Blog | 7th Circle Designs

WordPress 5.0.3 Maintenance Release

WordPress 5.0.3 is now available!

5.0.3 is a maintenance release that includes 36 bug fixes and 7 performance updates. The focus of this release was fine-tuning the new block editor, and fixing any major bugs or regressions.

Here are a few of the highlights:

15 block editor related bug fixes and improvements have been added to bundled themes. Make sure to update these for an improved block editing experience.
2 block editor related internationalization (I18N) bugs have been fixed
Users with JavaScript disabled now see a notice when attempting to use the block editor.
A few PHP errors in the Customizer have been fixed.
Some issues uploading common file types, like CSVs, have been fixed.

For a full list of changes, please consult the list of tickets on Trac, changelog, or read a more technical summary on the Make WordPress Core blog.

You can download WordPress 5.0.3 or visit Dashboard → Updates on your site and click Update Now. Sites that support automatic background updates have already started to update automatically.

Subscribe to get new posts in your mailbox.

WooCommerce 3.5.3 release notes

WooCommerce 3.5.3 is now available. This patch release fixes an issue affecting stores running WordPress 5.0.2. This new version of WordPress was released yesterday, and changed the default value of a few variables. This modification caused the WooCommerce orders list table displayed in WP Admin to break. More information on this bug can be found in this WordPress core ticket, as well as this WooCommerce issue.

1 commit made it into this release and the full changelog is below.

* Fix - Fix orders list table in the admin after a change introduced in WordPress 5.0.2. #22273

Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

Subscribe to get new posts in your mailbox.

WordPress 5.0.2 Maintenance Release

WordPress 5.0.2 is now available!

5.0.2 is a maintenance release for WordPress 5.0 that addresses 73 bugs. The primary focus of this release was performance improvements in the block editor: the cumulated performance gains make it 330% faster for a post with 200 blocks.

Here are a few of the additional highlights:

45 total Block Editor improvements are included (14 performance enhancements & 31 bug fixes).
17 Block Editor related bugs have been fixed across all of the bundled themes.
Some internationalization (i18n) issues related to script loading have also been fixed.

For a full list of changes, please consult the list of tickets on Trac or the changelog.

You can download WordPress 5.0.2 or visit Dashboard → Updates and click Update Now. Sites that support automatic background updates have already started to update automatically.

Subscribe to get new posts in your mailbox.

WordPress 5.0.1 Security Release

WordPress 5.0.1 is now available. This is a security release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

Plugin authors are encouraged to read the 5.0.1 developer notes for information on backwards-compatibility.

WordPress versions 5.0 and earlier are affected by the following bugs, which are fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are also available, for users who have not yet updated to 5.0.

Karim El Ouerghemmi discovered that authors could alter meta data to delete files that they weren’t authorized to.
Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input.
Sam Thomas discovered that contributors could craft meta data in a way that resulted in PHP object injection.
Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.
Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.
Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.

Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

Download WordPress 5.0.1, or venture over to Dashboard → Updates and click Update Now. Sites that support automatic background updates are already beginning to update automatically.

Subscribe to get new posts in your mailbox.

WordPress 5.0 “Bebo”

Say Hello to the New Editor

We’ve made some big upgrades to the editor. Our new block-based editor is the first step toward an exciting new future with a streamlined editing experience across your site. You’ll have more flexibility with how content is displayed, whether you are building your first site, revamping your blog, or write code for a living.

Building with Blocks

The new block-based editor won’t change the way any of your content looks to your visitors. What it will do is let you insert any type of multimedia in a snap and rearrange to your heart’s content. Each piece of content will be in its own block; a distinct wrapper for easy maneuvering. If you’re more of an HTML and CSS sort of person, then the blocks won’t stand in your way. WordPress is here to simplify the process, not the outcome.

We have tons of blocks available by default, and more get added by the community every day. Here are a few of the blocks to help you get started:

Paragraph
Heading
Preformatted
Quote
Image
Gallery
Cover
Video
Audio
Columns
File
Code
List
Button
Embeds
More

Freedom to Build, Freedom to Write

This new editing experience provides a more consistent treatment of design as well as content. If you’re building client sites, you can create reusable blocks. This lets your clients add new content anytime, while still maintaining a consistent look and feel.

A Stunning New Default Theme

Introducing Twenty Nineteen, a new default theme that shows off the power of the new editor.

Designed for the block editor

Twenty Nineteen features custom styles for the blocks available by default in 5.0. It makes extensive use of editor styles throughout the theme. That way, what you create in your content editor is what you see on the front of your site.

Simple, type-driven layout

Featuring ample whitespace, and modern sans-serif headlines paired with classic serif body text, Twenty Nineteen is built to be beautiful on the go. It uses system fonts to increase loading speed. No more long waits on slow networks!

Versatile design for all sites

Twenty Nineteen is designed to work for a wide variety of use cases. Whether you’re running a photo blog, launching a new business, or supporting a non-profit, Twenty Nineteen is flexible enough to fit your needs.

Give Twenty Nineteen a try

Developer Happiness

Protect

Blocks provide a comfortable way for users to change content directly, while also ensuring the content structure cannot be easily disturbed by accidental code edits. This allows the developer to control the output, building polished and semantic markup that is preserved through edits and not easily broken.

Compose

Take advantage of a wide collection of APIs and interface components to easily create blocks with intuitive controls for your clients. Utilizing these components not only speeds up development work but also provide a more consistent, usable, and accessible interface to all users.

Create

The new block paradigm opens up a path of exploration and imagination when it comes to solving user needs. With the unified block insertion flow, it’s easier for your clients and customers to find and use blocks for all types of content. Developers can focus on executing their vision and providing rich editing experiences, rather than fussing with difficult APIs.

Learn how to get started

Keep it Classic

Prefer to stick with the familiar Classic Editor? No problem! Support for the Classic Editor plugin will remain in WordPress through 2021.

The Classic Editor plugin restores the previous WordPress editor and the Edit Post screen. It lets you keep using plugins that extend it, add old-style meta boxes, or otherwise depend on the previous editor. To install, visit your plugins page and click the “Install Now” button next to “Classic Editor”. After the plugin finishes installing, click “Activate”. That’s it!

Note to users of assistive technology: if you experience usability issues with the block editor, we recommend you continue to use the Classic Editor.

Check out the Classic Editor

This release is named in homage to the pioneering Cuban jazz musician Bebo Valdés.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WooCommerce 3.5.2 security/fix/compatibility release notes

WooCommerce 3.5.2 is now available. This release patches a number of bugs, adds compatibility with the Twenty Nineteen theme and with PHP 7.3, and fixes one security issue. Versions 3.5.1 and earlier are affected by a stored XSS vulnerability through the API which can be exploited by users with write-access API keys, and we recommend all users running WooCommerce 3.x upgrade to 3.5.2 to mitigate it. Thanks to Karim for disclosing this vulnerability.

Important: If you will be using the Twenty Nineteen theme included with WordPress 5.0 or if you will be using PHP 7.3, you should also be using WooCommerce 3.5.2+. In this release we’ve added the necessary styling for stores to look nice in the Twenty Nineteen theme and made backwards-compatible code tweaks to prevent notices and warnings when running PHP 7.3.

~87 commits made it into this release and the full changelog is below.

