WordPress Changelog

New in WordPress 5.3.2 (Dec 18, 2019)

  • Date/Time: Ensure that get_feed_build_date() correctly handles a modified post object with invalid date.
  • Uploads: Fix file name collision in wp_unique_filename() when uploading a file with upper case extension on non case-sensitive file systems.
  • Media: Fix PHP warnings in wp_unique_filename() when the destination directory is unreadable.
  • Administration: Fix the colors in all color schemes for buttons with the .active class.
  • Posts, Post Types: In wp_insert_post(), when checking the post date to set future or publish status, use a proper delta comparison.

New in WordPress 5.3.1 (Dec 16, 2019)

  • Security updates:
  • Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.
  • Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
  • Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
  • Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
  • Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.
  • Maintenance updates:
  • Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
  • Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
  • Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
  • Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
  • Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
  • External libraries: update sodium_compat.
  • Site health: allow the remind interval for the admin email verification to be filtered.
  • Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
  • Users: ensure administration email verification uses the user’s locale instead of the site locale.

New in WordPress 5.3 (Nov 13, 2019)

  • WordPress 5.3 “Kirk”:
  • Introducing our most refined user experience with the improved block editor in WordPress 5.3! Named “Kirk” in honour of jazz multi-instrumentalist Rahsaan Roland Kirk, the latest and greatest version of WordPress is available for download or update in your dashboard.
  • 5.3 expands and refines the block editor with more intuitive interactions and improved accessibility. New features in the editor increase design freedoms, provide additional layout options and style variations to allow designers more control over the look of a site.
  • This release also introduces the Twenty Twenty theme giving the user more design flexibility and integration with the block editor. Creating beautiful web pages and advanced layouts has never been easier.
  • Block Editor Improvements:
  • This enhancement-focused update introduces over 150 new features and usability improvements, including improved large image support for uploading non-optimized, high-resolution pictures taken from your smartphone or other high-quality cameras. Combined with larger default image sizes, pictures always look their best.
  • Accessibility improvements include the integration of block editor styles in the admin interface. These improved styles fix many accessibility issues: color contrast on form fields and buttons, consistency between editor and admin interfaces, new snackbar notices, standardizing to the default WordPress color scheme, and the introduction of Motion to make interacting with your blocks feel swift and natural.
  • For people who use a keyboard to navigate the dashboard, the block editor now has a Navigation mode. This lets you jump from block to block without tabbing through every part of the block controls.
  • Expanded Design Flexibility:
  • WordPress 5.3 adds even more robust tools for creating amazing designs.
  • The new Group block lets you easily divide your page into colorful sections.
  • The Columns block now supports fixed column widths.
  • The new predefined layouts make it a cinch to arrange content into advanced designs.
  • Heading blocks now offer controls for text and background color.
  • Additional style options allow you to set your preferred style for any block that supports this feature.
  • Introducing Twenty Twenty:
  • As befits a theme called Twenty Twenty, clarity and readability is also a big focus. The theme includes the typeface Inter, designed by Rasmus Andersson. Inter comes in a Variable Font version, a first for default themes, which keeps load times short by containing all weights and styles of Inter in just two font files.
  • Improvements for Everyone:
  • Automatic Image Rotation:
  • Your images will be correctly rotated upon upload according to the embedded orientation data. This feature was first proposed nine years ago and made possible through the perseverance of many dedicated contributors.
  • Improved Site Health Checks:
  • The improvements introduced in 5.3 make it even easier to identify issues. Expanded recommendations highlight areas that may need troubleshooting on your site from the Health Check screen.
  • Admin Email Verification:
  • You’ll now be periodically asked to confirm that your admin email address is up to date when you log in as an administrator. This reduces the chance of getting locked out of your site if you change your email address.
  • Date/Time Component Fixes:
  • Developers can now work with dates and timezones in a more reliable way. Date and time functionality has received a number of new API functions for unified timezone retrieval and PHP interoperability, as well as many bug fixes.
  • PHP 7.4 Compatibility:
  • WordPress 5.3 aims to fully support PHP 7.4. This release contains multiple changes to remove deprecated functionality and ensure compatibility. WordPress continues to encourage all users to run the latest and greatest versions of PHP.

New in WordPress 5.2.4 (Oct 15, 2019)

  • Security Updates:
  • Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
  • Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.
  • Props to Weston Ruter for finding a way to create a stored XSS to inject JavaScript into style tags.
  • Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
  • Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.
  • Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.

New in WordPress 5.2.3 (Sep 5, 2019)

  • Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first was a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
  • Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
  • Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
  • Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
  • Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
  • Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
  • In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.

New in WordPress 5.2.2 (Jun 19, 2019)

  • This maintenance release fixes 13 bugs and adds a little bit of polish to the Site Health feature that made its debut in 5.2.

New in WordPress 5.2.1 (May 21, 2019)

  • This maintenance release fixes 33 bugs, including improvements to the block editor, accessibility, internationalization, and the Site Health feature introduced in 5.2.

New in WordPress 5.2 (May 8, 2019)

  • Version 5.2 of WordPress, named “Jaco” in honor of renowned and revolutionary jazz bassist Jaco Pastorius, is available for download or update in your WordPress dashboard. New features in this update make it easier than ever to fix your site if something goes wrong.
  • There are even more robust tools for identifying and fixing configuration issues and fatal errors. Whether you are a developer helping clients or you manage your site solo, these tools can help get you the right information when you need it.
  • Site Health Check:
  • Building on the Site Health features introduced in 5.1, this release adds two new pages to help debug common configuration issues. It also adds space where developers can include debugging information for site maintainers.
  • PHP Error Protection:
  • This administrator-focused update will let you safely fix or manage fatal errors without requiring developer time. It features better handling of the so-called “white screen of death,” and a way to enter recovery mode, which pauses error-causing plugins or themes.
  • Accessibility Updates:
  • A number of changes work together to improve contextual awareness and keyboard navigation flow for those using screen readers and other assistive technologies.
  • New Dashboard Icons:
  • Thirteen new icons including Instagram, a suite of icons for BuddyPress, and rotated Earth icons for global inclusion. Find them in the Dashboard and have some fun!
  • Plugin Compatibility Checks:
  • WordPress will now automatically determine if your site’s version of PHP is compatible with installed plugins. If the plugin requires a higher version of PHP than your site currently uses, WordPress will not allow you to activate it, preventing potential compatibility errors.

New in WordPress 5.1.1 (Mar 19, 2019)

  • This security and maintenance release introduces 14 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in 5.2.
  • This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting.
  • WordPress versions 5.1 and earlier are affected by these bugs, which are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not yet updated to 5.1.

New in WordPress 5.1 (Feb 25, 2019)

  • Site Health:
  • With security and speed in mind, this release introduces WordPress’s first Site Health features. WordPress will start showing notices to administrators of sites that run long-outdated versions of PHP, which is the programming language that powers WordPress.
  • When you install new plugins, WordPress’s Site Health features will check them against the version of PHP you’re running. If the plugin requires a version that won’t work with your site, WordPress will keep you from installing that plugin.
  • Editor Performance:
  • Introduced in WordPress 5.0, the new block editor continues to improve. Most significantly, WordPress 5.1 includes solid performance improvements within the editor. The editor should feel a little quicker to start, and typing should feel smoother.
  • Multisite Metadata:
  • 5.1 introduces a new database table to store metadata associated with sites and allows for the storage of arbitrary site data relevant in a multisite / network context.
  • Cron API:
  • The Cron API has been updated with new functions to assist with returning data and includes new filters for modifying cron storage. Other changes in behavior affect cron spawning on servers running FastCGI and PHP-FPM versions 7.0.16 and above.
  • New JS Build Processes:
  • WordPress 5.1 features a new JavaScript build option, following the large reorganisation of code that started in the 5.0 release.
  • Miscellaneous improvements include:
  • Updates to values for the WP_DEBUG_LOG constant
  • New test config file constant in the test suite, new plugin action hooks
  • Short-circuit filters for wp_unique_post_slug(), WP_User_Query, and count_users()
  • A new human_readable_duration function
  • Improved taxonomy metabox sanitization
  • Limited LIKE support for meta keys when using WP_Meta_Query
  • A new “doing it wrong” notice when registering REST API endpoints

New in WordPress 5.0.3 (Jan 10, 2019)

  • 15 block editor related bug fixes and improvements have been added to bundled themes. Make sure to update these for an improved block editing experience.
  • 2 block editor related internationalization (I18N) bugs have been fixed.
  • Users with JavaScript disabled now see a notice when attempting to use the block editor.
  • A few PHP errors in the Customizer have been fixed.
  • Some issues uploading common file types, like CSVs, have been fixed.

