updated plugin ActivityPub version 8.3.0

This commit is contained in:
2026-06-03 21:28:46 +00:00
committed by Gitium
parent a4b78ec277
commit 6fe182458a
340 changed files with 43232 additions and 7568 deletions

@ -1,14 +1,14 @@
=== ActivityPub ===
Contributors: automattic, pfefferle, mattwiebe, obenland, akirk, jeherve, mediaformat, nuriapena, cavalierlife, andremenrath
Tags: OStatus, fediverse, activitypub, activitystream
Requires at least: 6.4
Tested up to: 6.8
Stable tag: 5.8.0
Requires PHP: 7.2
Tags: fediverse, activitypub, indieweb, activitystream, social web
Requires at least: 6.5
Tested up to: 6.9
Stable tag: 8.3.0
Requires PHP: 7.4
License: MIT
License URI: http://opensource.org/licenses/MIT
The ActivityPub protocol is a decentralized social networking protocol based upon the ActivityStreams 2.0 data format.
Connect your site to the Open Social Web and let millions of users follow, share, and interact with your content from Mastodon, Pixelfed, and more.
== Description ==
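Review bot: The header lines `Requires at least: 6.5` and `Requires PHP: 7.4` raise the platform floor (from 6.4 and 7.2) in the same commit that moves `Stable tag` from 5.8.0 to 8.3.0, so this is a jump across three major versions rather than a routine bump. Confirm the target host runs PHP 7.4 or newer and WordPress 6.5 or newer before deploying, and consider stating the new minimums in the commit message so the requirement is visible without opening the readme.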
@ -16,7 +16,7 @@ Enter the fediverse with **ActivityPub**, broadcasting your blog to a wider audi
https://www.youtube.com/watch?v=QzYozbNneVc
With the ActivityPub plugin installed, your WordPress blog itself function as a federated profile, along with profiles for each author. For instance, if your website is `example.com`, then the blog-wide profile can be found at `@example.com@example.com`, and authors like Jane and Bob would have their individual profiles at `@jane@example.com` and `@bobz@example.com`, respectively.
With the ActivityPub plugin installed, your WordPress blog itself functions as a federated profile, along with profiles for each author. For instance, if your website is `example.com`, then the blog-wide profile can be found at `@example.com@example.com`, and authors like Jane and Bob would have their individual profiles at `@jane@example.com` and `@bob@example.com`, respectively.
An example: I give you my Mastodon profile name: `@pfefferle@mastodon.social`. You search, see my profile, and hit follow. Now, any post I make appears in your Home feed. Similarly, with the ActivityPub plugin, you can find and follow Jane's profile at `@jane@example.com`.
@ -59,38 +59,20 @@ This plugin connects your WordPress blog to popular social platforms like Mastod
= What is "ActivityPub for WordPress" =
*ActivityPub for WordPress* extends WordPress with some Fediverse features, but it does not compete with platforms like Friendica or Mastodon. If you want to run a **decentralized social network**, please use [Mastodon](https://joinmastodon.org/) or [GNU social](https://gnusocial.network/).
*ActivityPub for WordPress* adds Fediverse features to WordPress, but it is not a replacement for platforms like Friendica or Mastodon. If you're looking to host a decentralized social network, consider using [Mastodon](https://joinmastodon.org/) or [Friendica](https://friendi.ca/).
= What if you are running your blog in a subdirectory? =
= Why "ActivityPub"? =
In order for webfinger to work, it must be mapped to the root directory of the URL on which your blog resides.
The name ActivityPub comes from the two core ideas behind the protocol:
**Apache**
* Activity: It is based on the concept of activities, like "Create", "Like", "Follow", "Announce", etc. These are structured messages (usually in [ActivityStreams](https://www.w3.org/TR/activitystreams-core/) format) that describe what users do on the network.
* Pub: Short for publish or publication. It refers to the fact that this is a publish-subscribe (pub-sub) protocol — one user can "follow" another, and receive their published activities.
Add the following to the .htaccess file in the root directory:
Put together, ActivityPub is a protocol for publishing and subscribing to activities, which enables decentralized social networking — where different servers can interact and users can follow each other across the Fediverse.
RedirectMatch "^\/\.well-known/(webfinger|nodeinfo)(.*)$" /blog/.well-known/$1$2
= How do I solve… =
Where 'blog' is the path to the subdirectory at which your blog resides.
**Nginx**
Add the following to the site.conf in sites-available:
location ~* /.well-known {
allow all;
try_files $uri $uri/ /blog/?$args;
}
Where 'blog' is the path to the subdirectory at which your blog resides.
If you are running your blog in a subdirectory, but have a different [wp_siteurl](https://wordpress.org/documentation/article/giving-wordpress-its-own-directory/), you don't need the redirect, because the index.php will take care of that.
= What if you are running your blog behind a reverse proxy with Apache? =
If you are using a reverse proxy with Apache to run your host you may encounter that you are unable to have followers join the blog. This will occur because the proxy system rewrites the host headers to be the internal DNS name of your server, which the plugin then uses to attempt to sign the replies. The remote site attempting to follow your users is expecting the public DNS name on the replies. In these cases you will need to use the 'ProxyPreserveHost On' directive to ensure the external host name is passed to your internal host.
If you are using SSL between the proxy and internal host you may also need to `SSLProxyCheckPeerName off` if your internal host can not answer with the correct SSL name. This may present a security issue in some environments.
We have a **How-To** section in the [docs](https://github.com/Automattic/wordpress-activitypub/tree/trunk/docs/how-to) directory that can help you troubleshoot common issues.
= Constants =
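Review bot: The FAQ entries on running the blog in a subdirectory and behind an Apache reverse proxy are dropped in this hunk in favour of a single link to the How-To docs, which removes the only in-readme statements that `ProxyPreserveHost On` is needed for replies to be signed with the public host name and that `SSLProxyCheckPeerName off` "may present a security issue". If this site depends on either setup, check that the linked docs directory still covers the `.well-known` redirect and the proxy host header behaviour, and keep a local record of the configuration in use.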
@ -98,8 +80,7 @@ The plugin uses PHP Constants to enable, disable or change its default behaviour
* `ACTIVITYPUB_REST_NAMESPACE` - Change the default Namespace of the REST endpoint. Default: `activitypub/1.0`.
* `ACTIVITYPUB_EXCERPT_LENGTH` - Change the length of the Excerpt. Default: `400`.
* `ACTIVITYPUB_SHOW_PLUGIN_RECOMMENDATIONS` - show plugin recommendations in the ActivityPub settings. Default: `true`.
* `ACTIVITYPUB_MAX_IMAGE_ATTACHMENTS` - Change the number of attachments, that should be federated. Default: `3`.
* `ACTIVITYPUB_MAX_IMAGE_ATTACHMENTS` - Change the number of attachments, that should be federated. Default: `4`.
* `ACTIVITYPUB_HASHTAGS_REGEXP` - Change the default regex to detect hashtext in a text. Default: `(?:(?<=\s)|(?<=<p>)|(?<=<br>)|^)#([A-Za-z0-9_]+)(?:(?=\s|[[:punct:]]|$))`.
* `ACTIVITYPUB_USERNAME_REGEXP` - Change the default regex to detect @-replies in a text. Default: `(?:([A-Za-z0-9\._-]+)@((?:[A-Za-z0-9_-]+\.)+[A-Za-z]+))`.
* `ACTIVITYPUB_URL_REGEXP` - Change the default regex to detect urls in a text. Default: `(www.|http:|https:)+[^\s]+[\w\/]`.
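Review bot: The default for `ACTIVITYPUB_MAX_IMAGE_ATTACHMENTS` changes from `3` to `4`, so a site that never defined the constant will federate one more attachment per post after this update. If the previous limit was intentional, define the constant explicitly in the site configuration instead of relying on the default.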
@ -108,6 +89,7 @@ The plugin uses PHP Constants to enable, disable or change its default behaviour
* `ACTIVITYPUB_DISABLE_REWRITES` - Disable auto generation of `mod_rewrite` rules. Default: `false`.
* `ACTIVITYPUB_DISABLE_INCOMING_INTERACTIONS` - Block incoming replies/comments/likes. Default: `false`.
* `ACTIVITYPUB_DISABLE_OUTGOING_INTERACTIONS` - Disable outgoing replies/comments/likes. Default: `false`.
* `ACTIVITYPUB_DISABLE_REMOTE_CACHE` - Disable remote media caching (avatars, media, emoji). Default: `false`. Replaces `ACTIVITYPUB_DISABLE_SIDELOADING` from 7.9.1.
* `ACTIVITYPUB_SHARED_INBOX_FEATURE` - Enable the shared inbox. Default: `false`.
* `ACTIVITYPUB_SEND_VARY_HEADER` - Enable to send the `Vary: Accept` header. Default: `false`.
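Review bot: The new `ACTIVITYPUB_DISABLE_REMOTE_CACHE` line says it replaces `ACTIVITYPUB_DISABLE_SIDELOADING` but not whether the old constant is still honoured, while the 8.0.0 changelog entry further down states that backwards compatibility for it was added. Say so on this line too, because remote media caching is enabled by default (`false`) and a site that disabled sideloading under the old name needs to know the setting carries over.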
@ -129,250 +111,204 @@ For reasons of data protection, it is not possible to see the followers of other
== Changelog ==
### 5.8.0 - 2025-04-24
### 8.3.0 - 2026-05-18
#### Security
- Block a recently compromised JavaScript dependency from being installed during builds.
#### Added
- An option to receive notification emails when an Actor was mentioned in the Fediverse.
- Enable direct linking to Help Tabs.
- Fallback embed support for Fediverse content that lacks native oEmbed responses.
- Support for all media types in the Mastodon Importer.
- Allow site administrators to post from third-party apps on behalf of the site's blog account.
- Store content warnings from posts published through third-party ActivityPub apps so they federate correctly.
#### Changed
- Added WordPress disallowed list filtering to block unwanted ActivityPub interactions.
- Mastodon imports now support blocks, with automatic reply embedding for conversations.
- Tested and compatible with the latest version of WordPress.
- Updated design of new follower notification email and added meta information.
- Update DM email notification to include an embed display of the DM.
- Updated notification settings to be user-specific for more personalization.
- Improve compatibility with newer Fediverse servers by recognizing the FEP-3b86 Object Intent link when resolving remote follow and other intent endpoints.
- Improve compatibility with newer Fediverse servers by recognizing the standardized FEP-3b86 follow link for remote follows.
- Refresh bundled scripts to pick up the latest WordPress component updates.
- Stagger background data processing after plugin updates to reduce server load on hosts running many sites.
#### Fixed
- Add support for Multisite Language Switcher
- Better check for an empty `headers` array key in the Signature class.
- Include user context in Global-Inbox actions.
- No more PHP warning when Mastodon Apps run out of posts to process.
- Reply links and popup modals are now properly translated for logged-out visitors.
- Allow third-party apps connected to your site to look up Fediverse users by their handle (like @user@example.com).
- Fix ActivityPub blocks and widgets failing to load on cross-origin embeds (such as WordPress.com sites) due to a missing nonce header in the CORS allow-list.
- Fix a JavaScript console error that could appear on pages with the Follow, Reactions, Followers, Following, or Remote Reply blocks.
- Fix posting an Undo of a Follow through the outbox API failing with a server error or silently leaving the follow in place.
- Prevent a PHP warning during the monthly statistics backfill when an outbox item disappears between lookup steps.
- Prevent private outbox items authored by the site account from being visible to logged-out visitors at their permalink URLs.
- Prevent the site's follower and following lists from being visible to logged-out visitors when the social graph is set to private.
- Reduce database overhead on sites with many deleted posts by moving the tombstone registry to its own storage.
- Set a real author on posts created via the blog actor outbox so they no longer appear without a byline.
- Silence the upcoming WordPress 7.0 deprecation warning about `data-wp-on-async` by switching the plugin's interactive blocks to the new `withSyncEvent()` helper.
### 5.7.0 - 2025-04-11
### 8.2.1 - 2026-05-01
#### Security
- Hardened how the inbox processes large recipient lists in incoming activities.
#### Fixed
- Fix monthly and annual Fediverse Stats emails being sent more than once per period when the scheduler ran multiple times.
### 8.2.0 - 2026-04-27
#### Security
- ActivityPub REST endpoints no longer advertise credentialed cross-origin access. Browser-based clients using OAuth bearer tokens continue to work as before.
- Aligned the deprecated signature verifier's clock tolerance with the supported verifiers.
- Blocked additional reserved IPv6 ranges from outbound request safety checks.
- Decoded percent-encoded forms in the follower sync authority before the safety check.
- Fail closed when an OAuth request can't be tied to a client IP, instead of sharing one rate-limit bucket.
- Hardened input handling for incoming federated activity types.
- Hardened outbound request handling for third-party app connections and live activity streams.
- Hardened outbound request safety to cover IPv6-only third-party hosts.
- Per-IP rate limits now only trust the actual TCP peer by default, so an attacker on a directly-exposed site cannot bypass the cap by spoofing X-Forwarded-For or similar proxy headers. Sites behind a trusted reverse proxy (Cloudflare, Akamai, nginx) can opt the relevant header back in via the new "activitypub_client_ip_sources" filter.
- Reject follower sync requests targeted at internal-network hosts at the route layer.
- Required signatures on HEAD requests to peer-only endpoints.
#### Changed
- Development tooling: require PHPUnit 9.6.33 or newer (security fix CVE-2026-24765). No runtime impact for end users.
- OAuth public clients must now use PKCE by default, matching OAuth 2.1. Site operators can relax this via the activitypub_oauth_require_pkce filter if legacy clients need to connect.
- Returned the standard rate-limit response from the OAuth token endpoint when too many requests are sent.
#### Fixed
- Delete activities no longer bypass signature verification on endpoints that explicitly require it.
- OAuth token revocation now verifies the caller owns the token being revoked.
- Tighten HTTP signature verification: narrow the clock-skew window, reject signatures that carry no freshness timestamp, and cap unreasonable expiry times. Peers that sign without a Date or creation timestamp will no longer verify.
- Trim dev-only configuration files from the plugin release package.
### 8.1.1 - 2026-04-22
#### Added
- Advanced Settings tab, with special settings for advanced users.
- Check if pretty permalinks are enabled and recommend to use threaded comments.
- Reply block: show embeds where available.
- Support same-server domain migrations.
- Upgrade routine that removes any erroneously created extra field entries.
- Added the `activitypub_post_object_type` filter so plugins can override the federated object type (Note, Article, Page) for a post.
#### Changed
- Add option to enable/disable the "shared inbox" to the "Advanced Settings".
- Add option to enable/disable the `Vary` Header to the "Advanced Settings".
- Configure the "Follow Me" button to have a button-only mode.
- Importers are loaded on admin-specific hook.
- Improve the troubleshooting UI and show Site-Health stats in ActivityPub settings.
- Increased compatibility with Mobilizon and other platforms by improving signature verification for different key formats.
- Always flush rewrite rules at the end of a plugin migration so that users upgrading across multiple versions do not miss a flush.
#### Fixed
- Ensure that an `Activity` has an `Actor` before adding it to the Outbox.
- Fixed some bugs and added additional information on the Debug tab of the Site-Health page.
- Follow-up to the reply block changes that makes sure Mastodon embeds are displayed in the editor.
- Outbox endpoint bug where non-numeric usernames caused errors when querying Outbox data.
- Show Site Health error if site uses old "Almost Pretty Permalinks" structure.
- Sites with comments from the Fediverse no longer create uncached extra fields posts that flood the Outbox.
- Transformers allow settings values to false again, a regression from 5.5.0.
- Fix the Fediverse stats widget on sites where the REST namespace is remapped, such as WordPress.com.
- Harden the reactions API response so stored author names and URLs cannot introduce markup or non-HTTP schemes into the JSON output.
- Stop hiding posts that contain a federated reply block from the main blog listing and the admin post list on sites that do not use the Posts and Replies block.
### 5.6.1 - 2025-04-02
#### Fixed
- "Post Interactions" settings will now be saved to the options table.
- So not show `movedTo` attribute instead of setting it to `false` if empty.
- Use specified date format for `updated` field in Outbox-Activites.
### 8.1.0 - 2026-04-21
#### Security
- Add rate limiting to app registration to prevent abuse.
- Fix blog actor outbox exposing private activities to unauthenticated visitors.
- Restrict localhost URL allowance to local development environments only.
- Verify that the signing key belongs to the same server as the activity actor.
### 5.6.0 - 2025-04-01
#### Added
- Added a Mastodon importer to move your Mastodon posts to your WordPress site.
- A default Extra-Field to do a little advertising for WordPress.
- Move: Differentiate between `internal` and 'external' Move.
- Redirect user to the welcome page after ActivityPub plugin is activated.
- The option to show/hide the "Welcome Page".
- User setting to enable/disable Likes and Reblogs
- Add a "Posts and Replies" tab bar for author archives that filters between posts and replies, similar to Mastodon's profile view.
- Add a liked collection to actor profiles, showing all posts the actor has liked.
- Add a seasonal starter pattern that suggests sharing Fediverse stats when creating a new post in December and January.
- Add a stats block that displays annual Fediverse statistics as a card on the site and as a shareable image on the Fediverse, with automatic color and font adoption from the site's theme.
- Added `activitypub_pre_get_by_id` filter to allow plugins to register custom virtual actors resolved by ID.
- Add EXIF metadata support for image attachments using Vernissage namespace.
- Add new Fediverse Following Page and Profile Page block patterns.
- Add OAuth server metadata and registration endpoint discovery to actor profiles.
- Add real-time streaming for inbox and outbox updates via Server-Sent Events (SSE).
- Add support for Block, Add (pin post), and Remove (unpin post) activities via Client-to-Server API.
- Add support for check-in activities posted via compatible apps.
- Add support for importing Starter Packs in both the Pixelfed and Mastodon formats.
- Add tags.pub integration to supplement tag timelines with posts from across the Fediverse.
- Support for ActivityPub Client-to-Server (C2S) protocol, allowing apps like federated clients to create, edit, and delete posts on your behalf.
#### Changed
- Logged-out remote reply button markup to look closer to logged-in version.
- No longer federates `Delete` activities for posts that were not federated.
- OrderedCollection and OrderedCollectionPage behave closer to spec now.
- Outbox items now contain the full activity, not just activity objects.
- Standardized mentions to use usernames only in comments and posts.
- Block patterns for follow, following, and profile pages are now only suggested when editing pages.
- Fix notification pagination when using Enable Mastodon Apps: use date-constrained queries instead of truncating the shared notification pool, and expose `$limit`, `$before_date`, and `$after_date` as additional filter arguments so third-party handlers can fetch the correct window.
- Improve the pre-publish format suggestion panel with clearer messages and a confirmation after applying a format.
- Podcast episodes now respect the configured object type setting instead of always being sent as "Note".
- Show reaction action buttons even when a post has no reactions yet.
#### Fixed
- Changelog entries: allow automating changelog entry generation from forks as well.
- Comments from Fediverse actors will now be purged as expected.
- Importing attachments no longer creates Outbox items for them.
- Improved readability in Mastodon Apps plugin string.
- No more PHP warnings when previewing posts without attachments.
- Outbox batch processing adheres to passed batch size.
- Permanently delete reactions that were `Undo` instead of trashing them.
- PHP warnings when scheduling post activities for an invalid post.
- PHP Warning when there's no actor information in comment activities.
- Prevent self-replies on local comments.
- Properly set `to` audience of `Activity` instead of changing the `Follow` Object.
- Run all Site-Health checks with the required headers and a valid signature.
- Set `updated` field for profile updates, otherwise the `Update`-`Activity` wouldn't be handled by Mastodon.
- Support multiple layers of nested Outbox activities when searching for the Object ID.
- The Custom-Avatar getter on WP.com.
- Use the $from account for the object in Move activity for external Moves
- Use the `$from` account for the object in Move activity for internal Moves
- Use `add_to_outbox` instead of the changed scheduler hooks.
- Use `JSON_UNESCAPED_SLASHES` because Mastodon seems to have problems with encoded URLs.
- `Scheduler::schedule_announce_activity` to handle Activities instead of Activity-Objects.
- ActivityPub endpoints that surface comment, reply, like, share, and remote-reply metadata now honor the parent post's visibility setting.
- Added validation for SSE access tokens passed via query parameter.
- Fix account migration (Move) not working when moving back to an external account.
- Fix a fatal error during activity delivery when the outbox item has been deleted.
- Fix a fatal error when receiving activities with a non-string language property.
- Fix a fatal `array_keys(null)` in `Comment::get_comment_type_slugs()` that could take down any request where a third-party plugin transitioned a custom comment type before `add_comment_type()` had been called.
- Fix a missing script dependency notice on the admin page in WordPress 6.9.1 and later.
- Fix BuddyPress @mention filter corrupting Fediverse Followers and Following blocks.
- Fix cleanup jobs silently doing nothing on sites where purge retention options were not set.
- Fix comments on remote posts being incorrectly held in moderation.
- Fix double-encoded HTML entities in post titles on the Fediverse Stats dashboard.
- Fixed an issue where quote authorization stamps could reference unrelated posts.
- Fixed double-encoding of special characters in comment author names on updates.
- Fixed emoji shortcode replacement to handle special characters in emoji names correctly.
- Fix fatal error when other plugins hook into the user agent filter expecting two arguments.
- Fix Fediverse Preview showing the standard web view instead of the ActivityPub preview for draft posts.
- Fix OAuth authentication failing for local development clients using localhost subdomains.
- Fix performance regression from reply-exclusion filter by skipping it for queries targeting non-ActivityPub post types.
- Fix Reader feed failing to load with newer WordPress versions.
- Fix remote actor avatars getting stuck on broken URLs when the original image becomes unavailable.
- Fix Site Health check showing an empty error message when the WebFinger endpoint is not reachable.
- Fix the Fediverse profile "Joined" date showing the oldest post date instead of when the site started federating.
- Fix the Fediverse profile showing an inflated post count by excluding incoming comments from the total.
- Fix Update handler using stale local actor data instead of the activity payload
- Improved HTTP Signature validation for requests with a missing Date header.
- Only allow S256 as PKCE code challenge method for OAuth authorization.
- Prevent third-party plugin UI elements and scripts from appearing in federated content.
- Require signed peer requests for the followers synchronization endpoint per FEP-8fcf.
- Show a styled error page instead of raw technical output when an OAuth application cannot be reached during authorization.
- Strip private recipient fields from all outgoing activities to prevent leaking private audiences.
- Sync ActivityPub blog actor settings via Jetpack.
- Use ap_actor post ID for remote account IDs instead of remapping URI strings.
- Use safe HTTP request for signature retry to prevent requests to private IP ranges.
- Validate emoji updated timestamps before storing them.
### 8.0.2 - 2026-03-17
#### Security
- Prevent non-public posts (drafts, scheduled, pending review) from being accessible via ActivityPub.
### 8.0.1 - 2026-03-11
#### Changed
- Simplify the follow page block pattern to avoid duplicate headings and improve accessibility.
#### Fixed
- Fix dark sidebar colors appearing incorrectly with non-default admin color schemes.
- Fix Fediverse Reactions block not aligning with post content in block themes.
- Fix new posts being marked as modified on load, which prevented Gutenberg's starter pattern modal from appearing.
### 8.0.0 - 2026-03-04
#### Security
- Prevent private recipient lists from being shared when sending activities to other servers.
### 5.5.0 - 2025-03-19
#### Added
- Added "Enable Mastodon Apps" and "Event Bridge for ActivityPub" to the recommended plugins section.
- Added Constants to the Site-Health debug informations.
- Development environment: add Changelogger tool to environment dependencies.
- Development environment: allow contributors to specify a changelog entry directly from their Pull Request description.
- Documentation for migrating from a Mastodon instance to WordPress.
- Support for sending Activities to ActivityPub Relays, to improve discoverability of public content.
- Add a help section to interaction dialogs explaining the Fediverse and why entering a profile is needed.
- Add a notice on the Settings page to easily switch from legacy template mode to automatic mode.
- Add a pre-publish suggestion that recommends a post format for better compatibility with media-focused Fediverse platforms.
- Add a Site Health check that warns when plugins are causing too many federation updates.
- Add backwards compatibility for the `ACTIVITYPUB_DISABLE_SIDELOADING` constant and `activitypub_sideloading_enabled` filter from version 7.9.1.
- Add bot account snippet that marks ActivityPub profiles as automated accounts, displaying a "BOT" badge on Mastodon and other Fediverse platforms.
- Add Cache namespace for remote media caching with CLI commands, improved MIME validation, and filter-based architecture.
- Add federation of video poster images set in the WordPress video block.
- Add Locale from Tags community snippet.
- Add optional Like and Boost action buttons to the Fediverse Reactions block, allowing visitors to interact with posts from their own server.
- Add pre-built Fediverse block patterns for easy profile, follow page, and sidebar setup.
- Add snippet for blockless fediverse reactions
- Add `wp activitypub fetch` CLI command for fetching remote URLs with signed HTTP requests.
#### Changed
- Documentation: expand Pull Request process docs, and mention the new changelog process as well as the updated release process.
- Don't redirect @-name URLs to trailing slashed versions
- Improved and simplified Query code.
- Improved readability for actor mode setting.
- Improved title case for NodeInfo settings.
- Introduced utility function to determine actor type based on user ID.
- Outbox items only get sent to followers when there are any.
- Restricted modifications to settings if they are predefined as constants.
- The Welcome page now uses WordPress's Settings API and the classic design of the WP Admin.
- Uses two-digit version numbers in Outbox and NodeInfo responses.
#### Removed
- Our version of `sanitize_url()` was unused—use Core's `sanitize_url()` instead.
- Improved active user counting for NodeInfo to include all federated content types and comments.
- Improve language map resolution to strictly follow the ActivityStreams spec.
- Superseded outbox activities are now removed instead of kept, reducing clutter in the outbox.
- The minimum required PHP version is now 7.4.
#### Fixed
- Ensured that Query::get_object_id() returns an ID instead of an Object.
- Fix a fatal error in the Preview when a post contains no (hash)tags.
- Fixed an issue with the Content Carousel and Blog Posts block: https://github.com/Automattic/wp-calypso/issues/101220
- Fixed default value for `activitypub_authorized_fetch` option.
- Follow-Me blocks now show the correct avatar on attachment pages.
- Images with the correct aspect ratio no longer get sent through the crop step again.
- No more PHP warnings when a header image gets cropped.
- PHP warnings when trying to process empty tags or image blocks without ID attributes.
- Properly re-added support for `Update` and `Delete` `Announce`ments.
- Updates to certain user meta fields did not trigger an Update activity.
- When viewing Reply Contexts, we'll now attribute the post to the blog user when the post author is disabled.
### 5.4.1 - 2025-03-04
#### Fixed
- Fixed transition handling of posts to ensure that `Create` and `Update` activities are properly processed.
- Show "full content" preview even if post is in still in draft mode.
### 5.4.0 - 2025-03-03
#### Added
- Upgrade script to fix Follower json representations with unescaped backslashes.
- Centralized place for sanitization functions.
#### Changed
- Bumped minimum required WordPress version to 6.4.
- Use a later hook for Posts to get published to the Outbox, to get sure all `post_meta`s and `taxonomy`s are set stored properly.
- Use webfinger as author email for comments from the Fediverse.
- Remove the special handling of comments from Enable Mastodon Apps.
#### Fixed
- Do not redirect `/@username` URLs to the API any more, to improve `AUTHORIZED_FETCH` handling.
### 5.3.2 - 2025-02-27
#### Fixed
- Remove `activitypub_reply_block` filter after Activity-JSON is rendered, to not affect the HTML representation.
- Remove `render_block_core/embed` filter after Activity-JSON is rendered, to not affect the HTML representation.
### 5.3.1 - 2025-02-26
#### Fixed
- Blog profile settings can be saved again without errors.
- Followers with backslashes in their descriptions no longer break their actor representation.
### 5.3.0 - 2025-02-25
#### Added
- A fallback `Note` for `Article` objects to improve previews on services that don't support Articles yet.
- A reply `context` for Posts and Comments to allow relying parties to discover the whole conversation of a thread.
- Setting to adjust the number of days Outbox items are kept before being purged.
- Failed Follower notifications for Outbox items now get retried for two more times.
- Undo API for Outbox items.
- Metadata to New Follower E-Mail.
- Allow Activities on URLs instead of requiring Activity-Objects. This is useful especially for sending Announces and Likes.
- Outbox Activity IDs can now be resolved when the ActivityPub `Accept header is used.
- Support for incoming `Move` activities and ensure that followed persons are updated accordingly.
- Labels to add context to visibility settings in the block editor.
- WP CLI command to reschedule Outbox-Activities.
#### Changed
- Outbox now precesses the first batch of followers right away to avoid delays in processing new Activities.
- Post bulk edits no longer create Outbox items, unless author or post status change.
- Properly process `Update` activities on profiles and ensure all properties of a followed person are updated accordingly.
- Outbox processing accounts for shared inboxes again.
- Improved check for `?activitypub` query-var.
- Rewrite rules: be more specific in author rewrite rules to avoid conflicts on sites that use the "@author" pattern in their permalinks.
- Deprecate the `activitypub_post_locale` filter in favor of the `activitypub_locale` filter.
#### Fixed
- The Outbox purging routine no longer is limited to deleting 5 items at a time.
- Ellipses now display correctly in notification emails for Likes and Reposts.
- Send Update-Activity when "Actor-Mode" is changed.
- Added delay to `Announce` Activity from the Blog-Actor, to not have race conditions.
- `Actor` validation in several REST API endpoints.
- Bring back the `activitypub_post_locale` filter to allow overriding the post's locale.
### 5.2.0 - 2025-02-13
#### Added
- Batch Outbox-Processing.
- Outbox processed events get logged in Stream and show any errors returned from inboxes.
- Outbox items older than 6 months will be purged to avoid performance issues.
- REST API endpoints for likes and shares.
#### Changed
- Increased probability of Outbox items being processed with the correct author.
- Enabled querying of Outbox posts through the REST API to improve troubleshooting and debugging.
- Updated terminology to be client-neutral in the Federated Reply block.
#### Fixed
- Fixed an issue where the outbox could not send object types other than `Base_Object` (introduced in 5.0.0).
- Enforce 200 status header for valid ActivityPub requests.
- `object_id_to_comment` returns a commment now, even if there are more than one matching comment in the DB.
- Integration of content-visibility setup in the block editor.
- Update CLI commands to the new scheduler refactorings.
- Do not add an audience to the Actor-Profiles.
- `Activity::set_object` falsely overwrites the Activity-ID with a default.
### 5.1.0 - 2025-02-06
#### Added
- Cleanup of option values when the plugin is uninstalled.
- Third-party plugins can filter settings tabs to add their own settings pages for ActivityPub.
- Show ActivityPub preview in row actions when Block Editor is enabled but not used for the post type.
#### Changed
- Manually granting `activitypub` cap no longer requires the receiving user to have `publish_post`.
- Allow omitting replies in ActivityPub representations instead of setting them as empty.
- Allow Base Transformer to handle WP_Term objects for transformation.
- Improved Query extensibility for third party plugins.
#### Fixed
- Negotiation of ActivityPub requests for custom post types when queried by the ActivityPub ID.
- Avoid PHP warnings when using Debug mode and when the `actor` is not set.
- No longer creates Outbox items when importing content/users.
- Fix NodeInfo 2.0 URL to be HTTP instead of HTTPS.
### 5.0.0 - 2025-02-03
#### Changed
- Improved content negotiation and AUTHORIZED_FETCH support for third-party plugins.
- Moved password check to `is_post_disabled` function.
#### Fixed
- Handle deletes from remote servers that leave behind an accessible Tombstone object.
- No longer parses tags for post types that don't support Activitypub.
- rel attribute will now contain no more than one "me" value.
- Accept incoming activities from servers that use standalone key objects for HTTP Signatures.
- Fix a crash on servers where WordPress uses FTP instead of direct file access for media caching.
- Fix a crash when receiving posts from certain federated platforms that send multilingual content.
- Fix automatic cleanup of old activities failing silently on sites with large numbers of outbox, inbox, or remote post items.
- Fix comment count to properly exclude likes, shares, and notes.
- Fix follow button redirect from Mastodon not being recognized.
- Fix modal overlay not covering the full screen on block themes.
- Fix outbox invalidation canceling pending Accept/Reject responses to QuoteRequests for the same post.
- Fix QuoteRequest handler to derive responding actor from post author instead of inbox recipient.
- Fix reactions block buttons inheriting theme background color on classic themes.
- Fix reactions block layout on small screens and remove unwanted button highlight when clicking action buttons.
- Fix signature verification rejecting valid requests that use lowercase algorithm names in the Digest header.
- Fix soft-deleted posts being served instead of a tombstone when the post is re-saved.
- Improve compatibility with federated services that use a URL reference for the actor's public key.
- Improve handling of all public audience identifiers when sending activities to followers and relays.
See full Changelog on [GitHub](https://github.com/Automattic/wordpress-activitypub/blob/trunk/CHANGELOG.md).
== Upgrade Notice ==
= 5.4.0 =
= 8.1.0 =
Note: This update requires WordPress 6.4+. Please ensure your site meets this requirement before upgrading.
See your year on the Fediverse with the new Stats feature, bringing your highlights together in one simple view you can share anywhere.
== Installation ==
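Review bot: The Upgrade Notice at the end of this hunk now carries only the 8.1.0 Stats announcement, while the changelog above it lists changes that can break a working site on upgrade and are not surfaced there. From the visible entries: 8.0.0 raises the minimum PHP version to 7.4; 8.2.0 makes per-IP rate limits trust only the TCP peer unless a proxy header is opted back in through the `activitypub_client_ip_sources` filter, requires PKCE for OAuth public clients by default, and stops verifying peers that sign without a Date or creation timestamp. Add an upgrade notice covering these, and for this deployment check before rollout whether the site sits behind a reverse proxy (the filter is then needed for per-client limits to work as intended) and whether any connected OAuth client lacks PKCE support.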