* Enhancement - Added compatibility for Twenty Nineteen theme. #21970
* Update - Prepare WooCommerce for PHP 7.3. #22009
* Tweak - Updates the signature field type to "password" in PayPal settings for increased security. #21715
* Tweak - Change the filter name in the /myaccount/lost-password-confirmation.php template to differentiate between other filter with same name and different message. #21829
* Tweak - Reintroduce Preview button by popular demand with the understanding that the Preview will only work on some product fields. It was removed from pubished products in 3.5.0 to prevent confusion. #21838
* Tweak - Add tool to systems status tools for running the DB update routine. #21923
* Tweak - Revert default behavior for `woocommerce_formatted_address_force_country_display` filter to maintain backwards compatibility. #21865
* Tweak - Update products block notice for WP 5.0. #21930
* Tweak - Use wp_kses_post instead of esc_html for sanitizing product titles to allow minimal HTML in product titles. #21936
* Tweak - Use dedicated woocommerce_add_order_again_cart_item to filter cart item data when ordering again. Prevents issues with applying woocommerce_add_cart_item out of context. #21947
* Tweak - Remove postal code for Angola, São Tomé and Príncipe since they don't use postal codes and update locale info. #21984 #21985 #21987
* Fix - Metadata with array key of 0 can save properly. #21641
* Fix - Prevent deleting the default product category via REST API. #21696
* Fix - Fix 'Table does not exist' messages on System Status Report in multisite. #21706
* Fix - Add dynamic SSL check to dashboard SSL notice to prevent misdiagnosing that sites aren't set up with SSL. #21738
* Fix - Don't show escaped HTML in admin order item details for fees. #21769
* Fix - Don't include draft variable products in on sale product results. #21778
* Fix - Add woocommerce_hold_stock_minutes check back to stock check in cart/checkout. #21797 #22050
* Fix - Fix potential undefined index notice on checkout fields when comparing the sort order. #21801
* Fix - Throw an error when trying to set a variation as the parent of a variation in the CSV importer. #21810
* Fix - Make "account erasure request" text translatable. #21812
* Fix - Display notices on Order Pay page. #21821
* Fix - Fix tax rate uploading by file path. #21831
* Fix - Make wc_download_log_permission_id constraint creation work better on multisites and multiple sites using the same DB. #21836 #21940
* Fix - Don't render undecoded HTML entities in variations dimensions. #21844
* Fix - Do not check for stock when not managing stock or have backorders enabled when paying through the order-pay page. #21849
* Fix - Apply priority field sorting on additional filters to make it apply on the edit address pages as well. #21856
* Fix - Fix export and edit of attribute labels with html encoded special characters in product CSV exporter. #21864
* Fix - Prevent fatal error when rendering plaintext customer invoice email. #21879
* Fix - Prevent fatal error when delivering webhooks using v3 API. #21921
* Fix - Prevent undefined variable notice in wc_increase_stock_levels. #21928
* Fix - Fix overescaping image output on product widget. #21929
* Fix - Croatian Kuna symbol should be lowercase. #21934
* Fix - Fixed an error when deleting logged entries when using the 'WC_Log_Handler_DB' handler. #21949
* Fix - Update ShipStation plugin info so install works through setup wizard. #21953
* Fix - Use dynamic DB table name in product list table shipping class query. #21954
* Fix - Log file date/time should be in UTC and not site timezone as per the +00:00:00 string appended to it. #21981
* Fix - Set customer's country to selling country when only selling to one country and default customer location is 'none'. #21995
* Fix - Change new account email copy to be compatible with auto-generated accounts. #21999
* Fix - Correct Aria-Labelledby attribute for quantity selectors. #22000
* Fix - Show notices on lost password page. #22001
* Fix - Fix authentication errors when using the REST API with 3rd-party authentication. #22013
* Fix - Fix issues where potentially not all active plugins were included on the system status report. #22057
* Fix - Make PDT validation use the same rounding as the IPN validation to prevent erroneous totals mismatch. #21729

Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

Subscribe to get new posts in your mailbox.

WooCommerce 3.5.1 release notes

WooCommerce 3.5.1 is now available. This release patches the highest priority bugs introduced in the WC 3.5.0 release and updates WooCommerce to work nicely with WordPress 5.0.

Important: If you will be using WordPress 5.0, you should also be using WooCommerce 3.5.1+. WordPress 5.0 changed the name of a filter used to force the classic editor on the Edit Product screens, and this release updates WooCommerce to use the latest filter. You can read more about this change here.

~67 commits made it into this release and the full changelog is below.

* Fix - Use CRUD method to get product images to fix custom tables missing images. #21608
* Fix - Use HTML entity for times sign when outputting dimensions to fix RTL support. #21633
* Fix - Fix India address format to look nice in the shipping calculator. #21647
* Fix - Don't default gallery variation images to gallery thumbnail size if flexslider is disabled. #21655
* Fix - Revert show shipping behavior change to prevent missing shipping line on Cart page. #21658
* Fix - Removed non-existing WC_Product_Simple->set_date_created_gmt method. #21675
* Fix - Use correct comment_type when fetching recent reviews for widget. #21689
* Fix - Do not include strong tags as part of translation string on subscriptions disconnect message. #21690
* Fix - Make it possible to send webhooks with the v3 API. #21745
* Fix - Fix get_cart_from_session infinite loop when filters used. #21749
* Fix - Use array instead of string to define class for address line 2 input on checkout. #21757
* Fix - Make checkout fields priority work correctly again. #21763
* Tweak - Remove mentions of deprecated live shipping rates from setup wizard. #21645
* Tweak- Update product block editor hook for WP 5.0. #21703
* Tweak - Merged similar strings to reduce number of translatable strings. #21704
* Tweak - Remove hated "Over to you" text from emails. #21709
* Tweak - Revert problematic customer as post author change. #21740

Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

Subscribe to get new posts in your mailbox.

WooCommerce 3.5 is here!

WooCommerce 3.5 is a “minor” release; this version should be backwards compatible with sites running versions of WooCommerce greater than or equal to 3.0. We do of course recommend ensuring your extensions and themes are compatible before upgrading, and making backups for peace of mind–see this handy guide for more details.

REST API v3

This release introduces the latest version of the WooCommerce REST API. This API has some new endpoints as well as features added to existing endpoints. Among these are:

A reviews endpoint to list, get, create, and update product reviews.
Date fields are now editable on the products endpoint, and the endpoint has been updated to work with the “on backorder” stock status introduced in WC 3.3.
A series of new reports endpoints to get total counts of orders, products, customers, coupons and reviews.
Automatic total calculations when applying/removing coupons in the orders endpoint.
New data endpoints to fetch Continents, Countries and Currencies.
Refund line items through the API.
Query sort products by price, popularity and rating.
Query products and variations by stock_status.
Ability to batch update settings.

For a complete list of the API endpoints and their features check out the API documentation.

Note: REST API v2 and other legacy API versions are still included in WooCommerce 3.5 for backwards compatibility.

Improved copy for transactional emails

We have updated the default wording of the WooCommerce transactional e-mails to make them friendlier and less robotic. The emails have had the same wording for years, so an update to the wording was due. Having better default content for the transactional e-mails reduces the need for custom e-mail templates and overrides, and it will improve the customer experience.

This is the first phase of a larger initiative to improve WooCommerce’s emails and email content editing experience. Stay tuned in 2019 for more improvements.

Features for store owners

Here’s some other new features you may find useful while using WooCommerce:

You can now export products by category in the CSV exporter.
You can now set a low-stock threshold for individual products.
The payment method settings page has improved accessibility.

Features for store builders and developers

If you’re building stores for clients, or just developing on top of WooCommerce, here’s some new toys at your disposal:

The Action Scheduler library used by the WooCommerce Subscriptions plugin and other WooCommerce plugins is now included in WooCommerce core. It provides a robust, scalable background processing solution for developers. In 3.5 webhooks will be delivered using this library.
Support for the Custom Product Tables feature plugin. We’re working on custom database tables to store product data and improve the performance and scalability of WooCommerce. This release adds the hooks and filters required by the feature plugin. Read more about this here.
Support for the wc-admin feature plugin. We’re working on a modernization of the WooCommerce admin experience. This release adds the API endpoints required by the feature plugin. Read more about this here.
Many new filters and actions to increase the customizability of WooCommerce.

On top of the new features, there are a variety of minor tweaks, new hooks, performance improvements, and fixes in this minor release. We won’t go into detail here, but you can see the full list of changes in the readme if you’re interested!

Upgrading to 3.5

3.5 is a minor update and should be compatible with sites running any version of WooCommerce greater than or equal to 3.0. We still recommend testing and backing up prior to upgrading just to be safe.

Note: There are a few post-update database upgrade routines that need to run after updating. These may run for a while if you have a large amount of data in your database. On very large databases we recommend running the upgrade routine with the WP CLI command wp wc update instead of through the admin interface.

Subscribe to get new posts in your mailbox.

WooCommerce 3.4.7 fix release notes

WooCommerce 3.4.7 is now available. This is the last WooCommerce 3.4.x release, and it patches a couple issues introduced in WC 3.4.6 on certain site setups. ~9 commits made it into this release and the full changelog is below.

* Fix - Simplify importer file path check to cause less issues. #21573
* Fix - Better role checking for user editing capabilities. #21569 #21575

Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

As usual, if you spot any other issues in WooCommerce core please log them in detail on Github, and to disclose a security issue to our team, please submit a report via HackerOne here.

Subscribe to get new posts in your mailbox.

WordPress 4.9.8 Maintenance Release

This maintenance release fixes 46 bugs, enhancements and blessed tasks, including updating the Twenty Seventeen bundled theme.

Following are the highlights of what is now available.

“Try Gutenberg” callout

Most users will now be presented with a notice in their WordPress dashboard. This “Try Gutenberg” is an opportunity for users to use the Gutenberg block editor before it is released in WordPress 5.0.

In WordPress 4.9.8, the callout will be shown to the following users:

If Gutenberg is not installed or activated, the callout will be shown to Admin users on single sites, and Super Admin users on multisites.
If Gutenberg is installed and activated, the callout will be shown to Contributor users and above.
If the Classic Editor plugin is installed and activated, the callout will be hidden for all users.

You can learn more by reading “Try Gutenberg” Callout in WordPress 4.9.8.

Privacy fixes/enhancements

This release includes 18 Privacy fixes focused on ensuring consistency and flexibility in the new personal data tools that were added in 4.9.6, including:

The type of request being confirmed is now included in the subject line for all privacy confirmation emails.
Improved consistency with site name being used for privacy emails in multisite.
Pagination for Privacy request admin screens can now be adjusted.
Increased the test coverage for several core privacy functions.

This post has more information about all of the issues fixed in 4.9.8 if you’d like to learn more.

Download WordPress 4.9.8 or venture over to Dashboard ? Updates and click “Update Now.” Sites that support automatic background updates are already beginning to update automatically.

Subscribe to get new posts in your mailbox.

WordPress 4.9.7 Security and Maintenance Release

WordPress 4.9.7 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory.

Thank you to Slavco for reporting the original issue and Matt Barry for reporting related issues.

Seventeen other bugs were fixed in WordPress 4.9.7. Particularly of note were:

Taxonomy: Improve cache handling for term queries.
Posts, Post Types: Clear post password cookie when logging out.
Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.
Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.
Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.

Download WordPress 4.9.7 or venture over to Dashboard → Updates and click “Update Now.” Sites that support automatic background updates are already beginning to update automatically.

Subscribe to get new posts in your mailbox.

WordPress 4.9.6 Privacy and Maintenance Release

WordPress 4.9.6 is now available. This is a privacy and maintenance release. We encourage you to update your sites to take advantage of the new privacy features.

A decorative header featuring the text "GDPR" and a lock inside of a blue shield, on multicolor green background.

Privacy

The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25. The GDPR requires companies and site owners to be transparent about how they collect, use, and share personal data. It also gives individuals more access and choice when it comes to how their own personal data is collected, used, and shared.

It’s important to understand that while the GDPR is a European regulation, its requirements apply to all sites and online businesses that collect, store, and process personal data about EU residents no matter where the business is located.

You can learn more about the GDPR from the European Commission’s Data Protection page.

We’re committed to supporting site owners around the world in their work to comply with this important law. As part of that effort, we’ve added a number of new privacy features in this release.

Comments

A screenshot of a comment form, where the new "Save my name, email, and website in this browser for the next time I comment" checkbox is featured.

Logged-out commenters will be given a choice on whether their name, email address, and website are saved in a cookie on their browser.

Privacy Policy Page

A screenshot of the new Privacy Settings page.

Site owners can now designate a privacy policy page. This page will be shown on your login and registration pages. You should manually add a link to your policy to every page on your website. If you have a footer menu, that’s a great place to include your privacy policy.

In addition, we’ve created a guide that includes insights from WordPress and participating plugins on how they handle personal data. These insights can be copied and pasted into your site’s privacy policy to help you get started.

If you maintain a plugin that collects data, we recommend including that information in WordPress’ privacy policy guide. Learn more in our Privacy section of the Plugin Handbook.

Data Handling

A screenshot of the new Export Personal Data tools page. Several export requests are listed on the page, to demonstrate how the new feature will work.

Data Export

Site owners can export a ZIP file containing a user’s personal data, using data gathered by WordPress and participating plugins.

Data Erasure

Site owners can erase a user’s personal data, including data collected by participating plugins.

Howdy,
A request has been made to perform the following action on your account:
Export Personal Data
To confirm this, please click on the following link:
http://.wordpress.org/wp-login.php?action=confirmaction…
You can safely ignore and delete this email if you do not want to
take this action.
This email has been sent to you@example.com.
Regards,
Your friends at WordPress
http://wordpress.org

Site owners have a new email-based method that they can use to confirm personal data requests. This request confirmation tool works for both export and erasure requests, and for both registered users and commenters.

Maintenance

95 updates were made in WordPress 4.9.6. In addition to the above, particularly of note were:

“Mine” has been added as a filter in the media library.
When viewing a plugin in the admin, it will now tell you the minimum PHP version required.
We’ve added new PHP polyfills for forwards-compatibility and proper variable validation.
TinyMCE was updated to the latest version (4.7.11).

This post has more information about all of the issues fixed in 4.9.6 if you’d like to learn more.

Download WordPress 4.9.6 or venture over to Dashboard ? Updates and click “Update Now.” Sites that support automatic background updates will start updating soon.

Please note that if you’re currently on WordPress 4.9.3, you should manually update your site immediately.