New in WordPress 5.0.2 (Dec 22, 2018)

  • 45 total Block Editor improvements are included (14 performance enhancements & 31 bug fixes).
  • 17 Block Editor related bugs have been fixed across all of the bundled themes.
  • Some internationalization (i18n) issues related to script loading have also been fixed.

New in WordPress 5.0.1 (Dec 13, 2018)

  • Karim El Ouerghemmi discovered that authors could alter meta data to delete files that they weren’t authorized to.
  • Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input.
  • Sam Thomas discovered that contributors could craft meta data in a way that resulted in PHP object injection.
  • Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
  • Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.
  • Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.
  • Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.

New in WordPress 5.0 (Dec 10, 2018)

  • We’ve made some big upgrades to the editor. Our new block-based editor is the first step toward an exciting new future with a streamlined editing experience across your site. You’ll have more flexibility with how content is displayed, whether you are building your first site, revamping your blog, or writing code for a living.
  • The new block-based editor won’t change the way any of your content looks to your visitors. What it will do is let you insert any type of multimedia in a snap and rearrange to your heart’s content. Each piece of content will be in its own block; a distinct wrapper for easy maneuvering. If you’re more of an HTML and CSS sort of person, then the blocks won’t stand in your way. WordPress is here to simplify the process, not the outcome. We have tons of blocks available by default, and more get added by the community every day.
  • This new editing experience provides a more consistent treatment of design as well as content. If you’re building client sites, you can create reusable blocks. This lets your clients add new content anytime, while still maintaining a consistent look and feel.
  • Introducing Twenty Nineteen, a new default theme that shows off the power of the new editor.

New in WordPress 4.9.8 (Aug 3, 2018)

  • Most users will now be presented with a notice in their WordPress dashboard. This “Try Gutenberg” callout is an opportunity for users to use the Gutenberg block editor before it is released in WordPress 5.0.
  • In WordPress 4.9.8, the callout will be shown to the following users:
  • If Gutenberg is not installed or activated, the callout will be shown to Admin users on single sites, and Super Admin users on multisites.
  • If Gutenberg is installed and activated, the callout will be shown to Contributor users and above.
  • If the Classic Editor plugin is installed and activated, the callout will be hidden for all users.
  • You can learn more by reading “Try Gutenberg” Callout in WordPress 4.9.8.
  • Privacy fixes/enhancements:
  • This release includes 18 Privacy fixes focused on ensuring consistency and flexibility in the new personal data tools that were added in 4.9.6, including:
  • The type of request being confirmed is now included in the subject line for all privacy confirmation emails.
  • Improved consistency with site name being used for privacy emails in multisite.
  • Pagination for Privacy request admin screens can now be adjusted.
  • Increased the test coverage for several core privacy functions.

New in WordPress 4.9.7 (Jul 6, 2018)

  • Taxonomy: Improve cache handling for term queries.
  • Posts, Post Types: Clear post password cookie when logging out.
  • Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.
  • Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.
  • Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.

New in WordPress 4.9.6 (May 18, 2018)

  • The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25. The GDPR requires companies and site owners to be transparent about how they collect, use, and share personal data. It also gives individuals more access and choice when it comes to how their own personal data is collected, used, and shared.
  • It’s important to understand that while the GDPR is a European regulation, its requirements apply to all sites and online businesses that collect, store, and process personal data about EU residents no matter where the business is located.
  • You can learn more about the GDPR from the European Commission’s Data Protection page.
  • We’re committed to supporting site owners around the world in their work to comply with this important law. As part of that effort, we’ve added a number of new privacy features in this release.

New in WordPress 4.9.4 (Feb 8, 2018)

  • We added the ability for WordPress to self-update, keeping your website secure and bug-free, even when you weren’t available to do it yourself.

New in WordPress 4.9.2 (Jan 17, 2018)

  • JavaScript errors that prevented saving posts in Firefox have been fixed.
  • The previous taxonomy-agnostic behavior of get_category_link() and category_description() was restored.
  • Switching themes will now attempt to restore previous widget assignments, even when there are no sidebars to map.

New in WordPress 4.9.1 (Nov 30, 2017)

  • Use a properly generated hash for the newbloguser key instead of a determinate substring.
  • Add escaping to the language attributes used on html elements.
  • Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  • Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

New in WordPress 4.9 (Nov 21, 2017)

  • Version 4.9 of WordPress, named “Tipton” in honor of jazz musician and band leader Billy Tipton, is available for download or update in your WordPress dashboard. New features in 4.9 will smooth your design workflow and keep you safe from coding errors.
  • Featuring design drafts, scheduling, and locking, along with preview links, the Customizer workflow improves collaboration for content creators. What’s more, code syntax highlighting and error checking will make for a clean and smooth site building experience. Finally, if all that wasn’t pretty great, we’ve got an awesome new Gallery widget and improvements to theme browsing and switching.
  • Draft and Schedule Site Design Customizations:
  • Yes, you read that right. Just like you can draft and revise posts and schedule them to go live on the date and time you choose, you can now tinker with your site’s design and schedule those design changes to go live as you please.
  • Collaborate with Design Preview Links:
  • Need to get some feedback on proposed site design changes? WordPress 4.9 gives you a preview link you can send to colleagues and customers so that you can collect and integrate feedback before you schedule the changes to go live. Can we say collaboration++?
  • Design Locking Guards Your Changes:
  • Ever encounter a scenario where two designers walk into a project and designer A overrides designer B’s beautiful changes? WordPress 4.9’s design lock feature (similar to post locking) secures your draft design so that no one can make changes to it or erase all your hard work.
  • A Prompt to Protect Your Work:
  • Were you lured away from your desk before you saved your new draft design? Fear not, when you return, WordPress 4.9 will politely ask whether or not you’d like to save your unsaved changes.
  • Syntax Highlighting and Error Checking? Yes, Please:
  • You’ve got a display problem but can’t quite figure out exactly what went wrong in the CSS you lovingly wrote. With syntax highlighting and error checking for CSS editing and the Custom HTML widget introduced in WordPress 4.8.1, you’ll pinpoint coding errors quickly. Practically guaranteed to help you scan code more easily, and suss out & fix code errors quickly.
  • Sandbox for Safety:
  • The dreaded white screen. You’ll avoid it when working on themes and plugin code because WordPress 4.9 will warn you about saving an error. You’ll sleep better at night.
  • Warning: Potential Danger Ahead:
  • When you edit themes and plugins directly, WordPress 4.9 will politely warn you that this is a dangerous practice and will recommend that you draft and test changes before updating your file. Take the safe route: You’ll thank you. Your team and customers will thank you.
  • The New Gallery Widget:
  • An incremental improvement to the media changes hatched in WordPress 4.8, you can now add a gallery via this new widget. Yes!
  • Press a Button, Add Media:
  • Want to add media to your text widget? Embed images, video, and audio directly into the widget along with your text, with our simple but useful Add Media button. Woo!
  • More Reliable Theme Switching:
  • When you switch themes, widgets sometimes think they can just move location. Improvements in WordPress 4.9 offer more persistent menu and widget placement when you decide it’s time for a new theme.
  • Find and Preview the Perfect Theme:
  • Looking for a new theme for your site? Now, from within the Customizer, you can search, browse, and preview over 2600 themes before deploying changes to your site. What’s more, you can speed your search with filters for subject, features, and layout.
  • Better Menu Instructions = Less Confusion:
  • Were you confused by the steps to create a new menu? Perhaps no longer! We’ve ironed out the UX for a smoother menu creation process. Newly updated copy will guide you.
  • Customizer JS API Improvements:
  • We’ve made numerous improvements to the Customizer JS API in WordPress 4.9, eliminating many pain points. (Hello, default parameters for constructs! Goodbye repeated ID for constructs!) There are also new base control templates, a date/time control, and section/panel/global notifications to name a few. Check out the full list.
  • CodeMirror available for use in your themes and plugins:
  • We’ve introduced a new code editing library, CodeMirror, for use within core. CodeMirror allows for syntax highlighting, error checking, and validation when creating code writing or editing experiences within your plugins, like CSS or JavaScript include fields.
  • MediaElement.js upgraded to 4.2.6:
  • WordPress 4.9 includes an upgraded version of MediaElement.js, which removes dependencies on jQuery, improves accessibility, modernizes the UI, and fixes many bugs.
  • Roles and Capabilities Improvements:
  • New capabilities have been introduced that allow granular management of plugins and translation files. In addition, the site switching process in multisite has been fine-tuned to update the available roles and capabilities in a more reliable and coherent way.

