Develop WooCommerce

The official WooCommerce development blog

WooCommerce 3.4.1 fix release notes — May 29, 2018

WooCommerce 3.4.1 fix release notes

WooCommerce 3.4.1 is available. ~61 commits made it into this release and the full changelog is below.

* Fix - Fix webhook admin filtering URLs. #20236
* Fix - Add missing wp_unslash calls to product data meta box to prevent quote characters being escaped on save. #20235
* Fix - Display price filter widget in LTR mode on RTL sites. #20221
* Fix - Refactor WC_Coupon constructor to allow for passing in coupon objects. #20193
* Fix - Path field in advanced CSV importer was broken due to an esc_url call. #20191
* Fix - Prevent shipping method instances trying to save settings on non-instance screens. #20217
* Fix - Wrapper function to get full mysql version string with mariadb handling. #20231
* Fix - woocommerce_pagination had some extra white space. #20214
* Fix - If a file size cannot be read, ignore range headers to prevent offsite downloads being 0kb. #20205
* Fix - Allow HTML when using `wc_attribute_label()`. #20202
* Fix - Update address-i18n.js to prevent appending multiple "(optional)" labels. #20195
* Fix - Check plugin properties exist when listening to auto_update_plugin hook. #20234
* Fix - Add extra checks in `get_canonical_package_rate_ids` to prevent notices. #20237
* Fix - Fix infinite loop with importing tax rates. #20253
* Fix - Echo attribute label for "empty" default option. #20256
* Fix - Fix download sample tax rates URL format. #20272
* Fix - Product properties should not be accessed directly PHP notice when calling `wc_get_product_attachment_props`. #20282
* Fix - If flexslider is disabled, gallery images also need to trigger photoswipe on click. #20290
* Fix - Product import file uploads on windows servers. #20273
* Fix - Fix variation attribute selection via the cart page/query string. #20293
* Fix - Add greater specificity to required styling in 2017 theme. #20296
* Enhancement - Export legacy paypal meta data in personal data exporter. #20200
* Enhancement - Improve performance of `wc_update_340_states` update routine to help prevent timeouts. #20241
* Dev - Remove red styling for PHP notice if using > 5.6. #20294
* Dev - Add an action hook after printing the cart item name. #20190
* Localization - Use "payment tokens" terminology in exports. #20197


Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

As usual, if you spot any other issues in WooCommerce core please log them in detail on Github, and to disclose a security issue to our team, please submit a report via HackerOne here. Comments on this post are closed.

WooCommerce 3.4 RC2 — May 22, 2018

WooCommerce 3.4 RC2

WooCommerce 3.4.0 RC2 is available for testing. We’ve fixed the following issues specific to 3.4 functionality:

  • Incorrectly closed table row in WP Admin. #20091
  • Fixed tooltip styling when outside label. #20084
  • Remove full stop after action name. #20087
  • Fixed terms and conditions preview when the terms and conditions option is unset.
  • Change token export format to match WordPress 4.9.
  • Updated some missing template file versions.
  • Use GET in external product form so query strings are preserved.
  • Escape and decode ampersands correctly for external products.
  • Preview checkout without a dummy product to prevent conflicts.
  • Remove . from strings for checkbox settings.
  • Data erasers; target shop_order only and added filters for 3rd parties.
  • Remove legacy PayPal meta data from orders.
  • When cleaning up CSV import, only remove product taxonomies. #20094

And we’ve added the following to the changelog as it affects older versions also:

* Tweak - In CSV exports, wrap cell in ' rather than just prepending to escape values. #20041
* Tweak - Add JS listeners for reloading/reinitializing order items in edit-order page. #20082
* Fix - When duplicating variation, set the date to null. #20083
* Fix - Fix rounding of line items for orders to match cart. #20086
* Fix - Remove hardcoded border in email template. #20090
* Fix - Prevent autofocus on checkout. #20123
* Fix - Recalc taxes if address changes in API. #20137
* Dev - Made wc_query_string_form_fields handle strings. #20162
* Localization - Fix missing Bahrain country code. #20061

To test WooCommerce 3.4.0 RC2, you can use our WooCommerce Beta Tester plugin or you can download the release candidate here (zip).

Think you’ve found a bug? Please post in detail to Github.

The final version of 3.4 is due for release tomorrow, May 23rd 2018. Huge props to everyone who has sent feedback about this release so far or found bugs.

WooCommerce 3.4 GDPR features — May 4, 2018

WooCommerce 3.4 GDPR features

Last month we blogged about the way we were approaching GDPR in WooCommerce. We’re happy to be able to say that most of these features are now ready in WordPress 4.9.6 (beta), and we’ve finished our work in WooCommerce core also.

This post summarises the changes and features you’ll find in our 3.4 release scheduled to drop May 23rd.

Personal data exporter

WordPress 4.9.6 includes both the ability to export personal data associated with an email address to a HTML file. WooCommerce 3.4 will add to the generated export file, exporting the following data:

  • Customer address/account information
  • Orders associated with the given email address
  • Download permissions and logs associated with the given email address

To ensure requests are genuine, 4.9.6 includes a requests table and confirmation email to verify the request. The verification flow consists of the following steps:

  1. Add an email address or username.
  2. The user is notified via email with a confirmation link.
  3. The confirmation link is used and the request is marked “confirmed”.
  4. Admin triggers an email to the user which contains a link to download their personal data.
Slack - A8C 2018-05-03 18-20-52.png
Export requests table


Personal data files can also be manually generated by the admin and downloaded. The file itself is a simple HTML file, zipped.

Slack - A8C 2018-05-02 15-47-00.png
A sample export file


WordPress exports it’s own data in the same way, so things such as media files, posts, and comments/reviews are also taken care of!

Personal data eraser

Like the exporter, the eraser allows you to verify requests are legitimate before fulfilling them. It uses the same verification/email/requests system as the exporter.


Remove Personal Data ‹ WordPress — WordPress 2018-05-02 15-50-56.png

We understand this can be slightly more complicated with stores because you may need to keep data for other reasons, such as tax compliance or compliance with other laws.

With that in mind, we have made some of our erasure routines optional:

WooCommerce settings ‹ WordPress — WordPress 2018-05-02 15-53-02.png


These settings are off by default.

Additionally, if you ever delete a user manually, we’ve improved our cleanup functions so that the following data is removed along with the user:

  • Payment tokens
  • Addresses
  • Orders (are converted into guest orders)

And if you need to manually anonymise orders in bulk for a user you can search for them in admin and use the new “remove personal data” bulk action:

Monosnap 2018-05-02 15-56-46.png


This keeps the order around, but removes all personal data and converts the order into a guest order.

Data retention settings

To help reduce the amount of personal data that’s stored, WooCommerce 3.4 allows you to define how long you want to retain data that is no longer needed for order processing:


Slack - A8C 2018-05-02 15-10-17.png

These settings are found in WooCommerce > Settings > Accounts and privacy.

  • Failed, pending, and canceled orders which get cleaned up will be moved to the trash.
  • Completed orders which get cleaned up will be anonymized so sales stats are unaffected.
  • Inactive accounts will be deleted. An inactive account is one which has not been logged in to, or which has not placed orders, for the specified time.

If enabled, cleanup will run via a daily cron job. Inactive accounts are tracked using meta data, and only subscribers/customer accounts are removed. An upgrade routine will set all account last active times to the time you updated to 3.4.

Checkout page display options

To reduce the amount of personal data stored you can turn off some optional fields you may not require for processing.

Customize: Checkout – WordPress 2018-05-02 14-45-13.png


Additionally, you can now change the terms and conditions checkbox text to meet your needs:

Slack - A8C 2018-05-02 14-47-09.png


Both of these options can be found in the Customiser (Appearance > Customizer > WooCommerce > Checkout) and the preview is live so you can see what effects these changes will have on your checkout before hitting publish.

