Matt Robinson

> But the problem is that using `call_user_func` does not prevent from grabbing passwords: It's worth thinking about this feature a bit more then, and if we can't produce a...

Plugins on the WP repository are scanned and while I don't know, I suspect that any plugin that plugs `wp_hash_password()` is carefully checked. I understand what you are both saying...

I don't have any massive reservations about including peppering provided it doesn't easily surface passwords in the core code. Perhaps the solution is to hard code the pepper key to...

@xxsimoxx - mock up looks good, is that something you can implement? The string would have to be in a PHP file rather than the database.

I made that function public for local testing but left it as private, do you think it needs to be permanently changed?

I've added a change to `Gruntfile.js` so that hello.php is attempted to be copied during builds and this will also ensure only listed plugins are added to future builds.

I used the test code as posted above, amended slightly to allow me to test locally without permalinks or https connection. This test was run on the latest develop code....

I'd suggest we remove / replace Hello Dolly, I've never particularly been a fan.

Any change here would need to account for the build steps. wp-tinymce.js is a dynamic and built file created during core code build: https://github.com/ClassicPress/ClassicPress/blob/be5c1e8c20eacf38c6467f5798957628068de27c/Gruntfile.js#L759-L773 There is no unminified file and...

I have been testing with a Media category called `media` and in Safari I have managed to upload files without a Media category selected and I've also noted that the...