New in WordPress 4.8.2 (Oct 25, 2017)

  • $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco.
  • A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
  • A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
  • A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
  • A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
  • An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
  • A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
  • A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
  • A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).

New in WordPress 4.8.1 (Sep 4, 2017)

  • Administration:
  • #40982 - Permalink Settings: custom structure field keyboard trap
  • Build/Test Tools:
  • #41327 - Bump Akismet External - 4.9 Edition
  • Comments:
  • #40975 - 'Empty Spam' and 'Empty Trash' comment buttons not displayed on mobile
  • Customize:
  • #40978 - Customizer Panel Footer border missing
  • #40981 - Customizer: Menus: it is far too easy to mistakenly delete a menu because the "Delete Menu" link and the "Add Items" button are too close together
  • #41158 - Increase tinymce panel z-index
  • #41410 - Set `'filter' => 'content'` on starter content "business info" widget
  • Embeds:
  • #41019 - oEmbed: Update VideoPress oEmbed URL
  • #41048 - `WP_oEmbed_Controller::get_proxy_item()` should remove `_wpnonce` from cached `$args`
  • #41299 - oEmbed proxy fails to forward maxwidth and maxheight params
  • General:
  • #41056 - WP-API JS Client: Settings is incorrectly registered as a collection
  • Media:
  • #41231 - media-views.js: Cannot read .length of undefined (this.controller.$uploaderToggler.length)
  • REST API:
  • #38964 - Add filter to allow modifying response *after* embedded data is added
  • #40886 - REST API: PUT requests fail on Nginx servers when fancy permalinks aren't enabled
  • Taxonomy:
  • #41010 - wp_get_object_terms() returns duplicate terms if more than one taxonomy is given in args
  • TinyMCE:
  • #41408 - TinyMCE: Images with link and caption look "broken" when selected
  • Widgets:
  • #40907 - Introduce widget dedicated for HTML code
  • #40935 - Facebook Video Works On Preview But Not On Theme
  • #40951 - New Text Widget - Switching Between Visual/Text Editor Strips Out Code
  • #40960 - Widgets: The Text widget should respect the “Disable the visual editor when writing” setting
  • #40972 - TinyMCE editor in Text widget does not have RTL contents
  • #40974 - Updated text widget do not save text (when using paste)
  • #40977 - Widgets: Query param for `loop` added for non-hosted external videos
  • #40986 - Widgets: text widget and media widgets cannot be edited in accessibility mode
  • #41021 - Text widget does not show Title field or TinyMCE editor
  • #41361 - Text widget can raise JS error if customize-base is enqueued on widgets admin screen
  • #41386 - Text Widget - Wording - Legacy Mode 4.8.1 beta
  • #41392 - Theme styles for Text widget do not apply to Custom HTML widget
  • #41394 - Text widget: Rename legacy mode to visual mode and improve back-compat for widget_text filters

New in WordPress 4.7.5 (May 19, 2017)

  • Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
  • Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
  • Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
  • A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
  • A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
  • A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

New in WordPress 4.7.4 (Apr 21, 2017)

  • This release contains 47 maintenance fixes and enhancements, chief among them an incompatibility between the upcoming Chrome version and the visual editor, inconsistencies in media handling, and further improvements to the REST API.

New in WordPress 4.7.3 (Mar 7, 2017)

  • Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
  • Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
  • Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang.
  • Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas.
  • Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.

New in WordPress 4.7.2 (Jan 27, 2017)

  • The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
  • WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
  • A cross-site scripting (XSS) vulnerability was discovered in the posts list table.

New in WordPress 4.7.1 (Jan 15, 2017)

  • Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.
  • The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
  • Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file.
  • Cross-site scripting (XSS) via theme name fallback.
  • Post via email checks mail.example.com if default settings aren’t changed.
  • A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
  • Weak cryptographic security for multisite activation key.

New in WordPress 4.7 (Dec 6, 2016)

  • Presenting Twenty Seventeen:
  • A brand new default theme brings your site to life with immersive featured images and video headers.
  • Twenty Seventeen focuses on business sites and features a customizable front page with multiple sections. Personalize it with widgets, navigation, social menus, a logo, custom colors, and more. Our default theme for 2017 works great in many languages, on any device, and for a wide range of users.
  • Your Site, Your Way:
  • WordPress 4.7 adds new features to the customizer to help take you through the initial setup of a theme, with non-destructive live previews of all your changes in one uninterrupted workflow.
  • To help give you a solid base to build from, individual themes can provide starter content that appears when you go to customize your brand new site. This can range from placing a business information widget in the best location to providing a sample menu with social icon links to a static front page complete with beautiful images. Don’t worry – nothing new will appear on the live site until you’re ready to save and publish your initial theme setup.
  • Edit Shortcuts:
  • Visible icons appear to show you which parts of your site can be customized while live previewing. Click on a shortcut and get straight to editing. Paired with starter content, getting started with customizing your site is faster than ever.
  • Video Headers:
  • Sometimes a big atmospheric video as a moving header image is just what you need to showcase your wares; go ahead and try it out with Twenty Seventeen. Need some video inspiration? Try searching for sites with video headers available for download and use.
  • Smoother Menu Building:
  • Many menus for sites contain links to the pages of your site, but what happens when you don’t have any pages yet? Now you can add new pages while building menus instead of leaving the customizer and abandoning your changes. Once you’ve published your customizations, you’ll have new pages ready for you to fill with content.
  • Custom CSS:
  • Sometimes you just need a few visual tweaks to make your site perfect. WordPress 4.7 allows you to add custom CSS and instantly see how your changes affect your site. The live preview allows you to work quickly without page refreshes slowing you down.
  • PDF Thumbnail Previews:
  • Managing your document collection is easier with WordPress 4.7. Uploading PDFs will generate thumbnail images so you can more easily distinguish between all your documents.
  • Dashboard in your language:
  • Just because your site is in one language doesn’t mean that everybody helping manage it prefers that language for their admin. Add more languages to your site and a user language option will show up in your users’ profiles.
  • Introducing REST API Content Endpoints:
  • WordPress 4.7 comes with REST API endpoints for posts, comments, terms, users, meta, and settings.
  • Content endpoints provide machine-readable external access to your WordPress site with a clear, standards-driven interface, paving the way for new and innovative methods of interacting with sites through plugins, themes, apps, and beyond. Ready to get started with development?
  • Even More Developer Happiness:
  • Post Type Templates:
  • By opening up the page template functionality to all post types, theme developers have even more flexibility with the WordPress template hierarchy.
  • More Theme API Goodies:
  • WordPress 4.7 includes new functions, hooks, and behavior for theme developers.
  • Custom Bulk Actions:
  • List tables, now with more than bulk edit and delete.
  • WP_Hook:
  • The code that lies beneath actions and filters has been overhauled and modernized, fixing bugs along the way.
  • Settings Registration API:
  • register_setting() has been enhanced to include type, description, and REST API visibility.
  • Customize Changesets:
  • Customize changesets make changes in the customizer persistent, like autosave drafts. They also make exciting new features like starter content possible.

New in WordPress 4.6.1 (Sep 7, 2016)

  • WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

New in WordPress 4.6 (Aug 16, 2016)

  • Streamlined Updates:
  • Don’t lose your place: stay on the same page while you update, install, and delete your plugins and themes.
  • Native Fonts:
  • The WordPress dashboard now takes advantage of the fonts you already have, making it load faster and letting you feel more at home on whatever device you use.
  • Editor Improvements:
  • Inline Link Checker:
  • Ever accidentally made a link to https://wordpress.org/example.org? Now WordPress automatically checks to make sure you didn’t.
  • Content Recovery:
  • As you type, WordPress saves your content to the browser. Recovering saved content is even easier with WordPress 4.6.
  • Under The Hood:
  • Resource Hints:
  • Resource hints help browsers decide which resources to fetch and preprocess. WordPress 4.6 adds them automatically for your styles and scripts, making your site even faster.
  • Robust Requests:
  • The HTTP API now leverages the Requests library, improving HTTP standard support and adding case-insensitive headers, parallel HTTP requests, and support for Internationalized Domain Names.
  • WP_Term_Query and WP_Post_Type:
  • A new WP_Term_Query class adds flexibility to query term information while a new WP_Post_Type object makes interacting with post types more predictable.
  • Meta Registration API:
  • The Meta Registration API has been expanded to support types, descriptions, and REST API visibility.
  • Translations On Demand:
  • WordPress will install and use the newest language packs for your plugins and themes as soon as they’re available from WordPress.org’s community of translators.
  • JavaScript Library Updates:
  • Masonry 3.3.2, imagesLoaded 3.2.0, MediaElement.js 2.22.0, TinyMCE 4.4.1, and Backbone.js 1.3.3 are bundled.
  • Customizer APIs for Setting Validation and Notifications:
  • Settings now have an API for enforcing validation constraints. Likewise, customizer controls now support notifications, which are used to display validation errors instead of failing silently.
  • Multisite, now faster than ever:
  • Cached and comprehensive site queries improve your network admin experience. The addition of WP_Site_Query and WP_Network_Query helps craft advanced queries with less effort.

