximum compatibility.
    • The empty CSS attributes for headings ensure you can switch from paragraph to headings easily.

The downside is that this customization has to be done in the emails/editortinymce.php file of The Newsletter plugin, but we can probably replace that with a WordPress action hook for the menu.
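Because the settings live in a plugin file, and WordPress replaces plugin files on update, it helps to check that the hardened values are still in effect. The following is an added example, not code from The Newsletter or from this post: it audits a settings object against the changes listed above. The names `auditEditorConfig`, `EXPECTED`, `HARDENED` and `DRIFTED` are assumptions made for illustration, and `DRIFTED` is a constructed sample.

```javascript
// Added example (not The Newsletter's or Foliovision's code).
// EXPECTED mirrors the settings listed on this page; auditEditorConfig is a hypothetical helper.
const EXPECTED = {
  flags: { menubar: false, paste_as_text: true, paste_plaintext_inform: false },
  toolbarAllow: ["formatselect", "link", "pastetext", "bold", "italic", "strikethrough",
    "alignleft", "aligncenter", "bullist", "numlist", "code"],
  requiredPlugins: ["paste"],
  forbiddenPlugins: ["advlist"],
};

// TinyMCE 4 accepts "a b | c" strings or arrays; return the bare item names.
function items(value) {
  return [].concat(value || []).join(" ").split(/[\s,|]+/).filter(Boolean);
}

function auditEditorConfig(settings) {
  const findings = [];
  for (const [key, want] of Object.entries(EXPECTED.flags)) {
    if (settings[key] !== want) findings.push(`${key}: expected ${want}, found ${settings[key]}`);
  }
  if (typeof settings.toolbar === "undefined") {
    findings.push("toolbar: not set, so the editor falls back to its default buttons");
  } else {
    const extra = items(settings.toolbar).filter((b) => !EXPECTED.toolbarAllow.includes(b));
    if (extra.length) findings.push(`toolbar: unexpected buttons ${extra.join(", ")}`);
  }
  const plugins = items(settings.plugins);
  for (const p of EXPECTED.requiredPlugins) {
    if (!plugins.includes(p)) findings.push(`plugins: missing ${p}`);
  }
  for (const p of EXPECTED.forbiddenPlugins) {
    if (plugins.includes(p)) findings.push(`plugins: ${p} should be removed`);
  }
  return findings;
}

// The hardened values from this page (only the audited keys).
const HARDENED = {
  menubar: false, paste_as_text: true, paste_plaintext_inform: false,
  toolbar: "formatselect | link | pastetext | bold italic strikethrough | alignleft aligncenter | bullist numlist | code",
  plugins: "paste table fullscreen legacyoutput textcolor colorpicker link image code lists fullpage",
};
// Constructed sample of a reverted file: menu bar back, font and colour buttons, no paste plugin.
const DRIFTED = {
  toolbar: "formatselect fontselect fontsizeselect | bold italic forecolor | bullist numlist",
  plugins: "table advlist link lists textcolor", paste_as_text: false,
};

console.log(auditEditorConfig(HARDENED));
console.log(auditEditorConfig(DRIFTED));
```

To check the live editor rather than a copied object, run `auditEditorConfig(tinymce.activeEditor.settings)` in the browser console on the newsletter edit screen.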

Inserting images

One other change which is not included above is tweaking the tnp_media() function of The Newsletter which creates the image HTML when inserting images from the WordPress Media Library.

It sets the img variable like this:

var img = '<img src="proxy.php?url=' + url + '" style="width: ' + width + 'px; height: ' + height + 'px">';

That prevents proper image sizing in the newsletter, so instead of that we use our own inline styling – once again for maximum newsletter HTML compatibility:

var img = '<img src="proxy.php?url=' + url + '" style="border: 0; display: block; outline: none; text-decoration: none; height: auto; width: 100%; font-size: 13px; " />';

With these TinyMCE improvements, it’s possible for clients to efficiently build newsletters in The Newsletter plugin with an existing The Newsletter template. Getting that template right is a story in itself. The short answer is that one should edit a The Newsletter template directly in the PHP.

Honestly The Newsletter plugin is not my favourite way to build a newsletter. The Sendy editor (CK Editor) is more to my taste. What one can’t beat with The Newsletter though is the direct integration with the WordPress user database. If your website is based on WordPress and your users log in, you already have a lightweight ready CRM (customer relationship management system) right there. This includes using a WordPress users based membership plugin like RCP, Easy Digital Downloads or WooCommerce members.