Privacy policy page

WordPress 4.9.6 includes a privacy page setting as well as a mechanism for plugins to suggest content. WooCommerce adds some suggested content of it’s own.

Edit Page ‹ WordPress — WordPress 2018-05-02 15-07-08.png


Other plugins can do the same which should allow you to piece together a policy which applies to your users.

Privacy policy snippets

If you define a privacy policy page, it’s useful to be able to link to that page where needed. WooCommerce will output notices and links to the privacy policy in two locations:

  1. Account registration form
  2. Checkout form

The notice in the case of the checkout is shown above the place order button automatically:

Slack - A8C 2018-05-02 14-52-38.png


Both notices can be customised in WooCommerce > Settings > Accounts and privacy or the Customiser.

Slack - A8C 2018-05-02 14-51-19.png


Changes to log files

We’ve made some changes to our logging system in core, as well as revised what data gets logged.

  • We’ve done an audit of our usage of logs in WooCommerce and removed any unnecessary personal information from the logs. Notably:
    • Webhook logs no longer log the webhook body and response unless WP_DEBUG mode is turned on. This avoids personal information sent with webhooks being logged to the server.
    • PayPal debug logging no longer logs the personal data sent to PayPal and masks it out. The setting itself now includes a disclaimer that it should be used for debug purposes only and should be disabled when complete.
    • For PayPal specifically, payer email/name is no longer logged within order meta – this information can be found using the transaction ID and visiting the PayPal website instead.
  • When PayPal debugging logging is turned off, the logs are purged.
  • Logs will now rotate daily, and log files will be deleted after 30 days by default. A filter can be used (woocommerce_logger_days_to_retain_logs) to extend this if needed. The cleanup is performed using a cron job.

These changes apply to both file based logging, and database based logging, which are both options within WooCommerce core.

Closing comments…

The above features will require both WooCommerce 3.4 and WordPress 4.9.6. Both will be released before the May 25th GDPR deadline. If you’re interested in testing WooCommerce 3.4, see our beta announcement here.

Thanks for testing!


How we’re tackling GDPR in WooCommerce core — April 10, 2018

How we’re tackling GDPR in WooCommerce core

Stronger rules on data protection from May 2018 mean citizens have more control over their data.

GDPR is coming, and we’re working hard to get new tools in WooCommerce core to help store owners comply. If you’re not familiar with GDPR yet, Hannah wrote a great introduction to GDPR on the main WooCommerce blog which you can read to get caught up.

It’s important to note that this new law doesn’t just apply to stores in the EU – this applies globally to stores that sell products to EU residents.

We’re currently building new tools into our upcoming 3.4 release to help store owners deal with GDPR requests and surface things such as privacy policies on the checkout. Some of the tools are built already, or are in progress, notably:

  • Improvements to the checkout in, which include:
    • Better formatting for inline descriptions should someone which to include just in time privacy text next to fields, and some simple tools to toggle non-critical fields off to avoid unnecessary data collection.
    • Custom terms and conditions text, and control over the checkbox + label itself.
    • In progress personal data export and bulk order anonymize in
  • We’ve cleared up wording around the tracker in the Wizard to ensure it’s compliant.
Improved terms and conditions display on checkout

Open GDPR issues can be tracked here. One thing not yet completed is personal data export, which is arguably the most important thing we need to assist store owners with. To solve this, we’re working to bring these tools to WordPress core. Read on for the details.

The road to WordPress core compliance

Rather than create something proprietary, or specific to WooCommerce, our team is focussing on WordPress core contributions so that all users and plugins can benefit from a single, unified system in WordPress itself. We feel this is the most effective use of everybody’s time.

To that end, we’ve started on several new screens and functions for WP core which (if approved) will facilitate user requests and create export files of personal data.

Here are a few of the tickets we’re actively contributing to:

Way for users (and guests) to request personal data and/or removal

Managing requests, for example requests for personal data, needs some kind of UI or system to track who did the request, the status of the request, and the date of the request. GDPR requires that requests are responded to within 30 days.

