GDPR compliance is hard: the WordPress edition

When my friend Georgie commented on my post about Talk.CSS, she told me that her comment wasn’t visible to her as awaiting moderation after submission, although she assumed that it had posted successfully based on the fact that the URL in her browser’s address bar had changed. This was new to me: I could’ve sworn the moderation notice was always visible because I’d tested it thoroughly when developing the theme for blog.NOVALISTIC 5.0 “Veldin”.

We couldn’t find any leads so we left it as it was. Two weeks later, this morning, she sent me links to this support forum topic, posted around the same time we first ran into this issue, and to this Stack Overflow question which was asked just a few hours ago. The asker self-answered with the following:

Apparently the solution was to have the “Save my name, email, and website in this browser for the next time I comment.” checkbox selected in order for the message to show up.

So you have to have the GDPR checkbox checked in order to have the comment and message appear before approval.

Sorry for bothering.

(Yes, I’m including that last line here, and no, I didn’t edit it out, because I simply don’t see the point in making a fuss over it.)

So, it dawned on me, the issue was twofold:

  1. My theme was missing a critical privacy element for GDPR compliance; namely, a checkbox that indicates the user’s consent to their browser remembering their details in a cookie (yes, you do need explicit consent for anything a user submits that you might store either on your server or in a cookie now).

  2. WordPress 4.9.6, the latest release that adds GDPR compliance elements, is failing to display the comment moderation notice when the user submitting a comment has not given this consent, presumably as an unintended side effect of being a little too conservative (not that I’m saying that’s a bad thing!).

If your WordPress theme has a custom comment form implementation (i.e. the comment form is provided by a custom callback rather than the built-in comment_form() template), you’ll need to add the new cookie consent checkbox. The only important bit is the name attribute, whose value must be wp-comment-cookies-consent. Here’s what mine looks like:

<?php $commenter = wp_get_current_commenter(); // populated from the commenter cookies, as core's comment_form() does (added here for completeness) ?>
<form class="feedback" action="<?php echo esc_url( site_url( '/wp-comments-post.php' ) ); ?>" method="post">
    <!-- ... -->
    <!-- Only the name attribute matters: wp-comments-post.php checks whether the field is present in $_POST -->
    <p><label><input type="checkbox" name="wp-comment-cookies-consent"<?php if ( ! empty( $commenter['comment_author_email'] ) ) echo ' checked'; ?>> Remember my name, email and website for future comments</label></p>
    <p><button type="submit">Post Comment</button>
    <?php comment_id_fields(); ?></p>
    <?php do_action( 'comment_form', $post->ID ); ?>
</form>

As with the rest of the comment form fields, you don’t need any additional plumbing for this to work. As long as the checkbox is present in your comment form, when the user ticks it WordPress will correctly set the cookie and notify the user if their comment is awaiting moderation.

Wait, what? So if the user doesn’t allow the cookie to be created, they don’t get notified?

That’s right. An oversight in the implementation of this feature means that since WordPress won’t remember the user’s details, it won’t be able to determine that the comment that it just received was theirs and display it to them along with the moderation notice. Privacy, am I right?
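To make the cause and effect above concrete, here is an added stand-alone model of the two pieces involved: the consent-gated cookie write that happens when a comment is posted, and the visibility check that decides whether a visitor gets to see their own unapproved comment (and hence the moderation notice). This is example code written for this post, not WordPress core and not the theme shown above; cookies are modelled as a plain array instead of calling setcookie() so it runs from the CLI, and the comment records, e-mail addresses and function names are constructed for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Mirrors the server-side gate (hypothetical helper, modelled on the behaviour
 * described in the post): the consent field only exists in $_POST when the box
 * was ticked, so its presence is what matters, not its value. Without consent
 * nothing is stored and previously stored details are dropped, because the
 * name, e-mail and URL are personal data.
 */
function store_commenter_if_consented(array $post, array &$jar): bool
{
    if (!isset($post['wp-comment-cookies-consent'])) {
        unset($jar['comment_author'], $jar['comment_author_email'], $jar['comment_author_url']);
        return false;
    }
    $jar['comment_author']       = $post['author'];
    $jar['comment_author_email'] = $post['email'];
    $jar['comment_author_url']   = $post['url'] ?? '';
    return true;
}

/**
 * Decides which comments a visitor may see (hypothetical helper): approved
 * comments are public; an unapproved one is shown, together with the
 * "awaiting moderation" notice, only to the visitor whose stored e-mail
 * matches. With no cookie there is no e-mail to match, so a non-consenting
 * commenter never sees their own pending comment.
 */
function comments_visible_to(array $comments, array $jar): array
{
    $me = $jar['comment_author_email'] ?? '';
    return array_values(array_filter($comments, function (array $c) use ($me): bool {
        return $c['approved'] || ($me !== '' && strcasecmp($c['email'], $me) === 0);
    }));
}

// Constructed sample data: one approved comment and one fresh, unapproved one.
$comments = [
    ['id' => 1, 'email' => 'someone@example.invalid', 'approved' => true],
    ['id' => 2, 'email' => 'georgie@example.invalid', 'approved' => false],
];
$submission = ['author' => 'Georgie', 'email' => 'georgie@example.invalid', 'url' => ''];

// Run the same submission twice: once with the consent box ticked, once without.
foreach ([true, false] as $checked) {
    $post = $submission;
    if ($checked) {
        $post['wp-comment-cookies-consent'] = 'on'; // what a ticked checkbox submits
    }
    $jar = [];
    $stored = store_commenter_if_consented($post, $jar);
    $ids    = array_column(comments_visible_to($comments, $jar), 'id');
    printf(
        "consent box %s: cookie stored=%s, visible comment ids=%s\n",
        $checked ? 'ticked  ' : 'unticked',
        $stored ? 'yes' : 'no',
        implode(',', $ids)
    );
}
```

Run it with `php` on the command line: the first line reports both comments visible, the second only the approved one, which is exactly the symptom Georgie hit. The takeaway for anyone auditing a custom comment form is that the consent checkbox is not just a legal formality; it is the only way the commenter's identity survives the redirect, so a form without it silently degrades the user experience rather than failing loudly.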

No worries though, the developers have been made aware of this since before WordPress 4.9.6 was released, as it was reported on the WordPress Trac at least two months ago. Understandably, they punted this issue to 4.9.7 in order to get the important stuff (GDPR compliance tools) out in a timely fashion (4.9.6 was released on May 17, which happens to be exactly one month ago at the time I’m writing this). Hopefully a fix for this issue will be shipped soon.

Talk.CSS #28, my first CSS meetup

Yesterday I went to Talk.CSS, a small-ish local (Singapore-based) CSS meetup that takes place once a month. It’s my first developer meetup in years — the last I went to was A Conversation with Matt Mullenweg in June 2014, at which I met him during his Asia Pacific tour; check out my friend Georgie’s blog post about meeting him as well! — and my first ever meetup with a focus on just CSS. I had only just learned of its existence early this month, and needless to say it piqued my interest indeed and I wanted to check it out.

Well… I ended up sitting on the fence for several weeks, as I’m not really one for meetups, which explains why I hadn’t been to any in nearly 4 years. But, ultimately, the very fact that I had been to developer meetups before (and you know how much I love CSS) was what made me decide to go for it. So off to WeWork I went! (It was my first time there, too.)

As I was pretty focused on the content, I didn’t take any photos worth publishing here, nor did I tweet much myself, so instead here’s a written summary and some other tweets in lieu of my own.

Updates to my privacy policy

Today the General Data Protection Regulation (GDPR) becomes enforceable. This regulation governs how companies and websites may process and store personal data, and your rights as a user to your own personal data.

I’ve now updated my privacy policy to be compliant with the GDPR. It should now be clearer and more precisely spell out what sort of data my website may collect, what I do, and don’t do, with it, and the control you have over the permission you give me to do so and what happens to it after it’s been collected and/or stored. Hopefully it hasn’t become too wordy as a result!

I encourage you to take a couple of minutes to peruse it. Let me know in the comments here if there’s anything you’d like clarified or I might have missed.

I know I haven’t posted since the end of March (and the end of the last annual MVP renewal cycle), but I’m still actively contributing to Stack Overflow and tweeting, and I do indeed have exciting new stuff in the works.

Reflections on writing a personal blog as a Microsoft MVP

Today is the deadline for all Microsoft MVPs to update their profiles with their latest contributions, before the annual renewal cycle begins. It’ll be my first time through the rigorous process, and only time will tell if I’ll make the cut for another year!

If you’ve somehow been following blog.NOVALISTIC since the launch of NOVALISTIC 5.0 “Veldin” back in the tail end of 2015, you may have noticed two things:

  1. Posts have been extremely sporadic, averaging out on a rather low frequency over the course of 24 months.
  2. Posts have so far remained sporadic, but with a noticeable change in topics frequently covered, over the last quarter.

That’s me broadening my horizons as a newly awarded Microsoft MVP after having focused all my efforts solely on Stack Overflow (not at its expense though, don’t worry!). It’s been a very slow start, for sure. I’m still adjusting to the process. Writing compelling content is not easy, but very rewarding especially when you are passionate about the subject matter.

But, I’m told, even when I’m starting small, every post counts. That’s why I’m still listing every technical post I’ve published on my MVP profile, even though I only really started this quarter. In fact, I’m listing this very entry too, since it’s about my site, and it does contain some technical content, so I figured I’d let Microsoft decide if it counts!

Anyway I digress. NOVALISTIC, on a fundamental level, is a personal site, a showcase for not only the work I’ve done and my passion in all things web, but also my other hobbies and interests, tech-related or otherwise. And blog.NOVALISTIC is an extension of that, not the other way around. In the nearly 11 years I’ve been blogging at this domain, I’ve always written about whatever I felt like writing at the time, because I had something to say about it. And if I didn’t feel like writing at all, I’d just… not write.

But that’s writing on a whim about anything I feel like; not writing concrete content to be consumed, learned from, and shared by a specific target audience, which is what I need to be doing if I want my technical content to be discovered and perused.

I spent the last week reflecting, reading articles online, and of course talking to fellow MVPs, and here’s what I’ve come to realize and embrace: I don’t need to sacrifice sharing about my other interests in favor of writing compelling technical content. Yes, it’s probably still a million times better if I can keep all my technical content on a separate domain or something. But running multiple separate sites is a pain especially for the expectations I have of my blog, which are not astronomical (remember, it’s a secondary aspect of my online presence, not the primary aspect).

I don’t care about having a large number of subscribers, I’m not going to try and eke out every last drop of SEO juice from each post (although I’m planning some significant changes to the overall layout to aid in that), and I don’t have to let other topics get in the way because individual posts reside in their own URLs for search engine crawlers to index, and for the good folks at Microsoft my technical content will always be aggregated on and accessible from my MVP profile.

For starters, I can afford to keep throwaway off-topic fluff to a minimum, because I kinda already do that. Years ago I used to make really short posts, known in the WordPress blogosphere as “asides” (to the extent that some themes, including one I made, even came with special formatting for them). You don’t really see those anywhere anymore, other than on Matt Mullenweg’s blog. Ask any web developer in this day and age what an “aside” is and they’ll tell you all about the HTML aside element.

What matters most to me is putting out content that’s useful to others, while still retaining my multi-disciplinary individuality that my site, and my blog, were meant to embody. Because these two goals don’t have to be mutually exclusive. The “content is king” mantra doesn’t have to be restricted to one category of topics. Any topic, work or play, can be made either an entertaining and/or educational read, or a waste of time.

And because my passion for all things web is one of the things that make me who I am. Both “just one” and “very much one”, if that makes sense. My tribute to Internet Explorer from 2016 is as heartfelt as it sounds, and HTML and CSS have been my lifeblood since I was little. But I’m more than just someone who loves the web platform. I love the web platform, I love sharing about it, and then some. That’s what, I feel, makes me an MVP, and I hope Microsoft agrees.

By the way… one of the emails I received from my regional MVP lead regarding the renewal cycle reminded me of a very timely coincidental thing I’ll be blogging about very soon (see what I did there?). Here’s a clue for fellow MVPs reading this: it has to do with Betsy Weber, or at least, one of her interests. Stay tuned!

So much for “the venerable OpenID”


Remember just three weeks ago I was ranting about how MDN assumes you use GitHub and forces you to use it to log in without providing any alternatives? Remember I mentioned “the venerable OpenID”?

Turns out it wasn’t so venerable after all. OpenID 2.0 was superseded by OpenID Connect (which is built on OAuth 2.0, a different kind of “auth”: authorization rather than authentication) some years ago, and providers have slowly been removing support for OpenID 2.0 over the last couple of years. Yesterday Stack Exchange was the latest to announce that they were dropping OpenID 2.0 support:

Stack Overflow was an early and strong supporter of OpenID. We built our sign up/log in flow around it. We were idealistic and had high hopes, but these hopes weren’t realized. Over the years people have wondered if OpenID is dead. We’ve had to remove support as OpenID providers pulled support or shut down.

The time has come to part ways. The reality is OpenID support has created a ton of complexity in our codebase and the number of users actively using OpenID simply doesn’t justify that cost. Users have spoken with their actions. You prefer Google, Facebook and Stack Exchange (aka email/PW) based account auth.

To be fair, even I don’t use OpenID to authenticate with Stack Exchange anymore. But that’s because several years ago, I switched from using my OpenID to authenticate with Stack Exchange, to using Stack Exchange as my primary OpenID provider. So, in a weird twist of irony, I’m impacted not in my access to Stack Exchange, but in my access to other sites via Stack Exchange OpenID.

Note that my change of provider had nothing to do with OpenID 2.0’s already ongoing demise; it was just a matter of moving to a provider I felt was more appropriate for my needs, since I’d stopped actively blogging @ I would continue using Stack Exchange OpenID for as long as OpenID 2.0 remained around, because Stack Exchange stated they’d continue supporting it for as long as they remained in existence as a company.

Of course, things are different now. With the OpenID 2.0 protocol being made obsolete by the OpenID Foundation itself, there really is no obligation for Stack Exchange to continue supporting their OpenID service. So I’m not going to accord them any blame. It’s entirely my fault for somehow completely missing the memo on this whole thing. Perhaps Stack Exchange’s decision to drop OpenID was the wake-up call I needed after all.

Good thing I’ll have the next quarter to work on migrating my accounts on sites where I’m using Stack Exchange OpenID to authenticate. I know that I can just switch back to OpenID, but let’s face it, it’s only a matter of time before Automattic follows suit.

Before I go, let me be clear on my views of all this: