WordPress 4.8.2 Security and Maintenance Release

WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.1 and earlier are affected by these security issues:

  1. $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco.
  2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
  3. A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
  4. A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
  5. A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
  6. An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
  7. A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
  8. A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
  9. A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.8.2 contains 6 maintenance fixes to the 4.8 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.8.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.2.

Thanks to everyone who contributed to 4.8.2.

WordPress 4.8 “Evans”

An Update with You in Mind

Gear up for a more intuitive WordPress!

Version 4.8 of WordPress, named “Evans” in honor of jazz pianist and composer William John “Bill” Evans, is available for download or update in your WordPress dashboard. New features in 4.8 add more ways for you to express yourself and represent your brand.

Though some updates seem minor, they’ve been built by hundreds of contributors with you in mind. Get ready for new features you’ll welcome like an old friend: link improvements, three new media widgets covering images, audio, and video, an updated text widget that supports visual editing, and an upgraded news section in your dashboard which brings in nearby and upcoming WordPress events.


Exciting Widget Updates

Image Widget

Adding an image to a widget is now a simple task that is achievable for any WordPress user without needing to know code. Simply insert your image right within the widget settings. Try adding something like a headshot or a photo of your latest weekend adventure — and see it appear automatically.

Video Widget

A welcome video is a great way to humanize the branding of your website. You can now add any video from the Media Library to a sidebar on your site with the new Video widget. Use this to showcase a welcome video to introduce visitors to your site or promote your latest and greatest content.

Audio Widget

Are you a podcaster, musician, or avid blogger? Adding a widget with your audio file has never been easier. Upload your audio file to the Media Library, go to the widget settings, select your file, and you’re ready for listeners. This would be an easy way to add a more personal welcome message, too!

Rich Text Widget

This feature deserves a parade down the center of town! Rich-text editing capabilities are now native for Text widgets. Add a widget anywhere and format away. Create lists, add emphasis, and quickly and easily insert links. Have fun with your newfound formatting powers, and watch what you can accomplish in a short amount of time.


Link Boundaries

Have you ever tried updating a link, or the text around a link, and found you can’t seem to edit it correctly? When you edit the text after the link, your new text also ends up linked. Or you edit the text in the link, but your text ends up outside of it. This can be frustrating! With link boundaries, a great new feature, the process is streamlined and your links will work well. You’ll be happier. We promise.


Nearby WordPress Events

Did you know that WordPress has a thriving offline community with groups meeting regularly in more than 400 cities around the world? WordPress now draws your attention to the events that help you continue improving your WordPress skills, meet friends, and, of course, publish!

This is quickly becoming one of our favorite features. While you are in the dashboard (because you’re running updates and writing posts, right?) all upcoming WordCamps and official WordPress Meetups — local to you — will be displayed.

Being part of the community can help you improve your WordPress skills and network with people you wouldn’t otherwise meet. Now you can easily find your local events just by logging in to your dashboard and looking at the new Events and News dashboard widget.


Even More Developer Happiness 😊

More Accessible Admin Panel Headings

New CSS rules mean extraneous content (like “Add New” links) no longer need to be included in admin-area headings. These panel headings improve the experience for people using assistive technologies.

Removal of Core Support for WMV and WMA Files

As fewer and fewer browsers support Silverlight, file formats which require the presence of the Silverlight plugin are being removed from core support. Files will still display as a download link, but will no longer be embedded automatically.

Multisite Updates

New capabilities have been introduced to 4.8 with an eye towards removing calls to is_super_admin(). Additionally, new hooks and tweaks to more granularly control site and user counts per network have been added.

Text-Editor JavaScript API

With the addition of TinyMCE to the text widget in 4.8 comes a new JavaScript API for instantiating the editor after page load. This can be used to add an editor instance to any text area, and customize it with buttons and functions. Great for plugin authors!

Media Widgets API

The introduction of a new base media widget REST API schema to 4.8 opens up possibilities for even more media widgets (like galleries or playlists) in the future. The three new media widgets are powered by a shared base class that covers most of the interactions with the media modal. That class also makes it easier to create new media widgets and paves the way for more to come.

Customizer Width Variable

Rejoice! New responsive breakpoints have been added to the customizer sidebar to make it wider on high-resolution screens. Customizer controls should use percentage-based widths instead of pixels.

Reposted from WordPress.org

WordPress 4.7.5 Security and Maintenance Release

WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.4 and earlier are affected by six security issues:

  1. Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
  2. Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
  3. Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
  4. A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
  5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
  6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.5 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.5.

WordPress 4.7.3 Security and Maintenance Release

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.2 and earlier are affected by six security issues:

  1. Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
  2. Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
  3. Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by TrigInc and xuliang.
  4. Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas.
  5. Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
  6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.3.

WordPress 4.7.2 Security Release

WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.1 and earlier are affected by three security issues:

  1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
  2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.
  4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. Reported by Marc-Alexandre Montpas of Sucuri Security. *

Thank you to the reporters of these issues for practicing responsible disclosure.

Download WordPress 4.7.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.

Thanks to everyone who contributed to 4.7.2.

* Update: An additional serious vulnerability was fixed in this release and public disclosure was delayed. For more information on this vulnerability, additional mitigation steps taken, and an explanation for why disclosure was delayed, please read Disclosure of Additional Security Fix in WordPress 4.7.2.

WordPress 4.7.1 Security and Maintenance Release

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7 and earlier are affected by eight security issues:

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to Dawid Golunski and Paul Buonopane.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
  5. Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
  6. Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
  8. Weak cryptographic security for multisite activation key. Reported by Jack.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.1.

WordPress 4.7 “Vaughan”

Version 4.7 of WordPress, named “Vaughan” in honor of legendary jazz vocalist Sarah “Sassy” Vaughan, is available for download or update in your WordPress dashboard. New features in 4.7 help you get your site set up the way you want it.


Presenting Twenty Seventeen

A brand new default theme brings your site to life with immersive featured images and video headers.

Twenty Seventeen focuses on business sites and features a customizable front page with multiple sections. Personalize it with widgets, navigation, social menus, a logo, custom colors, and more. Our default theme for 2017 works great in many languages, on any device, and for a wide range of users.


Your Site, Your Way

WordPress 4.7 adds new features to the customizer to help take you through the initial setup of a theme, with non-destructive live previews of all your changes in one uninterrupted workflow.

Theme Starter Content

To help give you a solid base to build from, individual themes can provide starter content that appears when you go to customize your brand new site. This can range from placing a business information widget in the best location to providing a sample menu with social icon links to a static front page complete with beautiful images. Don’t worry – nothing new will appear on the live site until you’re ready to save and publish your initial theme setup.

Edit Shortcuts

Visible icons appear to show you which parts of your site can be customized while live previewing. Click on a shortcut and get straight to editing. Paired with starter content, getting started with customizing your site is faster than ever.

Video Headers

Sometimes a big atmospheric video as a moving header image is just what you need to showcase your wares; go ahead and try it out with Twenty Seventeen. Need some video inspiration? Try searching for sites with video headers available for download and use.

Smoother Menu Building

Many menus for sites contain links to the pages of your site, but what happens when you don’t have any pages yet? Now you can add new pages while building menus instead of leaving the customizer and abandoning your changes. Once you’ve published your customizations, you’ll have new pages ready for you to fill with content.

Custom CSS

Sometimes you just need a few visual tweaks to make your site perfect. WordPress 4.7 allows you to add custom CSS and instantly see how your changes affect your site. The live preview allows you to work quickly without page refreshes slowing you down.


PDF Thumbnail Previews

Managing your document collection is easier with WordPress 4.7. Uploading PDFs will generate thumbnail images so you can more easily distinguish between all your documents.

Dashboard in your language

Just because your site is in one language doesn’t mean that everybody helping manage it prefers that language for their admin. Add more languages to your site and a user language option will show up in your user’s profiles.


Introducing REST API Content Endpoints

WordPress 4.7 comes with REST API endpoints for posts, comments, terms, users, meta, and settings.

Content endpoints provide machine-readable external access to your WordPress site with a clear, standards-driven interface, paving the way for new and innovative methods of interacting with sites through plugins, themes, apps, and beyond. Ready to get started with development? Check out the REST API reference.


Even More Developer Happiness 😊

Post Type Templates

By opening up the page template functionality to all post types, theme developers have even more flexibility with the WordPress template hierarchy.

More Theme API Goodies

WordPress 4.7 includes new functions, hooks, and behavior for theme developers.

Custom Bulk Actions

List tables, now with more than bulk edit and delete.

WP_Hook

The code that lies beneath actions and filters has been overhauled and modernized, fixing bugs along the way.

Settings Registration API

register_setting() has been enhanced to include type, description, and REST API visibility.

Customize Changesets

Customize changesets make changes in the customizer persistent, like autosave drafts. They also make exciting new features like starter content possible.

Reposted from WordPress.org

WordPress 4.6.1 Security and Maintenance Release

WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.6.1 fixes 15 bugs from 4.6. For more information, see the release notes or consult the list of changes.

Download WordPress 4.6.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.6.1.

WordPress 4.6 “Pepper”

Version 4.6 of WordPress, named “Pepper” in honor of jazz baritone saxophonist Park Frederick “Pepper” Adams III, is available for download or update in your WordPress dashboard. New features in 4.6 help you to focus on the important things while feeling more at home.


Streamlined Updates

Don’t lose your place: stay on the same page while you update, install, and delete your plugins and themes.


Native Fonts

The WordPress dashboard now takes advantage of the fonts you already have, making it load faster and letting you feel more at home on whatever device you use.


Editor Improvements

Inline Link Checker

Ever accidentally made a link to Now WordPress automatically checks to make sure you didn’t.

Content Recovery

As you type, WordPress saves your content to the browser. Recovering saved content is even easier with WordPress 4.6.


Under The Hood

Resource Hints

Resource hints help browsers decide which resources to fetch and preprocess. WordPress 4.6 adds them automatically for your styles and scripts making your site even faster.

Robust Requests

The HTTP API now leverages the Requests library, improving HTTP standard support and adding case-insensitive headers, parallel HTTP requests, and support for Internationalized Domain Names.

WP_Term_Query and WP_Post_Type

A new WP_Term_Query class adds flexibility to query term information while a new WP_Post_Type object makes interacting with post types more predictable.

Meta Registration API

The Meta Registration API has been expanded to support types, descriptions, and REST API visibility.

Translations On Demand

WordPress will install and use the newest language packs for your plugins and themes as soon as they’re available from WordPress.org’s community of translators.

JavaScript Library Updates

Masonry 3.3.2, imagesLoaded 3.2.0, MediaElement.js 2.22.0, TinyMCE 4.4.1, and Backbone.js 1.3.3 are bundled.

Customizer APIs for Setting Validation and Notifications

Settings now have an API for enforcing validation constraints. Likewise, customizer controls now support notifications, which are used to display validation errors instead of failing silently.

Multisite, now faster than ever

Cached and comprehensive site queries improve your network admin experience. The addition of WP_Site_Query and WP_Network_Query help craft advanced queries with less effort.

Reposted from WordPress.org

WordPress 4.5.3 Maintenance and Security Release

WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen from the Wordfence Research Team; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.5.3 fixes 17 bugs from 4.5, 4.5.1 and 4.5.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.5.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.5.3.

WordPress 4.5.2 Security Release

WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.

Both issues were analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53. Thanks to the team for practicing responsible disclosure, and to the Plupload and MediaElement.js teams for working closely with us to coordinate and fix these issues.

Download WordPress 4.5.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.5.2.

WordPress 4.5.1 Maintenance Release

After about six million downloads of WordPress 4.5, we are pleased to announce the immediate availability of WordPress 4.5.1, a maintenance release.

We strongly encourage you to update your sites immediately.

This release fixes 12 bugs, chief among them a singular class issue that broke sites based on the Twenty Eleven theme, an incompatibility between certain Chrome versions and the visual editor, and an Imagick bug that could break media uploads. This maintenance release fixes a total of 12 bugs in Version 4.5. For more information, see the release notes or consult the list of changes.

WordPress 4.5 “Coleman”

Version 4.5 of WordPress, named “Coleman” in honor of jazz saxophonist Coleman Hawkins, is available for download or update in your WordPress dashboard. New features in 4.5 help streamline your workflow, whether you’re writing or building your site.


Editing Improvements

Inline Linking

Stay focused on your writing with a less distracting interface that keeps you in place and allows you to easily link to your content.

Formatting Shortcuts

Do you enjoy using formatting shortcuts for lists and headings? Now they’re even more useful, with horizontal lines and <code>.


Customization Improvements

Live Responsive Previews

Make sure your site looks great on all screens! Preview mobile, tablet, and desktop views directly in the customizer.

Custom Logos

Themes can now support logos for your business or brand. Try it out with Twenty Sixteen and Twenty Fifteen in the Site Identity section of the customizer.


Under the Hood

Smart Image Resizing

Generated images now load up to 50% faster with no noticeable quality loss. It’s really cool.

Selective Refresh

The customizer now supports a comprehensive framework for rendering parts of the preview without rewriting your PHP code in JavaScript.

Script Loader Improvements

Better support has been added for script header/footer dependencies. New wp_add_inline_script() enables adding extra code to registered scripts.

Better Embed Templates

Embed templates have been split into parts and can be directly overridden by themes via the template hierarchy.

JavaScript Library Updates

jQuery 1.12.3, jQuery Migrate 1.4.0, Backbone 1.2.3, and Underscore 1.8.3 are bundled.

Reposted from WordPress.org

WordPress 4.4.2 Security and Maintenance Release

WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4.1 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised.

For more details about what was fixed check out the details.

WordPress 4.4.1 Security and Maintenance Release

WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised.

For more details about what was fixed check out the details.

WordPress 4.3 “Billie”

Version 4.3 of WordPress, named “Billie” in honor of jazz singer Billie Holiday, is available for download or update in your WordPress dashboard. New features in 4.3 make it even easier to format your content and customize your site.


Menus in the Customizer

Create your menu, update it, and assign it, all while live-previewing in the customizer. The streamlined customizer design provides a mobile-friendly and accessible interface. With every release, it becomes easier and faster to make your site just the way you want it.


Formatting Shortcuts

Your writing flow just got faster with new formatting shortcuts in WordPress 4.3. Use asterisks to create lists and number signs to make a heading. No more breaking your flow; your text looks great with a * and a #.


Site Icons

Site icons represent your site in browser tabs, bookmark menus, and on the home screen of mobile devices. Add your unique site icon in the customizer; it will even stay in place when you switch themes. Make your whole site reflect your brand.


Better Passwords

Keep your site more secure with WordPress’ improved approach to passwords. Instead of receiving passwords via email, you’ll get a password reset link. When you add new users to your site or edit a user profile, WordPress will automatically generate a secure password.


Other improvements

  • A smoother admin experience – Refinements to the list view across the admin make your WordPress more accessible and easier to work with on any device.
  • Comments turned off on pages – All new pages that you create will have comments turned off. Keep discussions to your blog, right where they’re supposed to happen.
  • Customize your site quickly – Wherever you are on the front-end, you can click the customize link in the toolbar to swiftly make changes to your site.

The Team

Special thanks go to Siobhan McKeown for producing the release video, Hugo Baeta for the design, and Jack Lenox for the voice-over.

Finally, thanks to all of the contributors who provided subtitles for the release video, which at last count had been translated into 30 languages!

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.4!

Reposted from WordPress.org

WordPress 4.2.4 Security and Maintenance Release

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.4 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.4.

Already testing WordPress 4.3? The second release candidate is now available (zip) and it contains these fixes. For more on 4.3, see the RC 1 announcement post.

Reposted from WordPress.org

WordPress 4.2.3 Security and Maintenance Release

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.3.

Reposted from WordPress.org

WordPress 4.2.2 Security and Maintenance Release

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Version 4.2.2 addresses two security issues:

  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi.

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.

Reposted from WordPress.org

WordPress 4.2.1 Security Release

WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.

Reposted from WordPress.org

WordPress 4.2 “Powell”

Version 4.2 of WordPress, named “Powell” in honor of jazz pianist Bud Powell, is available for download or update in your WordPress dashboard. New features in 4.2 help you communicate and share, globally.

Introducing WordPress 4.2 “Powell”

An easier way to share content

Clip it, edit it, publish it. Get familiar with the new and improved Press This. From the Tools menu, add Press This to your browser bookmark bar or your mobile device home screen. Once installed you can share your content with lightning speed. Sharing your favorite videos, images, and content has never been this fast or this easy.


Extended character support

Writing in WordPress, whatever your language, just got better. WordPress 4.2 supports a host of new characters out-of-the-box, including native Chinese, Japanese, and Korean characters, musical and mathematical symbols, and hieroglyphs.

Don’t use any of those characters? You can still have fun — emoji are now available in WordPress! Get creative and decorate your content with all the many emoji.


 

Switch themes in the Customizer

Browse and preview your installed themes from the Customizer. Make sure the theme looks great with your content, before it debuts on your site.

 

Even more embeds

Paste links from Tumblr.com and Kickstarter and watch them magically appear right in the editor. With every release, your publishing and editing experience get closer together.

 

Streamlined plugin updates

Goodbye boring loading screen, hello smooth and simple plugin updates. Click Update Now and watch the magic happen.


Under the Hood

utf8mb4 support

Database character encoding has changed from utf8 to utf8mb4, which adds support for a whole range of new 4-byte characters.

JavaScript accessibility

You can now send audible notifications to screen readers in JavaScript with wp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.

Shared term splitting

Terms shared across multiple taxonomies will be split when one of them is updated. Find out more in the Plugin Developer Handbook.

Complex query ordering

WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.


Special thanks go to Siobhan McKeown for producing the release video and Cami Kaos for the voice-over.

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.3!

Reposted from WordPress.org

WordPress 4.1.2 Security Release

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.

We also fixed three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins and Marc-Alexandre Montpas.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.

Already testing WordPress 4.2? The third release candidate is now available (zip) and it contains these fixes. For more on 4.2, see the RC 1 announcement post.

Reposted from WordPress.org

WordPress 4.1 “Dinah”

Version 4.1 of WordPress, named “Dinah” in honor of jazz singer Dinah Washington, is available for download or update in your WordPress dashboard. New features in WordPress 4.1 help you focus on your writing, and the new default theme lets you show it off in style.


Introducing Twenty Fifteen

Our newest default theme, Twenty Fifteen, is a blog-focused theme designed for clarity.

Twenty Fifteen has flawless language support, with help from Google’s Noto font family.

The straightforward typography is readable on any screen size.

Your content always takes center stage, whether viewed on a phone, tablet, laptop, or desktop computer.


Distraction-free writing

Just write.

Sometimes, you just need to concentrate on putting your thoughts into words. Try turning on distraction-free writing mode. When you start typing, all the distractions will fade away, letting you focus solely on your writing. All your editing tools instantly return when you need them.


The Finer Points

Choose a language

Right now, WordPress 4.1 is already translated into over forty languages, with more always in progress. You can switch to any translation on the General Settings screen.

Log out everywhere

If you’ve ever worried you forgot to sign out from a shared computer, you can now go to your profile and log out everywhere.

Vine embeds

Embedding videos from Vine is as simple as pasting a URL onto its own line in a post. See the full list of supported embeds.

Plugin recommendations

The plugin installer suggests plugins for you to try. Recommendations are based on the plugins you and other users have installed.


Under the Hood

Complex Queries

Metadata, date, and term queries now support advanced conditional logic, like nested clauses and multiple operators — A AND ( B OR C ).

Customizer API

The customizer now supports conditionally showing panels and sections based on the page being previewed.

<title> tags in themes

add_theme_support( 'title-tag' ) tells WordPress to handle the complexities of document titles.

Developer Reference

Continued improvements to inline code documentation have made the developer reference more complete than ever.


The Choir

This release was led by John Blackbourn, with the help of these awesome folks.

There were 283 contributors to this release, again a new high.

If you want to help out or follow along, check out Make WordPress and our core development blog.

Thanks for choosing WordPress. Happy holidays and see you next year for version 4.2!

Reposted from WordPress.org

WordPress 4.0.1 Security Release

WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours. If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure. (We don’t support older versions, so please update to 4.0.1 for the latest and greatest.)

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Jouko Pynnonen. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
  • An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavkovic of ManageWP.

Version 4.0.1 also fixes 23 bugs with 4.0, and we’ve made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos. Reported by Chris Andrè Dale.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.0.1 or venture over to Dashboard → Updates and simply click “Update Now”.

Reposted from WordPress.org

WordPress 4.0 “Benny”

Version 4.0 of WordPress, named “Benny” in honor of jazz clarinetist and bandleader Benny Goodman, is available for download or update in your WordPress dashboard. While 4.0 is just another number for us after 3.9 and before 4.1, we feel we’ve put a little extra polish into it. This release brings you a smoother writing and management experience we think you’ll enjoy.

Introducing WordPress 4.0 “Benny”

Manage your media with style

Explore your uploads in a beautiful, endless grid. A new details preview makes viewing and editing any amount of media in sequence a snap.


Working with embeds has never been easier

Paste in a YouTube URL on a new line, and watch it magically become an embedded video. Now try it with a tweet. Oh yeah — embedding has become a visual experience. The editor shows a true preview of your embedded content, saving you time and giving you confidence.

We’ve expanded the services supported by default, too — you can embed videos from CollegeHumor, playlists from YouTube, and talks from TED. Check out all of the embeds that WordPress supports.


Focus on your content

Writing and editing is smoother and more immersive with an editor that expands to fit your content as you write, and keeps the formatting tools available at all times.


Finding the right plugin

Add plugins

There are more than 30,000 free and open source plugins in the WordPress plugin directory. WordPress 4.0 makes it easier to find the right one for your needs, with new metrics, improved search, and a more visual browsing experience.


The Ensemble

This release was led by Helen Hou-Sandí, with the help of these fine individuals.

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.1!

Reposted from WordPress.org

WordPress 3.9.2 Security Release

WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.

This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated joint security releases.

WordPress 3.9.2 also contains other security changes:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

We appreciated responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 3.9.2 or venture over to Dashboard → Updates and simply click “Update Now”.

Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. (If you are still on WordPress 3.8.3 or 3.7.3, you will also be updated to 3.8.4 or 3.7.4. We don’t support older versions, so please update to 3.9.2 for the latest and greatest.)

Reposted from WordPress.org

WordPress 3.9.1 Maintenance Release

After three weeks and more than 9 million downloads of WordPress 3.9, we’re pleased to announce that WordPress 3.9.1 is now available.

We strongly encourage you to update your sites immediately.

This maintenance release fixes 34 bugs in 3.9, including numerous fixes for multisite networks, customizing widgets while previewing themes, and the updated visual editor. We’ve also made some improvements to the new audio/video playlists feature and made some adjustments to improve performance. For a full list of changes, consult the list of tickets and the changelog.

If you are one of the millions already running WordPress 3.9, we’ve started rolling out automatic background updates for 3.9.1. For sites that support them, of course.

Download WordPress 3.9.1 or venture over to Dashboard → Updates and simply click “Update Now.”

Reposted from WordPress.org

WordPress 3.9 “Smith”

Version 3.9 of WordPress, named “Smith” in honor of jazz organist Jimmy Smith, is available for download or update in your WordPress dashboard. This release features a number of refinements that we hope you’ll love.

A smoother media editing experience

Improved visual editing

The updated visual editor has improved speed, accessibility, and mobile support. You can paste into the visual editor from your word processor without wasting time to clean up messy styling. (Yeah, we’re talking about you, Microsoft Word.)

Edit images easily

With quicker access to crop and rotation tools, it’s now much easier to edit your images while editing posts. You can also scale images directly in the editor to find just the right fit.

 

Drag and drop your images

Uploading your images is easier than ever. Just grab them from your desktop and drop them in the editor.


Gallery previews

Galleries display a beautiful grid of images right in the editor, just like they do in your published post.


Do more with audio and video

Images have galleries; now we’ve added simple audio and video playlists, so you can showcase your music and clips.


Live widget and header previews

Add, edit, and rearrange your site’s widgets right in the theme customizer. No “save and surprise” — preview your changes live and only save them when you’re ready.

The improved header image tool also lets you upload, crop, and manage headers while customizing your theme.


Stunning new theme browser

Looking for a new theme should be easy and fun. Lose yourself in the boundless supply of free WordPress.org themes with the beautiful new theme browser.


The Crew

This release was led by Andrew Nacin and Mike Schroder, with the help of these fine individuals.

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.0!

Reposted from WordPress.org

WordPress 3.8.3 Maintenance Release

WordPress 3.8.3 is now available to fix a small but unfortunate bug in the WordPress 3.8.2 security release.

We strongly encourage you to update your sites immediately.

The “Quick Draft” tool on the dashboard screen was broken in the 3.8.2 update. If you tried to use it, your draft would disappear and it wouldn’t save. While we doubt anyone was writing a novella using this tool, any loss of content is unacceptable to us.

We recognize how much trust you place in us to safeguard your content, and we take this responsibility very seriously. We’re sorry we let you down.

We’ve all lost words we’ve written before, like an email thanks to a cat on the keyboard or a term paper to a blue screen of death. Over the last few WordPress releases, we’ve made a number of improvements to features like autosaves and revisions. With revisions, an old edit can always be restored. We’re trying our hardest to save your content somewhere even if your power goes out or your browser crashes. We even monitor your internet connection and prevent you from hitting that “Publish” button at the exact moment the coffee shop Wi-Fi has a hiccup.

It’s possible that the quick draft you lost last week is still in the database, and just hidden from view. As an added complication, these “discarded drafts” normally get deleted after seven days, and it’s already been six days since the release. If we were able to rescue your draft, you’ll see it on the “All Posts” screen after you update to 3.8.3. (We’ll also be pushing 3.8.3 out as a background update, so you may just see a draft appear.)

So, if you tried to jot down a quick idea last week, I hope WordPress has recovered it for you. Maybe it’ll turn into that novella.

Download WordPress 3.8.3 or click “Update Now” on Dashboard → Updates.

This affected version 3.7.2 as well, so we’re pushing a 3.7.3 to these installs, but we’d encourage you to update to the latest and greatest.

Reposted from WordPress.org

WordPress 3.8.2 Security Release

WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately.

This release fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and fixed by Jon Cave of the WordPress security team.

It also contains a fix to prevent a user with the Contributor role from improperly publishing posts. Reported by edik.

This release also fixes nine bugs and contains three other security hardening changes:

  • Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
  • Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw.
  • Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files. Reported by Szymon Gruszecki.

We appreciated responsible disclosure of these security issues directly to our security team. For more information on all of the changes, see the release notes or consult the list of changes.

Download WordPress 3.8.2 or venture over to Dashboard → Updates and simply click “Update Now.”

Sites that support automatic background updates will be updated to WordPress 3.8.2 within 12 hours. If you are still on WordPress 3.7.1, you will be updated to 3.7.2, which contains the same security fixes as 3.8.2. We don’t support older versions, so please update to 3.8.2 for the latest and greatest.

Already testing WordPress 3.9? The first release candidate is now available (zip) and it contains these security fixes. Look for a full announcement later today; we expect to release 3.9 next week.

Reposted from WordPress.org

WordPress 3.8.1 Maintenance Release

After six weeks and more than 9.3 million downloads of WordPress 3.8, we’re pleased to announce WordPress 3.8.1 is now available and we strongly encourage you to update your sites immediately.

Version 3.8.1 is a maintenance release that addresses 31 bugs in 3.8, including various fixes and improvements for the new dashboard design and new themes admin screen. An issue with taxonomy queries in WP_Query was resolved. And if you’ve been frustrated by submit buttons that won’t do anything when you click on them (or thought you were going crazy, like some of us), we’ve found and fixed this “dead zone” on submit buttons.

It also contains a fix for embedding tweets (by placing the URL to the tweet on its own line), which was broken due to a recent Twitter API change. (For more on Embeds, see the Codex.)

For a full list of changes, consult the list of tickets and the changelog. There’s also a detailed summary for developers on the development blog.

If you are one of the millions already running WordPress 3.8, we will start rolling out automatic background updates for WordPress 3.8.1 in the next few hours. For sites that support them, of course.

Download WordPress 3.8.1 or venture over to Dashboard → Updates and simply click “Update Now.”

WordPress three eight one
We heard you didn’t like bugs
So we took them out

Reposted from WordPress.org

WordPress 3.8 “Parker”

Version 3.8 of WordPress, named “Parker” in honor of Charlie Parker, bebop innovator, is available for download or update in your WordPress dashboard. We hope you’ll think this is the most beautiful update yet.

Introducing a modern new design

WordPress has gotten a facelift. 3.8 brings a fresh new look to the entire admin dashboard. Gone are overbearing gradients and dozens of shades of grey — bring on a bigger, bolder, more colorful design!

Modern aesthetic

The new WordPress dashboard has a fresh, uncluttered design that embraces clarity and simplicity.

Clean typography

The Open Sans typeface provides simple, friendly text that is optimized for both desktop and mobile viewing. It’s even open source, just like WordPress.

Refined contrast

We think beautiful design should never sacrifice legibility. With superior contrast and large, comfortable type, the new design is easy to read and a pleasure to navigate.


WordPress on every device

We all access the internet in different ways. Smartphone, tablet, notebook, desktop — no matter what you use, WordPress will adapt and you’ll feel right at home.

High definition at high speed

WordPress is sharper than ever with new vector-based icons that scale to your screen. By ditching pixels, pages load significantly faster, too.


Admin color schemes to match your personality

WordPress just got a colorful new update. We’ve included eight new admin color schemes so you can pick the one that suits you best.

Color schemes can be previewed and changed from your Profile page.


Refined theme management

The new themes screen lets you survey your themes at a glance. Or want more information? Click to discover more. Then sit back and use your keyboard’s navigation arrows to flip through every theme you’ve got.

Smoother widget experience

Drag-drag-drag. Scroll-scroll-scroll. Widget management can be complicated. With the new design, we’ve worked to streamline the widgets screen.

Have a large monitor? Multiple widget areas stack side-by-side to use the available space. Using a tablet? Just tap a widget to add it.


Twenty Fourteen, a sleek new magazine theme

The new Twenty Fourteen theme displayed on a laptop, tablet and phone

Turn your blog into a magazine

Create a beautiful magazine-style site with WordPress and Twenty Fourteen. Choose a grid or a slider to display featured content on your homepage. Customize your site with three widget areas or change your layout with two page templates.

With a striking design that does not compromise our trademark simplicity, Twenty Fourteen is our most intrepid default theme yet.


Beginning of a new era

This release was led by Matt Mullenweg. This is our second release using the new plugin-first development process, with a much shorter timeframe than in the past. We think it’s been going great. You can check out the features currently in production on the make/core blog.

Thanks for choosing WordPress. See you soon for version 3.9!

Reposted from WordPress.org

WordPress 3.7 “Basie”

Version 3.7 of WordPress, named “Basie” in honor of Count Basie, is available for download or update in your WordPress dashboard. This release features some of the most important architectural updates we’ve made to date. Here are the big ones:

  • Updates while you sleep: With WordPress 3.7, you don’t have to lift a finger to apply maintenance and security updates. Most sites are now able to automatically apply these updates in the background. The update process also has been made even more reliable and secure, with dozens of new checks and safeguards.
  • Stronger password recommendations: Your password is your site’s first line of defense. It’s best to create passwords that are complex, long, and unique. To that end, our password meter has been updated in WordPress 3.7 to recognize common mistakes that can weaken your password: dates, names, keyboard patterns (123456789), and even pop culture references.
  • Better global support: Localized versions of WordPress will receive faster and more complete translations. WordPress 3.7 adds support for automatically installing the right language files and keeping them up to date, a boon for the many millions who use WordPress in a language other than English.

For developers there are lots of options around how to control the new updates feature, including allowing it to handle major upgrades as well as minor ones, more sophisticated date query support, and multisite improvements. As always, if you’re hungry for more, dive into the Codex or browse the over 400 closed tickets on Trac.

A New Wave

This release was led by Andrew Nacin, backed up by Dion Hulse and Jon Cave. This is our first release using the new plugin-first development process, with a much shorter timeframe than in the past. (3.6 was released in August.) The 3.8 release, due in December, will continue this plugin-led development cycle that gives much more autonomy to plugin leads and allows us to decouple feature development from a release. You can follow this grand experiment, and what we’re learning from it, on the make/core blog.

Enjoy what may be one of your last few manual updates. See you soon for version 3.8!

Reprinted from WordPress.org

WordPress 3.6.1 Maintenance and Security Release

After nearly 7 million downloads of WordPress 3.6, we are pleased to announce the availability of version 3.6.1. This maintenance release fixes 13 bugs in version 3.6, which was a very smooth release.

WordPress 3.6.1 is also a security release for all previous WordPress versions and we strongly encourage you to update your sites immediately. It addresses three issues fixed by the WordPress security team:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.

Additionally, we’ve adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

We appreciated responsible disclosure of these issues directly to our security team. For more information on the changes, see the release notes or consult the list of changes.

Download WordPress 3.6.1 or update now from the Dashboard → Updates menu in your site’s admin area.

Reprinted from WordPress

WordPress 3.6 “Oscar”

The latest and greatest WordPress, version 3.6, is now live to the world and includes a beautiful new blog-centric theme, bullet-proof autosave and post locking, a revamped revision browser, native support for audio and video embeds, and improved integrations with Spotify, Rdio, and SoundCloud. Here’s a video that shows off some of the features using our cast of professional actors:

Introducing WordPress 3.6 “Oscar”

We’re calling this release “Oscar” in honor of the great jazz pianist Oscar Peterson. Here’s a bit more about some of the new features, which you can also find on the about page in your dashboard after you upgrade.

User Features

  • The new Twenty Thirteen theme inspired by modern art puts focus on your content with a colorful, single-column design made for media-rich blogging.
  • Revamped Revisions save every change and the new interface allows you to scroll easily through changes to see line-by-line who changed what and when.
  • Post Locking and Augmented Autosave will especially be a boon to sites where more than a single author is working on a post. Each author now has their own autosave stream, which stores things locally as well as on the server (so much harder to lose something) and there’s an interface for taking over editing of a post, as demonstrated beautifully by our bearded buddies in the video above.
  • Built-in HTML5 media player for native audio and video embeds with no reliance on external services.
  • The Menu Editor is now much easier to understand and use.

Developer features

  • A new audio/video API gives you access to metadata like ID3 tags.
  • You can now choose HTML5 markup for things like comment and search forms, and comment lists.
  • Better filters for how revisions work, so you can store a different amount of history for different post types.
  • Tons more listed on the Codex, and of course you can always browse the over 700 closed tickets.

Reprinted from WordPress


Passwords and Passphrases, your most common security measure

The first and most common piece of security everyone is aware of and using is a password or hopefully a passphrase. Today I will outline the differences between the two along with some guidelines and suggestions. In part 2 of my coverage about passwords I will go into more detail about some things to look out for when creating and using passwords.

About passwords and passphrases

Passwords are short sequences of letters, numbers, and symbols that you enter to verify your identity to a system, which then allows you access to secure data or other resources.

Passphrases operate on the same principle as passwords, and are used in exactly the same way. However, they differ from traditional passwords in two aspects:

  • Passphrases are generally longer than passwords. While passwords can frequently be as short as six or even four characters, passphrases have larger minimum lengths and, in practice, typical passphrases might be 20 or 30 characters long or longer. This greater length provides more powerful security; it is far more difficult for a cracker to break a 25-character passphrase than an eight-character password.
  • The rules for valid passphrases differ from those for passwords. Systems that use shorter passwords often disallow actual words or names, which are notoriously insecure; instead, your password is usually an apparently random sequence of characters. The greater length of passphrases, by contrast, allows you to create an easily memorable phrase rather than a cryptic series of letters, numbers, and symbols.

What makes a password or passphrase strong?

A strong password:

  • Is at least eight characters long.
  • Does not contain your user name, real name, or company name.
  • Does not contain a complete word.
  • Is significantly different from previous passwords.

A strong passphrase:

  • Is 20 to 30 characters long.
  • Is a series of words that create a phrase.
  • Does not contain common phrases found in literature or music.
  • Does not contain words found in the dictionary.
  • Does not contain your user name, real name, or company name.
  • Is significantly different from previous passwords or passphrases.

Strong passwords and passphrases contain characters from each of the following four categories:

Character category, with examples:

  • Uppercase letters: A, B, C
  • Lowercase letters: a, b, c
  • Numbers: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /

A password or passphrase might meet all the criteria above and still be weak. For example, Hello2U! meets all the criteria for a strong password listed above, but is still weak because it contains a complete word. H3ll0 2 U! is a stronger alternative because it replaces some of the letters in the complete word with numbers and also includes spaces.
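The strong-password criteria above can be checked mechanically. The following Python checker is an added example, not part of the original post; the function name `check_password`, the small sample word list, and the 0.8 similarity threshold used for "significantly different" are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a dictionary; a real check would load a full word list.
SAMPLE_WORDS = {"hello", "password", "welcome", "badminton", "birthday"}

# The four character categories listed above.
CATEGORIES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "number": str.isdigit,
    "symbol_or_space": lambda c: not c.isalnum(),
}

def check_password(candidate, names=(), previous=(), words=SAMPLE_WORDS,
                   min_length=8, max_similarity=0.8):
    """Return the list of strong-password criteria that `candidate` fails."""
    failures = []
    lowered = candidate.lower()

    if len(candidate) < min_length:
        failures.append("too_short")

    missing = [name for name, test in CATEGORIES.items()
               if not any(test(c) for c in candidate)]
    if missing:
        failures.append("missing:" + ",".join(missing))

    # User name, real name, or company name, compared case-insensitively.
    if any(n and n.lower() in lowered for n in names):
        failures.append("contains_name")

    # Only unbroken runs of letters count as words, so "H3ll0" is not "hello".
    runs = re.findall(r"[a-z]+", lowered)
    if any(w in run for run in runs for w in words):
        failures.append("contains_word")

    # "Significantly different" is approximated with a similarity ratio (assumption).
    if any(SequenceMatcher(None, lowered, p.lower()).ratio() >= max_similarity
           for p in previous):
        failures.append("too_similar")

    return failures
```

Run against the two passwords discussed above, the checker flags Hello2U! only for containing a complete word, while H3ll0 2 U! passes every check.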

 

Help yourself remember your strong password or passphrase by following these tips:

  • Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son’s birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
  • Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, My son’s birthday is 12 December, 2004 could become Mi$un’s Brthd8iz 12124, which would make a good passphrase.
  • Relate your password or passphrase to a favorite hobby or sport. For example, I love to play badminton could become ILuv2PlayB@dm1nt()n.

If you feel you must write down your password or passphrase to remember it, make sure you don’t label it as such, and keep it in a safe place.

Guidelines for keeping your passwords and passphrases secure

  • Consider using passphrase vaulting.
  • Do not write your username and password or passphrase in the same place.
  • Never share your password or passphrase with anyone.
  • Never send anyone your password or passphrase via email, even if the message requesting your password seems official. A request for a password or passphrase is very likely a phishing scam.
  • Change your password or passphrase at least every six months.
  • Do not use the same password or passphrase over multiple services or web sites.


Privacy and Security in uncertain times

Recently I was at a conference and the subject of computer and Internet security came up.  That, coupled with all that has been in the news lately, helped me decide to do a series of posts covering some of my general security suggestions.  I will try to make at least one post a week, and will be posting some suggestions on ATTOG Technologies as well.

Topics will include (and will be amended as we go):

  • Passwords
  • Encryption
  • Privacy
  • Data Security/Integrity

Stay tuned for our first post on hard drive encryption.