Subscribe to get new posts in your mailbox.

WordPress 4.9.5 Security and Maintenance Release

WordPress 4.9.5 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.5:

Don’t treat localhost as same host by default.
Use safe redirects when redirecting the login page if SSL is forced.
Make sure the version string is correctly escaped for use in generator tags.

Thank you to the reporters of these issues for practicing coordinated security disclosure: xknown of the WordPress Security Team, Nitin Venkatesh (nitstorm), and Garth Mortensen of the WordPress Security Team.

Twenty-five other bugs were fixed in WordPress 4.9.5. Particularly of note were:

The previous styles on caption shortcodes have been restored.
Cropping on touch screen devices is now supported.
A variety of strings such as error messages have been updated for better clarity.
The position of an attachment placeholder during uploads has been fixed.
Custom nonce functionality in the REST API JavaScript client has been made consistent throughout the code base.
Improved compatibility with PHP 7.2.

Download WordPress 4.9.5 or venture over to Dashboard → Updates and click “Update Now.” Sites that support automatic background updates are already beginning to update automatically.

Subscribe to get new posts in your mailbox.

WordPress 4.9.4 Maintenance Release

This maintenance release fixes a severe bug in 4.9.3, which will cause sites that support automatic background updates to fail to update automatically, and will require action from you (or your host) for it to be updated to 4.9.4.

Four years ago with WordPress 3.7, we added the ability for WordPress to self-update, keeping your website secure and bug-free, even when you weren’t available to do it yourself. For four years it’s helped keep millions of installs updated with very few issues over that time. Unfortunately yesterdays 4.9.3 release contained a severe bug which was only discovered after release. The bug will cause WordPress to encounter an error when it attempts to update itself to WordPress 4.9.4, and will require an update to be performed through the WordPress dashboard or hosts update tools.

WordPress managed hosting companies who install updates automatically for their customers can install the update as normal, and we’ll be working with other hosts to ensure that as many customers of theirs who can be automatically updated to WordPress 4.9.4 can be.

For more technical details of the issue, we’ve posted on our Core Development blog. For a full list of changes, consult the list of tickets.

Download WordPress 4.9.4 or visit Dashboard → Updates and click “Update Now.”

Subscribe to get new posts in your mailbox.

WordPress 4.9.3 Maintenance Release

WordPress 4.9.3 is now available.

This maintenance release fixes 34 bugs in 4.9, including fixes for Customizer changesets, widgets, visual editor, and PHP 7.2 compatibility. For a full list of changes, consult the list of tickets and the changelog.

Download WordPress 4.9.3 or visit Dashboard → Updates and click “Update Now.” Sites that support automatic background updates are already beginning to update automatically.

Subscribe to get new posts in your mailbox.

WordPress 4.9.2 Security and Maintenance Release

WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.

MediaElement has released a new version that contains a fix for the bug, and a WordPress plugin containing the fixed files is available in the plugin repository.

Thank you to the reporters of this issue for practicing responsible security disclosure: Enguerran Gillier and Widiz.

21 other bugs were fixed in WordPress 4.9.2. Particularly of note were:

JavaScript errors that prevented saving posts in Firefox have been fixed.
The previous taxonomy-agnostic behavior of get_category_link() and category_description() was restored.
Switching themes will now attempt to restore previous widget assignments, even when there are no sidebars to map.

The Codex has more information about all of the issues fixed in 4.9.2, if you’d like to learn more.

Download WordPress 4.9.2 or venture over to Dashboard ? Updates and click “Update Now.” Sites that support automatic background updates are already beginning to update automatically.

Subscribe to get new posts in your mailbox.

WordPress 4.9.1 Security and Maintenance Release

WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:

Use a properly generated hash for the newbloguser key instead of a determinate substring.
Add escaping to the language attributes used on html elements.
Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

Thank you to the reporters of these issues for practicing responsible security disclosure: Rahul Pratap Singh and John Blackbourn.

Eleven other bugs were fixed in WordPress 4.9.1. Particularly of note were:

Issues relating to the caching of theme template files.
A MediaElement JavaScript error preventing users of certain languages from being able to upload media files.
The inability to edit theme and plugin files on Windows based servers.

Download WordPress 4.9.1 or venture over to Dashboard → Updates and click “Update Now.” Sites that support automatic background updates are already beginning to update automatically.

Subscribe to get new posts in your mailbox.

WordPress 4.9 “Tipton”

Major Customizer Improvements, Code Error Checking, and More! ??

Version 4.9 of WordPress, named “Tipton” in honor of jazz musician and band leader Billy Tipton, is available for download or update in your WordPress dashboard. New features in 4.9 will smooth your design workflow and keep you safe from coding errors.

Featuring design drafts, scheduling, and locking, along with preview links, the Customizer workflow improves collaboration for content creators. What’s more, code syntax highlighting and error checking will make for a clean and smooth site building experience. Finally, if all that wasn’t pretty great, we’ve got an awesome new Gallery widget and improvements to theme browsing and switching.

Customizer Workflow Improved

Draft and Schedule Site Design Customizations

Yes, you read that right. Just like you can draft and revise posts and schedule them to go live on the date and time you choose, you can now tinker with your site’s design and schedule those design changes to go live as you please.

Collaborate with Design Preview Links

Need to get some feedback on proposed site design changes? WordPress 4.9 gives you a preview link you can send to colleagues and customers so that you can collect and integrate feedback before you schedule the changes to go live. Can we say collaboration++?

Design Locking Guards Your Changes

Ever encounter a scenario where two designers walk into a project and designer A overrides designer B’s beautiful changes? WordPress 4.9’s design lock feature (similar to post locking) secures your draft design so that no one can make changes to it or erase all your hard work.

A Prompt to Protect Your Work

Were you lured away from your desk before you saved your new draft design? Fear not, when you return, WordPress 4.9 will politely ask whether or not you’d like to save your unsaved changes.

Coding Enhancements

Syntax Highlighting and Error Checking? Yes, Please!

You’ve got a display problem but can’t quite figure out exactly what went wrong in the CSS you lovingly wrote. With syntax highlighting and error checking for CSS editing and the Custom HTML widget introduced in WordPress 4.8.1, you’ll pinpoint coding errors quickly. Practically guaranteed to help you scan code more easily, and suss out & fix code errors quickly.

Sandbox for Safety

The dreaded white screen. You’ll avoid it when working on themes and plugin code because WordPress 4.9 will warn you about saving an error. You’ll sleep better at night.

Warning: Potential Danger Ahead!

When you edit themes and plugins directly, WordPress 4.9 will politely warn you that this is a dangerous practice and will recommend that you draft and test changes before updating your file. Take the safe route: You’ll thank you. Your team and customers will thank you.

Even More Widget Updates

The New Gallery Widget

An incremental improvement to the media changes hatched in WordPress 4.8, you can now add a gallery via this new widget. Yes!

Press a Button, Add Media

Want to add media to your text widget? Embed images, video, and audio directly into the widget along with your text, with our simple but useful Add Media button. Woo!

Site Building Improvements

More Reliable Theme Switching

When you switch themes, widgets sometimes think they can just move location. Improvements in WordPress 4.9 offer more persistent menu and widget placement when you decide it’s time for a new theme.

Find and Preview the Perfect Theme

Looking for a new theme for your site? Now, from within the Customizer, you can search, browse, and preview over 2600 themes before deploying changes to your site. What’s more, you can speed your search with filters for subject, features, and layout.

Better Menu Instructions = Less Confusion

Were you confused by the steps to create a new menu? Perhaps no longer! We’ve ironed out the UX for a smoother menu creation process. Newly updated copy will guide you.

Lend a Hand with Gutenberg ??

WordPress is working on a new way to create and control your content and we’d love to have your help. Interested in being an early tester or getting involved with the Gutenberg project? Contribute on GitHub.

(PS: this post was written in Gutenberg!)

Developer Happiness ??

Customizer JS API Improvements

We’ve made numerous improvements to the Customizer JS API in WordPress 4.9, eliminating many pain points. (Hello, default parameters for constructs! Goodbye repeated ID for constructs!) There are also new base control templates, a date/time control, and section/panel/global notifications to name a few. Check out the full list.

CodeMirror available for use in your themes and plugins

We’ve introduced a new code editing library, CodeMirror, for use within core. CodeMirror allows for syntax highlighting, error checking, and validation when creating code writing or editing experiences within your plugins, like CSS or JavaScript include fields.

MediaElement.js upgraded to 4.2.6

WordPress 4.9 includes an upgraded version of MediaElement.js, which removes dependencies on jQuery, improves accessibility, modernizes the UI, and fixes many bugs.

Roles and Capabilities Improvements

New capabilities have been introduced that allow granular management of plugins and translation files. In addition, the site switching process in multisite has been fine-tuned to update the available roles and capabilities in a more reliable and coherent way.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.8.3 Security Release

WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Anthony Ferrara.

This release includes a change in behaviour for the esc_sql() function. Most developers will not be affected by this change, you can read more details in the developer note.

Thank you to the reporter of this issue for practicing responsible disclosure.

Download WordPress 4.8.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.3.

Subscribe to get new posts in your mailbox.

WordPress 4.8.2 Security and Maintenance Release

WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.1 and earlier are affected by these security issues:

$wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco
A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.8.2 contains 6 maintenance fixes to the 4.8 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.8.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.2.

Thanks to everyone who contributed to 4.8.2.

Subscribe to get new posts in your mailbox.

WordPress 4.8.1 Maintenance Release

After over 13 million downloads of WordPress 4.8, we are pleased to announce the immediate availability of WordPress 4.8.1, a maintenance release.

This release contains 29 maintenance fixes and enhancements, chief among them are fixes to the rich Text widget and the introduction of the Custom HTML widget. For a full list of changes, consult the release notes, the tickets closed, and the list of changes.

Download WordPress 4.8.1 or visit Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.1.

Subscribe to get new posts in your mailbox.

WordPress 4.8 “Evans”

An Update with You in Mind

Gear up for a more intuitive WordPress!

Version 4.8 of WordPress, named “Evans” in honor of jazz pianist and composer William John “Bill” Evans, is available for download or update in your WordPress dashboard. New features in 4.8 add more ways for you to express yourself and represent your brand.

Though some updates seem minor, they’ve been built by hundreds of contributors with you in mind. Get ready for new features you’ll welcome like an old friend: link improvements, three new media widgets covering images, audio, and video, an updated text widget that supports visual editing, and an upgraded news section in your dashboard which brings in nearby and upcoming WordPress events.

Exciting Widget Updates

Image Widget

Adding an image to a widget is now a simple task that is achievable for any WordPress user without needing to know code. Simply insert your image right within the widget settings. Try adding something like a headshot or a photo of your latest weekend adventure — and see it appear automatically.

Video Widget

A welcome video is a great way to humanize the branding of your website. You can now add any video from the Media Library to a sidebar on your site with the new Video widget. Use this to showcase a welcome video to introduce visitors to your site or promote your latest and greatest content.

Audio Widget

Are you a podcaster, musician, or avid blogger? Adding a widget with your audio file has never been easier. Upload your audio file to the Media Library, go to the widget settings, select your file, and you’re ready for listeners. This would be a easy way to add a more personal welcome message, too!

Rich Text Widget

This feature deserves a parade down the center of town! Rich-text editing capabilities are now native for Text widgets. Add a widget anywhere and format away. Create lists, add emphasis, and quickly and easily insert links. Have fun with your newfound formatting powers, and watch what you can accomplish in a short amount of time.

Link Boundaries

Have you ever tried updating a link, or the text around a link, and found you can’t seem to edit it correctly? When you edit the text after the link, your new text also ends up linked. Or you edit the text in the link, but your text ends up outside of it. This can be frustrating! With link boundaries, a great new feature, the process is streamlined and your links will work well. You’ll be happier. We promise.

Nearby WordPress Events

Did you know that WordPress has a thriving offline community with groups meeting regularly in more than 400 cities around the world? WordPress now draws your attention to the events that help you continue improving your WordPress skills, meet friends, and, of course, publish!

This is quickly becoming one of our favorite features. While you are in the dashboard (because you’re running updates and writing posts, right?) all upcoming WordCamps and official WordPress Meetups — local to you — will be displayed.

Being part of the community can help you improve your WordPress skills and network with people you wouldn’t otherwise meet. Now you can easily find your local events just by logging in to your dashboard and looking at the new Events and News dashboard widget.

Even More Developer Happiness ??

More Accessible Admin Panel Headings

New CSS rules mean extraneous content (like “Add New” links) no longer need to be included in admin-area headings. These panel headings improve the experience for people using assistive technologies.

Removal of Core Support for WMV and WMA Files

As fewer and fewer browsers support Silverlight, file formats which require the presence of the Silverlight plugin are being removed from core support. Files will still display as a download link, but will no longer be embedded automatically.

Multisite Updates

New capabilities have been introduced to 4.8 with an eye towards removing calls to
is_super_admin(). Additionally, new hooks and tweaks to more granularly control site and user counts per network have been added.

Text-Editor JavaScript API

With the addition of TinyMCE to the text widget in 4.8 comes a new JavaScript API for instantiating the editor after page load. This can be used to add an editor instance to any text area, and customize it with buttons and functions. Great for plugin authors!

Media Widgets API

The introduction of a new base media widget REST API schema to 4.8 opens up possibilities for even more media widgets (like galleries or playlists) in the future. The three new media widgets are powered by a shared base class that covers most of the interactions with the media modal. That class also makes it easier to create new media widgets and paves the way for more to come.

Customizer Width Variable

Rejoice! New responsive breakpoints have been added to the customizer sidebar to make it wider on high-resolution screens. Customizer controls should use percentage-based widths instead of pixels.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.7.5 Security and Maintenance Release

WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.4 and earlier are affected by six security issues:

Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.5 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.5.

Subscribe to get new posts in your mailbox.

WordPress 4.7.4 Maintenance Release

After almost sixty million downloads of WordPress 4.7, we are pleased to announce the immediate availability of WordPress 4.7.4, a maintenance release.

This release contains 47 maintenance fixes and enhancements, chief among them an incompatibility between the upcoming Chrome version and the visual editor, inconsistencies in media handling, and further improvements to the REST API. For a full list of changes, consult the release notes and the list of changes.

Download WordPress 4.7.4 or visit Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.4.

Subscribe to get new posts in your mailbox.

WordPress 4.7.3 Security and Maintenance Release

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.2 and earlier are affected by six security issues:

Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by TrigInc and xuliang.
Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas.
Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.3.