New in WordPress 4.5.3 (Jun 22, 2016)

  • WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.
  • In addition to the security issues above, WordPress 4.5.3 fixes 17 bugs from 4.5, 4.5.1 and 4.5.2.

New in WordPress 4.5.2 (May 13, 2016)

  • WordPress versions 4.5.1 and earlier are affected by a SOME (Same-Origin Method Execution) vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.
  • Both issues were analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53. Thanks to the team for practicing responsible disclosure, and to the Plupload and MediaElement.js teams for working closely with us to coördinate and fix these issues.

New in WordPress 4.5.1 (Apr 27, 2016)

  • This maintenance release fixes a total of 12 bugs in Version 4.5, chief among them a singular class issue that broke sites based on the Twenty Eleven theme, an incompatibility between certain Chrome versions and the visual editor, and an Imagick bug that could break media uploads.

New in WordPress 4.5 (Apr 12, 2016)

  • Inline Linking:
  • Stay focused on your writing with a less distracting interface that keeps you in place and allows you to easily link to your content.
  • Formatting Shortcuts:
  • Do you enjoy using formatting shortcuts for lists and headings? Now they’re even more useful, with horizontal lines and <code>.
  • Live Responsive Previews:
  • Make sure your site looks great on all screens! Preview mobile, tablet, and desktop views directly in the customizer.
  • Custom Logos:
  • Themes can now support logos for your business or brand. Try it out with Twenty Sixteen and Twenty Fifteen in the Site Identity section of the customizer.
  • Smart Image Resizing:
  • Generated images now load up to 50% faster with no noticeable quality loss. It’s really cool.
  • Selective Refresh:
  • The customizer now supports a comprehensive framework for rendering parts of the preview without rewriting your PHP code in JavaScript.
  • Script Loader Improvements:
  • Better support has been added for script header/footer dependencies. New wp_add_inline_script() enables adding extra code to registered scripts.
  • Better Embed Templates:
  • Embed templates have been split into parts and can be directly overridden by themes via the template hierarchy.
  • JavaScript Library Updates:
  • jQuery 1.12.3, jQuery Migrate 1.4.0, Backbone 1.2.3, and Underscore 1.8.3 are bundled.

New in WordPress 4.4.2 (Feb 2, 2016)

  • wp_list_comments ignores $comments parameter
  • 4.4 Regression on Querying for Comments by Multiple Post Fields
  • Pagination issue on front page after 4.4.1
  • ModSecurity2 blocks Potential Obfuscated JavaScript in outbound anomaly

New in WordPress 4.4.1 (Jan 6, 2016)

  • Emoji support has been updated to include all of the latest emoji characters, including the new diverse emoji! 👍🏿👌🏽👏🏼
  • Some sites with older versions of OpenSSL installed were unable to communicate with other services provided through some plugins.
  • If a post URL was ever re-used, the site could redirect to the wrong post.

New in WordPress 4.4 (Dec 9, 2015)

  • New features in 4.4 make your site more connected and responsive. Clifford also introduces a new default theme, Twenty Sixteen.
  • WordPress now takes a smarter approach to displaying appropriate image sizes on any device, ensuring a perfect fit every time. You don’t need to do anything to your theme, it just works.
  • Now you can embed your posts on other WordPress sites. Simply drop a post URL into the editor and see an instant embed preview, complete with the title, excerpt, and featured image if you’ve set one. We’ll even include your site icon and links for comments and sharing.
  • In addition to post embeds, WordPress 4.4 also adds support for five new oEmbed providers: Cloudup, Reddit Comments, ReverbNation, Speaker Deck, and VideoPress.
  • Infrastructure for the REST API has been integrated into core, marking a new era in developing with WordPress. The REST API gives developers an easy way to build and extend RESTful APIs on top of WordPress.
  • Infrastructure is the first part of a multi-stage rollout for the REST API. Inclusion of core endpoints is targeted for an upcoming release. To get a sneak peek of the core endpoints, and for more information on extending the REST API, check out the official WordPress REST API plugin.
  • Terms now support metadata, just like posts. See add_term_meta(), get_term_meta(), and update_term_meta() for more information.
  • Comment queries now have cache handling to improve performance. New arguments in WP_Comment_Query make crafting robust comment queries simpler.
  • New WP_Term, WP_Comment, and WP_Network objects make interacting with terms, comments, and networks more predictable and intuitive in code.

New in WordPress 4.3.1 (Sep 15, 2015)

  • WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
  • A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
  • Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.

New in WordPress 4.3.0 (Aug 18, 2015)

  • New Features:
  • Menus in the Customizer
  • Formatting Shortcuts
  • Site Icons
  • Better Passwords
  • Other improvements:
  • A smoother admin experience – Refinements to the list view across the admin make your WordPress more accessible and easier to work with on any device.
  • Comments turned off on pages – All new pages that you create will have comments turned off. Keep discussions to your blog, right where they’re supposed to happen.
  • Customize your site quickly – Wherever you are on the front-end, you can click the customize link in the toolbar to swiftly make changes to your site.

New in WordPress 4.2.4 (Aug 4, 2015)

  • This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

New in WordPress 4.2.3 (Jul 23, 2015)

  • A critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site.

New in WordPress 4.2.2 (May 7, 2015)

  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.

New in WordPress 4.2.1 (Apr 27, 2015)

  • This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

New in WordPress 4.2 (Apr 24, 2015)

  • An easier way to share content
  • Extended character support
  • Switch themes in the Customizer
  • Even more embeds
  • Streamlined plugin updates
  • utf8mb4 support
  • JavaScript accessibility
  • Shared term splitting
  • Complex query ordering

New in WordPress 4.1.2 (Apr 22, 2015)

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

New in WordPress 4.2 RC1 (Apr 16, 2015)

  • We’ve made more than 140 changes since releasing Beta 4 a week and a half ago.

New in WordPress 4.2 Beta 3 (Mar 29, 2015)

  • Removed Shiny Installs functionality due to concerns about the activation workflow. Please test the remaining “Shiny Updates” functionality from both the Plugins > Add New and Plugins screens to ensure in-line updating still works as well as before.
  • Fixed an issue with the Comments Quick Edit layout breaking on smaller screens. Please test on your mobile devices.
  • Improved accessibility of login screen errors. Screen reader users: please let us know if you encounter any issues.
  • Refined the emoji compatibility script to only load on the front- and back-end if the browser requires it. If you’re using a legacy web browser, please test.
  • Fixed several issues in Press This with inserted images being improperly linked to locations other than the source site. Go ahead, “press” a site with images on the page and tell us if the image links aren’t working as you’d expect.
  • Standardized the time display format in a variety of admin screens, switching to 24-hour notation where a.m. or p.m. are not specified. Please let us know if you notice anything amiss!
  • Various other bug fixes.

New in WordPress 4.2 Beta 2 (Mar 20, 2015)

  • Added support for entering FTP and SSH credentials when updating plugins in-place. FTP and SSH users, please test!
  • Improved cross-browser support for emoji throughout WordPress. If you’re using an older web browser, please tell us if you have problems using emoji.
  • Further refined Press This authoring with auto-embedded media and better content scanning. We’d love to know how auto-embeds work for you.
  • Added a constructor and improved method consistency in WP_Comment_Query. Developers: if you’re extending WP_Comment_Query, please let us know if you run into any issues.
  • Various bug fixes. We’ve made more than 70 changes in the last week.

New in WordPress 4.1.1 (Feb 19, 2015)

  • This maintenance release fixes 21 bugs in version 4.1.

