WordPress 4.9.1 Security and Maintenance Release

WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:

  1. Use a properly generated hash for the newbloguser key instead of a determinate substring.
  2. Add escaping to the language attributes used on html elements.
  3. Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  4. Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

Thank you to the reporters of these issues for practicing responsible security disclosure: Rahul Pratap Singh and John Blackbourn.

Eleven other bugs were fixed in WordPress 4.9.1. Particularly of note were:

  • Issues relating to the caching of theme template files.
  • A MediaElement JavaScript error preventing users of certain languages from being able to upload media files.
  • The inability to edit theme and plugin files on Windows based servers.

This post has more information about all of the issues fixed in 4.9.1 if you’d like to learn more.

Download WordPress 4.9.1 or venture over to Dashboard → Updates and click “Update Now.” Sites that support automatic background updates are already beginning to update automatically.


WordPress 4.9 “Tipton”

Major Customizer Improvements, Code Error Checking, and More! 🎉

Version 4.9 of WordPress, named “Tipton” in honor of jazz musician and band leader Billy Tipton, is available for download or update in your WordPress dashboard. New features in 4.9 will smooth your design workflow and keep you safe from coding errors.

Featuring design drafts, scheduling, and locking, along with preview links, the Customizer workflow improves collaboration for content creators. What’s more, code syntax highlighting and error checking will make for a clean and smooth site building experience. Finally, if all that wasn’t pretty great, we’ve got an awesome new Gallery widget and improvements to theme browsing and switching.


Customizer Workflow Improved

Draft and Schedule Site Design Customizations

Yes, you read that right. Just like you can draft and revise posts and schedule them to go live on the date and time you choose, you can now tinker with your site’s design and schedule those design changes to go live as you please.

Collaborate with Design Preview Links

Need to get some feedback on proposed site design changes? WordPress 4.9 gives you a preview link you can send to colleagues and customers so that you can collect and integrate feedback before you schedule the changes to go live. Can we say collaboration++?

Design Locking Guards Your Changes

Ever encounter a scenario where two designers walk into a project and designer A overrides designer B’s beautiful changes? WordPress 4.9’s design lock feature (similar to post locking) secures your draft design so that no one can make changes to it or erase all your hard work.

A Prompt to Protect Your Work

Were you lured away from your desk before you saved your new draft design? Fear not, when you return, WordPress 4.9 will politely ask whether or not you’d like to save your unsaved changes.


Coding Enhancements

Syntax Highlighting and Error Checking? Yes, Please!

You’ve got a display problem but can’t quite figure out exactly what went wrong in the CSS you lovingly wrote. With syntax highlighting and error checking for CSS editing and the Custom HTML widget introduced in WordPress 4.8.1, you’ll pinpoint coding errors quickly. Practically guaranteed to help you scan code more easily, and suss out & fix code errors quickly.

Sandbox for Safety

The dreaded white screen. You’ll avoid it when working on themes and plugin code because WordPress 4.9 will warn you about saving an error. You’ll sleep better at night.

Warning: Potential Danger Ahead!

When you edit themes and plugins directly, WordPress 4.9 will politely warn you that this is a dangerous practice and will recommend that you draft and test changes before updating your file. Take the safe route: You’ll thank you. Your team and customers will thank you.


Even More Widget Updates

The New Gallery Widget

An incremental improvement to the media changes hatched in WordPress 4.8, you can now add a gallery via this new widget. Yes!

Press a Button, Add Media

Want to add media to your text widget? Embed images, video, and audio directly into the widget along with your text, with our simple but useful Add Media button. Woo!


Site Building Improvements

More Reliable Theme Switching

When you switch themes, widgets sometimes think they can just move location. Improvements in WordPress 4.9 offer more persistent menu and widget placement when you decide it’s time for a new theme.

Find and Preview the Perfect Theme

Looking for a new theme for your site? Now, from within the Customizer, you can search, browse, and preview over 2600 themes before deploying changes to your site. What’s more, you can speed your search with filters for subject, features, and layout.

Better Menu Instructions = Less Confusion

Were you confused by the steps to create a new menu? Perhaps no longer! We’ve ironed out the UX for a smoother menu creation process. Newly updated copy will guide you.


Lend a Hand with Gutenberg 🤝

WordPress is working on a new way to create and control your content and we’d love to have your help. Interested in being an early tester or getting involved with the Gutenberg project? Contribute on GitHub.

(PS: this post was written in Gutenberg!)


Developer Happiness 😊

Customizer JS API Improvements

We’ve made numerous improvements to the Customizer JS API in WordPress 4.9, eliminating many pain points. (Hello, default parameters for constructs! Goodbye repeated ID for constructs!) There are also new base control templates, a date/time control, and section/panel/global notifications to name a few. Check out the full list.

CodeMirror available for use in your themes and plugins

We’ve introduced a new code editing library, CodeMirror, for use within core. CodeMirror allows for syntax highlighting, error checking, and validation when creating code writing or editing experiences within your plugins, like CSS or JavaScript include fields.

MediaElement.js upgraded to 4.2.6

WordPress 4.9 includes an upgraded version of MediaElement.js, which removes dependencies on jQuery, improves accessibility, modernizes the UI, and fixes many bugs.

Roles and Capabilities Improvements

New capabilities have been introduced that allow granular management of plugins and translation files. In addition, the site switching process in multisite has been fine-tuned to update the available roles and capabilities in a more reliable and coherent way.


WordPress 3.1.4 (and 3.2 Release Candidate 3)

WordPress 3.1.4 is available now and is a maintenance and security update for all previous versions.

This release fixes an issue that could allow a malicious Editor-level user to gain further access to the site. Thanks K. Gudinavicius of SEC Consult for bringing this to our attention. Version 3.1.4 also incorporates several other security fixes and hardening measures thanks to the work of WordPress developers Alexander Concha and Jon Cave of our security team. Consult the change log for more details.

Download WordPress 3.1.4 or update immediately from the Dashboard → Updates menu in your site’s admin area.

WordPress 3.2-beta2 Released

WordPress 3.2-beta2 was released today. There are a few changes that may affect some plugins.

1. The admin UI style was updated. This is mostly a visual update so if your plugin uses the default admin CSS styles on its settings page, it will inherit all seamlessly.

2. The “Favorites” menu (top/right on all admin pages) was removed completely.

3. jQuery was updated to version 1.6.1 and jQuery UI was updated to 1.8.12. We encourage all authors of themes or plugins that use jQuery to test them in 3.2-beta2 as there are a couple of changes that may affect many plugins:

– jQuery 1.5.0 and newer no longer allows selectors of the form [property=value]. These selectors now require quotes: [property="value"].

– jQuery 1.6.0 and newer introduces another method: .prop() that replaces many .attr() calls. This was (partially) reverted in jQuery 1.6.1 but some uses of .attr() are not working any more. For example .attr('checked', '') doesn’t uncheck checkboxes any more.

Best would be to replace all getting/setting of 'checked', 'selected' and 'disabled' from .attr() to .prop() (using .prop() is also much faster). More information on the jQuery blog: http://blog.jquery.com/2011/05/12/jquery-1-6-1-released/

4. WordPress 3.2 has new minimal requirements: PHP 5.2.4 and MySQL 5.0.15. Most of the PHP 4 compat code was removed except for a few class constructors since many plugins seem to call them directly. If your plugin uses any of the WordPress PHP classes, please test that it calls them properly.
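For item 3 above, here is an added JavaScript helper that plugin authors could run over their own source to locate the two breaking patterns named: it quotes attribute-selector values of the form [property=value], and it reports setter calls of .attr() on checked, selected and disabled so each can be reviewed for conversion to .prop(). This is example code written for this page, not part of the beta announcement or of jQuery; the function names, the regular expressions and the sample plugin snippet are constructed for the example, and the selector rewrite is purely textual, so it handles only simple unquoted values.

```javascript
// Added helper for auditing plugin source against the two jQuery 1.6.x changes
// listed above. Not part of the announcement or of jQuery; names, regular
// expressions and the sample snippet are constructed for this example.

// Quote unquoted attribute-selector values: [name=foo] -> [name="foo"].
// Already-quoted values and bare presence selectors like [disabled] are left
// alone. The rewrite is textual, so it can misfire on unusual index
// expressions; review the diff instead of applying it unseen.
const UNQUOTED_ATTR_SELECTOR =
  /\[([A-Za-z_][\w:.-]*)\s*([~|^$*!]?=)\s*([^\]"'\s=][^\]"'\s]*)\s*\]/g;

function quoteAttributeSelectors(source) {
  return String(source).replace(UNQUOTED_ATTR_SELECTOR, '[$1$2"$3"]');
}

// Report .attr() *setter* calls on the three boolean properties whose
// behaviour changed, so each can be converted to .prop() with a real boolean.
const LEGACY_ATTR_SETTER =
  /\.attr\(\s*(['"])(checked|selected|disabled)\1\s*,/g;

function findLegacyAttrCalls(source) {
  const text = String(source);
  const hits = [];
  let match;
  while ((match = LEGACY_ATTR_SETTER.exec(text)) !== null) {
    // 1-based line number of the match, for the report.
    const line = text.slice(0, match.index).split('\n').length;
    hits.push({
      line,
      property: match[2],
      suggestion: `.prop('${match[2]}', true|false)`,
    });
  }
  LEGACY_ATTR_SETTER.lastIndex = 0;
  return hits;
}

// A constructed plugin snippet exercising both patterns, plus two lines that
// must be left untouched (an already-quoted selector and an .attr() getter).
const SAMPLE_PLUGIN_JS = [
  "jQuery('input[name=agree]').attr('checked', '');",
  "jQuery('a[href^=http]').addClass('external');",
  'jQuery(\'select[data-role="picker"] option\').attr("selected", true);',
  "var href = jQuery('#home').attr('href');",
].join('\n');

function auditSample() {
  return {
    rewritten: quoteAttributeSelectors(SAMPLE_PLUGIN_JS),
    legacyCalls: findLegacyAttrCalls(SAMPLE_PLUGIN_JS),
  };
}
```

Calling auditSample() returns the rewritten snippet with both selectors quoted and a two-entry report pointing at lines 1 and 3; the .attr('href') getter on line 4 is not flagged, because reading a plain attribute is unaffected by the change and only boolean property setters need the .prop() treatment.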

WordPress 3.1.3 Now Available

WordPress 3.1.3 is now available so remember to update. Please keep your WordPress up to date.

  • Various security hardening by Alexander Concha.
  • Taxonomy query hardening by John Lamansky.
  • Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
  • Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
  • Improves file upload security on hosts with dangerous security settings.
  • Cleans up old WordPress import files if the import does not finish.
  • Introduce “clickjacking” protection in modern browsers on admin and login pages.


WordPress 3.2, Beta 1 Released – IE 6 Dead Dead Dead

WordPress 3.2 beta 1 has been released into the hands of beta testers. The big news is that we are finally on the way to stomping out IE 6, the bane of web developers’ existence. The millions of WordPress sites will soon prompt your lazy arse users to move to newer versions.

From WordPress.org:

Here’s some of what’s new:

  • Performance improvements like you wouldn’t believe. What’s that mean? Things are faster!
  • Distraction-free Writing. The visual editor’s full-screen composing experience has gotten a major overhaul, and is now available from HTML mode, too. More than ever, WordPress allows you to focus on what matters most — your content.
  • Admin UI Refresh. The last major redesign of the WordPress admin was in 2008. This isn’t a major redesign, just a little facelift to keep us feeling young. WordPress turns 8 later this month, you know.
  • New Default Theme. Introducing Twenty Eleven, based on the popular Duster theme. Rotating header images, post format support, and more.
  • Browse Happy. WordPress is made to work with modern browsers. If you visit your Dashboard using an outdated web browser, we’ll let you know there’s a newer version available.
  • Admin Bar. We’ve added more links to the admin bar to make it even more useful.

Be Aware:

  • WordPress has new minimum system requirements: PHP 5.2.4 and MySQL 5.0.
  • Internet Explorer 6 will no longer be supported.
  • The favorites menu has been removed. If you’ve written any plugins that use this menu, it’s time to switch over to an admin bar placement.

If you want to be a beta tester, you should check out the Codex article on how to report bugs.


WordPress Camps – June 2011

June 4–5: WordCamp Reno-Lake Tahoe in Reno, NV. Organized by a WordPress core UI group contributor, WordCamp Reno-Lake Tahoe is taking place in Reno and has a packed schedule full of visiting experts.

June 11–12: WordCamp Kansas City in Overland Park, KS. With publisher, designer, and developer tracks, Kansas City’s WordCamp will have a little something for everyone, presented in large part by local speakers.

June 17–19: WordCamp Columbus in Columbus, OH. WordCamp Columbus has a new organizer this year and is bringing the focus more firmly onto WordPress (and less on social media). Their 3-day event includes an entire day for newbies, and another for non-profits, a nice addition to the usual blogger/developer tracks.

July 9–10: WordCamp Montreal in Montreal, Quebec. This group consistently puts on a great event every year. If you register now, you can still get a $10 discount and get both days for only $30 (with sessions in both English and French to reflect the bilingual nature of the city). Montreal plays host to a number of festivals throughout the year, and this weekend is no different, including festivals for the arts, comedy, tango, and even circus arts.

July 16: WordCamp San Diego in San Diego, CA. First WordCamp in San Diego! They have been talking about this for over a year, and are now starting to really ramp up the planning. They’re finalizing their venue right now, and I would expect a great roster of speakers.

July 16-17: WordCamp Portsmouth in Portsmouth, UK. The annual WordCamp UK that moves from city to city each year alights this year in Portsmouth. This one is notable because Mike Little, co-founder of WordPress, is part of the organizing team.

July 23–24: WordCamp Boston in Boston, MA. Another one just about to lock down some details and get started with speaker selection, etc. An easy train ride from so many places, and not in the middle of winter this year!

July 30–31: WordCamp Chicago has new organizers and a new venue this year. A call for speakers, supporters, and volunteers will likely be posted sometime next week.

[Image CC by Titanas]

WordPress 3.1.2 Update

WordPress 3.1.2 is now available and is a security release for all previous WordPress versions.

This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts.

The issue was discovered by a member of our security team, WordPress developer Andrew Nacin, with Benjamin Balter.

We suggest you update to 3.1.2 promptly, especially if you allow users to register as contributors or if you have untrusted users. This release also fixes a few bugs that missed the boat for version 3.1.1.

Download 3.1.2 or update automatically from the Dashboard → Updates menu in your site’s admin area.

[Image cc by Mick ㋡rlosky ]

iPad-afy Your WordPress Blog

PadPressed is the easiest way for WordPress publishers to make their content tablet friendly using their existing theme.

Although not as clean as a native application, it is a quick and convenient way to make your WordPress blog iPad friendly. You can find more information here.
