
BuddyPress 2.9.3 Security and Maintenance Release

Published on January 26th, 2018 by Boone Gorges

BuddyPress 2.9.3 is now available. This is a security and maintenance release. We strongly encourage all BuddyPress sites to upgrade as soon as possible.

The 2.9.3 release addresses two security issues:

  • A dynamic template loading feature could be used in some cases for unauthorized file execution and directory traversal. Reported by James Golovich.
  • Some permissions checks and path validations in the attachment deletion process were hardened. Reported by RIPSTech and Slava Abakumov of the BuddyPress security team.

These vulnerabilities were reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to all reporters for practicing coordinated disclosure.

In addition, 2.9.3 includes a change that fixes the ability to install legacy bbPress 1.x forums. Please note that legacy forum support will be removed altogether in BuddyPress 3.0; see the announcement blog post for more details.

BuddyPress 2018 Survey

Published on December 1st, 2017 by @mercime

What would you like BuddyPress to focus on in 2018? The core team has ideas of where BuddyPress can expand on and your input is important to harness the time and resources of an all-volunteer crew.

The survey will take 10-15 minutes to complete. Be assured that we will not publish your name, email address, nor IP address when we post the results of this survey at

Thank you for your time and cooperation. Your feedback will help us improve BuddyPress for you.

=> Take the 2018 BuddyPress Survey

BuddyPress 2.9.2 Security and Maintenance Release

Published on November 2nd, 2017 by Boone Gorges

BuddyPress 2.9.2 is now available. This is a security and maintenance release. We strongly encourage all BuddyPress sites to upgrade as soon as possible.

The 2.9.2 release addresses five security issues:

  • A Cross Site Request Forgery (CSRF) vulnerability was fixed in the interface used by admins to perform certain actions related to sitewide notices. Reported by J.D. Grimes.
  • Some uses of serialized data were judged to need hardening. Reported by John James Jacoby of the BuddyPress security team.
  • An open redirect was fixed on the user edit screens. Reported by Yasin Soliman (ysx).
  • An unauthorized information disclosure vulnerability was fixed in an AJAX handler. Reported by J.D. Grimes.
  • A Cross Site Scripting (XSS) vulnerability was fixed in the avatar upload interface. Reported by Ronnie Skansing.

These vulnerabilities were reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to all reporters for practicing coordinated disclosure.

In addition, 2.9.2 includes a change that improves compatibility with the upcoming WordPress 4.9 release, by removing the call to a newly deprecated hook.

BuddyPress 2.9.1 Security Release

Published on August 23rd, 2017 by Paul Gibbs

BuddyPress 2.9.1 is now available. This is a security and maintenance release. We strongly encourage all BuddyPress sites to upgrade as soon as possible.

We fixed two regressions introduced in 2.9:

  • Groups: fix group description truncation length on group screen.
  • Profiles: fix avatar quality when requesting avatar sizes larger than the user’s uploaded avatar.

Importantly, BuddyPress 2.9.1 and earlier versions were affected by the following security issue:

  • Cross-site request forgery (CSRF) in the XProfile administration Dashboard panel.

These vulnerabilities were reported privately by Ronnie Skansing. Our thanks to Ronnie for reporting security issues in accordance with WordPress’ security policies.

BuddyPress 2.9.0 – ‘La Lombarda’

Published on July 31st, 2017 by Hugo Ashmore

BuddyPress is happy to announce the immediate availability of its latest release, 2.9 ‘La Lombarda’, available for download or as an update from your WordPress install’s plugin directory.

This release features a range of improvements and updates for both core functionality and templates.

Amongst a range of improvements and enhancements:

  • BP legacy templates are updated for aria labels to bring a vastly improved level of accessibility to layouts.
  • In line with current practices, anchor title attributes are replaced with an enhanced version usable on all devices: BP Tooltips now provides pop-up title text on mouse hover or keyboard focus.
  • Provide the capability to edit the Group slug: now site admins may edit the group name and the permalink in the dashboard.
  • Prevent group invites being sent to users that have already received one.
  • Uploading of profile images on mobile devices is improved, as is the handling of files with non-ASCII characters.
  • Email links to private message threads now redirect logged-out users to the login screen; logged-in users are directed to the message thread.
  • New template tag bp_group_link()
  • Add an order_by parameter for activity queries.

You can see the full set of changes on our codex page Version 2.9.0

Comments & feedback
Please report any issues to the Buddypress Support Forum or open a ticket on our Trac development home.

Buddypress is a volunteer project and the core team acknowledges the contributions from everyone listed below that helped to bring 2.9 to the community.

La Lombarda
This release is named after what is thought to be the oldest, and thus the first, Italian restaurant in the UK, established circa 1922 in Aberdeen.

BuddyPress 2.9.0 Release Candidate 1

Published on July 14th, 2017 by Hugo Ashmore

Today sees BP 2.9.0 move to the final testing phase, Release Candidate 1.

This is the last chance to test out this release and report back any issues found before the final release in approximately two weeks’ time.

Any issues found can be reported to our trac ticket home, or raised on the support forum.

Amongst other improvements and fixes to look out for are:

  • Fixing display of older activity comments.
  • Correction of message when removing friends that are not friends.
  • Group invites – omit sending to previously invited members.
  • Profile image upload fix for IE Edge breaks iOS fix.
  • Correct issue with hidden group & CSS specificity.
  • URL compatibility for LightSpeed.
  • Fix inability to resize member avatars for Cyrillic character filenames.

For a full list of commits see 2.9 tickets. A full changelog will be available when we release the final version.

You can download the plugin to test from the WP repo BP 2.9.0-RC1 or grab a copy from our SVN repo.

A reminder to all theme developers that there are changes to template markup that could affect layouts; we ask that they check their themes carefully. The changes are listed below along with changelog links. Again, please report any issues or problems as soon as possible to the BP trac or Slack channel.

Template changes

In this release there are a number of improvements to templates that add improved a11y performance, and markup changes for better semantics and standards.

Theme authors may want to pay particular attention to changes to profile field visibility links and the profile field descriptions, where significant markup changes are made that affect the positioning of these elements; the changesets for these are r11617 & r11618.

Nouveau – new template pack

If you’re looking for Nouveau: as we mentioned in the Beta 2 announcement, we have delayed the release of this new template pack to ensure it receives as much code checking and refinement as possible, and we’ll probably package it as its own release shortly after 2.9 is released.

We thank you in advance for all testing and reports. It should go without saying, but please don’t run beta or RC releases in a production environment, only on test installs.

The BuddyPress team.

BuddyPress 2.9.0 Beta 2

Published on June 24th, 2017 by Hugo Ashmore

Today sees BP 2.9 move to the Beta 2 testing phase (Beta 1 was skipped for technical reasons). We would ask all plugin authors, theme developers and other interested parties to test out this release and feed back any issues found to our trac ticket home, or raise them on the support forum.

Amongst other improvements and fixes to look out for are:

  • Fixing display of older activity comments.
  • Correction of message when removing friends that are not friends.
  • Group invites – omit sending to previously invited members.
  • Profile image upload fix for IE Edge breaks iOS fix.
  • Correct issue with hidden group & CSS specificity.
  • URL compatibility for LightSpeed.
  • Fix inability to resize member avatars for Cyrillic character filenames.

For a full list of commits see 2.9 tickets. A full changelog will be available when we release the final version.

You can download the plugin to test from the WP repo BP 2.9.0-beta2 or grab a copy from our SVN repo.

Template changes

In this release there are a number of improvements to templates that add improved a11y performance, and markup changes for better semantics and standards.

Theme authors may want to pay particular attention to changes to profile field visibility links and the profile field descriptions, where significant markup changes are made that affect the positioning of these elements; the changesets for these are r11617 & r11618.

Nouveau – new template pack

While we were definitely aiming to release this feature in 2.9, the necessary final fixes and feature enhancements, along with the necessary code reviews, were going to be very tight to finish in time and would likely have meant a degree of rushing. We have decided that, as this is such a major new feature, the first new theme in many years, and expectations for it will be high, we should not rush to put out a product that might be even slightly sub-optimal.

However, fear not: we are committed to keeping the project in focus through the last stages of 2.9, and to giving it primary focus during the next release cycle to ensure an early completion.

It is further proposed that we’ll actually release Nouveau in a much shorter release cycle as 3.0, this way we can get an early release and not have the project just sitting in trunk until the end of the year.

Building Bridges between Students and Educators in Nepal

Published on May 30th, 2017 by @mercime
This is a guest post by Arjun Bhattarai (aju29), Founder and Developer of StudentsNepal. He is currently working towards a Masters degree in Economics.

Peer reviewed by @boonebgorges

StudentsNepal is the first and largest community website for students of Nepal, with 9,700 registered members and 50,000 subscribers. The site helps students find answers about popular courses and colleges by acting as a bridge between the students and educators/educational organizations.


I started working on this side project in December 2014. I remembered I had very little information about courses and colleges I could choose from after finishing Higher Secondary level back in 2011. There were no websites that could readily help students to explore the various opportunities available in Nepal. There are still a lot of students in Nepal who have been brain-fed that studying abroad is the one and only option to be successful. My vision was to change this mindset among the young students of Nepal by informing them about the abundant opportunities and options available within the country.

The goal for creating StudentsNepal is to increase communication among different students with different educational backgrounds while helping them to learn all sorts of information and get hold of educational resources. Communication and interaction are the core values of StudentsNepal and these are the features that help the platform stand out from rest of the educational websites. BuddyPress and bbPress have helped us to achieve these values in a cost effective and efficient way. The beauty of these plugins is that our members can create content and help to rank us higher with search engines.


The investment to create StudentsNepal was very low, a fraction of my pocket money during my final years in college. It is now one of the top educational portals of Nepal. Since WordPress was so easy to master, my dev team and I were able to use most of our free time to create initial content and other valuable resources for our visitors – students, parents, and educators – rather than spending time/money coding from scratch or buying a proprietary platform.

Before choosing BuddyPress, I researched open-source social network scripts and platforms. My shortlist included WordPress (BuddyPress), Joomla (JomSocial), and Drupal (social modules). It was clear to me, after reading a lot of support forum posts and articles, that the BuddyPress/WordPress combo was the way to move forward with my dream. I am really happy about this choice today. The other heavyweight plugins that I added were GravityForms, Sucuri, bbPress, and MyCred plus other smaller plugins for specific tasks.

Customizations & Improvements

1. Login and Registration Pages
We found out that the default login and registration pages made it difficult for members to log in and have kept site visitors from registering. We resolved the issues by installing the Gravity Forms plugin and adding log in integration via Facebook, Twitter, or Google+ as well as making the registration page more user-friendly.

studentsnepal login screen

2. Newsletters
I thought about adding a newsletter because I loved the way some of the blogs I subscribed to sent organized information and recent activities of the blog in a beautiful email format. I decided to add an optin form to start collecting names and emails 2 to 3 months after launching the site. During the first 6 months, only first names and emails were collected with the popup optin form. Later, I changed the optin forms to collect email addresses and phone numbers. I have been using the free package of mailmunch for optin forms (popups) and Amazon AWS for sending newsletters. The newsletter contains scholarship notices for different universities/colleges, student stories, youth events, and other useful academic information.

The newsletters have become one of the most popular features for the community. We did a lot of testing of the positioning and timing of the popup to get the most sign-ups. StudentsNepal had around 20,000 subscribers by the end of 2015. The number of subscribers started growing after I inserted the forms in all the subdomains. After 3 years, the site has 50,000+ subscribers.

Currently, StudentsNepal sends 1 newsletter per week, and my dev team and I are planning to make it 2 newsletters per week. We had invited students and educators/institutions to contribute content for the newsletters and the response has been just great! Students, particularly, submit generously and regularly to benefit other members, subscribers, and online visitors.

In addition, this project has also helped me connect with lots of awesome individuals and similar-minded startup owners.

3. Design and CSS tweaks
Out of the box, BuddyPress has a plain and simple design and interfaces which can be customized easily. At the end of the day, the features and performance are what matters most to my users whether on mobile, tablet, or desktop. For me, due to extensibility and ease of customization, BuddyPress reigns as king when it comes to a free open source script for a social network.

Forums Archive

4. Upgrading Servers
StudentsNepal was on a shared hosting plan when I launched it in 2014. It took around 3 to 4 months to cross the benchmark of 500 visitors/day. After its articles were indexed in search engines and started ranking higher, StudentsNepal started getting a lot of visitors (especially from Google). In mid-2015 we upgraded to VPS hosting when the website’s articles and contents started getting listed on the 1st page of search engines and it started getting a couple of thousand visitors daily. Based on my experience, it was a good decision to get a shared hosting plan while the site was starting out and then upgrade to a more powerful hosting plan when data showed the increases in user engagement and participation.

With a community of 9,700 registered members, 50k subscribers, and around 150k visitors/month, I am happy to say that our site runs smoothly with nary a downtime on all devices. If you install BuddyPress, you will need a bit more power on your server.

Fast Forward

Future plans for StudentsNepal include moving the Shopping and Jobs sections to separate domains and setting up a new site for online classes. I am testing WooCommerce, WP Job Manager, and Moodle for the other projects to expand our services to the community.

If you are creating a site for any niche community and are not sure which platform to choose, I definitely suggest using WordPress with BuddyPress. These have a lot of stable and robust add-on plugins to help you create awesome and feature-rich communities. StudentsNepal is the first website of its nature in Nepal and it has garnered a lot of media attention and praise. I received a lot of positive and encouraging messages from educators and students in Nepal for creating this platform. I’m just glad that the services provided by the site have been very helpful to so many Nepalese students, as well as to those who would like to study in Nepal.

Thanks to WordPress and BuddyPress for making this site possible. If you want to learn more about the site or the other customizations implemented, please feel free to contact me. Also, I can help you promote your social network or other related websites with a guest post in the blog section of StudentsNepal 😀

Arjun Bhattarai is a member of the Association of Chartered Certified Accountants (ACCA) and is currently working towards an MA (Economics) at Tribhuwan University, Nepal. Apart from writing and playing with code, he loves swimming and watching sci-fi videos.
Links: Facebook, Linkedin


Naturkontakt, Organising Sweden’s Largest Environmental NGO

Published on May 15th, 2017 by @mercime
This is a guest post by Alexander Berthelsen (lakrisgubben) from the Swedish WordPress agency Klandestino AB.

Peer reviewed by @boonebgorges

Naturkontakt front page

Naturkontakt (Nature contact) is the home for members of the Swedish Society for Nature Conservation (SSNC), Sweden’s largest environmental NGO with over 200,000 members. This is a private site where SSNC members can read and publish internal news about the organisation, take part in forum discussions, and join or create groups to help them organise their work. Members of SSNC can create WordPress user accounts using their membership numbers from the organization’s CRM (Customer Relationship Management) software.


Naturkontakt has been around since the ’90s, powered by FirstClass. By 2010, that platform had become outdated and its market share was declining. This led some members to write proposals to find a new platform. Their goal was to select a platform which would serve as a hub for all the different aspects of SSNC’s mission and vision. These include “spreading knowledge, charting environmental threats, proposing solutions, and influencing politicians and authorities, both nationally and internationally. Under democratic forms, we work regionally in 24 county branches and locally in 270 community branches.”

Moving to WordPress

In 2011, SSNC acted on their decision to set up a new web-based platform for internal communications and contacted us at Klandestino to work on this project. After evaluating different platforms, we chose WordPress. Some deciding factors include WordPress’ open source licensing, our experience working with the platform, and the plethora of different plugins that extended WordPress to make it suitable for online communities.

The first iteration of the new Naturkontakt site was launched in 2011, powered by WordPress and WP Symposium. This was quite a while ago but as I recall (plus email logs), the choice stood between BuddyPress and WP Symposium. At that time, WP Symposium already had a forums component while BuddyPress lacked a solid forum integration. Remember that this was the time of the stand-alone bbPress forums which took a tortuous and unstable route to integrate to both WordPress and BuddyPress.

bbPress 2.0 to the Rescue

A year after we launched the new site, we undertook an evaluation which revealed some pain points. To name a few, WP Symposium had limited extensibility, some security issues, and major problems with performance. With those challenges in mind, we researched again into other community solutions for WordPress. By that time, the new bbPress 2.0 plugin was available and it worked very well with BuddyPress.

It was an easy decision to switch from WP Symposium to BuddyPress and bbPress. The major tasks were the arduous migration of data and continuous testing. This new setup has stood the test of time, and we’re really pleased with it. The BuddyPress-bbPress combination gave us a running start with forums, groups, profiles, and messages, which are some of the required pieces of functionality needed on Naturkontakt.

Profile page

Further development of Naturkontakt 2.0 led to the introduction of multisite features to the community. Fortunately, BuddyPress works very well in a multisite environment. Each local organisation (group) of SSNC could have their own subsite to publish news.

To make this work as smoothly as possible, we wrote custom plugins for the following functionalities:

  • Many-to-many relationships between groups and subsites. For example, the group coordinating work on forest issues could be connected to the subsite publishing news about forest issues.
  • File archives for groups so that members can upload and version docs, PDFs, images, etc.
  • Sitewide search, a plugin that indexes all content from the entire multisite network into a “ghost” site, making it possible to have a centralised search throughout the entire network and blog/archive pages that list posts from all sites.
  • A drag and drop front page workflow where the editors of the site can search for and list articles from all sites on the network on the main site front page.

This second version of Naturkontakt was released in late 2012. Since then, the basic functionalities have remained more or less the same. The site did get a facelift a few years ago when we focused on making the site work better on phones and tablets.

Blog Archive

Going forward with PHP 7

Last year, after a month of capacity/speed problems, a new evaluation showed that some long-delayed upgrades had to be made. We started a new project to focus mainly on stability and speed improvements. We finished the project just right before this article was written.

We implemented the following improvements:

  • Combed through the codebases. We searched for deprecated functions and places where custom functionality could be replaced with newly added functionality from BuddyPress, WordPress, and bbPress. We decreased the number of active plugins by a third because of the new features that had been rolled into the above-mentioned projects.
  • Switched over to Elasticsearch/ElasticPress. Our custom sitewide search has served its purpose well. However, since it’s only been used on this platform its development has fallen behind. And compared to new technologies such as Elasticsearch it didn’t cut the mustard. By switching to Elasticsearch we have offloaded a lot of the most expensive queries currently done by WordPress to a server/platform that’s fine-tuned for that kind of work.
  • Upgraded to PHP 7. This was the last part of the project. We’ve seen major improvements in the response time from the server, on average about 50%-70% decrease in response times! That is, of course, very important on a dynamic site such as for any community where static page caching often isn’t an option.

In conclusion

Our stats show the continued growth of the SSNC community, even though the competition from Facebook can be really hard. One of the major advantages of using WordPress, BuddyPress, and bbPress is that SSNC owns its own data.

Of course, there are always things to improve on. When we completed the recent project to improve performance, despite limited budgets and time constraints, we were all satisfied and hopeful that the site will be around for many more years. We also expect that upcoming development work will be focused more on the user interaction elements of the site, hopefully by building upon and extending the great work that has gone into BP Nouveau. <3

To end on a personal note I’d like to thank all of the wonderful contributors to BuddyPress who have welcomed me into the community and helped me along with trac tickets and patches. Beyond my satisfaction with Naturkontakt and working with SSNC (whom I share a lot of political views with), and the functionality that BuddyPress has provided for the project, the best part of having worked on this site is that I also feel that I’ve become part of a community that tries to do something constructive about the unpleasant grip that Facebook has over our personal and professional lives.

Alexander Berthelsen (lakrisgubben) and his two colleagues are co-owners of the web development co-operative Klandestino AB. Based in the suburbs of Stockholm, Sweden, they mainly do WordPress work with a focus on NGOs and member organisations. Alexander spends most of his five-for-the-future time on making small contributions to BuddyPress.


Largest Turkish Recipe Site Spiced Up with BuddyPress

Published on May 8th, 2017 by @mercime
This is a guest post by Mustafa Uysal (m_uysl). He is from Turkey and works as a full-stack developer at NefisYemekTarifleri.

Peer reviewed by @boonebgorges

nefisyemektarifleri site

NefisYemekTarifleri is the largest Turkish recipe sharing platform in the world. It has more than 290,000 recipes that reach millions of users every single day. NefisYemekTarifleri is a unique platform that uses WordPress and BuddyPress for all its applications — desktop, mobile web, Android, iOS, and AndroidTV.

Current status:

  • 290k+ recipes, ~500 new recipes from different authors per day
  • ~2.2M+ registered users with ~2.6M xprofile_data, 24M+ usermeta
  • ~4M native apps download, ~1M active usage
  • ~100TB CDN BW usage per month
  • 3M+ BuddyPress activities and ~4M+ notifications
  • 300k+ search requests per day

We use ElasticPress to handle 10M+ requests. To scale this platform, we use various tools which we share at Stackshare. We share some of our stats on Twitter #nytstats.

BuddyPress for a Growing User Base

NefisYemekTarifleri is turning 10 years old this August and has been using BuddyPress for the last 5 years. According to my boss, “BuddyPress has helped a lot to increase our user base.”

Our platform is community-driven, i.e., all the recipes come from our users. The membership and number of recipes submitted have increased dramatically since we started using BuddyPress. The users feel more welcome because they have their “own space” where they can easily add their avatars, cover images, post their recipes, and share other social media links. BuddyPress has enabled users to engage more with other registered members as well as invite new users to the site. Our editorial team spends a majority of their time editing user recipe submissions.

Currently, we are using all BuddyPress core components except Friends and Groups. Thankfully, r-a-y’s BuddyPress Followers plugin is a great replacement for the built-in Friends component.

Customized BuddyPress Features


Our notification system is quite different from the standard BuddyPress notifications. It supports push and web push notifications and works async over the message queue.

Site notifications schema

There are a lot of activities which can trigger notifications. There were and are many instances when we send notifications to tens of thousands of users every day. For example, when one author with thousands of “followers” publishes a new recipe, it took a long time to send a simple notification like, “Hi there! Jane Doe published a new recipe, take a look!” Now consider 10 authors with many followers publishing new recipes at the same time.

In the early days, we created a custom `nyt_bp_add_notification` script which wrapped BuddyPress’ own notification function to add bulk messaging. We found out that it was causing lag on our slave MySQL servers because the impact on disk IO was dramatic: one insert per recipient. Our solution was a new custom script, `nyt_bp_add_bulk_notification`, which inserts the rows directly into the database as a bulk SQL query. By the way, we highly recommend Percona’s PMM for catching performance hogs.

At the end of 2016, we migrated from the hosted Parse service to our self-hosted Parse for push notifications. After that, we used web-push-php for the web push notifications.

Cover Image

We decided to replace the built-in cover image feature and create our own Facebook-inspired UI which was more user-friendly. The feedback has been quite positive from our members.

New cover image UI

Features of our new cover image UI:

  • A user can directly upload a cover image by clicking on an icon on top of the cover image area.
  • The full-size image is saved behind the scenes.
  • Quick image resizing after the image upload has completed.
  • A user can change image position via drag-drop.
  • The full path and image coordinates are recorded as meta.


The Messaging component is active but not fully open for the end users. We will make this available for everyone when we’ve completed our mobile app integration. This is how we are setting this up for our site:

  • All messages have to be between two people, we canceled group messaging.
  • When someone you are not following sends a message, that message is marked as “pending”. You also “block” that person.
  • Fluent messaging: all conversations between two people use the same thread.


Cache: We hated touching BuddyPress directly, but we had to hack a core file to fix memory issues. (We have submitted a patch that reduces memory usage for BP#7130.)

Messaging, reimagined: We made some necessary changes a bit in a hacky way on the messaging component. Changing messaging behavior was not easy and there are some edge cases we have to monitor and address.

Limit notifications: Only allow 200 notifications per user; WordPress’ cron cleans up the excess on a daily basis.
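The bulk insert described under notifications and the 200-per-user cap above, as an added PHP example; it is not NefisYemekTarifleri’s `nyt_bp_add_bulk_notification` nor BuddyPress core code, and it assumes BuddyPress is loaded, the standard `bp_notifications` table columns, and hypothetical `example_`-prefixed function and hook names.

```php
<?php
// Added example: not NefisYemekTarifleri's nyt_bp_add_bulk_notification and
// not BuddyPress core. Assumes BuddyPress is loaded and the standard
// bp_notifications columns (user_id, item_id, secondary_item_id,
// component_name, component_action, date_notified, is_new).
// Every example_* name is hypothetical.

/**
 * Notify many users with a few multi-row INSERTs instead of one
 * bp_notifications_add_notification() call (one round trip) per user.
 * Every value still goes through $wpdb->prepare(), so the fast path keeps
 * the per-row API's parameterisation. $notification holds item_id,
 * secondary_item_id, component_name and component_action. Keep $chunk_size
 * modest so a single statement does not saturate replica disk IO.
 *
 * @return int Rows inserted.
 */
function example_bp_bulk_add_notifications( array $user_ids, array $notification, $chunk_size = 500 ) {
	global $wpdb;
	$table    = buddypress()->notifications->table_name;
	$now      = bp_core_current_time();
	$user_ids = array_unique( array_filter( array_map( 'intval', $user_ids ) ) );
	$inserted = 0;

	foreach ( array_chunk( $user_ids, max( 1, (int) $chunk_size ) ) as $chunk ) {
		$rows   = array();
		$values = array();
		foreach ( $chunk as $user_id ) {
			$rows[] = '(%d, %d, %d, %s, %s, %s, 1)';
			array_push(
				$values,
				$user_id,
				(int) $notification['item_id'],
				(int) $notification['secondary_item_id'],
				(string) $notification['component_name'],
				(string) $notification['component_action'],
				$now
			);
		}
		$sql = "INSERT INTO {$table}
		        (user_id, item_id, secondary_item_id, component_name, component_action, date_notified, is_new)
		        VALUES " . implode( ', ', $rows );
		$result = $wpdb->query( $wpdb->prepare( $sql, $values ) );
		if ( false === $result ) {
			break; // First failed chunk: stop and let the caller retry later.
		}
		$inserted += (int) $result;
		// Direct inserts bypass BuddyPress' own cache invalidation; flush the
		// per-user notification cache for $chunk here if you rely on it.
	}

	return $inserted;
}

/**
 * Keep only the newest $keep notifications for one user. The derived-table
 * wrapper is needed because MySQL rejects LIMIT directly inside NOT IN (...).
 *
 * @return int Rows deleted.
 */
function example_bp_trim_user_notifications( $user_id, $keep = 200 ) {
	global $wpdb;
	$table = buddypress()->notifications->table_name;

	return (int) $wpdb->query( $wpdb->prepare(
		"DELETE FROM {$table} WHERE user_id = %d AND id NOT IN (
		     SELECT id FROM (
		         SELECT id FROM {$table} WHERE user_id = %d
		         ORDER BY date_notified DESC, id DESC LIMIT %d
		     ) AS newest
		 )",
		$user_id, $user_id, $keep
	) );
}

/**
 * Daily WP-Cron job: trim every user who is over the cap. One GROUP BY scan a
 * day is cheaper than trimming on every insert. Schedule it once with
 * wp_schedule_event( time(), 'daily', 'example_bp_trim_notifications_daily' ).
 */
function example_bp_trim_all_users( $keep = 200 ) {
	global $wpdb;
	$table = buddypress()->notifications->table_name;

	$over_cap = $wpdb->get_col( $wpdb->prepare(
		"SELECT user_id FROM {$table} GROUP BY user_id HAVING COUNT(*) > %d",
		$keep
	) );
	foreach ( $over_cap as $user_id ) {
		example_bp_trim_user_notifications( (int) $user_id, $keep );
	}
}
add_action( 'example_bp_trim_notifications_daily', 'example_bp_trim_all_users' );
```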

API Endpoints: We had to be careful on managing API endpoints, addressing the mobile apps a bit differently than web, especially when you do caching inside the device.

Long-running process: MQ workers are long-running PHP scripts and they caused memory problems on production after a while. We fixed this issue with stop_the_insanity.

In the Works

Following are some of the features we have in queue:

  • Upgrading BuddyPress, of course
  • Elasticsearch integration over ElasticPress. (We haven’t tried it yet but Pascal already wrote some code we can start playing with.)
  • User suggestion to follow a member.
  • Activity improvements (currently, just acting like feed).
  • PHP 7.1 upgrade with dockerizing all the things. (Still using different versions of PHP)

BuddyPress allows us to build one of the largest niche communities in the world. Fortunately for everyone, BuddyPress is being maintained by developers who are active contributors to WordPress core. Our thanks to all BuddyPress contributors, especially the BP core team.

Mustafa Uysal of NefisYemekTarifleri also runs his own company, SKOP. He’s a plugin developer who enjoys solving tough problems and making things faster and scalable. He’s also a workaholic and was interested in archery once upon a time. Mustafa is one of the WordPress Translation Editors for the Turkish language.
Links: Twitter, Github, Linkedin, Instagram, My Blog, and nefisyemektarifleri