New in WordPress 4.1 (Dec 19, 2014)

  • Version 4.1 of WordPress, named “Dinah” in honor of jazz singer Dinah Washington, is available for download or update in your WordPress dashboard. New features in WordPress 4.1 help you focus on your writing, and the new default theme lets you show it off in style.
  • Introducing Twenty Fifteen:
  • Our newest default theme, Twenty Fifteen, is a blog-focused theme designed for clarity.
  • Twenty Fifteen has flawless language support, with help from Google’s Noto font family.
  • The straightforward typography is readable on any screen size.
  • Your content always takes center stage, whether viewed on a phone, tablet, laptop, or desktop computer.
  • Distraction-free writing:
  • Sometimes, you just need to concentrate on putting your thoughts into words. Try turning on distraction-free writing mode. When you start typing, all the distractions will fade away, letting you focus solely on your writing. All your editing tools instantly return when you need them.
  • The Finer Points:
  • Choose a language:
  • Right now, WordPress 4.1 is already translated into over forty languages, with more always in progress. You can switch to any translation on the General Settings screen.
  • Log out everywhere:
  • If you’ve ever worried you forgot to sign out from a shared computer, you can now go to your profile and log out everywhere.
  • Vine embeds:
  • Embedding videos from Vine is as simple as pasting a URL onto its own line in a post. See the full list of supported embeds.
  • Plugin recommendations:
  • The plugin installer suggests plugins for you to try. Recommendations are based on the plugins you and other users have installed.
  • Under the Hood:
  • Complex Queries:
  • Metadata, date, and term queries now support advanced conditional logic, like nested clauses and multiple operators — A AND ( B OR C ).
  • Customizer API:
  • The customizer now supports conditionally showing panels and sections based on the page being previewed.
  • <title> tags in themes:
  • add_theme_support( 'title-tag' ) tells WordPress to handle the complexities of document titles.
  • Developer Reference:
  • Continued improvements to inline code documentation have made the developer reference more complete than ever.

New in WordPress 4.0.1 (Nov 20, 2014)

  • Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
  • An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.

New in WordPress 4.1 Beta 1 (Nov 17, 2014)

  • Our beautiful new default theme, Twenty Fifteen. It’s a clean, mobile-first, blog-focused theme designed through simplicity.
  • A new distraction-free writing mode for the editor. It’s enabled by default for beta, and we’d love feedback on it.
  • The ability to automatically install new language packs right from the General Settings screen (available as long as your site’s filesystem is writable).
  • A new inline formatting toolbar for images embedded into posts.
  • Improvements to meta, date, comment, and taxonomy queries, including complex (nested, multiple relation) queries; and querying comment types (#12668).
  • A single term shared across multiple taxonomies is now split into two when updated. For more, see this post, #5809, and #30335.
  • A new and better way for themes to handle title tags.
  • Several improvements to the Customizer API, including contextual panels and sections, and JavaScript templates for controls.

New in WordPress 4.0 (Sep 5, 2014)

  • Manage your media with style
  • Working with embeds has never been easier
  • Focus on your content
  • Finding the right plugin

New in WordPress 4.0 RC1 (Aug 28, 2014)

  • In RC 1, we’ve made refinements to what we’ve been working on for this release. Check out the Beta 1 announcement post for more details on those features. We hope to ship WordPress 4.0 next week, but we need your help to get there. If you haven’t tested 4.0 yet, there’s no time like the present. (Please, not on a production site, unless you’re adventurous.)

New in WordPress 3.9.2 (Aug 7, 2014)

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

New in WordPress 4.0 Beta 1 (Jul 14, 2014)

  • Previews of embedding via URLs in the visual editor and the “Insert from URL” tab in the media modal. Try pasting a URL (such as a WordPress.tv or YouTube video) onto its own line in the visual editor. (#28195, #15490)
  • The Media Library now has a “grid” view in addition to the existing list view. Clicking on an item takes you into a modal where you can see a larger preview and edit information about that attachment, and you can navigate between items right from the modal without closing it. (#24716)
  • We’re freshening up the plugin install experience. You’ll see some early visual changes as well as more information when searching for plugins and viewing details. (#28785, #27440)
  • Selecting a language when you run the installation process. (#28577)
  • The editor intelligently resizes and its top and bottom bars pin when needed. Browsers don’t like to agree on where to put things like cursors, so if you find a bug here, please also let us know your browser and operating system. (#28328)
  • We’ve made some improvements to how your keyboard and cursor interact with TinyMCE views such as the gallery preview. Much like the editor resizing and scrolling improvements, knowing about your setup is particularly important for bug reports here. (#28595)
  • Widgets in the Customizer are now loaded in a separate panel. (#27406)
  • We’ve also made some changes to some formatting functions, so if you see quotes curling in the wrong direction, please file a bug report.

New in WordPress 3.9.1 (May 9, 2014)

  • This maintenance release fixes 34 bugs in 3.9, including numerous fixes for multisite networks, customizing widgets while previewing themes, and the updated visual editor. We’ve also made some improvements to the new audio/video playlists feature and made some adjustments to improve performance.

New in WordPress 3.9 (Apr 22, 2014)

  • Improved visual editing
  • Edit images easily
  • Drag and drop your images
  • Gallery previews
  • Do more with audio and video
  • Live widget and header previews
  • Stunning new theme browser

New in WordPress 3.8.3 (Apr 15, 2014)

  • The “Quick Draft” tool on the dashboard screen was broken in the 3.8.2 update. If you tried to use it, your draft would disappear and it wouldn’t save. While we doubt anyone was writing a novella using this tool, any loss of content is unacceptable to us.
  • We recognize how much trust you place in us to safeguard your content, and we take this responsibility very seriously. We’re sorry we let you down.
  • We’ve all lost words we’ve written before, like an email thanks to a cat on the keyboard or a term paper to a blue screen of death. Over the last few WordPress releases, we’ve made a number of improvements to features like autosaves and revisions. With revisions, an old edit can always be restored. We’re trying our hardest to save your content somewhere even if your power goes out or your browser crashes. We even monitor your internet connection and prevent you from hitting that “Publish” button at the exact moment the coffee shop Wi-Fi has a hiccup.
  • It’s possible that the quick draft you lost last week is still in the database, and just hidden from view. As an added complication, these “discarded drafts” normally get deleted after seven days, and it’s already been six days since the release. If we were able to rescue your draft, you’ll see it on the “All Posts” screen after you update to 3.8.3. (We’ll also be pushing 3.8.3 out as a background update, so you may just see a draft appear.)

New in WordPress 3.9 RC1 (Apr 9, 2014)

  • TinyMCE received a major update, to version 4.0. Any editor plugins written for TinyMCE 3.x might require some updates. (If things broke, we’d like to hear about them so we can make adjustments.)
  • WordPress 3.9 now uses the MySQLi Improved extension for sites running PHP 5.5. Any plugins that made direct calls to mysql_* functions will experience some problems on these sites.

New in WordPress 3.8.2 (Apr 9, 2014)

  • Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
  • Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw.
  • Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files. Reported by Szymon Gruszecki.

New in WordPress 3.9 Beta 3 (Mar 31, 2014)

  • New features like live widget previews and the new theme installer are now more ready for prime time, so check ’em out.
  • UI refinements when editing images and when working with media in the editor. We’ve also brought back some of the advanced display settings for images.
  • If you want to test out audio and video playlists, the links will appear in the media manager once you’ve uploaded an audio or video file.
  • For theme developers, we’ve added HTML5 caption support (#26642) to match the new gallery support (#26697).
  • The formatting function that turns straight quotes into smart quotes (among other things) underwent some changes to drastically speed it up, so let us know if you see anything weird.

New in WordPress 3.9 Beta 2 (Mar 24, 2014)

  • Rendering of embedded audio and video players directly in the visual editor.
  • Visual and functional improvements to the editor, the media manager, and theme installer.
  • Various bug fixes to TinyMCE, the software behind the visual editor.
  • Lots of fixes to widget management in the theme customizer.

