Develop WC

The official WooCommerce development blog

WooCommerce 2.6.3 Fix/Security Release Notes — July 19, 2016

WooCommerce 2.6.3 Fix/Security Release Notes

The WooCommerce 2.6.3 fix/security release is now available. You can download it on or as an automatic update in your administration panel.

~104 commits made it into this release fixing several minor issues and a potential security issue. The main fixes/updates are as follows.

  • Securify reported an issue with the way captions were shown within PrettyPhoto. Due to double-escaping, captions could be treated as HTML allowing for XSS attacks. However, this would require the admin to upload a malicious image to exploit. The affected template files were patched and the version numbers bumped.

  • There was an issue with layered nav counts when used in conjunction with search.
  • We added transient based caching to the comment count functions to improve page loading speed in admin.

The full changelog for 2.6.3 is below.

* Fix - Security - Escape captions in product-thumbnail and product-image templates (template versions have been bumped).
* Fix - Fixed how we calculate shipping tax rates when using more than one tax class.
* Fix - When duplicating product variations, set title, name, and guid.
* Fix - Normalized 'read more' buttons.
* Fix - Add to cart notices for grouped products.
* Fix - Do not sanitize passwords in the settings API.
* Fix - Handle shipping zone location range conversion during update (dashes to ...).
* Fix - Always remove commas while processing flat rate costs.
* Fix - Ensures account page layout is only applied to desktop-sized displays.
* Fix - When getting layered nav counts, take search parameters into consideration.
* Fix - Free shipping show/hide javascript.
* Fix - Strip hash characters when exporting reports.
* Fix - Use permission id to revoke access to downloads to prevent removing wrong rows.
* Fix - When duplicating product variations, set title, name, and guid.
* Fix - Set more appropriate default rounding precision based on currency decimal places.
* Fix - Fix message styles for empty carts.
* Fix - Fixed the load of the WC_Email_Customer_On_Hold_Order class.
* Fix - Don't perform cart update on search submit.
* Dev - API - Added support for WP REST API with custom URL prefixes.
* Dev - API - Delete variations when deleting a variable product.
* Dev - API - Fixed how we check for product types.
* Dev - Added woocommerce_cart_id filter.
* Dev - Add shortcode name param to shortcode_atts function calls.
* Dev - Post custom data when fetching a variation via ajax.
* Dev - Include child prices in grouped_price_html filter.
* Dev - Allow filtering of variation stock quantity.
* Dev - Added $_product argument to 'woocommerce_restock_refunded_item' hook.
* Dev - Added a filter hook for the wc_ajax endpoint url.
* Tweak - Include account page link in new customer account emails.
* Tweak - Updated all URLs from to
* Tweak - Cache the result of WC_Comments::wp_count_comments() in a transient (improves performance).

If you spot any further issues, please report them to us in detail on GitHub so the development team can review – comments on this post are closed.

WooCommerce 2.6.2 Fix Release Notes — June 30, 2016

WooCommerce 2.6.2 Fix Release Notes

The WooCommerce 2.6.2 fix release is now available. You can download it on or as an automatic update in your administration panel.

~140 commits made it into this release fixing several minor issues and making some smaller tweaks. The main fixes/updates are as follows.

  • We’ve made the password reset process redirect to the form and set a cookie containing the reset token and username to prevent password tokens being leaked via the page’s referer headers.
  • Some users didn’t like the change showing ‘in stock’ when not managing stock levels. Due to this we’ve made it so ‘in stock’ in hidden when not managing stock levels, but ‘out of stock’ is shown when that status is explicitly set.
  • We’ve improved the coupon logic so that product coupons not valid for the current cart are not applied, rather than just having no discount value.
  • We’ve made some tweaks the descriptions on the zones screen, and made it so zones can match postcodes without having a country assigned to them. Also, if no locations are set on a zone, it will now be listed as being for ‘everywhere’.
  • To allow my account page tabs to be disabled without code, you can now set the endpoint value to a blank string.

The full changelog for 2.6.2 is below.

