Definition: GDPR

GDPR stands for General Data Protection Regulation. It is a European Union (EU) law that came into effect on 25 May 2018. GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person). It applies to all organisations within the EU, as well as those supplying goods or services to the EU or monitoring EU citizens. It is therefore essential for businesses and organisations to understand exactly what GDPR means. It is the legislative force established to protect the fundamental rights of data subjects whose personal information and sensitive data are stored by organisations. Data subjects now have the right to demand access to their personal information, and the right to demand that an organisation destroys it. These regulations affect most sectors of business, from marketing to health services. Therefore, to avoid the crippling fines administered by the Information Commissioner’s Office (ICO), it is essential to become GDPR compliant.

GDPR Key Principles:

  • Lawfulness, transparency and fairness
  • Only using data for the specific, lawful purpose for which it was obtained; the most lenient such basis is legitimate interests
  • Only acquiring data that we strictly need
  • Ensuring any data we possess is accurate
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Why Is GDPR Important?

Primarily, GDPR is important because it provides a single set of rules for all EU organisations to adhere to, giving businesses a level playing field and making the transfer of data between EU countries quicker and more transparent. It also empowers EU citizens by giving them more control over the ways in which their personal data is used. Before the new GDPR legislation was introduced, the European Commission found that a mere 15% of citizens felt that they had complete control over the information they provided online. With such low trust amongst the general public, it is clear that consumer habits will ultimately be affected. Measures to rebuild this confidence, through the introduction and proper implementation of GDPR, are expected to increase trade. Thorough implementation of data protection policies and staff education are important, as non-compliance could result in a data breach. The Information Commissioner’s Office (ICO) can issue fines of up to 4% of your annual turnover or €20 million, whichever is greater, in the event of a serious data breach. Data protection training is a necessity in mitigating the risk of data breaches.

Source and more details: https://www.delta-net.com/knowledge-base/compliance/gdpr/what-is-gdpr-in-simple-terms/

Full legal text of GDPR: https://gdpr-info.eu/

Several Critical Vulnerabilities Patched in UserPro WordPress Plugin

On May 1, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for multiple high and critical severity vulnerabilities they discovered in Kirotech’s UserPro plugin, which is actively installed on more than 20,000 WordPress websites.

Firewall rules were released by Wordfence in May and July. Wordfence states that it has no evidence to suggest that these vulnerabilities were known or targeted during this period, nor that they are currently being targeted.

We made an initial attempt to contact Kirotech, the vendor of UserPro, on May 1, 2023, but we did not receive a response until May 10, 2023, after many additional attempts. After providing full disclosure details, the developer released the first patch on July 27, 2023, and the final patch on October 31, 2023.

We urge users to update their sites to the latest patched version of UserPro, which is version 5.1.5 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/11/several-critical-vulnerabilities-including-privilege-escalation-authentication-bypass-and-more-patched-in-userpro-wordpress-plugin

It’s Still Easy for Anyone to Become You at Experian

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.

Entering my SSN and birthday at Experian showed my identity was tied to an email address I did not authorize.

I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn’t verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn’t recognize my username and/or password.

A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).

I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year’s story, Experian, You Have Some Explaining to Do. So once again I sought to re-register as myself at Experian.

The homepage said I needed to provide a Social Security number and mobile phone number, and that I’d soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian’s website would not balk. Regardless, users can simply skip this step by selecting the option to “Continue another way.”

Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer three to five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we’ve previously lived at — information that is just a Google search away.

Assuming you sail through the multiple-choice questions, you’re prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you’re directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.

At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn’t a request seeking verification: It’s just a notification from Experian that the account’s user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.

If you don’t have an Experian account, it’s a good idea to create one. Because at least then you will receive one of these emails when someone hijacks your credit file at Experian.

And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also. Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!

In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.
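The re-registration weakness described above, next to the behaviour attributed to the other two bureaus, as an added example that is not Experian's or anyone's real code: a toy account store where the weak policy overwrites the account's contact details for anyone who presents the SSN and only notifies the old address afterwards, and the hardened policy changes nothing until a code sent to the on-file contact is confirmed. Class and field names are hypothetical; the knowledge-based questions are modelled as already passed, since the article notes their answers are largely public.

```python
"""Re-registration account takeover: weak vs hardened identity-collision handling."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    ssn: str
    email: str
    phone: str
    pin: str


@dataclass
class Bureau:
    # False reproduces the flow the article describes; True requires proof of
    # possession of a contact already on file before any detail changes.
    require_existing_factor: bool
    accounts: dict = field(default_factory=dict)  # ssn -> Account
    outbox: list = field(default_factory=list)    # (channel, destination, message)
    pending: dict = field(default_factory=dict)   # ssn -> (code, replacement Account)

    def register(self, ssn: str, email: str, phone: str, pin: str) -> str:
        current = self.accounts.get(ssn)
        if current is None:
            self.accounts[ssn] = Account(ssn, email, phone, pin)
            return "created"
        replacement = Account(ssn, email, phone, pin)
        if not self.require_existing_factor:
            # Weak: the SSN collision is treated as the same person returning.
            # Contact details, PIN and password are overwritten, and the only
            # message to the previous owner is a notification after the fact.
            self.accounts[ssn] = replacement
            self.outbox.append(("email", current.email, "Your profile details have changed."))
            return "replaced"
        # Hardened: hold the new details and challenge the contacts on file.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[ssn] = (code, replacement)
        self.outbox.append(("email", current.email, f"Verification code: {code}"))
        self.outbox.append(("sms", current.phone, f"Verification code: {code}"))
        return "challenge_sent"

    def confirm(self, ssn: str, code: str) -> bool:
        """Apply the pending change only if the caller presents the code that was
        delivered to the existing email address or phone number."""
        entry = self.pending.get(ssn)
        if entry is None or not secrets.compare_digest(entry[0], code):
            return False
        self.accounts[ssn] = entry[1]
        del self.pending[ssn]
        return True


def takeover_succeeds(bureau: Bureau, victim_ssn: str, attacker_email: str, attacker_phone: str) -> bool:
    """Threat model from the article: the attacker knows the victim's SSN and
    date of birth and supplies their own email and phone. Returns True if the
    account's contact email now belongs to the attacker."""
    bureau.register(victim_ssn, attacker_email, attacker_phone, "0000")
    return bureau.accounts[victim_ssn].email == attacker_email
```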

Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.

“To ensure the protection of consumers’ identities and information, we have implemented a multi-layered security approach, which includes passive and active measures, and are constantly evolving,” Experian spokesperson Scott Anderson said in an emailed statement. “This includes knowledge-based questions and answers, and device possession and ownership verification processes.”

Anderson said all consumers have the option to activate a multi-factor authentication method that’s requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?

Several readers who spotted my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michigan who works in the biotechnology industry. @Jackerbee said when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to “manually enter my information.”

“I put my second phone number and the new email address,” he explained. “I received a single email in my original account inbox that said they’ve updated my information after I ‘signed up.’ No verification required from the original email address at any point. I also did not receive any text alerts at the original phone number. The especially interesting and egregious part is that when I sign in, it does 2FA with the new phone number.”

The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.

“The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming, ‘Welcome back, Pete!,’ and granting full access,” @PeteMayo wrote. “I feel silly saving my password for Experian; may as well just make a new account every time.”

I was fortunate in that whoever hijacked my account did not also thaw my credit freeze. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.

It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.

In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

More greatest hits from Experian:

2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service

Source: https://krebsonsecurity.com/2023/11/its-still-easy-for-anyone-to-become-you-at-experian/

Warning: New Outlook sends passwords, mails and other data to Microsoft

“Microsoft steals access data” – When the well-known German IT portal “Heise Online” uses such drastic words in its headline, then something is up. If Microsoft has its way, all Windows users will have to switch to the latest version of Microsoft Outlook. But: Not only can the IMAP and SMTP access data of your e-mail account be transferred to Microsoft, but all e-mails in the INBOX can also be copied to the Microsoft servers, even if you have your mailbox with a completely different provider such as mailbox.org.

Main risk: Transferring your data to Microsoft

“Synchronisation with the Microsoft server” – and everything is copied!

If you set up a new account in the software, Microsoft offers a supposed security function: It says that non-Microsoft accounts are synchronised with the Microsoft cloud and that copies of “emails, calendars and contacts are therefore synchronised between your email provider and Microsoft data centres”.

Anyone who reads this carefully may well be taken aback. But we all know how easy it is to agree to supposed trivialities without reading them and to click away notices, especially when setting up software. Given the drastic consequences of giving consent here, Microsoft’s warnings and explanations are probably too inconspicuous. Only a few users will realise that they are giving Microsoft comprehensive access to passwords, mail and more. Therefore, once again, clearly:

Microsoft gets full access to mails, calendars and contacts!

But not only Windows users are at risk: Outlook versions for iOS, Mac and even Android are also affected, according to Heise.

mailbox.org warns against using the new Microsoft Outlook

mailbox.org warns its users: there is a high risk that sensitive data may be transmitted to Microsoft when using the new Outlook! And by the way: this compromised data includes not only emails, but also calendar and contact data.

For business customers, storing personal data in this way (even unintentionally) may constitute a GDPR violation that is subject to fines. After all, storing data in the Microsoft cloud legally constitutes data processing, which requires a data processing agreement (DPA) with Microsoft – and companies may have to declare it as such in their privacy notices and in their record of processing activities. It is irrelevant whether this happens through a deliberate decision by company management or ultimately through the uninformed consent of an individual employee.

Our recommendation

Whether business or private: We strongly advise all our customers not to use the new Outlook! And we have the following alternatives for you:

  • Another e-mail client: We advise you to switch to the popular e-mail client “Thunderbird” on your computer. This is compatible with Windows and easy to set up. On mobile devices, there are a number of different IMAP mail clients, such as FairEmail and K9 Mail (which will also be called Thunderbird in the future).
  • Using the webmailer: As a mailbox.org customer, you can use our secure webmail portal at any time, which offers an excellent alternative to desktop email clients. In addition to mail, calendar and contacts, you also have secure access to files and Office documents – and your personal video conference with OpenTalk is just a click away.

We do everything we can to protect the security and privacy of your e-mail communication. But we also need your help: make sure you use apps from providers that respect and protect your privacy and security.

Update

The German Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, is also alarmed: On the social media network Mastodon, he described the data collection as “alarming” and announced his intention to pursue the issue at European level through the data protection authorities as early as next Tuesday.

Source: https://mailbox.org/en/post/warning-new-outlook-sends-passwords-mails-and-other-data-to-microsoft

Unauthenticated SQL Injection Vulnerability Addressed in WP Fastest Cache 1.2.2

During an internal review of the WP Fastest Cache plugin, the WPScan team discovered a serious SQL injection vulnerability. This vulnerability may allow unauthenticated attackers to read the full contents of the WordPress database using a time‑based blind SQL injection payload.

Upon discovering the vulnerability, we promptly alerted the plugin development team, who released version 1.2.2 to fix the issue. It is crucial for administrators to ensure their WordPress installations are fully updated to safeguard against this vulnerability.
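Time-based blind injection leaves two traces a site operator can look for, as an added example that is not from the WPScan post or the plugin: a delay primitive in a decoded request URL, and repeated, uniformly slow responses from one client to one endpoint (the second signal matters because the injected string may travel in a cookie or POST body and never appear in the URL). The parser assumes Apache combined format with the response time in microseconds appended via the %D directive; all log lines are constructed.

```python
"""Spotting time-based blind SQL injection probing in web server logs."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<micros>\d+)$'
)

# Delay functions used by time-based blind payloads. WordPress runs on
# MySQL/MariaDB (SLEEP, BENCHMARK); the rest cover other engines.
DELAY_RE = re.compile(
    r'\b(sleep|benchmark|pg_sleep|waitfor\s+delay|dbms_lock\.sleep)\b', re.I
)


def parse(line: str):
    """Return a dict of fields, or None for a line not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') become visible.
    rec["path"] = unquote_plus(unquote_plus(rec["path"]))
    rec["micros"] = int(rec["micros"])
    return rec


def flag_delay_payloads(lines):
    """(ip, decoded path) for every request whose URL contains a delay primitive."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and DELAY_RE.search(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits


def flag_slow_probing(lines, min_ms=4000, min_count=2):
    """Client IPs with at least min_count responses slower than min_ms to one path.

    Blind payloads make the server wait a fixed number of seconds for each true
    condition, so a run of uniformly slow requests to the same endpoint stands
    out even when the injected string itself is never logged."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec and rec["micros"] >= min_ms * 1000:
            counts[(rec["ip"], rec["path"].split("?", 1)[0])] += 1
    return sorted({ip for (ip, _), n in counts.items() if n >= min_count})


# Constructed sample: one client probing the search parameter (two true
# conditions, one false), one legitimate client with a single slow page load,
# and one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2023:10:00:01 +0000] "GET /?s=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 120000',
    '203.0.113.7 - - [10/Nov/2023:10:00:05 +0000] "GET /?s=x%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5200000',
    '203.0.113.7 - - [10/Nov/2023:10:00:12 +0000] "GET /?s=x%27%20AND%20IF%281%3D1%2CSLEEP%285%29%2C0%29--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5100000',
    '203.0.113.7 - - [10/Nov/2023:10:00:19 +0000] "GET /?s=x%27%20AND%20IF%281%3D2%2CSLEEP%285%29%2C0%29--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 150000',
    '198.51.100.4 - - [10/Nov/2023:10:00:20 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 90000',
    '198.51.100.4 - - [10/Nov/2023:10:00:25 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 4500000',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, path in flag_delay_payloads(SAMPLE_LOG):
        print(f"delay primitive from {ip}: {path}")
    print("slow probing from:", flag_slow_probing(SAMPLE_LOG))
```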

Source and more details: https://a8cteam5105.wordpress.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/

Possible site takeover through stolen API credentials in combination with SQLi – (MalCare <= 5.09)

MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites.

Requests are authenticated by comparing a shared secret stored as plaintext in the WordPress database to the one provided by MalCare’s remote application.

This can allow attackers to completely take over the site because they can impersonate MalCare’s remote application and perform any implemented action, including, but not limited to:

  • Creating malicious admin users.
  • Uploading arbitrary files to the site.
  • Installing/Removing plugins.
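The design flaw described above, as an added example in Python that is not MalCare's or WordPress's code: the weak variant keeps the API secret itself in the site database, so anything that can read the database (malware, SQL injection) recovers a credential that authenticates; the hardened variant stores only a SHA-256 digest of the secret, so a database read yields a value that does not. Class names and the `remote_api_*` option keys are hypothetical.

```python
"""Plaintext shared secret vs stored digest for remote-service API authentication."""
import hashlib
import hmac
import secrets


def digest(secret: str) -> str:
    # The secret is a 256-bit random token, not a human-chosen password, so an
    # unsalted fast hash is adequate: there is nothing to guess or precompute.
    return hashlib.sha256(secret.encode()).hexdigest()


class PlaintextSecretSite:
    """Weak design: the options table (constructed stand-in) holds the secret itself."""

    def __init__(self) -> None:
        self.db = {"remote_api_secret": secrets.token_hex(32)}

    def issue(self) -> str:
        # Value handed to the remote application when the plugin is connected.
        return self.db["remote_api_secret"]

    def verify(self, presented: str) -> bool:
        # Constant-time compare, but the stored value IS the credential.
        return hmac.compare_digest(self.db["remote_api_secret"], presented)


class HashedSecretSite:
    """Hardened design: the database holds only digest(secret)."""

    def __init__(self) -> None:
        # Kept in memory here only so the example can hand it to the remote
        # side; a real site would discard it once the remote has received it.
        self._issued = secrets.token_hex(32)
        self.db = {"remote_api_secret_hash": digest(self._issued)}

    def issue(self) -> str:
        return self._issued

    def verify(self, presented: str) -> bool:
        # The remote application sends the raw token over TLS on each request;
        # the site hashes it and compares digests in constant time.
        return hmac.compare_digest(self.db["remote_api_secret_hash"], digest(presented))


def database_leak_authenticates(site) -> bool:
    """Attacker model from the disclosure: code with read access to the database
    replays every stored value as if it were the API credential."""
    return any(site.verify(value) for value in site.db.values())
```

The stored-digest variant still lets the legitimate remote authenticate, but it turns the database from a credential store into something that is useless on its own; the malware-reinfection scenario the disclosure describes depends on the former.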

This is exploitable if any of the below pre-conditions are given:

MalCare has received the full details of this vulnerability three months before this public release, and despite us offering (free) help, they subtly dismissed it because “supposedly” this is the industry standard for API authentication.

Note: WPUmbrella had the same conceptual vulnerability and fixed it within days.

Furthermore, concerns were raised because the vulnerability requires a pre-condition that, on its own, would be a vulnerability.

While this is true, the irony should be obvious here:

  • MalCare, being a Malware Scanner, is only “useful” if your site has been infected with Malware.
  • All Malware can read data from the database and steal the shared secret.
  • Instead of infecting sites with “actual” Malware, hackers can steal the API key and then remove the Malware.
  • ==> MalCare gives any Malware an undetectable, indefinite backdoor that can be used to reinfect sites repeatedly.

WPRemote and Blogvault have identical vulnerabilities because they all share 99% of their code.

Source: https://snicco.io/vulnerability-disclosure/malcare/site-takeover-through-stolen-api-credentials-in-combination-with-sqli-malcare-5-09

The Fake Browser Update Scam Gets a Makeover

One of the oldest malware tricks in the book — hacked websites claiming visitors need to update their Web browser before they can view any content — has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.

Image: a warning that the Chrome browser needs to be updated, showing several devices (phone, monitor, etc.) open to Google and an enticing blue button to click in the middle.

In August 2023, security researcher Randy McEoin blogged about a scam he dubbed ClearFake, which uses hacked WordPress sites to serve visitors with a page that claims you need to update your browser before you can view the content.

The fake browser alerts are specific to the browser you’re using, so if you’re surfing the Web with Chrome, for example, you’ll get a Chrome update prompt. Those who are fooled into clicking the update button will have a malicious file dropped on their system that tries to install an information stealing trojan.

Earlier this month, researchers at the Tel Aviv-based security firm Guardio said they tracked an updated version of the ClearFake scam that included an important evolution. Previously, the group had stored its malicious update files on Cloudflare, Guardio said.

But when Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and “smart contracts,” or coded agreements that execute actions automatically when certain conditions are met.

Nati Tal, head of security at Guardio Labs, the research unit at Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract’s functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.

“These contracts offer innovative ways to build applications and processes,” Tal wrote along with his Guardio colleague Oleg Zaytsev. “Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted ‘on-chain’ without the ability for a takedown.”

Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact.

“So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces,” Tal said.

Attacker-controlled BSC addresses — from funding, contract creation, and ongoing code updates. Image: Guardio

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts.

“This model is designed to proactively identify and mitigate potential threats before they can cause harm,” BNB Smart Chain wrote. “The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible.”

Guardio says the crooks behind the BSC malware scheme are using the same malicious code as the attackers that McEoin wrote about in August, and are likely the same group. But a report published today by email security firm Proofpoint says the company is currently tracking at least four distinct threat actor groups that use fake browser updates to distribute malware.

Proofpoint notes that the core group behind the fake browser update scheme has been using this technique to spread malware for the past five years, primarily because the approach still works well.

“Fake browser update lures are effective because threat actors are using an end-user’s security training against them,” Proofpoint’s Dusty Miller wrote. “In security awareness training, users are told to only accept updates or click on links from known and trusted sites, or individuals, and to verify sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit and is now asking them to update their browser.”

More than a decade ago, this site published Krebs’s Three Rules for Online Safety, of which Rule #1 was, “If you didn’t go looking for it, don’t install it.” It’s nice to know that this technology-agnostic approach to online safety remains just as relevant today.

Source: https://krebsonsecurity.com/2023/10/the-fake-browser-update-scam-gets-a-makeover/

WordPress 6.4.1 Fixes a Critical cURL/Requests Bug

WordPress contributors have worked quickly over the past 24 hours to prepare a 6.4.1 maintenance release after a critical bug emerged from a change in the Requests library, causing problems with updates on servers running older versions of cURL.

Hosting companies began reporting widespread impact of the bug. Tom Sommer, from one of Denmark’s largest hosting companies, filed a GitHub issue outlining how the cURL timeouts were affecting sites:

  • #657 breaks downloads towards https://api.wordpress.org/ and many other sites when using Curl 7.29.0 (and perhaps other versions)
  • Error: RuntimeException: Failed to get url 'https://api.wordpress.org/core/version-check/1.7/?locale=en_US': cURL error 28: Operation timed out after 10000 milliseconds with 807 out of -1 bytes received.
  • It also causes issues with the REST API in Site Health with the error: REST API response: (http_request_failed) cURL error 28: Operation timed out after 10005 milliseconds with XXX out of XXX bytes received
  • It also prevents WordPress plugin and core updates, basically anything that relies on the internal Curl handler in WordPress.

The issue became a top priority as it wasn’t clear how it would be possible for users to receive an update.

“Even if you fix this now the issue prevents any future auto-upgrade to a 6.4.1, since it breaks Curl requests, so the only way for people to update would be manually,” Sommer said. “The longer you wait, the bigger the problem will become.”

Nexcess reported tens of thousands of sites being affected by the bug. The issue was beyond what most users would be able to patch manually on their own, leaving hosts to figure out how to update their customers.

“All my websites locked after updating to WordPress 6.4,” Javier Martín González reported. “The ones without updates are working normally.”

The bug was also reported to be causing potential Stripe API, WP-Admin, and performance issues.

Liquid Web/Nexcess product manager Tiffany Bridge summarized how this problem emerged:

It looks like:

  • Someone reported a bug having to do with an interaction between his Intrusion Protection System and WordPress
  • They then submitted their own patch to WordPress
  • The project lead for that area asked the submitter to write tests, which he did not do
  • Then they merged the PR anyway, despite the lack of tests
  • Meanwhile hosts are all going to have to revert that change ourselves on our own fleets so that our customers can still have little things like core and plugin updates if we are running an affected cURL version. (7.29 confirmed, there may be others)

WordPress core contributors will have to get to the bottom of how this bug was allowed through, via a postmortem or other discussion to prevent this from happening on such a large scale in the future.

WordPress 6.4.1 updates the Requests library from version 2.0.8 to 2.0.9 as a hotfix release to mitigate the issue. It reverts the problematic change. Version 6.4.1 also includes fixes for three other separate issues. Automatic updates shipped out this evening for anyone with sites that support automatic background updates.

Source: https://wptavern.com/wordpress-6-4-1-fixes-a-critical-curl-requests-bug

Introducing Twenty Twenty-Four Theme

When it comes to designing a website, one size doesn’t fit all. We understand that every WordPress user has unique needs and goals, whether you’re an aspiring entrepreneur, a passionate photographer, a prolific writer, or a bit of them all. That’s why we are thrilled to introduce Twenty Twenty-Four, the most versatile default theme yet—bundled with WordPress 6.4 and ready to make it uniquely yours.

A theme for every style

Unlike past default themes, Twenty Twenty-Four breaks away from the tradition of focusing on a specific topic or style. Instead, this theme has been thoughtfully crafted to cater to any type of website, regardless of its focus. The theme explores three different use cases: one designed for entrepreneurs and small businesses, another for photographers and artists, and a third tailored for writers and bloggers. Thanks to its multi-faceted nature and adaptability, Twenty Twenty-Four emerges as the perfect fit for any of your projects.

As you dive into its templates and patterns, you will notice how the new Site Editor functionality opens up different pathways for building your site seamlessly.

Patterns at every step

Whether you’re looking to craft an About page, showcase your work, handle RSVPs, or design captivating landing pages, Twenty Twenty-Four has got you covered. Choose from an extensive collection of over 35 beautiful patterns to customize and suit your needs.

For the first time, this theme features full-page patterns for templates like homepage, archive, search, single pages, and posts. Some are exclusively available during the template-switching and creation process, ensuring you have the right options when you need them.

Moreover, you can take advantage of a variety of patterns for page sections, such as FAQs, testimonials, or pricing, to meet your site’s most specific requirements.

With this diverse pattern library, Twenty Twenty-Four offers a flexible canvas to quickly assemble pages without having to start from scratch—saving you time and energy in the creation process. Just let your creativity flow and explore the possibilities!

Screenshots of Twenty Twenty-Four patterns.

Site editing in its finest form

Twenty Twenty-Four ushers in a new era of block themes by bringing together the latest WordPress site editing capabilities. Discover newer design tools such as background image support in Group blocks and vertical text, providing an intuitive and efficient way to create compelling, interactive content.

Find image placeholders with predefined aspect ratio settings within patterns, allowing you to drop images that perfectly fill the space. To go one step further, make your visuals interactive by enabling lightboxes. Ideal for showcasing galleries or portfolio images, this feature allows your visitors to expand and engage with them in full-screen mode. Activate it globally for all images throughout your site or for specific ones.

For a smoother browsing experience on your site, you can disable the “Force page reload” setting in the Query Loop block. This allows the necessary content to be loaded dynamically when switching between different pages without needing a full-page refresh.

Elegance with purpose

Twenty Twenty-Four goes beyond versatility with a beautiful aesthetic inspired by contemporary design trends, giving your website a sleek and modern look. Key design elements include:

  • Cardo font for headlines: The Cardo font adds a touch of elegance to your site, creating a sophisticated visual experience.
  • Sans-serif system font for paragraphs: The sans-serif font ensures that your texts are cleaner and easier to read, enhancing overall readability.
  • Eight style variations: Twenty Twenty-Four presents a light color palette for a fresh and inviting appearance out-of-the-box, but you can customize it with seven additional style variations. Each includes fonts and colors carefully curated to work beautifully alongside the patterns and templates.
  • Sans-serif variations: Besides the default styles, the theme offers two additional sans-serif variations, providing more choices for your site’s typography.

Along with its design, Twenty Twenty-Four has been meticulously optimized for performance. This ensures that your website not only looks great but also delivers a fast and efficient user experience.

Explore Twenty Twenty-Four now

More information can be found in the following links:

The Twenty Twenty-Four theme was designed by Beatriz Fialho and made possible thanks to the passion and tireless work of more than 120 contributors.

Source: https://wordpress.org/news/2023/11/introducing-twenty-twenty-four/

WordPress 6.4 Introduces Twenty Twenty-Four Theme, Adds Lightbox, Block Hooks, and Improvements Across Design Tools

WordPress 6.4 “Shirley” was released today, named for famed American jazz pianist and singer Shirley Horn. This release introduces a new batch of writing and design tools that give users more powerful customization capabilities inside the editor. We covered most of the changes as they were released in the Gutenberg plugin and added to core, but here are a few of the highlights.

Lightbox

WordPress now has core support for loading images in a lightbox. It’s a simple, yet elegant “expand on click” feature that allows visitors to expand images to be full-screen without leaving the page. The lightbox can be enabled on a per-image basis or site-wide under Styles » Blocks » Images.

Redesigned Command Palette

The Command Palette has gotten a design refresh in 6.4 in order to accommodate a growing catalog of commands available to help users perform tasks more efficiently. Users can access the tool inside the Site Editor and the Post Editor alike, with specific contextual command options for saving time across both editing experiences.

image credit: WordPress 6.4 release page

List View Improvements

The List View continues to get improvements to make it more useful for getting a condensed overview of the content at a glance. WordPress 6.4 adds media previews for the Gallery and Image blocks in the List View. It also allows users to assign custom names for Group blocks, which are visible in the List View so they can be easily organized.

image credit: WordPress 6.4 release post

Block Hooks

Block Hooks are a new developer feature, originally introduced in Gutenberg 16.4 for auto-inserting blocks. Developers can specify a location where a block will be inserted, such as before or after a template. Users can then reposition the blocks after insertion using the editor tools.

Twenty Twenty-Four

WordPress 6.4 ships with a brand new default theme, Twenty Twenty-Four. It was designed to be a multi-purpose theme, suitable for building a wide range of websites, including blogs, businesses, and portfolios. The theme comes with more than 35 templates and patterns. Check out a live demo to see all the full-page patterns, section patterns, and style variations available in Twenty Twenty-Four. It includes three different fully-built site demos for blogger, photographer, and entrepreneur use cases.

image credit: WordPress 6.4 About Page

Other notable improvements in 6.4 include the following:

  • Writing enhancements with new keyboard shortcuts, smoother list merging, and improved toolbar experience for the Navigation, List, and Quote blocks
  • Organize patterns with custom categories, and new advanced filtering for patterns in the inserter
  • Expanded design tools: background images in Group blocks, ability to maintain image dimensions consistent with placeholder aspect ratios, add buttons to the Navigation block, and more
  • Share patterns across WordPress sites by importing and exporting them as JSON files from the Site Editor’s patterns view

Check out the beautiful 6.4 release page to see all the major features highlighted. Under the hood there are also more than 100 performance-related updates and a range of accessibility improvements that create a more consistent experience in the site and post editors.

This is the last major release planned for 2023. It includes contributions from more than 600 people across 56 countries, with 170 first-time contributors.

WordPress 6.4 was led by an underrepresented gender release squad, which Release Lead Josepha Haden Chomphosy organized “to welcome and empower diverse voices in the WordPress open source project.” Together they shipped 1,150 enhancements and fixes available now in 6.4.

Source: https://wptavern.com/wordpress-6-4-introduces-twenty-twenty-four-theme-adds-lightbox-block-hooks-and-improvements-across-design-tools