New in WordPress 3.9 Beta 1 (Mar 12, 2014)

  • We updated TinyMCE, the software powering the visual editor, to the latest version. Be on the lookout for cleaner markup. Also try the new paste handling — if you paste in a block of text from Microsoft Word, for example, it will no longer come out terrible. (The “Paste from Word” button you probably never noticed has been removed.) It’s possible some plugins that added stuff to the visual editor (like a new toolbar button) no longer work, so we’d like to hear about them (#24067). (And be sure to open a support thread for the plugin author.)
  • We’ve added widget management to live previews (the customizer). Please test editing, adding, and rearranging widgets! (#27112) We’ve also added the ability to upload, crop, and manage header images, without needing to leave the preview. (#21785)
  • We brought 3.8’s beautiful new theme browsing experience to the theme installer. Check it out! (#27055)
  • Galleries now receive a live preview in the editor. Upload some photos and insert a gallery to see this in action. (#26959)
  • You can now drag-and-drop images directly onto the editor to upload them. It can be a bit finicky, so try it and help us work out the kinks. (#19845)
  • Some things got improved around editing images. It’s a lot easier to make changes to an image after you insert it into a post (#24409) and you no longer get kicked to a new window when you need to crop or rotate an image (#21811).
  • New audio/video playlists. Upload a few audio or video files to test these. (#26631)

New in WordPress 3.8.1 (Jan 24, 2014)

  • Version 3.8.1 is a maintenance release that addresses 31 bugs in 3.8, including various fixes and improvements for the new dashboard design and new themes admin screen. An issue with taxonomy queries in WP_Query was resolved. And if you’ve been frustrated by submit buttons that won’t do anything when you click on them (or thought you were going crazy, like some of us), we’ve found and fixed this “dead zone” on submit buttons.

New in WordPress 3.8 (Dec 13, 2013)

  • WordPress has gotten a facelift. 3.8 brings a fresh new look to the entire admin dashboard. Gone are overbearing gradients and dozens of shades of grey — bring on a bigger, bolder, more colorful design!
  • Modern aesthetic:
  • The new WordPress dashboard has a fresh, uncluttered design that embraces clarity and simplicity.
  • Clean typography:
  • The Open Sans typeface provides simple, friendly text that is optimized for both desktop and mobile viewing. It’s even open source, just like WordPress.
  • Refined contrast:
  • We think beautiful design should never sacrifice legibility. With superior contrast and large, comfortable type, the new design is easy to read and a pleasure to navigate.
  • We all access the internet in different ways. Smartphone, tablet, notebook, desktop — no matter what you use, WordPress will adapt and you’ll feel right at home.
  • High definition at high speed
  • WordPress is sharper than ever with new vector-based icons that scale to your screen. By ditching pixels, pages load significantly faster, too.
  • WordPress just got a colorful new update. We’ve included eight new admin color schemes so you can pick the one that suits you best.
  • The new themes screen lets you survey your themes at a glance. Or want more information? Click to discover more. Then sit back and use your keyboard’s navigation arrows to flip through every theme you’ve got.
  • Smoother widget experience:
  • Drag-drag-drag. Scroll-scroll-scroll. Widget management can be complicated. With the new design, we’ve worked to streamline the widgets screen.
  • Have a large monitor? Multiple widget areas stack side-by-side to use the available space. Using a tablet? Just tap a widget to add it.
  • Turn your blog into a magazine:
  • Create a beautiful magazine-style site with WordPress and Twenty Fourteen. Choose a grid or a slider to display featured content on your homepage. Customize your site with three widget areas or change your layout with two page templates.
  • With a striking design that does not compromise our trademark simplicity, Twenty Fourteen is our most intrepid default theme yet.

New in WordPress 3.8 Beta 1 (Nov 22, 2013)

  • The new admin design, especially the responsive aspect of it. Try it out on different devices and browsers, see how it goes, especially the more complex pages like widgets or seldom-looked-at-places like Press This. Color schemes, which you can change on your profile, have also been spruced up.
  • The dashboard homepage has been refreshed, poke and prod it.
  • Choosing themes under Appearance is completely different, try to break it however possible.
  • There’s a new default theme, Twenty Fourteen.
  • Over 250 issues closed already.

New in WordPress 3.7.1 (Oct 30, 2013)

  • Images with captions no longer appear broken in the visual editor.
  • Allow some sites running on old or poorly configured servers to continue to check for updates from WordPress.org.
  • Avoid fatal errors with certain plugins that were incorrectly calling some WordPress functions too early.
  • Fix hierarchical sorting in get_pages(), exclusions in wp_list_categories(), and in_category() when called with empty values.
  • Fix a warning that may occur in certain setups while performing a search, and a few other notices.

New in WordPress 3.7 (Oct 25, 2013)

  • Updates while you sleep: With WordPress 3.7, you don’t have to lift a finger to apply maintenance and security updates. Most sites are now able to automatically apply these updates in the background. The update process also has been made even more reliable and secure, with dozens of new checks and safeguards.
  • Stronger password recommendations: Your password is your site’s first line of defense. It’s best to create passwords that are complex, long, and unique. To that end, our password meter has been updated in WordPress 3.7 to recognize common mistakes that can weaken your password: dates, names, keyboard patterns (123456789), and even pop culture references.
  • Better global support: Localized versions of WordPress will receive faster and more complete translations. WordPress 3.7 adds support for automatically installing the right language files and keeping them up to date, a boon for the many millions who use WordPress in a language other than English.

New in WordPress 3.7 Beta 2 (Oct 14, 2013)

  • In Beta 2, we further increased the stability of background updates and also added about 50 bug fixes, including a fix for Internet Explorer 11 in the visual editor.

New in WordPress 3.7 Beta 1 (Oct 1, 2013)

  • For WordPress 3.7 we decided to shorten the development cycle and focus on a few key improvements. We plan to release the final product in October, and then follow it in December with a jam-packed WordPress 3.8 release, which is already in development. Some of the best stuff in WordPress 3.7 is subtle — by design! So let’s walk through what we’d love for you to test, just in time for the weekend.
  • Automatic, background updates. 3.7 Beta 1 will keep itself updated. That’s right — you’ll be updated each night to the newest development build, and eventually to Beta 2. We’re working to provide as many installs as possible with fast updates to security releases of WordPress — and you can help us test by just installing Beta 1 on your server and seeing how it works!
  • When you go to Dashboard → Updates, you’ll see a note letting you know whether your install is working for automatic updates. There are a few situations where WordPress can’t reliably and securely update itself. But if it can, you’ll get an email (sent to the ‘Admin Email’ on the General Settings page) after each update letting you know what worked and what didn’t. If it worked, great! If something failed, the email will suggest you make a post in the support forums or create a bug report.

New in WordPress 3.6.1 (Sep 12, 2013)

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.

New in WordPress 3.6 (Aug 2, 2013)

  • The new Twenty Thirteen theme inspired by modern art puts focus on your content with a colorful, single-column design made for media-rich blogging.
  • Revamped Revisions save every change and the new interface allows you to scroll easily through changes to see line-by-line who changed what and when.
  • Post Locking and Augmented Autosave will especially be a boon to sites where more than a single author is working on a post. Each author now has their own autosave stream, which stores things locally as well as on the server (so much harder to lose something) and there’s an interface for taking over editing of a post, as demonstrated beautifully by our bearded buddies in the video above.
  • Built-in HTML5 media player for native audio and video embeds with no reliance on external services.
  • The Menu Editor is now much easier to understand and use.

New in WordPress 3.5.2 (Jun 22, 2013)

  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  • Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki. (Developers: More on SWFUpload here.)
  • Prevention of a denial of service attack, affecting sites using password-protected posts.
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
  • Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
  • Avoid disclosing a full file path when an upload fails. Reported by Jakub Galczyk.

New in WordPress 3.6 Beta 3 (May 16, 2013)

  • Beta 3 contains about a hundred changes, including improvements to the image Post Format flow (yay, drag-and-drop image upload!), a more polished revision comparison screen, and a more quote-like quote format for Twenty Thirteen.
  • As a bonus, we now have oEmbed support for the popular music-streaming services Rdio and Spotify (the latter of which kindly created an oEmbed endpoint a mere 24 hours after we lamented their lack of one).

New in WordPress 3.6 Beta 2 (Apr 30, 2013)

  • The longer-than-usual delay between beta 1 and beta 2 was due to poor user testing results with the Post Formats UI. Beta 2 contains a modified approach for format choosing and switching, which has done well in user testing. We’ve also made the Post Formats UI hide-able via Screen Options, and set a reasonable default based on what your theme supports.
  • There were a lot of bug fixes and polishing tweaks done for beta 2 as well, so definitely check it out if you had any issues with beta 1.
  • Plugin developers, theme developers, and WordPress hosts should be testing beta 2 extensively. The more you test the beta, the more stable our release candidates and our final release will be.