Subscribe to get new posts in your mailbox.

WordPress 4.7.2 Security Release

WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.1 and earlier are affected by three security issues:

The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.
An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. Reported by Marc-Alexandre Montpas of Sucuri Security. *

Thank you to the reporters of these issues for practicing responsible disclosure.

Download WordPress 4.7.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.

Thanks to everyone who contributed to 4.7.2.

* Update: An additional serious vulnerability was fixed in this release and public disclosure was delayed. For more information on this vulnerability, additional mitigation steps taken, and an explanation for why disclosure was delayed, please read Disclosure of Additional Security Fix in WordPress 4.7.2.

Subscribe to get new posts in your mailbox.

WordPress 4.7.1 Security and Maintenance Release

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7 and earlier are affected by eight security issues:

Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to Dawid Golunski and Paul Buonopane.
The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
Weak cryptographic security for multisite activation key. Reported by Jack.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.1.

Subscribe to get new posts in your mailbox.

WordPress 4.7 “Vaughan”

Version 4.7 of WordPress, named “Vaughan” in honor of legendary jazz vocalist Sarah “Sassy” Vaughan, is available for download or update in your WordPress dashboard. New features in 4.7 help you get your site set up the way you want it.

Presenting Twenty Seventeen

A brand new default theme brings your site to life with immersive featured images and video headers.

WordPress 4.7 “Vaughan”

Twenty Seventeen focuses on business sites and features a customizable front page with multiple sections. Personalize it with widgets, navigation, social menus, a logo, custom colors, and more. Our default theme for 2017 works great in many languages, on any device, and for a wide range of users.

Your Site, Your Way

WordPress 4.7 adds new features to the customizer to help take you through the initial setup of a theme, with non-destructive live previews of all your changes in one uninterrupted workflow.

Theme Starter Content

Video Player

00:00

00:20

To help give you a solid base to build from, individual themes can provide starter content that appears when you go to customize your brand new site. This can range from placing a business information widget in the best location to providing a sample menu with social icon links to a static front page complete with beautiful images. Don’t worry – nothing new will appear on the live site until you’re ready to save and publish your initial theme setup.

Edit Shortcuts

Video Player

00:00

00:07

Visible icons appear to show you which parts of your site can be customized while live previewing. Click on a shortcut and get straight to editing. Paired with starter content, getting started with customizing your site is faster than ever.

Video Headers

Video Player

00:00

00:10

Sometimes a big atmospheric video as a moving header image is just what you need to showcase your wares; go ahead and try it out with Twenty Seventeen. Need some video inspiration? Try searching for sites with video headers available for download and use.

Smoother Menu Building

Many menus for sites contain links to the pages of your site, but what happens when you don’t have any pages yet? Now you can add new pages while building menus instead of leaving the customizer and abandoning your changes. Once you’ve published your customizations, you’ll have new pages ready for you to fill with content.

Custom CSS

WordPress 4.7 “Vaughan”

Sometimes you just need a few visual tweaks to make your site perfect. WordPress 4.7 allows you to add custom CSS and instantly see how your changes affect your site. The live preview allows you to work quickly without page refreshes slowing you down.

PDF Thumbnail Previews

WordPress 4.7 “Vaughan”

Managing your document collection is easier with WordPress 4.7. Uploading PDFs will generate thumbnail images so you can more easily distinguish between all your documents.

Dashboard in your language

WordPress 4.7 “Vaughan”

Just because your site is in one language doesn’t mean that everybody helping manage it prefers that language for their admin. Add more languages to your site and a user language option will show up in your user’s profiles.

Introducing REST API Content Endpoints

WordPress 4.7 comes with REST API endpoints for posts, comments, terms, users, meta, and settings.

Content endpoints provide machine-readable external access to your WordPress site with a clear, standards-driven interface, paving the way for new and innovative methods of interacting with sites through plugins, themes, apps, and beyond. Ready to get started with development? Check out the REST API reference.

Even More Developer Happiness

Post Type Templates

By opening up the page template functionality to all post types, theme developers have even more flexibility with the WordPress template hierarchy.

More Theme API Goodies

WordPress 4.7 includes new functions, hooks, and behavior for theme developers.

Custom Bulk Actions

List tables, now with more than bulk edit and delete.

`WP_Hook`

The code that lies beneath actions and filters has been overhauled and modernized, fixing bugs along the way.

Settings Registration API

register_setting() has been enhanced to include type, description, and REST API visibility.

Customize Changesets

Customize changesets make changes in the customizer persistent, like autosave drafts. They also make exciting new features like starter content possible.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.6.1 Security and Maintenance Release

WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.6.1 fixes 15 bugs from 4.6. For more information, see the release notes or consult the list of changes.

Download WordPress 4.6.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.6.1.

Subscribe to get new posts in your mailbox.

WordPress 4.6 “Pepper”

Version 4.6 of WordPress, named “Pepper” in honor of jazz baritone saxophonist Park Frederick “Pepper” Adams III, is available for download or update in your WordPress dashboard. New features in 4.6 help you to focus on the important things while feeling more at home.

Streamlined Updates

WordPress 4.6 “Pepper”

Don’t lose your place: stay on the same page while you update, install, and delete your plugins and themes.

Native Fonts

WordPress 4.6 “Pepper”

The WordPress dashboard now takes advantage of the fonts you already have, making it load faster and letting you feel more at home on whatever device you use.

Editor Improvements

Inline Link Checker

WordPress 4.6 “Pepper”

Ever accidentally made a link to Now WordPress automatically checks to make sure you didn’t.

Content Recovery

WordPress 4.6 “Pepper”

As you type, WordPress saves your content to the browser. Recovering saved content is even easier with WordPress 4.6.

Under The Hood

Resource Hints

Resource hints help browsers decide which resources to fetch and preprocess. WordPress 4.6 adds them automatically for your styles and scripts making your site even faster.

Robust Requests

The HTTP API now leverages the Requests library, improving HTTP standard support and adding case-insensitive headers, parallel HTTP requests, and support for Internationalized Domain Names.

`WP_Term_Query` and `WP_Post_Type`

A new WP_Term_Query class adds flexibility to query term information while a new WP_Post_Type object makes interacting with post types more predictable.

Meta Registration API

The Meta Registration API has been expanded to support types, descriptions, and REST API visibility.

Translations On Demand

WordPress will install and use the newest language packs for your plugins and themes as soon as they’re available from WordPress.org’s community of translators.

JavaScript Library Updates

Masonry 3.3.2, imagesLoaded 3.2.0, MediaElement.js 2.22.0, TinyMCE 4.4.1, and Backbone.js 1.3.3 are bundled.

Customizer APIs for Setting Validation and Notifications

Settings now have an API for enforcing validation constraints. Likewise, customizer controls now support notifications, which are used to display validation errors instead of failing silently.

Multisite, now faster than ever

Cached and comprehensive site queries improve your network admin experience. The addition of WP_Site_Query and WP_Network_Query help craft advanced queries with less effort.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.5.3 Maintenance and Security Release

WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen from the Wordfence Research Team; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.5.3 fixes 17 bugs from 4.5, 4.5.1 and 4.5.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.5.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.5.3.

Subscribe to get new posts in your mailbox.

WordPress 4.5.2 Security Release

WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.

