New in version 4.3.1 (September 15th, 2015)
- WordPress versions 4.3 and earlier are affected by a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
- A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
- Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.
New in version 4.3.0 (August 18th, 2015)
- New Features:
- Menus in the Customizer
- Formatting Shortcuts
- Site Icons
- Better Passwords
- Other improvements:
- A smoother admin experience – Refinements to the list view across the admin make your WordPress more accessible and easier to work with on any device.
- Comments turned off on pages – All new pages that you create will have comments turned off. Keep discussions to your blog, right where they’re supposed to happen.
- Customize your site quickly – Wherever you are on the front-end, you can click the customize link in the toolbar to swiftly make changes to your site.
New in version 4.2.4 (August 4th, 2015)
- This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.
New in version 4.2.3 (July 23rd, 2015)
- A critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site.
New in version 4.2.2 (May 7th, 2015)
- The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
- WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.
New in version 4.2.1 (April 27th, 2015)
- This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.
New in version 4.2 (April 24th, 2015)
- An easier way to share content
- Extended character support
- Switch themes in the Customizer
- Even more embeds
- Streamlined plugin updates
- utf8mb4 support
- Shared term splitting
- Complex query ordering
New in version 4.1.2 (April 22nd, 2015)
- In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
- In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
- Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.
New in version 4.2 RC1 (April 16th, 2015)
- We’ve made more than 140 changes since releasing Beta 4 a week and a half ago.
New in version 4.2 Beta 3 (March 29th, 2015)
- Removed Shiny Installs functionality due to concerns about the activation workflow. Please test the remaining “Shiny Updates” functionality from both the Plugins > Add New and Plugins screens to ensure in-line updating still works as well as before.
- Fixed an issue with the Comments Quick Edit layout breaking on smaller screens. Please test on your mobile devices.
- Improved accessibility of login screen errors. Screen reader users: please let us know if you encounter any issues.
- Refined the emoji compatibility script to only load on the front- and back-end if the browser requires it. If you’re using a legacy web browser, please test.
- Fixed several issues in Press This with inserted images being improperly linked to locations other than the source site. Go ahead, “press” a site with images on the page and tell us if the image links aren’t working as you’d expect.
- Standardized the time display format in a variety of admin screens, switching to 24-hour notation where a.m. or p.m. are not specified. Please let us know if you notice anything amiss!
- Various other bug fixes.
New in version 4.2 Beta 2 (March 20th, 2015)
- Added support for entering FTP and SSH credentials when updating plugins in-place. FTP and SSH users, please test!
- Improved cross-browser support for emoji throughout WordPress. If you’re using an older web browser, please tell us if you have problems using emoji.
- Further refined Press This authoring with auto-embedded media and better content scanning. We’d love to know how auto-embeds work for you.
- Added a constructor and improved method consistency in WP_Comment_Query. Developers: if you’re extending WP_Comment_Query, please let us know if you run into any issues.
- Various bug fixes. We’ve made more than 70 changes in the last week.
New in version 4.1.1 (February 19th, 2015)
- This maintenance release fixes 21 bugs in version 4.1.
New in version 4.1 (December 19th, 2014)
- Version 4.1 of WordPress, named “Dinah” in honor of jazz singer Dinah Washington, is available for download or update in your WordPress dashboard. New features in WordPress 4.1 help you focus on your writing, and the new default theme lets you show it off in style.
- Introducing Twenty Fifteen:
- Our newest default theme, Twenty Fifteen, is a blog-focused theme designed for clarity.
- Twenty Fifteen has flawless language support, with help from Google’s Noto font family.
- The straightforward typography is readable on any screen size.
- Your content always takes center stage, whether viewed on a phone, tablet, laptop, or desktop computer.
- Distraction-free writing:
- Sometimes, you just need to concentrate on putting your thoughts into words. Try turning on distraction-free writing mode. When you start typing, all the distractions will fade away, letting you focus solely on your writing. All your editing tools instantly return when you need them.
- The Finer Points:
- Choose a language:
- Right now, WordPress 4.1 is already translated into over forty languages, with more always in progress. You can switch to any translation on the General Settings screen.
- Log out everywhere:
- If you’ve ever worried you forgot to sign out from a shared computer, you can now go to your profile and log out everywhere.
- Vine embeds:
- Embedding videos from Vine is as simple as pasting a URL onto its own line in a post. See the full list of supported embeds.
- Plugin recommendations:
- The plugin installer suggests plugins for you to try. Recommendations are based on the plugins you and other users have installed.
- Under the Hood:
- Complex Queries:
- Metadata, date, and term queries now support advanced conditional logic, like nested clauses and multiple operators — A AND ( B OR C ).
- Customizer API:
- The customizer now supports conditionally showing panels and sections based on the page being previewed.
- <title> tags in themes:
- add_theme_support( 'title-tag' ) tells WordPress to handle the complexities of document titles.
- Developer Reference:
- Continued improvements to inline code documentation have made the developer reference more complete than ever.
New in version 4.0.1 (November 20th, 2014)
- Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
- An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.
New in version 4.1 Beta 1 (November 17th, 2014)
- Our beautiful new default theme, Twenty Fifteen. It’s a clean, mobile-first, blog-focused theme designed through simplicity.
- A new distraction-free writing mode for the editor. It’s enabled by default for beta, and we’d love feedback on it.
- The ability to automatically install new language packs right from the General Settings screen (available as long as your site’s filesystem is writable).
- A new inline formatting toolbar for images embedded into posts.
- Improvements to meta, date, comment, and taxonomy queries, including complex (nested, multiple relation) queries; and querying comment types (#12668).
- A single term shared across multiple taxonomies is now split into two when updated. For more, see this post, #5809, and #30335.
- A new and better way for themes to handle title tags.
New in version 4.0 (September 5th, 2014)
- Manage your media with style
- Working with embeds has never been easier
- Focus on your content
- Finding the right plugin
New in version 4.0 RC1 (August 28th, 2014)
- In RC 1, we’ve made refinements to what we’ve been working on for this release. Check out the Beta 1 announcement post for more details on those features. We hope to ship WordPress 4.0 next week, but we need your help to get there. If you haven’t tested 4.0 yet, there’s no time like the present. (Please, not on a production site, unless you’re adventurous.)
New in version 3.9.2 (August 7th, 2014)
- Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
- Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
- Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
- Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
New in version 4.0 Beta 1 (July 14th, 2014)
- Previews of embedding via URLs in the visual editor and the “Insert from URL” tab in the media modal. Try pasting a URL (such as a WordPress.tv or YouTube video) onto its own line in the visual editor. (#28195, #15490)
- The Media Library now has a “grid” view in addition to the existing list view. Clicking on an item takes you into a modal where you can see a larger preview and edit information about that attachment, and you can navigate between items right from the modal without closing it. (#24716)
- We’re freshening up the plugin install experience. You’ll see some early visual changes as well as more information when searching for plugins and viewing details. (#28785, #27440)
- Selecting a language when you run the installation process. (#28577)
- The editor intelligently resizes and its top and bottom bars pin when needed. Browsers don’t like to agree on where to put things like cursors, so if you find a bug here, please also let us know your browser and operating system. (#28328)
- We’ve made some improvements to how your keyboard and cursor interact with TinyMCE views such as the gallery preview. Much like the editor resizing and scrolling improvements, knowing about your setup is particularly important for bug reports here. (#28595)
- Widgets in the Customizer are now loaded in a separate panel. (#27406)
- We’ve also made some changes to some formatting functions, so if you see quotes curling in the wrong direction, please file a bug report.
New in version 3.9.1 (May 9th, 2014)
- This maintenance release fixes 34 bugs in 3.9, including numerous fixes for multisite networks, customizing widgets while previewing themes, and the updated visual editor. We’ve also made some improvements to the new audio/video playlists feature and made some adjustments to improve performance.
New in version 3.9 (April 22nd, 2014)
- Improved visual editing
- Edit images easily
- Drag and drop your images
- Gallery previews
- Do more with audio and video
- Live widget and header previews
- Stunning new theme browser
New in version 3.8.3 (April 15th, 2014)
- The “Quick Draft” tool on the dashboard screen was broken in the 3.8.2 update. If you tried to use it, your draft would disappear and it wouldn’t save. While we doubt anyone was writing a novella using this tool, any loss of content is unacceptable to us.
- We recognize how much trust you place in us to safeguard your content, and we take this responsibility very seriously. We’re sorry we let you down.
- We’ve all lost words we’ve written before, like an email thanks to a cat on the keyboard or a term paper to a blue screen of death. Over the last few WordPress releases, we’ve made a number of improvements to features like autosaves and revisions. With revisions, an old edit can always be restored. We’re trying our hardest to save your content somewhere even if your power goes out or your browser crashes. We even monitor your internet connection and prevent you from hitting that “Publish” button at the exact moment the coffee shop Wi-Fi has a hiccup.
- It’s possible that the quick draft you lost last week is still in the database, and just hidden from view. As an added complication, these “discarded drafts” normally get deleted after seven days, and it’s already been six days since the release. If we were able to rescue your draft, you’ll see it on the “All Posts” screen after you update to 3.8.3. (We’ll also be pushing 3.8.3 out as a background update, so you may just see a draft appear.)
New in version 3.9 RC1 (April 9th, 2014)
- TinyMCE received a major update, to version 4.0. Any editor plugins written for TinyMCE 3.x might require some updates. (If things broke, we’d like to hear about them so we can make adjustments.)
- WordPress 3.9 now uses the MySQL Improved (MySQLi) extension for sites running PHP 5.5. Any plugins that made direct calls to mysql_* functions will experience some problems on these sites.
New in version 3.8.2 (April 9th, 2014)
- Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
- Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw.
- Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files. Reported by Szymon Gruszecki.
New in version 3.9 Beta 3 (March 31st, 2014)
- New features like live widget previews and the new theme installer are now more ready for prime time, so check ‘em out.
- UI refinements when editing images and when working with media in the editor. We’ve also brought back some of the advanced display settings for images.
- If you want to test out audio and video playlists, the links will appear in the media manager once you’ve uploaded an audio or video file.
- For theme developers, we’ve added HTML5 caption support (#26642) to match the new gallery support (#26697).
- The formatting function that turns straight quotes into smart quotes (among other things) underwent some changes to drastically speed it up, so let us know if you see anything weird.
New in version 3.9 Beta 2 (March 24th, 2014)
- Rendering of embedded audio and video players directly in the visual editor.
- Visual and functional improvements to the editor, the media manager, and theme installer.
- Various bug fixes to TinyMCE, the software behind the visual editor.
- Lots of fixes to widget management in the theme customizer.
New in version 3.9 Beta 1 (March 12th, 2014)
- We updated TinyMCE, the software powering the visual editor, to the latest version. Be on the lookout for cleaner markup. Also try the new paste handling — if you paste in a block of text from Microsoft Word, for example, it will no longer come out terrible. (The “Paste from Word” button you probably never noticed has been removed.) It’s possible some plugins that added stuff to the visual editor (like a new toolbar button) no longer work, so we’d like to hear about them (#24067). (And be sure to open a support thread for the plugin author.)
- We’ve added widget management to live previews (the customizer). Please test editing, adding, and rearranging widgets! (#27112) We’ve also added the ability to upload, crop, and manage header images, without needing to leave the preview. (#21785)
- We brought 3.8′s beautiful new theme browsing experience to the theme installer. Check it out! (#27055)
- Galleries now receive a live preview in the editor. Upload some photos and insert a gallery to see this in action. (#26959)
- You can now drag-and-drop images directly onto the editor to upload them. It can be a bit finicky, so try it and help us work out the kinks. (#19845)
- Some things got improved around editing images. It’s a lot easier to make changes to an image after you insert it into a post (#24409) and you no longer get kicked to a new window when you need to crop or rotate an image (#21811).
- New audio/video playlists. Upload a few audio or video files to test these. (#26631)
New in version 3.8.1 (January 24th, 2014)
- Version 3.8.1 is a maintenance release that addresses 31 bugs in 3.8, including various fixes and improvements for the new dashboard design and new themes admin screen. An issue with taxonomy queries in WP_Query was resolved. And if you’ve been frustrated by submit buttons that won’t do anything when you click on them (or thought you were going crazy, like some of us), we’ve found and fixed this “dead zone” on submit buttons.
New in version 3.8 (December 13th, 2013)
- WordPress has gotten a facelift. 3.8 brings a fresh new look to the entire admin dashboard. Gone are overbearing gradients and dozens of shades of grey — bring on a bigger, bolder, more colorful design!
- Modern aesthetic:
- The new WordPress dashboard has a fresh, uncluttered design that embraces clarity and simplicity.
- Clean typography:
- The Open Sans typeface provides simple, friendly text that is optimized for both desktop and mobile viewing. It’s even open source, just like WordPress.
- Refined contrast:
- We think beautiful design should never sacrifice legibility. With superior contrast and large, comfortable type, the new design is easy to read and a pleasure to navigate.
- We all access the internet in different ways. Smartphone, tablet, notebook, desktop — no matter what you use, WordPress will adapt and you’ll feel right at home.
- High definition at high speed
- WordPress is sharper than ever with new vector-based icons that scale to your screen. By ditching pixels, pages load significantly faster, too.
- WordPress just got a colorful new update. We’ve included eight new admin color schemes so you can pick the one that suits you best.
- The new themes screen lets you survey your themes at a glance. Or want more information? Click to discover more. Then sit back and use your keyboard’s navigation arrows to flip through every theme you’ve got.
- Smoother widget experience:
- Drag-drag-drag. Scroll-scroll-scroll. Widget management can be complicated. With the new design, we’ve worked to streamline the widgets screen.
- Have a large monitor? Multiple widget areas stack side-by-side to use the available space. Using a tablet? Just tap a widget to add it.
- Turn your blog into a magazine:
- Create a beautiful magazine-style site with WordPress and Twenty Fourteen. Choose a grid or a slider to display featured content on your homepage. Customize your site with three widget areas or change your layout with two page templates.
- With a striking design that does not compromise our trademark simplicity, Twenty Fourteen is our most intrepid default theme yet.
New in version 3.8 Beta 1 (November 22nd, 2013)
- The new admin design, especially the responsive aspect of it. Try it out on different devices and browsers, see how it goes, especially the more complex pages like widgets or seldom-looked-at-places like Press This. Color schemes, which you can change on your profile, have also been spruced up.
- The dashboard homepage has been refreshed, poke and prod it.
- Choosing themes under Appearance is completely different, try to break it however possible.
- There’s a new default theme, Twenty Fourteen.
- Over 250 issues closed already.
New in version 3.7.1 (October 30th, 2013)
- Images with captions no longer appear broken in the visual editor.
- Allow some sites running on old or poorly configured servers to continue to check for updates from WordPress.org.
- Avoid fatal errors with certain plugins that were incorrectly calling some WordPress functions too early.
- Fix hierarchical sorting in get_pages(), exclusions in wp_list_categories(), and in_category() when called with empty values.
- Fix a warning that may occur in certain setups while performing a search, and a few other notices.
New in version 3.7 (October 25th, 2013)
- Updates while you sleep: With WordPress 3.7, you don’t have to lift a finger to apply maintenance and security updates. Most sites are now able to automatically apply these updates in the background. The update process also has been made even more reliable and secure, with dozens of new checks and safeguards.
- Stronger password recommendations: Your password is your site’s first line of defense. It’s best to create passwords that are complex, long, and unique. To that end, our password meter has been updated in WordPress 3.7 to recognize common mistakes that can weaken your password: dates, names, keyboard patterns (123456789), and even pop culture references.
- Better global support: Localized versions of WordPress will receive faster and more complete translations. WordPress 3.7 adds support for automatically installing the right language files and keeping them up to date, a boon for the many millions who use WordPress in a language other than English.
New in version 3.7 Beta 2 (October 14th, 2013)
- In Beta 2, we further increased the stability of background updates and also added about 50 bug fixes, including a fix for Internet Explorer 11 in the visual editor.
New in version 3.7 Beta 1 (October 1st, 2013)
- For WordPress 3.7 we decided to shorten the development cycle and focus on a few key improvements. We plan to release the final product in October, and then follow it in December with a jam-packed WordPress 3.8 release, which is already in development. Some of the best stuff in WordPress 3.7 is subtle — by design! So let’s walk through what we’d love for you to test, just in time for the weekend.
- Automatic, background updates. 3.7 Beta 1 will keep itself updated. That’s right — you’ll be updated each night to the newest development build, and eventually to Beta 2. We’re working to provide as many installs as possible with fast updates to security releases of WordPress — and you can help us test by just installing Beta 1 on your server and seeing how it works!
- When you go to Dashboard → Updates, you’ll see a note letting you know whether your install is working for automatic updates. There are a few situations where WordPress can’t reliably and securely update itself. But if it can, you’ll get an email (sent to the ‘Admin Email’ on the General Settings page) after each update letting you know what worked and what didn’t. If it worked, great! If something failed, the email will suggest you make a post in the support forums or create a bug report.
New in version 3.6.1 (September 12th, 2013)
- Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
- Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
- Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
New in version 3.6 (August 2nd, 2013)
- The new Twenty Thirteen theme inspired by modern art puts focus on your content with a colorful, single-column design made for media-rich blogging.
- Revamped Revisions save every change and the new interface allows you to scroll easily through changes to see line-by-line who changed what and when.
- Post Locking and Augmented Autosave will especially be a boon to sites where more than a single author is working on a post. Each author now has their own autosave stream, which stores things locally as well as on the server (so much harder to lose something) and there’s an interface for taking over editing of a post, as demonstrated beautifully by our bearded buddies in the video above.
- Built-in HTML5 media player for native audio and video embeds with no reliance on external services.
- The Menu Editor is now much easier to understand and use.
New in version 3.5.2 (June 22nd, 2013)
- Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
- Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
- An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki. (Developers: More on SWFUpload here.)
- Prevention of a denial of service attack, affecting sites using password-protected posts.
- An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
- Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
- Avoid disclosing a full file path when an upload fails. Reported by Jakub Galczyk.
New in version 3.6 Beta 3 (May 16th, 2013)
- Beta 3 contains about a hundred changes, including improvements to the image Post Format flow (yay, drag-and-drop image upload!), a more polished revision comparison screen, and a more quote-like quote format for Twenty Thirteen.
- As a bonus, we now have oEmbed support for the popular music-streaming services Rdio and Spotify (the latter of which kindly created an oEmbed endpoint a mere 24 hours after we lamented their lack of one).
New in version 3.6 Beta 2 (April 30th, 2013)
- The longer-than-usual delay between beta 1 and beta 2 was due to poor user testing results with the Post Formats UI. Beta 2 contains a modified approach for format choosing and switching, which has done well in user testing. We’ve also made the Post Formats UI hide-able via Screen Options, and set a reasonable default based on what your theme supports.
- There were a lot of bug fixes and polishing tweaks done for beta 2 as well, so definitely check it out if you had any issues with beta 1.
- Plugin developers, theme developers, and WordPress hosts should be testing beta 2 extensively. The more you test the beta, the more stable our release candidates and our final release will be.
New in version 3.6 Beta 1 (April 5th, 2013)
- Post Formats: Post Formats now have their own UI, and theme authors have access to templating functions to access the structured data.
- Twenty Thirteen: We’re shipping this year’s default theme in our first release of the year. Twenty Thirteen is an opinionated, color-rich, blog-centric theme that makes full use of the new Post Formats support.
- Audio/Video: You can embed audio and video files into your posts without relying on a plugin or a third party media hosting service.
- Autosave: Posts are now autosaved locally. If your browser crashes, your computer dies, or the server goes offline as you’re saving, you won’t lose your post.
- Post Locking: See when someone is currently editing a post, and kick them out of it if they fall asleep at the keyboard.
- Nav Menus: Nav menus have been simplified with an accordion-based UI, and a separate tab for bulk-assigning menus to locations.
- Revisions: The all-new revisions UI features avatars, a slider that “scrubs” through history, and two-slider range comparisons.
New in version 3.5.1 (January 25th, 2013)
- Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
- Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
- Networks: Suggest proper rewrite rules when creating a new network.
- Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
- Suppress some warnings that could occur when a plugin misused the database or user APIs.
- A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
- Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
- A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.
New in version 3.5 (December 12th, 2012)
- It’s the most wonderful time of the year: a new WordPress release is available and chock-full of goodies to delight bloggers and developers alike. We’re calling this one “Elvin” in honor of drummer Elvin Jones, who played with John Coltrane in addition to many others.
- If you’ve been around WordPress a while, the most dramatic new change you’ll notice is a completely re-imagined flow for uploading photos and creating galleries. Media has long been a friction point and we’ve listened hard and given a lot of thought into crafting this new system. 3.5 includes a new default theme, Twenty Twelve, which has a very clean mobile-first responsive design and works fantastic as a base for a CMS site. Finally we’ve spent a lot of time refreshing the styles of the dashboard, updating everything to be Retina-ready with beautiful high resolution graphics, a new color picker, and streamlining a couple of fewer-used sections of the admin.
New in version 3.5 RC3 (December 5th, 2012)
- Final UI improvements to the media manager.
- Better reporting for upload errors. Improvements for mobile, IE, and RTL languages.
- A cookie fix for sub-domain multi-site when installed in a sub-folder.
New in version 3.5 RC2 (December 4th, 2012)
- This will probably be the final release candidate before the official release of WordPress 3.5.
- This version has a completely new media library, Dashboard streamlining, new performance enhancements for Multisite, the ability to enable Multisite when installed in a subdirectory of the document root, and other features and enhancements.
New in version 3.5 RC1 (November 30th, 2012)
- The new Media Library has some of the most significant changes.
New in version 3.5 Beta 2 (October 16th, 2012)
- New workflow for working with image galleries, including drag-and-drop reordering and quick caption editing.
- New user interface for setting static front pages for the Reading Settings screen. (#16379)
- New image editing API. (#6821)
New in version 3.5 Beta 1 (September 29th, 2012)
- Changes coming in WordPress 3.5 include a simplified welcome screen, a new color picker, and HiDPI graphics (AKA "retina") throughout the Dashboard.
- WP_Query can now return posts in a specific order with the post__in parameter.
- New Posts and Comments APIs are available.
- There's now support for protocol-relative links when enqueuing scripts and styles.
- Updates have been applied to SimplePie, jQuery, jQuery UI, and TinyMCE, and newly-added Underscore and Backbone libraries.
- A revamped Media Library is still in development.
New in version 3.4 (June 14th, 2012)
- The biggest change in 3.4 is the theme customizer which allows you to play around with various looks and settings for your current theme or one you’re thinking about switching to without publishing those changes to the whole world. For themes that support it, you can change colors, backgrounds, and of course custom image headers. We have more planned for the customizer down the road.
- Throughout the rest of the admin you’ll notice tweaks to make your everyday life easier. For example, if you have lots of themes we’ve made it quicker to browse them all at once without paging. We’ve made it possible to use images from your media library to populate custom headers, and for you to choose the height and width of your header images.
- We’ve expanded our embed support to include tweets: just put a Twitter permalink on its own line in the post editor and we’ll turn it into a beautiful embedded Tweet. And finally, image captions have been improved to allow HTML, like links, in them.
New in version 3.3 Beta 1 (October 11th, 2011)
- Media uploader
- Improved admin bar
- Fly out admin menus
New in version 3.2 (July 5th, 2011)
- The focus for this release was making WordPress faster and lighter. The first thing you’ll notice when you log in to 3.2 is a refreshed dashboard design that tightens the typography, design, and code behind the admin. (Rhapsody in Grey?) If you’re starting a new blog, you’ll also appreciate the fully HTML5 new Twenty Eleven theme, fulfilling our plan to replace the default theme every year. Start writing your first post in our redesigned post editor and venture to the full-screen button in the editing toolbar to enter the new distraction-free writing or zen mode, my personal favorite feature of the release. All of the widgets, menus, buttons, and interface elements fade away to allow you to compose and edit your thoughts in a completely clean environment conducive to writing, but when your mouse strays to the top of the screen your most-used shortcuts are right there where you need them. (I like to press F11 to take my browser full-screen, getting rid of even the OS chrome.)
- Under the hood there have been a number of improvements, not the least of which is the streamlining enabled by our previously announced plan of retiring support for PHP4, older versions of MySQL, and legacy browsers like IE6, which allows us to take advantage of more features enabled by new technologies. The admin bar has a few more shortcuts to your most commonly-used actions. On the comment moderation screen, the new approve & reply feature speeds up your conversation management. You’ll notice in your first update after 3.2 that we’ll only be updating the files that have changed with each new release instead of every file in your WordPress installation, which makes updates significantly faster on all hosting platforms. There are also some fun new theme features shown off by Twenty Eleven, like the ability to have multiple rotating header images to highlight all of your favorite photos.
New in version 3.1.4 (July 1st, 2011)
- This release fixes an issue that could allow a malicious Editor-level user to gain further access to the site. Thanks K. Gudinavicius of SEC Consult for bringing this to our attention. Version 3.1.4 also incorporates several other security fixes and hardening measures thanks to the work of WordPress developers Alexander Concha and Jon Cave of our security team.
New in version 3.0.1 (July 30th, 2010)
- This maintenance release addresses about 50 minor issues. The testing many of you contributed prior to the release of 3.0 helped make it one of the best and most stable releases we’ve had.
New in version 3.0 (June 18th, 2010)
- Arm your vuvuzelas: WordPress 3.0, the thirteenth major release of WordPress and the culmination of half a year of work by 218 contributors, is now available for download (or upgrade within your dashboard).
- Major new features in this release include a sexy new default theme called Twenty Ten. Theme developers have new APIs that allow them to easily implement custom backgrounds, headers, shortlinks, menus (no more file editing), post types, and taxonomies. (Twenty Ten theme shows all of that off.)
- Developers and network admins will appreciate the long-awaited merge of MU and WordPress, creating the new multi-site functionality which makes it possible to run one blog or ten million from the same installation.
- As a user, you will love the new lighter interface, the contextual help on every screen, the 1,217 bug fixes and feature enhancements, bulk updates so you can upgrade 15 plugins at once with a single click, and blah blah blah just watch the video. :) (In HD, if you can, so you can catch the Easter eggs.)
- The Future
- Normally this is where I’d say we’re about to start work on 3.1, but we’re actually not. We’re going to take a release cycle off to focus on all of the things around WordPress. The growth of the community has been breathtaking, including over 10.3 million downloads of version 2.9, but so much of our effort has been focused on the core software it hasn’t left much time for anything else. Over the next three months we’re going to split into ninja/pirate teams focused on different areas of the around-WordPress experience, including the showcase, Codex, forums, profiles, update and compatibility APIs, theme directory, plugin directory, mailing lists, core plugins, wordcamp.org… the possibilities are endless. The goal of the teams isn’t going to be to make things perfect all at once, just better than they are today. We think this investment of time will give us a much stronger infrastructure to grow WordPress.org for the many tens of millions of users that will join us during the 3.X release cycle.
- It Takes a Village
- I’m proud to acknowledge the contributions of the following 218 people to the 3.0 release cycle. These are the folks that make WordPress what it is, whose collaboration and hard work enable us to build something greater than the sum of our parts. In alphabetical order, of course.
New in version 3.0 RC3 (June 12th, 2010)
- There is a new menu_page_url() function that will make it easier to link between multiple admin option pages.
- The is_post_type() function has been renamed to post_type_exists() to make its purpose more clear and avoid confusion with the other is_*() conditional functions.
- Barring any unforeseen problems, this will likely be the last release candidate before the official 3.0 release.
New in version 3.0 Beta 1 (April 6th, 2010)
- This is an early beta. This means there are a few things we’re still finishing. We wanted to get people testing it this weekend, so we’re releasing it now rather than waiting another week until everything is finalized and polished. There’s a ton of stuff going on in 3.0, so this time we’re giving you a list of things to check out, so that we can make sure people are testing all the things that need it.
New in version 2.9.2 (February 16th, 2010)
- Thomas Mackenzie alerted us to a problem where logged in users can peek at trashed posts belonging to other authors. If you have untrusted users signed up on your blog and sensitive posts in the trash, you should upgrade to 2.9.2. As always, you can visit the Tools->Upgrade menu to upgrade.
New in version 2.9 (December 19th, 2009)
- Global undo/”trash” feature, which means that if you accidentally delete a post or comment you can bring it back from the grave (i.e., the Trash). This also eliminates those annoying “are you sure” messages we used to have on every delete.
- Built-in image editor allows you to crop, edit, rotate, flip, and scale your images to show them who’s boss. This is the first wave of our many planned media-handling improvements.
- Batch plugin update and compatibility checking, which means you can update 10 plugins at once, versus having to do multiple clicks for each one, and we’re using the new compatibility data from the plugins directory to give you a better idea of whether your plugins are compatible with new releases of WordPress. This should take the fear and hassle out of upgrading.
- Easier video embeds that allow you to just paste a URL on its own line and have it magically turn into the proper embed code, with oEmbed support for YouTube, Dailymotion, Blip.tv, Flickr, Hulu, Viddler, Qik, Revision3, Scribd, Google Video, Photobucket, PollDaddy, and WordPress.tv (and more in the next release).
- 2.9 provides the smoothest ride yet because of a number of improvements under the hood and more subtle improvements you’ll begin to appreciate once you’ve been around the block a few times. Here’s just a sampling:
- We now have rel=canonical support for better SEO.
- There is automatic database optimization support, which you can enable in your wp-config.php file by adding define('WP_ALLOW_REPAIR', true);.
- Themes can register “post thumbnails” which allow them to attach an image to the post, especially useful for magazine-style themes.
- A new commentmeta table that allows arbitrary key/value pairs to be attached to comments, just like posts, so you can now expand greatly what you can do in the comment framework.
- Custom post types have been upgraded with better API support so you can juggle more types than just post, page, and attachment. (More of this planned for 3.0.)
- You can set custom theme directories, so a plugin can register a theme to be bundled with it or you can have multiple shared theme directories on your server.
- We’ve upgraded TinyMCE WYSIWYG editing and SimplePie.
- Sidebars can now have descriptions, so it’s more obvious what each one is for and where it appears.
- Specify category templates not just by ID, like before, but by slug, which will make it easier for theme developers to do custom things with categories — like post types!
- Registration and profiles are now extensible to allow you to collect things more easily, like a user’s Twitter account or any other fields you can imagine.
- The XML-RPC API has been extended to allow changing the user registration option. We fixed some Atom API attachment issues.
- Create custom galleries with the new include and exclude attributes that allow you to pull attachments from any post, not just the current one.
- When you’re editing files in the theme and plugin editors it remembers your location and takes you back to that line after you save. (Thank goodness!!!)
- The Press This bookmarklet has been improved and is faster than ever; give it a try for on-the-fly blogging from wherever you are on the internet.
- Custom taxonomies are now included in the WXR export file and imported correctly.
- Better hooks and filters for excerpts, smilies, HTTP requests, user profiles, author links, taxonomies, SSL support, tag clouds, query_posts and WP_Query.
New in version 2.8.5 (October 21st, 2009)
- A fix for the Trackback Denial-of-Service attack that is currently being seen.
- Removal of areas within the code where PHP code in variables was evaluated.
- Switched the file upload functionality to be whitelisted for all users including Admins.
- Retiring of the two importers of Tag data from old plugins.
New in version 2.8.4 (August 12th, 2009)
- Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password…
New in version 2.8.3 (August 5th, 2009)
- Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended.
New in version 2.8.2 (July 20th, 2009)
- WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.
New in version 2.8.1 Beta 1 (June 22nd, 2009)
- Certain themes were calling get_categories() in such a way that it would fail in 2.8. 2.8.1 works around this so these themes won’t have to change.
- Dashboard memory usage is reduced. Some people were running out of memory when loading the dashboard, resulting in an incomplete page.
- The automatic upgrade no longer accidentally deletes files when cleaning up from a failed upgrade.
- A problem where the rich text editor wasn’t being loaded due to compression issues has been worked around.
- Extra security has been put in place to better protect you from plugins that do not do explicit permission checks.
New in version 2.7 (December 11th, 2008)
- The first thing you’ll notice about 2.7 is its new interface. From the top down, we’ve listened to your feedback and thought deeply about the design and the result is a WordPress that’s just plain faster. Nearly every task you do on your blog will take fewer clicks and be faster in 2.7 than it did in a previous version. (Download it now, or read on for more.)
- Next you’ll begin to notice the new features subtly sprinkled through the new interface: the new dashboard that you can arrange with drag and drop to put the things most important to you on top, QuickPress, comment threading, paging, and the ability to reply to comments from your dashboard, the ability to install any plugin directly from WordPress.org with a single click, and sticky posts.
- Digging in further you might notice that every screen is customizable. Let’s say you never care about author on your post listings — just click “Screen Options” and uncheck it and it’s instantly gone from the page. The same for any module on the dashboard or write screen. If your screen is narrow and the menu is taking up too much horizontal room, click the arrow to minimize it to be icon-only, and then go to the write page and drag and drop everything from the right column into the main one, so your posting area is full-screen. (For example I like hiding everything except categories, tags, and publish. I put categories and tags on the right, and publish under the post box.)
New in version 2.7 RC2 (December 10th, 2008)
- Nearly 150 bugs were fixed since RC 1, including improvements to the backend styling, RTL fixes, fixes for the core and plugin updaters for more hosting setups, tag and category API improvements, comment handling improvements, and many more. Barring the discovery of any major bugs, this may be the last release candidate before the official 2.7 release.
New in version 2.7 RC1 (December 3rd, 2008)
- There have been numerous bugfixes since Beta 3, including all known major blocker issues.
- Also, the new icons for the admin menus have been incorporated.
New in version 2.6.5 (November 26th, 2008)
- This release fixes one security problem and three bugs.
- It is recommended that everyone upgrade.
- The security issue is an XSS exploit that fortunately only affects IP-based virtual servers running on Apache 2.x.
- Note that releases are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds.
- There is not and never will be a version 2.6.4.
New in version 2.7 Beta 3 (November 16th, 2008)
- Many PHP notice messages were cleaned up.
- A new design was made for Quick Edit.
- The Publish module was improved.
- Upload support was added for MS Office 2007+ file types.
- Improvements were made to checkbox range selections.
- Many other fixes and improvements were made to the admin interface.
New in version 2.7 Beta 2 (November 6th, 2008)
- Autosave fixes and automatic upgrade fixes were made.
- Some PHP warnings and notices were eliminated.
- Avatars were added to the Edit Users list.
- Rewrite rule fixes for certain host setups.
- A first draft of the contextual help tab was written.
New in version 2.7 Beta 1 (November 2nd, 2008)
- WordPress 2.7 has a newly redesigned administrative interface, the result of much user feedback and testing.
- New features include a built-in WP core upgrade function, plugin directory browser/installer, the ability for child themes to override individual template files, sticky posts, improved comment management, and much more.
New in version 2.6.2 (September 9th, 2008)
- Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
- Other PHP apps are susceptible to this class of attack. To protect all of your apps, grab the latest version of Suhosin. If you’ve already updated Suhosin, your existing WordPress install is already protected from the full exploit. You should still upgrade to 2.6.2 if you allow open user registration so as to prevent the possibility of passwords being randomized.
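As an added example (not WordPress's own code) of the registration-side mitigation the 2.6.2 notes describe, the PHP check below rejects usernames that a non-strict database would silently truncate, or that differ from an existing login only by padding; the 60-character column width, the function names and the sample values are assumptions, not taken from the release notes.

```php
<?php
// Added example, not WordPress's own code. Assumed column width: a
// VARCHAR(60) login column (assumption, not from the release notes).
const USER_LOGIN_MAX_LEN = 60;

/**
 * Returns true when $username is safe to insert, false otherwise.
 * A username is rejected when:
 *  - it carries leading/trailing whitespace (MySQL's padded comparison
 *    treats 'admin' and 'admin   ' as equal, so such a name can match
 *    somebody else's row in later lookups such as a password reset), or
 *  - it is longer than the column can hold (in non-strict SQL mode the
 *    database truncates it on INSERT, so the stored value can collapse
 *    onto another account's login even though the uniqueness check on
 *    the full string passed), or
 *  - it contains characters outside a conservative allow-list.
 */
function is_safe_username(string $username): bool
{
    if ($username === '' || $username !== trim($username)) {
        return false;
    }
    if (strlen($username) > USER_LOGIN_MAX_LEN) {
        return false;
    }
    // Allow-list of login characters; widen deliberately if a site needs more.
    return (bool) preg_match('/^[A-Za-z0-9_.@-]+$/', $username);
}

/**
 * Models how a non-strict database stores and then compares the value:
 * truncated to the column width, with trailing spaces ignored on compare.
 * Used only to show why the length check above is needed.
 */
function effective_stored_login(string $username): string
{
    return rtrim(substr($username, 0, USER_LOGIN_MAX_LEN));
}

// Constructed demonstration values.
$existing = 'admin';
$overlong = str_pad($existing, USER_LOGIN_MAX_LEN, ' ') . 'x'; // 61 characters

// Without the check, the overlong name would be stored and compared as 'admin'.
var_dump(effective_stored_login($overlong) === $existing);
// With the check, registration refuses it before it ever reaches the database.
var_dump(is_safe_username($overlong));
var_dump(is_safe_username('jane.doe'));
```

Run the check in strict SQL mode as well (so an oversized value errors instead of truncating); the two measures together close the column-truncation path independently of the mt_rand() weakness discussed above.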