New in WordPress 3.6 Beta 1 (Apr 5, 2013)

  • Post Formats: Post Formats now have their own UI, and theme authors have access to templating functions to access the structured data.
  • Twenty Thirteen: We’re shipping this year’s default theme in our first release of the year. Twenty Thirteen is an opinionated, color-rich, blog-centric theme that makes full use of the new Post Formats support.
  • Audio/Video: You can embed audio and video files into your posts without relying on a plugin or a third party media hosting service.
  • Autosave: Posts are now autosaved locally. If your browser crashes, your computer dies, or the server goes offline as you’re saving, you won’t lose your post.
  • Post Locking: See when someone is currently editing a post, and kick them out of it if they fall asleep at the keyboard.
  • Nav Menus: Nav menus have been simplified with an accordion-based UI, and a separate tab for bulk-assigning menus to locations.
  • Revisions: The all-new revisions UI features avatars, a slider that “scrubs” through history, and two-slider range comparisons.

New in WordPress 3.5.1 (Jan 25, 2013)

  • Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
  • Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
  • Networks: Suggest proper rewrite rules when creating a new network.
  • Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
  • Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
  • Suppress some warnings that could occur when a plugin misused the database or user APIs.
  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
  • Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
  • A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

New in WordPress 3.5 (Dec 12, 2012)

  • It’s the most wonderful time of the year: a new WordPress release is available and chock-full of goodies to delight bloggers and developers alike. We’re calling this one “Elvin” in honor of drummer Elvin Jones, who played with John Coltrane in addition to many others.
  • If you’ve been around WordPress a while, the most dramatic new change you’ll notice is a completely re-imagined flow for uploading photos and creating galleries. Media has long been a friction point and we’ve listened hard and given a lot of thought into crafting this new system. 3.5 includes a new default theme, Twenty Twelve, which has a very clean mobile-first responsive design and works fantastic as a base for a CMS site. Finally we’ve spent a lot of time refreshing the styles of the dashboard, updating everything to be Retina-ready with beautiful high resolution graphics, a new color picker, and streamlining a couple of fewer-used sections of the admin.

New in WordPress 3.5 RC3 (Dec 5, 2012)

  • Final UI improvements to the media manager.
  • Better reporting for upload errors. Improvements for mobile, IE, and RTL languages.
  • A cookie fix for sub-domain multi-site when installed in a sub-folder.

New in WordPress 3.5 RC2 (Dec 4, 2012)

  • This will probably be the final release candidate before the official release of WordPress 3.5.
  • This version has a completely new media library, Dashboard streamlining, new performance enhancements for Multisite, the ability to enable Multisite when installed in a subdirectory of the document root, and other features and enhancements.

New in WordPress 3.5 RC1 (Nov 30, 2012)

  • The new Media Library has some of the most significant changes.

New in WordPress 3.5 Beta 2 (Oct 16, 2012)

  • New workflow for working with image galleries, including drag-and-drop reordering and quick caption editing.
  • New user interface for setting static front pages for the Reading Settings screen. (#16379)
  • New image editing API. (#6821)

New in WordPress 3.5 Beta 1 (Sep 29, 2012)

  • Changes coming in WordPress 3.5 include a simplified welcome screen, a new color picker, and HiDPI graphics (AKA "retina") throughout the Dashboard.
  • WP_Query can now return posts in a specific order with the post__in parameter.
  • New Posts and Comments APIs are available.
  • There's now support for protocol-relative links when enqueuing scripts and styles.
  • Updates have been applied to SimplePie, jQuery, jQuery UI, and TinyMCE, and newly-added Underscore and Backbone libraries.
  • A revamped Media Library is still in development.

New in WordPress 3.4 (Jun 14, 2012)

  • The biggest change in 3.4 is the theme customizer which allows you to play around with various looks and settings for your current theme or one you’re thinking about switching to without publishing those changes to the whole world. For themes that support it, you can change colors, backgrounds, and of course custom image headers. We have more planned for the customizer down the road.
  • Throughout the rest of the admin you’ll notice tweaks to make your everyday life easier. For example, if you have lots of themes we’ve made it quicker to browse them all at once without paging. We’ve made it possible to use images from your media library to populate custom headers, and for you to choose the height and width of your header images.
  • We’ve expanded our embed support to include tweets: just put a Twitter permalink on its own line in the post editor and we’ll turn it into a beautiful embedded Tweet. And finally, image captions have been improved to allow HTML, like links, in them.

New in WordPress 3.3 Beta 1 (Oct 11, 2011)

  • Media uploader
  • Improved admin bar
  • Fly out admin menus

New in WordPress 3.2 (Jul 5, 2011)

  • The focus for this release was making WordPress faster and lighter. The first thing you’ll notice when you log in to 3.2 is a refreshed dashboard design that tightens the typography, design, and code behind the admin. (Rhapsody in Grey?) If you’re starting a new blog, you’ll also appreciate the fully HTML5 new Twenty Eleven theme, fulfilling our plan to replace the default theme every year. Start writing your first post in our redesigned post editor and venture to the full-screen button in the editing toolbar to enter the new distraction-free writing or zen mode, my personal favorite feature of the release. All of the widgets, menus, buttons, and interface elements fade away to allow you to compose and edit your thoughts in a completely clean environment conducive to writing, but when your mouse strays to the top of the screen your most-used shortcuts are right there where you need them. (I like to press F11 to take my browser full-screen, getting rid of even the OS chrome.)
  • Under the hood there have been a number of improvements, not the least of which is the streamlining enabled by our previously announced plan of retiring support for PHP4, older versions of MySQL, and legacy browsers like IE6, which allows us to take advantage of more features enabled by new technologies. The admin bar has a few more shortcuts to your most commonly-used actions. On the comment moderation screen, the new approve & reply feature speeds up your conversation management. You’ll notice in your first update after 3.2 that we’ll only be updating the files that have changed with each new release instead of every file in your WordPress installation, which makes updates significantly faster on all hosting platforms. There are also some fun new theme features shown off by Twenty Eleven, like the ability to have multiple rotating header images to highlight all of your favorite photos.

New in WordPress 3.1.4 (Jul 1, 2011)

  • This release fixes an issue that could allow a malicious Editor-level user to gain further access to the site. Thanks K. Gudinavicius of SEC Consult for bringing this to our attention. Version 3.1.4 also incorporates several other security fixes and hardening measures thanks to the work of WordPress developers Alexander Concha and Jon Cave of our security team.

New in WordPress 3.0.1 (Jul 30, 2010)

  • This maintenance release addresses about 50 minor issues. The testing many of you contributed prior to the release of 3.0 helped make it one of the best and most stable releases we’ve had.

New in WordPress 3.0 (Jun 18, 2010)

  • Arm your vuvuzelas: WordPress 3.0, the thirteenth major release of WordPress and the culmination of half a year of work by 218 contributors, is now available for download (or upgrade within your dashboard).
  • Major new features in this release include a sexy new default theme called Twenty Ten. Theme developers have new APIs that allow them to easily implement custom backgrounds, headers, shortlinks, menus (no more file editing), post types, and taxonomies. (Twenty Ten theme shows all of that off.)
  • Developers and network admins will appreciate the long-awaited merge of MU and WordPress, creating the new multi-site functionality which makes it possible to run one blog or ten million from the same installation.
  • As a user, you will love the new lighter interface, the contextual help on every screen, the 1,217 bug fixes and feature enhancements, bulk updates so you can upgrade 15 plugins at once with a single click, and blah blah blah just watch the video. :) (In HD, if you can, so you can catch the Easter eggs.)
  • The Future
  • Normally this is where I’d say we’re about to start work on 3.1, but we’re actually not. We’re going to take a release cycle off to focus on all of the things around WordPress. The growth of the community has been breathtaking, including over 10.3 million downloads of version 2.9, but so much of our effort has been focused on the core software it hasn’t left much time for anything else. Over the next three months we’re going to split into ninja/pirate teams focused on different areas of the around-WordPress experience, including the showcase, Codex, forums, profiles, update and compatibility APIs, theme directory, plugin directory, mailing lists, core plugins, wordcamp.org… the possibilities are endless. The goal of the teams isn’t going to be to make things perfect all at once, just better than they are today. We think this investment of time will give us a much stronger infrastructure to grow WordPress.org for the many tens of millions of users that will join us during the 3.X release cycle.
  • It Takes a Village
  • I’m proud to acknowledge the contributions of the following 218 people to the 3.0 release cycle. These are the folks that make WordPress what it is, whose collaboration and hard work enable us to build something greater than the sum of our parts. In alphabetical order, of course.