Both issues were analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53. Thanks to the team for practicing responsible disclosure, and to the Plupload and MediaElement.js teams for working closely with us to coordinate and fix these issues.

Download WordPress 4.5.2 or venture over to Dashboard ? Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.5.2.

Subscribe to get new posts in your mailbox.

WordPress 4.5.1 Maintenance Release

After about six million downloads of WordPress 4.5, we are pleased to announce the immediate availability of WordPress 4.5.1, a maintenance release.

We strongly encourage you to update your sites immediately.

This release fixes 12 bugs, chief among them a singular class issue that broke sites based on the Twenty Eleven theme, an incompatibility between certain Chrome versions and the visual editor, and an Imagick bug that could break media uploads. This maintenance release fixes a total of 12 bugs in Version 4.5. For more information, see the release notes or consult the list of changes.

Subscribe to get new posts in your mailbox.

WordPress 4.5 “Coleman”

Version 4.5 of WordPress, named “Coleman” in honor of jazz saxophonist Coleman Hawkins, is available for download or update in your WordPress dashboard. New features in 4.5 help streamline your workflow, whether you’re writing or building your site.

Editing Improvements

illustration-short-inlinelinks

Inline Linking

Stay focused on your writing with a less distracting interface that keeps you in place and allows you to easily link to your content.

editing-shortcuts-big

Formatting Shortcuts

Do you enjoy using formatting shortcuts for lists and headings? Now they’re even more useful, with horizontal lines and <code>.

Customization Improvements

illustration-short-responsive-preview

Live Responsive Previews

Make sure your site looks great on all screens! Preview mobile, tablet, and desktop views directly in the customizer.

WordPress 4.5 “Coleman”

Custom Logos

Themes can now support logos for your business or brand. Try it out with Twenty Sixteen and Twenty Fifteen in the Site Identity section of the customizer.

Under the Hood

Smart Image Resizing

Generated images now load up to 50% faster with no noticeable quality loss. It’s really cool.

Selective Refresh

The customizer now supports a comprehensive framework for rendering parts of the preview without rewriting your PHP code in JavaScript.

Script Loader Improvements

Better support has been added for script header/footer dependencies. New wp_add_inline_script() enables adding extra code to registered scripts.

Better Embed Templates

Embed templates have been split into parts and can be directly overridden by themes via the template hierarchy.

JavaScript Library Updates

jQuery 1.12.3, jQuery Migrate 1.4.0, Backbone 1.2.3, and Underscore 1.8.3 are bundled.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.4.2 Security and Maintenance Release

WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4.1 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised.

For more details about what was fixed check out the details.

Subscribe to get new posts in your mailbox.

WordPress 4.4.1 Security and Maintenance Release

WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised.

For more details about what was fixed check out the details.

Subscribe to get new posts in your mailbox.

Graph Paper Press

Graph Paper Press is a small team of web designers and developers based in Brooklyn, NY who build graphically minimal WordPress themes for photographers, artists and entrepreneurs. Their content-rich designs allow you to create a blog, build a portfolio and sell your photography or artwork online in one place! They offer a variety of free WordPress themes and premium WordPress themes that cater specifically to the needs of creatives. Getting started is easy:

Register an account with Graph Paper Press.
Browse and find a theme you love!
Download it and follow the installation instructions!

Effortless Customization

Graph Paper Press has dozens of WordPress themes and plugins that are both easy to use and customize. Their themes allow you to change fonts, colors, backgrounds, headers, menus, insert logos and create slideshows so that your site is exactly what you want it to be.

E-Commerce Ready

Graph Paper Press also makes a free plugin called Sell Media that allows you to sell photos, prints and other media directly through your WordPress site. Coupled with its many extensions, Sell Media becomes an easy platform through which you can track sales, calculate commissions, protect your work and connect with your customers. It’s a sure-fire way to create and manage a photography business through WordPress. Install Sell Media and voila! You’re running a business!

Final Words…

Sometimes things just don’t work out, and that’s okay. Graph Paper Press offers a 30-day, money-back guarantee on all of their products.

Use this coupon code and save 25%

SAVE25TODAY

Get Started Now

WordPress 4.3 “Billie”

Version 4.3 of WordPress, named “Billie” in honor of jazz singer Billie Holiday, is available for download or update in your WordPress dashboard. New features in 4.3 make it even easier to format your content and customize your site.

Menus in the Customizer

Create your menu, update it, and assign it, all while live-previewing in the customizer. The streamlined customizer design provides a mobile-friendly and accessible interface. With every release, it becomes easier and faster to make your site just the way you want it.

Formatting Shortcuts

Video Player

Your writing flow just got faster with new formatting shortcuts in WordPress 4.3. Use asterisks to create lists and number signs to make a heading. No more breaking your flow; your text looks great with a * and a #.

Site Icons

Site icons represent your site in browser tabs, bookmark menus, and on the home screen of mobile devices. Add your unique site icon in the customizer; it will even stay in place when you switch themes. Make your whole site reflect your brand.

Better Passwords

Keep your site more secure with WordPress’ improved approach to passwords. Instead of receiving passwords via email, you’ll get a password reset link. When you add new users to your site or edit a user profile, WordPress will automatically generate a secure password.

Other improvements

A smoother admin experience – Refinements to the list view across the admin make your WordPress more accessible and easier to work with on any device.
Comments turned off on pages – All new pages that you create will have comments turned off. Keep discussions to your blog, right where they’re supposed to happen.
Customize your site quickly – Wherever you are on the front-end, you can click the customize link in the toolbar to swiftly make changes to your site.

The Team

Special thanks go to Siobhan McKeown for producing the release video, Hugo Baeta for the design, and Jack Lenox for the voice-over.

Finally, thanks to all of the contributors who provided subtitles for the release video, which at last count had been translated into 30 languages!

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.4!

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.2.4 Security and Maintenance Release

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.4 or venture over to Dashboard ? Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.4.

Already testing WordPress 4.3? The second release candidate is now available (zip) and it contains these fixes. For more on 4.3, see the RC 1 announcement post.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.2.3 Security and Maintenance Release

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.3 or venture over to Dashboard ? Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.3.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.2.2 Security and Maintenance Release

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Version 4.2.2 addresses two security issues:

The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi.

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.2 or venture over to Dashboard ? Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.2.1 Security Release

WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard ? Updates and simply click “Update Now”.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.2 “Powell”

Version 4.2 of WordPress, named “Powell” in honor of jazz pianist Bud Powell, is available for download or update in your WordPress dashboard. New features in 4.2 help you communicate and share, globally.

Introducing WordPress 4.2 “Powell”

An easier way to share content

Clip it, edit it, publish it. Get familiar with the new and improved Press This. From the Tools menu, add Press This to your browser bookmark bar or your mobile device home screen. Once installed you can share your content with lightning speed. Sharing your favorite videos, images, and content has never been this fast or this easy.

Extended character support

Writing in WordPress, whatever your language, just got better. WordPress 4.2 supports a host of new characters out-of-the-box, including native Chinese, Japanese, and Korean characters, musical and mathematical symbols, and hieroglyphs.

Don’t use any of those characters? You can still have fun — emoji are now available in WordPress! Get creative and decorate your content with ??, ??, ??, ??, and all the many other emoji.