* Fix - Set max index length on woocommerce_payment_tokenmeta table for utf8mb4 support.
* Fix - is_available check for legacy shipping methods.
* Fix - wc_add_to_cart_message() when non-array is passed.
* Fix - Maximum coupon check should allow the 'maximum' value.
* Fix - Product coupon logic to avoid applying non-applicable coupons.
* Fix - Potential notices when leaving out 'default' field for shipping instances.
* Fix - wp_cache_flush after term meta migration/update.
* Fix - wc_add_to_cart_message() when non-array is passed.
* Fix - woocommerce_redirect_single_search_result type check was incorrect.
* Fix - Javascript show/hide of option in free shipping method.
* Fix - Convert ellipsis to three periods when saving postcodes.
* Fix - Prevent get_terms returning duplicates.
* Fix - Removed non-existent country (Netherlands Antilles) from
* Fix - Grouped product range display when child is free.
* Fix - Remove discount when checking free shipping min amount.
* Fix - Prevent blocking the same element multiple times on cart page.
* Fix - Don't sync ratings right after a new comment to prevent rating sync whilst rating meta does not exist yet.
* Fix - Fix product RSS feeds when using shop base.
* Fix - woocommerce_local_pickup_methods comparison by stripping instance IDs before the check.
* Fix - During password resets, use cookie to store reset key and user login to avoid them being exposed in the URL/referer headers.
* Dev - API - Fixed variable product stock at product level.
* Dev - CLI - Introduces woocommerce_cli_get_product_variable_types filter.
* Dev - Allow notices to be grouped on checkout after certain events.
* Tweak - Made customer pay link display if order needs_payment() rather than checking pending status.
* Tweak - Zones - Wording clarifications.
* Tweak - Zones - Match zones with postcodes but no country.
* Tweak - Zones - Match zones with no regions as 'everywhere'.
* Tweak - Added view_admin_dashboard cap for disabling the admin access restriction in custom roles.
* Tweak - Revised stock display based on feedback to hide 'in stock' message if stock management is off and only show available on backorder if notifying customer.
* Tweak - Allow external product SKUs.
* Tweak - PT (Portugal) and JP (Japan) postcode formats.
* Tweak - Sort products from the [product_category] shortcode by menu order.
* Tweak - Improve wc_orders_count() performance by running a query to count only posts of the given status.
* Tweak - To allow my account page tabs to be disabled without code, you can now set the endpoint value to a blank string.

If you spot any further issues, please report them to us in detail on Github so the development team can review – comments on this post are closed.

WooCommerce Connect moves into Alpha 2 — June 27, 2016

WooCommerce Connect moves into Alpha 2

For the last couple months, since the first Alpha release, we’ve been diligently working on WooCommerce Connect.

We’re excited to announce that we have more features you can exercise in the latest Alpha release. WooCommerce Connect now supports:

    • Real-time rate requests for Canada Post as well as USPS
    • Merchant defined custom packaging as well as Flat Rate USPS packaging
    • A “Self-Help” style debug dashboard to help you see how all the WooCommerce Connect services you are using are doing at a glance

ICYMI – Connect is a new architecture for integrating services with WooCommerce. We’re taking advantage of a SaaS-style Automattic-hosted server to do the heavy lifting and have created a new Calypso-style interface. More on the project here.

Maybe you tried the first Alpha, or maybe you were waiting to see what came next – either way we’d like to welcome you to testing this latest iteration.

Join us in building the future of WooCommerce

Release Highlights

This second Alpha release of WooCommerce Connect works with recently released WooCommerce 2.6 and with Jetpack to bring hassle free USPS and Canada Post rates to WooCommerce Shipping Zones.

Since this is an alpha version, there’s a lot we plan to add, change and enhance. Please take care – this early pre-release code should not be used on production sites.

At this time, WooCommerce Connect is delivered as a feature plugin, and the grand plan is to roll out Connect into a future WooCommerce core release.

For developers, this is an great opportunity to:

      • see the future of WooCommerce development
      • see examples of incorporating React into WooCommerce administration
      • see how we’re using JSON schemas provided by the WooCommerce Connect servers to drive the layout and composition of the forms for shipping services – making adding features much less likely to require plugin updates
      • see examples of how to extend the WP REST API and Shipping Zones in WooCommerce 2.6

Alpha 2 Testing

Alpha 2 is out today. Subsequent alphas will be released if needed and we’ll post on this blog if this happens.

If all goes to plan, Beta will begin during Summer of 2016.

