MarsEdit 4 Is Here

December 5th, 2017

Big news today: MarsEdit 4 is out of beta and available for download from the MarsEdit home page and the Mac App Store. This marks the end of a long development period spanning seven years, so it’s a great personal relief to me to finally release it. I hope you enjoy it.

MarsEdit 4 brings major improvements to the app including a refined new look, enhanced WordPress support, rich and plain text editor improvements, automatic preview template generation, and much more. Read more here:

What’s New in MarsEdit 4.

MarsEdit 4 also brings a new sales approach that aims to unify the trial, purchase, and upgrade experience between the Mac App Store and direct-licensed versions of the app. The app is free to download and can be used full-featured for a 14-day trial period.

After the trial expires, all features of the app continue to work except for actions that update published content on the web. This ensures that all of MarsEdit’s powerful offline features, including download/archiving of posts, can be used in perpetuity for free.

Anybody who purchased MarsEdit 3 on June 1, 2017, or later, is entitled to a free update to MarsEdit 4. Anybody who purchased MarsEdit 3 earlier than June 1 is entitled to a discounted $24.95 upgrade. This applies to Mac App Store users as well! Because MarsEdit 4 embraces the Mac App Store’s in-app purchase model, the app can use a downloaded copy of MarsEdit 3 to validate a discounted or free upgrade to MarsEdit 4, as appropriate.

There’s a lot to say about MarsEdit 4 and I’ll talk more about the improvements in separate blog posts after the dust settles. In the meantime, I hope you download the app, enjoy the work I’ve done, and if you’re feeling generous, help spread the word about the release.

Thanks!

MacOS High Sierra Support

September 26th, 2017

I have tested all Red Sweater’s apps against macOS 10.13 High Sierra, and as far as I am aware there are no issues. All of my apps are compatible with the update. Enjoy!

WPEngine Authentication Issues

August 24th, 2017

Over the past few months I’ve received a handful of support inquiries from MarsEdit customers who have trouble logging into their WPEngine-hosted WordPress blog, after initially typing the wrong username or password into MarsEdit’s authentication panel.

Normally when MarsEdit tries to connect to a blog, it reacts to authentication failures by putting up a simple panel prompting for a username and password. In some cases, where the authentication challenge seems to be coming from a higher level than the blog itself, MarsEdit prompts with a different panel, suitable for supplying HTTP protocol-level authentication.

MarsEdit distinguishes between WordPress-level authentication and HTTP-level authentication by the simple fact that WordPress always returns HTTP status 200, even when a user fails to authenticate. The failure to authenticate is expressed in a valid XMLRPC response, and since the response is valid, it warrants a 200 “Success” HTTP status result.

In the process of debugging this problem, I observed that some of my customers were getting authentication failure responses from their self-hosted WordPress blogs, in which the HTTP Status Code was not 200, but 403 instead. Slowly, but surely, I came to understand that each of these affected customers was running on WPEngine.

Finally, with the help of a customer who shared my eagerness to get to the bottom of the problem, I was able to trace the behavior to a custom WordPress plugin that is installed by WPEngine on behalf of all of their customers. It’s called the “wpengine-common” plugin. My customer was kind enough to send me a copy of the plugin files from within his WordPress installation. Guess what I found inside the plugin?

function wpe_login_failed_403() {

	// Don't 403 when the login comes 
	// through an Ajax request
	if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
		return;
	}

	status_header( 403 );
}
add_action( 'wp_login_failed', 'wpe_login_failed_403' );

This bit of code overrides the standard WordPress login failure, forcing a 403 status code when one occurs. From what I can gather, the intent is to raise the visibility of WordPress login failures so that security packages that monitor for attempts to break into sites can log the attempts and potentially warn users and/or WPEngine about the risk of an intrusion. That’s a great motive, but it has an undesirable consequence for clients of the WordPress API.

Any client of the WordPress API is liable to interpret a 403 status code as an authentication failure outside the scope of WordPress itself. It may assume there is no blog at all to connect to, or it may assume, as MarsEdit does, that there is a second level of authentication required to gain access to the server, before gaining access to WordPress.
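
To make the ambiguity concrete, here is an added example (not MarsEdit's code, and not from WPEngine) of how an XML-RPC client could classify a response by looking at the body as well as the status. It assumes the forced 403 response still carries WordPress's XML-RPC fault body, and that the fault for bad credentials uses faultCode 403; the sample bodies and result labels are constructed for illustration.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Constructed sample bodies (not captured from a real server).
BAD_LOGIN_BODY = """<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name>
<value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>"""
OK_BODY = ("<methodResponse><params><param><value><string>ok</string>"
           "</value></param></params></methodResponse>")
HTML_403_BODY = "<html><body><h1>403 Forbidden</h1></body></html>"

WP_BAD_LOGIN_FAULT = 403  # assumed XML-RPC faultCode for bad credentials


def parse_fault(body):
    """Return (is_xmlrpc, fault_code); fault_code is None if no fault."""
    try:
        xmlrpc.client.loads(body)
        return True, None
    except xmlrpc.client.Fault as fault:
        return True, fault.faultCode
    except (ExpatError, xmlrpc.client.ResponseError, TypeError, ValueError):
        # Empty body, HTML error page, or XML that is not an XML-RPC response.
        return False, None


def classify(status, body):
    """Map an HTTP status plus response body to the prompt a client should show."""
    is_xmlrpc, fault_code = parse_fault(body)
    wp_login_failed = is_xmlrpc and fault_code == WP_BAD_LOGIN_FAULT
    if status == 200:
        if not is_xmlrpc:
            return "not-xmlrpc"
        if wp_login_failed:
            return "wordpress-login-failed"
        return "ok" if fault_code is None else "xmlrpc-fault"
    if status in (401, 403):
        # A forced 403 that still wraps a WordPress login fault is a
        # WordPress-level failure; anything else came from a layer above it.
        return "wordpress-login-failed" if wp_login_failed else "http-level-denied"
    return "http-error"
```
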

I don’t know what the ideal solution to this problem is, but it would be nice if WPEngine found another way to flag the potentially suspicious login attempts to their WordPress installations, that didn’t involve breaking the contract for how the WordPress XMLRPC API is supposed to behave. If you look again at the source code excerpt I pasted above, you’ll see there is a special case in place for “Ajax” requests. Presumably this is another use case where the unexpected 403 status response has caused trouble. In fact, if you Google for “wpe_login_failed_403”, you’ll find a number of simple WordPress plugins whose whole purpose is to disable the WPEngine 403 status behavior described here.

I am planning to work around the issue in MarsEdit somehow, but in the meantime if you are a WPEngine customer who also uses MarsEdit, you may run into problems when/if you enter your credentials wrong, or you try to connect again from MarsEdit after changing your password. You’ll see a different login panel speaking of things such as “second level of authentication”. If you run into this, you can get back on track by manually entering your correct username and password:

  1. Click the blog in the left-hand side of MarsEdit’s main window.
  2. Hold the option key down while clicking the “Blog” menu item at the top of the screen.
  3. Select the “Enter Password…” menu item.
  4. Enter your correct WordPress username and password.

As long as the username and password that are stored by MarsEdit in the keychain are correct, you should be able to connect to your WPEngine-hosted WordPress blog without any issue. Whenever they are incorrect, until I implement a workaround, or until WPEngine changes their plugin behavior, you will need to work around the problem in this manner.

MarsEdit 4 Public Beta

June 28th, 2017

It’s been over 7 years since MarsEdit 3 was released. Typically I would like to maintain a schedule of releasing major upgrades every two to three years. This time, a variety of unexpected challenges led to a longer and longer delay.

The good news? MarsEdit 4 is finally shaping up. I plan to release the update later this year.

Beta Release Overview

Because the update contains many new features that my patient users have been waiting to get their hands on, I want to give folks the option of trying it out early. I think the beta release is very stable, but you’ll have to forgive a few rough edges while I finish things up. If you want to give it a spin, click this link:

Download the MarsEdit 4 Public Beta

The beta release supports Mac OS X 10.10 or greater, though final system requirements are not yet set in stone. Users who own an existing license to MarsEdit 3 can run the MarsEdit 4 beta for free until the final version is released. Customers who purchase a new MarsEdit 3 license from the Red Sweater Store between now and the final release will be entitled to a free upgrade to MarsEdit 4. Unfortunately, the Mac App Store does not accommodate free or discounted upgrades.

If you decide to install the beta, please join us in the Red Sweater Slack team to discuss the upcoming release. As always, I welcome bug reports and other feedback via email as well.

Beta Release Details

So, what’s new in MarsEdit 4? I will write in more detail when the final release is done, but here’s a high level list of some of the things that have been added in the update so far:

  • Editor Enhancements
    • Visual formatting bar – Select common formatting options with the mouse.
    • Typewriter Scrolling – View menu option to keep typing vertically centered.
    • Multimarkdown support – Enhanced functionality when previewing Markdown content.
    • Faster Preview filtering – Code-based Markdown and Convert Line Breaks filters.
    • Interactive image sizing – Rich text mode supports direct manipulation of image display size.
    • Improved “Split Post” UI – Splitter now presented inline in post content.
  • WordPress-specific enhancements
    • Faster refresh times.
    • Featured Image support.
    • Post Format support.
    • Per-post Author editing support.
  • Improved system integration. Now supports standard autosave and version history for locally saved drafts.
  • Expanded post downloads. WordPress and Blogspot blogs can now be configured to download the entire history of posts instead of a recent subset.
  • Automated preview templates. Click the “Download Template…” button from the template editor to automatically detect your blog’s theme.
  • Safari App Extension. Activate the “Send to MarsEdit” extension in Safari to easily create new drafts citing the page you are viewing.
  • Application Sandbox. The app is now sandboxed for increased security.

On top of all these, there are numerous smaller changes that you may notice and appreciate. Please let me know if you decide to try the app, what you like, what you don’t like, and I’ll do what I can to continue improving the app both for the 4.0 final release, and beyond!