New in WordPress 3.0 RC3 (Jun 12, 2010)

  • There is a new menu_page_url() function that will make it easier to link between multiple admin option pages.
  • The is_post_type() function has been renamed to post_type_exists() to make its purpose more clear and avoid confusion with the other is_*() conditional functions.
  • Barring any unforeseen problems, this will likely be the last release candidate before the official 3.0 release.

New in WordPress 3.0 Beta 1 (Apr 6, 2010)

  • This is an early beta. This means there are a few things we’re still finishing. We wanted to get people testing it this weekend, so we’re releasing it now rather than waiting another week until everything is finalized and polished. There’s a ton of stuff going on in 3.0, so this time we’re giving you a list of things to check out, so that we can make sure people are testing all the things that need it.

New in WordPress 2.9.2 (Feb 16, 2010)

  • Thomas Mackenzie alerted us to a problem where logged in users can peek at trashed posts belonging to other authors. If you have untrusted users signed up on your blog and sensitive posts in the trash, you should upgrade to 2.9.2. As always, you can visit the Tools->Upgrade menu to upgrade.

New in WordPress 2.9 (Dec 19, 2009)

  • Global undo/“trash” feature, which means that if you accidentally delete a post or comment you can bring it back from the grave (i.e., the Trash). This also eliminates those annoying “are you sure” messages we used to have on every delete.
  • Built-in image editor allows you to crop, edit, rotate, flip, and scale your images to show them who’s boss. This is the first wave of our many planned media-handling improvements.
  • Batch plugin update and compatibility checking, which means you can update 10 plugins at once, versus having to do multiple clicks for each one, and we’re using the new compatibility data from the plugins directory to give you a better idea of whether your plugins are compatible with new releases of WordPress. This should take the fear and hassle out of upgrading.
  • Easier video embeds that allow you to just paste a URL on its own line and have it magically turn it into the proper embed code, with oEmbed support for YouTube, Daily Motion, Blip.tv, Flickr, Hulu, Viddler, Qik, Revision3, Scribd, Google Video, Photobucket, PollDaddy, and WordPress.tv (and more in the next release).
  • 2.9 provides the smoothest ride yet because of a number of improvements under the hood and more subtle improvements you’ll begin to appreciate once you’ve been around the block a few times. Here’s just a sampling:
  • We now have rel=canonical support for better SEO.
  • There is automatic database optimization support, which you can enable in your wp-config.php file by adding define('WP_ALLOW_REPAIR', true);.
  • Themes can register “post thumbnails” which allow them to attach an image to the post, especially useful for magazine-style themes.
  • A new commentmeta table that allows arbitrary key/value pairs to be attached to comments, just like posts, so you can now expand greatly what you can do in the comment framework.
  • Custom post types have been upgraded with better API support so you can juggle more types than just post, page, and attachment. (More of this planned for 3.0.)
  • You can set custom theme directories, so a plugin can register a theme to be bundled with it or you can have multiple shared theme directories on your server.
  • We’ve upgraded TinyMCE WYSIWYG editing and Simplepie.
  • Sidebars can now have descriptions so it’s more obvious what and where they do what they do.
  • Specify category templates not just by ID, like before, but by slug, which will make it easier for theme developers to do custom things with categories — like post types!
  • Registration and profiles are now extensible to allow you to collect things more easily, like a user’s Twitter account or any other fields you can imagine.
  • The XML-RPC API has been extended to allow changing the user registration option. We fixed some Atom API attachment issues.
  • Create custom galleries with the new include and exclude attributes that allow you to pull attachments from any post, not just the current one.
  • When you’re editing files in the theme and plugin editors it remembers your location and takes you back to that line after you save. (Thank goodness!!!)
  • The Press This bookmarklet has been improved and is faster than ever; give it a try for on-the-fly blogging from wherever you are on the internet.
  • Custom taxonomies are now included in the WXR export file and imported correctly.
  • Better hooks and filters for excerpts, smilies, HTTP requests, user profiles, author links, taxonomies, SSL support, tag clouds, query_posts and WP_Query

New in WordPress 2.8.5 (Oct 21, 2009)

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where PHP code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

New in WordPress 2.8.4 (Aug 12, 2009)

  • Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password…

New in WordPress 2.8.3 (Aug 5, 2009)

  • Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended.

New in WordPress 2.8.2 (Jul 20, 2009)

  • WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.

New in WordPress 2.8.1 Beta 1 (Jun 22, 2009)

  • Certain themes were calling get_categories() in such a way that it would fail in 2.8. 2.8.1 works around this so these themes won’t have to change.
  • Dashboard memory usage is reduced. Some people were running out of memory when loading the dashboard, resulting in an incomplete page.
  • The automatic upgrade no longer accidentally deletes files when cleaning up from a failed upgrade.
  • A problem where the rich text editor wasn’t being loaded due to compression issues has been worked around.
  • Extra security has been put in place to better protect you from plugins that do not do explicit permission checks.

New in WordPress 2.7 (Dec 11, 2008)

  • The first thing you’ll notice about 2.7 is its new interface. From the top down, we’ve listened to your feedback and thought deeply about the design and the result is a WordPress that’s just plain faster. Nearly every task you do on your blog will take fewer clicks and be faster in 2.7 than it did in a previous version. (Download it now, or read on for more.)
  • Next you’ll begin to notice the new features subtly sprinkled through the new interface: the new dashboard that you can arrange with drag and drop to put the things most important to you on top, QuickPress, comment threading, paging, and the ability to reply to comments from your dashboard, the ability to install any plugin directly from WordPress.org with a single click, and sticky posts.
  • Digging in further you might notice that every screen is customizable. Let’s say you never care about author on your post listings — just click “Screen Options” and uncheck it and it’s instantly gone from the page. The same for any module on the dashboard or write screen. If your screen is narrow and the menu is taking up too much horizontal room, click the arrow to minimize it to be icon-only, and then go to the write page and drag and drop everything from the right column into the main one, so your posting area is full-screen. (For example I like hiding everything except categories, tags, and publish. I put categories and tags on the right, and publish under the post box.)

New in WordPress 2.7 RC2 (Dec 10, 2008)

  • Nearly 150 bugs were fixed since RC 1, including improvements to the backend styling, RTL fixes, fixes for the core and plugin updaters for more hosting setups, tag and category API improvements, comment handling improvements, and many more. Barring the discovery of any major bugs, this may be the last release candidate before the official 2.7 release.

New in WordPress 2.7 RC1 (Dec 3, 2008)

  • There have been numerous bugfixes since Beta 3, including all known major blocker issues.
  • Also, the new icons for the admin menus have been incorporated.

New in WordPress 2.6.5 (Nov 26, 2008)

  • This release fixes one security problem and three bugs.
  • It is recommended that everyone upgrade.
  • The security issue is an XSS exploit that fortunately only affects IP-based virtual servers running on Apache 2.x.
  • Note that releases are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds.
  • There is not and never will be a version 2.6.4.

New in WordPress 2.7 Beta 3 (Nov 16, 2008)

  • Many PHP notice messages were cleaned up.
  • A new design was made for Quick Edit.
  • The Publish module was improved.
  • Upload support was added for MS Office 2007+ file types.
  • Improvements were made to checkbox range selections.
  • Many other fixes and improvements were made to the admin interface.

New in WordPress 2.7 Beta 2 (Nov 6, 2008)

  • Autosave fixes and automatic upgrade fixes were made.
  • Some PHP warnings and notices were eliminated.
  • Avatars were added to the Edit Users list.
  • Rule fixes were rewritten for certain host setups.
  • A first draft of the contextual help tab was written.

New in WordPress 2.7 Beta 1 (Nov 2, 2008)

  • WordPress 2.7 has a newly redesigned administrative interface, the result of much user feedback and testing.
  • New features include a built-in WP core upgrade function, plugin directory browser/installer, the ability for child themes to override individual template files, sticky posts, improved comment management, and much more.

New in WordPress 2.6.2 (Sep 9, 2008)

  • Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
  • Other PHP apps are susceptible to this class of attack. To protect all of your apps, grab the latest version of Suhosin. If you’ve already updated Suhosin, your existing WordPress install is already protected from the full exploit. You should still upgrade to 2.6.2 if you allow open user registration so as to prevent the possibility of passwords being randomized.