If you’d like to help test, sign-up to be a tester – we’d love to hear from you!

WooCommerce 2.6.1 fix release notes — June 16, 2016

WooCommerce 2.6.1 fix release notes

The WooCommerce 2.6.1 fix release is now available. You can download it or as an automatic update in your administration panel.

~43 commits made it into this release fixing several minor issues and making some small tweaks to things such as the updater. The main fixes/updates are as follows.

  • Our background updater relies on a wp_remote_post to call itself and on some installs (such as those behind a security plugin or password) this may fail. As a fallback we also have a cron job, however, we’ve discovered some user’s sites do not have working cron (!) causing the updater to never run. To combat this, 2.6.1 includes a a manual ‘run updater’ link in the notice which will trigger the update.
  • Users using commas in their currency and creating orders manually in the backend were seeing totals miscalculated. This has been resolved.
  • A use case where items are free, but shipping was paid, was not supported by the PayPal Standard gateway. This has been fixed by sending shipping as a line item when this occurs.
  • We’ve fixed support for ‘skus’ on our shortcodes.
  • We’ve fixed layered nav counts when WP term splitting has not kicked in yet (causing term_ids to differ from term_taxonomy_ids).
  • Theme devs take note, we updated the content-product.php and content-product_cat.php  in 2.6 to handle the loop classes differently, but forgot to bump the template version. We’ve done that now. You may need to update your versions to match.

The full changelog for 2.6.1 is below.

* Fix - Added missing localized format for line taxes in orders screen to prevent total miscalculation in manual orders.
* Fix - Improved the hour and time fields validation pattern on the orders screen.
* Fix - PayPal does not allow free products, but paid shipping. Workaround by sending shipping as a line item if it is the only cost.
* Fix - SKUs prop on products shortcode.
* Fix - Layered nav counts when term_id does not match term_taxonomy_id (before splitting).
* Fix - Fixed referer links from cart messages in WP 4.4.
* Fix - Fix the showing/hiding of panels when terms do not exist by using wc_get_product_types() for retrieving product types.
* Dev - content-product.php and content-product_cat.php contained the wrong version.
* Dev - Show "matching zone" notice on the frontend when shipping debug mode is on.
* Dev - Restored missing WC_Settings_API::init_form_fields() method to prevent potential errors in 3rd party gateways.
* Dev - API - Fixed returned data from product images (changed title to name).
* Dev - API - Fixed products schema for grouped_products.
* Dev - API - Fixed products attribute options when contains ,.
* Tweak - Hide 'payment methods' screen if no methods support it.
* Tweak - If shipping method count changes, reset to default.
* Tweak - Avoid normalization of zone postcodes so wildcard matching can be performed on postcodes with spaces. E.g. SP1 *
* Tweak - Allow max_fee in addition to min_fee in flat rate costs fields.
* Tweak - Wrap order_schema_markup() output in hidden div in case script tag is stripped.

If you spot any further issues, please report them to us in detail on Github so the development team can review – comments on this post are closed.


Say hello to WooCommerce 2.6 “Zipping Zebra” — June 14, 2016

Say hello to WooCommerce 2.6 “Zipping Zebra”

Today we’re excited to announce WooCommerce 2.6 “Zipping Zebra” has been released into the wild. 2.6 has been in beta since the end of April, development for ~5 months, and has had over 1700 commits from 25 contributors.

This time round there has been a major focus on APIs, shipping, and account pages which ticks some items off of our 2016 core wishlist.


Introducing Shipping Zones

Shipping Zones are groups of locations to which you ship products. You can group multiple continents, countries, states, and zip codes into a ‘zone’ and then add shipping methods to each.

2016-06-10 at 14.09.png
Example of zones

As an added bonus, methods supporting zones can be used as many times as you need, for example, you can now create multiple flat rates within a zone – something which was previously limited to one without an extension such as table rates.

2016-06-10 at 14.14.png
Multiple flat rates in a single zone

We made a more detailed post about Shipping Zones which you can read here.

For 3rd party shipping methods, Shipping Zones are opt-in. Core shipping methods support zones,  but 3rd party methods need to declare support. For developers, the shipping API docs are inside our wiki. If a method does not support zones, it will continue to work globally as it always has.