Switch themes in the Customizer

Browse and preview your installed themes from the Customizer. Make sure the theme looks great with your content, before it debuts on your site.

Even more embeds

Paste links from Tumblr.com and Kickstarter and watch them magically appear right in the editor. With every release, your publishing and editing experience get closer together.

Streamlined plugin updates

Goodbye boring loading screen, hello smooth and simple plugin updates. ClickUpdate Now and watch the magic happen.

Under the Hood

utf8mb4 support

Database character encoding has changed from utf8 to utf8mb4, which adds support for a whole range of new 4-byte characters.

JavaScript accessibility

You can now send audible notifications to screen readers in JavaScript withwp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.

Shared term splitting

Terms shared across multiple taxonomies will be split when one of them is updated. Find out more in the Plugin Developer Handbook.

Complex query ordering

WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.

Special thanks go to Siobhan McKeown for producing the release video and Cami Kaos for the voice-over.

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.3!

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.1.2 Security Release

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, andAndrew Nacin of the WordPress security team.

We also fixed three other security issues:

In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati,Allan Collins and Marc-Alexandre Montpas.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.1.2 or venture over to Dashboard ? Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.

Already testing WordPress 4.2? The third release candidate is now available (zip) and it contains these fixes. For more on 4.2, see the RC 1 announcement post.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.1 “Dinah”

Version 4.1 of WordPress, named “Dinah” in honor of jazz singer Dinah Washington, is available for download or update in your WordPress dashboard. New features in WordPress 4.1 help you focus on your writing, and the new default theme lets you show it off in style.

Introducing Twenty Fifteen

Our newest default theme, Twenty Fifteen, is a blog-focused theme designed for clarity.

Twenty Fifteen has flawless language support, with help from Google’s Noto font family.

The straightforward typography is readable on any screen size.

Your content always takes center stage, whether viewed on a phone, tablet, laptop, or desktop computer.

Distraction-free writing

Just write.

Sometimes, you just need to concentrate on putting your thoughts into words. Try turning on distraction-free writing mode. When you start typing, all the distractions will fade away, letting you focus solely on your writing. All your editing tools instantly return when you need them.

The Finer Points

Choose a language

Right now, WordPress 4.1 is already translated into over forty languages, with more always in progress. You can switch to any translation on the General Settings screen.

Log out everywhere

If you’ve ever worried you forgot to sign out from a shared computer, you can now go to your profile and log out everywhere.

Vine embeds

Embedding videos from Vine is as simple as pasting a URL onto its own line in a post. See the full list of supported embeds.

Plugin recommendations

The plugin installer suggests plugins for you to try. Recommendations are based on the plugins you and other users have installed.

Under the Hood

Complex Queries

Metadata, date, and term queries now support advanced conditional logic, like nested clauses and multiple operators — A AND ( B OR C ).

Customizer API

The customizer now supports conditionally showing panels and sections based on the page being previewed.

`<title>` tags in themes

add_theme_support( 'title-tag' ) tells WordPress to handle the complexities of document titles.

Developer Reference

Continued improvements to inline code documentation have made the developer reference more complete than ever.

The Choir

This release was led by John Blackbourn, with the help of these awesome folks.

There were 283 contributors to this release, again a new high.

If you want to help out or follow along, check out Make WordPress and our core development blog.

Thanks for choosing WordPress. Happy holidays and see you next year for version 4.2!

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.0.1 Security Release

WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours. If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure. (We don’t support older versions, so please update to 4.0.1 for the latest and greatest.)

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Jouko Pynnonen. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:

Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
A cross-site request forgery that could be used to trick a user into changing their password.
An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavkovic of ManageWP.

Version 4.0.1 also fixes 23 bugs with 4.0, and we’ve made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos. Reported by Chris Andrè Dale.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.0.1 or venture over to Dashboard ? Updates and simply click “Update Now”.

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 4.0 “Benny”

Version 4.0 of WordPress, named “Benny” in honor of jazz clarinetist and bandleaderBenny Goodman, is available for download or update in your WordPress dashboard. While 4.0 is just another number for us after 3.9 and before 4.1, we feel we’ve put a little extra polish into it. This release brings you a smoother writing and management experience we think you’ll enjoy.

Introducing WordPress 4.0 “Benny”

Manage your media with style

Media Library Explore your uploads in a beautiful, endless grid. A new details preview makes viewing and editing any amount of media in sequence a snap.

Working with embeds has never been easier

Paste in a YouTube URL on a new line, and watch it magically become an embedded video. Now try it with a tweet. Oh yeah — embedding has become a visual experience. The editor shows a true preview of your embedded content, saving you time and giving you confidence.

We’ve expanded the services supported by default, too — you can embed videos from CollegeHumor, playlists from YouTube, and talks from TED. Check out all of the embeds that WordPress supports.

Focus on your content

Writing and editing is smoother and more immersive with an editor that expands to fit your content as you write, and keeps the formatting tools available at all times.

Finding the right plugin

Add plugins

There are more than 30,000 free and open source plugins in the WordPress plugin directory. WordPress 4.0 makes it easier to find the right one for your needs, with new metrics, improved search, and a more visual browsing experience.

The Ensemble

This release was led by Helen Hou-Sandí, with the help of these fine individuals.

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.1!

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 3.9.2 Security Release

WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.

This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated joint security releases.

WordPress 3.9.2 also contains other security changes:

Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

We appreciated responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 3.9.2 or venture over to Dashboard ? Updates and simply click “Update Now”.

Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. (If you are still on WordPress 3.8.3 or 3.7.3, you will also be updated to 3.8.4 or 3.7.4. We don’t support older versions, so please update to 3.9.2 for the latest and greatest.)

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 3.9.1 Maintenance Release

After three weeks and more than 9 million downloads of WordPress 3.9, we’re pleased to announce that WordPress 3.9.1 is now available.

We strongly encourage you to update your sites immediately.

This maintenance release fixes 34 bugs in 3.9, including numerous fixes for multisite networks, customizing widgets while previewing themes, and the updated visual editor. We’ve also made some improvements to the new audio/video playlists feature and made some adjustments to improve performance. For a full list of changes, consult the list of tickets and the changelog.

If you are one of the millions already running WordPress 3.9, we’ve started rolling out automatic background updates for 3.9.1. For sites that support them, of course.

Download WordPress 3.9.1 or venture over to Dashboard ? Updates and simply click “Update Now.”

Reposted from WordPress.org

Subscribe to get new posts in your mailbox.

WordPress 3.9 “Smith”

Version 3.9 of WordPress, named “Smith” in honor of jazz organist Jimmy Smith, is available for download or update in your WordPress dashboard. This release features a number of refinements that we hope you’ll love.

A smoother media editing experience

Improved visual editing

The updated visual editor has improved speed, accessibility, and mobile support. You can paste into the visual editor from your word processor without wasting time to clean up messy styling. (Yeah, we’re talking about you, Microsoft Word.)

Edit images easily

With quicker access to crop and rotation tools, it’s now much easier to edit your images while editing posts. You can also scale images directly in the editor to find just the right fit.

Drag and drop your images

Uploading your images is easier than ever. Just grab them from your desktop and drop them in the editor.

Gallery previews

Galleries display a beautiful grid of images right in the editor, just like they do in your published post.

Do more with audio and video

“Ain’t Misbehavin’”LOUIS ARMSTRONG