To help with this, we’re creating a requests system within WordPress to deal with this.

What the requests UI may look like

The UI shown above has been submitted as a patch in #43481. The basic flow in the v1 is as follows:

  1. User makes request via contact form or some other method of contact.
  2. Admin adds the request via the WordPress dashboard.
  3. User verifies the request.
  4. Admin triggers a response to the request e.g. by sending the data they requested.
  5. Request is either kept for tracking purposes, or removed.

To ensure the user is really who they say they are (remember emails can be spoofed!) we created a mechanism whereby WordPress will send a confirmation email to the user with a link they can click to confirm any action. This is similar to the “change password” flow in WordPress, but more general. This has been submitted via #43443.

s31c4pdznjnmauozSpark%20-%20Inbox%202018-03-05%2017-32-34.png (746×507) 2018-03-05 18-14-40.png

Requests can be tracked and can have the following statuses:

  • Pending
  • Confirmed
  • Failed
  • Completed

Thats it! If merged, we’ll move on to the ‘next steps’ column which will include buttons and links to send export files and so on to the requester.

The personal data export system

The next part to this is the actual export file generation. This will export all personal data tied to a specific email address in a human readable format.

How this works technically is:

  • A WordPress endpoint is hit, and a filter is ran to gather a list of data exporters from various plugins and core itself.
  • Each data exporter is called and the exporter from each plugin returns personal data based on a given email address.
  • Exporters support pagination, and each call is done in a separate request to prevent timeouts.
  • All of the data is appended to an export file. This is then served to the admin.

The main trac ticket for this is #43438. This fires the actions and filters for plugins to use. This prototype works with our in progress implementation in WooCommerce here.

Another related ticket is #43440 which puts WordPress comment data into the export.

Finally, #43551 improves how the export is served to the admin; as a HTML file within a zip file which is portable and human readable!

A sample export file

What else is being worked on in WordPress core?

Some other tools being made inside WordPress include:

If you’re keen on contributing, all GDPR issues in WordPress itself are tagged in trac here.

There are also lots of discussions taking place in WordPress Slack in the #gdpr-compliance room. Join us!

WooCommerce 3.3.4 fix release notes — March 20, 2018

WooCommerce 3.3.4 fix release notes

WooCommerce 3.3.4 is now available. ~30 commits made it into this release and the full changelog is below.

* Fix - Fixed undefined index after running setup wizard two times on fresh install.
* Fix - wc_get_loop_class; force columns to be a minimum of 1.
* Fix - Added loading spinner to WC panels in menu admin. 
* Fix - Use relative scheme for AJAX endpoint to avoid errors when using a mix of HTTP and HTTPS.
* Fix - Fix SelectWoo templateSelection property.
* Fix - Layered nav support on unsupported theme archives.
* Fix - Prevent full refresh when editing store notice in the customizer.
* Fix - Only append tax label in email content if taxes are enabled.
* Fix - More reliable Jetpack detection.
* Fix - Check if product has weight before calculate weight total in cart.
* Fix - Correctly handle default ordering on the search page.
* Fix - Fix default product category handling in installer.
* Fix - Properly check slugs when updating attributes.
* Fix - Use gallery thumbnail size for variation image switcher.
* Fix - Clear subcategory cache when updating product categories.
* Fix - Round fractional cents when out of base.
* Fix - Inherit 'is variation' from existing attribute during csv import.
* Fix - Set is_shortcode loop prop when outputting subcategories.
* Fix - Reload gateways after updating the order.
* Tweak - Use wc_get_default_products_per_row as the default for product shortcodes.
* Tweak - Add post_excerpt to product search.
* Tweak - Update the description of the user tracking notice in the onboarding wizard.
* Tweak - Add extra data in order mobile view (status and date).
* Tweak - Add profile link to order screen.


Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

As usual, if you spot any other issues in WooCommerce core please log them in detail on Github, and to disclose a security issue to our team, please submit a report via HackerOne here. Comments on this post are closed.