Users of the WooThemes Table Rate Shipping and Flat Rate Box shipping should install the latest versions of those extensions for compatibility. Zones will be migrated to the new system during the 2.6 upgrade routine.

The new WooCommerce REST API

We’ve released a new WooCommerce REST API based on the WordPress REST API. This means WooCommerce now uses the WP REST API scaffolding layer and follows the same standards meaning it can be extended by plugins to add new data points or authentication methods.

The new API supports orders, customers, products, coupons, taxes, reports, and webhooks, both individually and in batches. We’ll be extending this with additional endpoints in 2.7.

If you’re a developer, our REST API docs have been updated for the new API and can be read here.

Previous versions of the API (v1, v2, and v3) are still present in core and will continue to function as normal.

You can read more about the new API here.

Improved account pages

Older versions of WooCommerce had a single account page which listed all data; orders, downloads, saved cards etc. This was not very organised and could grow with extensions.

To fix this, we’ve built a new endpoint/tab based account page with sections you can navigate through.

Tabbed account page in Storefront

You can read more about the new account page here.

AJAX cart page

The cart page operations now use AJAX (updating item quantities, removing cart items, applying coupons, and updating shipping options).

Read more about the AJAX cart here.

Everything else…

There have been lots of tweaks and smaller changes since 2.5, so the best place to look at these would be in our changelog and for adventurous developers, the comparison on Github.

To highlight a few of those changes:

  • Developers will have access to our new Payment Tokens API which standardized the way in which tokens are stored and displayed. This wiki article explains usage for devs.
  • There are now some on-hold status order emails.
  • We’ve worked on our layered nav system in 2.6 adding new functionality (now you can filter products by ratings) and improving performance for all layered nav queries.
  • We’ve moved custom term meta implementation to WP Term Meta which was introduced in 4.4.
  • There is a new wc_get_orders() function to get order objects and ids instead of direct get_posts() calls.
  • We’ve added the ability for shipping methods to store meta data to the order in the same way line items can.

Upgrading to 2.6

Some notes for people upgrading to 2.6. Aside from ensuring your extensions and theme are compatible and you’ve made backups:

  1. You’ll need to be running WordPress 4.4 or above – we’ve bumped the minimum requirement.
  2. If you’re running table rate shipping or flat rate box shipping authored by WooThemes, ensure you’re running the latest versions and the WC 2.6 data update will migrate any existing rates and zones.
  3. If you’re using Simplify Commerce you’ll be prompted to install the new version from as it is now a separate plugin and deprecated in WC core.
  4. The data upgrader prompt will run updates in the background. If your site is not accessible or password protected there may be a delay for the cron-based fallback to run.


Template Changes in 2.6

With most new releases, updates to template files are needed in order to add or change functionality. When we make a major change, the template version is incremented. Themes which bundle these templates may need to update them to reflect core.

The following template files had their versions bumped in 2.6.0:

  • single-product/review.php – Added hooks to support the following new templates:
    • single-product/review-rating.php
    • single-product/review-meta.php
  • order/order-details.php – Fix to only get purchase note if product exists.
  • myaccount/my-account.php – New action hooks to support tabbed navigation and the following new template files:
    • myaccount/dashboard.php 
    • myaccount/downloads.php
    • myaccount/view-order.php
    • myaccount/payment-methods.php
    • myaccount/orders.php
    • myaccount/navigation.php
  • myaccount/my-downloads.php – Deprecated.
  • myaccount/my-orders.php – Deprecated.
  • myaccount/form-add-payment-method.php – Added tabbed naviation.
  • myaccount/form-edit-address.php – Added tabbed naviation.
  • myaccount/form-edit-account.php – Added tabbed naviation.

How we tested 2.6

Since April 22nd 2016 we’ve had 4 beta versions and 2 release candidates giving ample warning to developers to test. We’ve also posted on Twitter, Facebook, and our dev blog.

According to Github API, RC1 was downloaded ~250 times, and our betas a total of 1,951 times by testers.

Internally we’ve been testing the RC on We have also tested all WooThemes extensions for compatibility, and had our 3rd party devs do the same.

Thanks to everyone who contributed, tested, and translated this release and we hope you all enjoy using it!


Get every new post delivered to your Inbox.

Join 7,266 other followers