WordPress 4.1.1 Maintenance Release

WordPress 4.1.1 is now available. This maintenance release fixes 21 bugs in version 4.1.

Some of you may have been waiting to update to the latest version until now, but there just wasn’t much to address. WordPress 4.1 was a smooth-sailing release and has seen more than 14 million downloads in the last two months.

For a full list of changes, consult the list of tickets and the changelog. We fixed one annoying issue where a tag and a category with the same name could get muddled and prevent each other from being updated.

If you are one of the millions already running WordPress 4.1, we’ve started rolling out automatic background updates for 4.1.1 for sites that support them. Otherwise, download WordPress 4.1.1 or visit Dashboard → Updates and simply click “Update Now.”

Thanks to everyone who contributed to 4.1.1: Andrea Fercia, Boone Gorges, ChriCo, Dion Hulse, David Herrera, Drew Jaynes, Takuro Hishikawa, Thorsten Frommen, Iseulde, John Blackbourn, Aaron Jorbin, mattyrob, Konstantin Obenland, Dominik Schilling, Sergey Biryukov, sippis, tmatsuur, Marin Atanasov, Derek Herman, and Weston Ruter.

It is with both great honor and sadness we also recognize Kim Parsell as a contributor to this release and a truly beloved member of the community until her untimely passing in December. The project is working to establish a conference travel scholarship in her memory. We miss you, Kim.

WordPress 4.0.1 Security Release

WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours. If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure. (We don’t support older versions, so please update to 4.0.1 for the latest and greatest.)

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Jouko Pynnonen. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
  • An extremely unlikely hash collision that could allow a user’s account to be compromised, and which also requires that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.

Version 4.0.1 also fixes 23 bugs with 4.0, and we’ve made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos. Reported by Chris Andrè Dale.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.0.1 or venture over to Dashboard → Updates and simply click “Update Now”.

Already testing WordPress 4.1? The second beta is now available (zip) and it contains these security fixes. For more on 4.1, see the beta 1 announcement post.

WordPress 3.9.2 Security Release

WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.

This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated joint security releases.

WordPress 3.9.2 also contains other security changes:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

We appreciated responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 3.9.2 or venture over to Dashboard → Updates and simply click “Update Now”.

Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. (If you are still on WordPress 3.8.3 or 3.7.3, you will also be updated to 3.8.4 or 3.7.4. We don’t support older versions, so please update to 3.9.2 for the latest and greatest.)

Already testing WordPress 4.0? The third beta is now available (zip) and it contains these security fixes.

WordPress 3.9.1 Maintenance Release

After three weeks and more than 9 million downloads of WordPress 3.9, we’re pleased to announce that WordPress 3.9.1 is now available.

This maintenance release fixes 34 bugs in 3.9, including numerous fixes for multisite networks, customizing widgets while previewing themes, and the updated visual editor. We’ve also made some improvements to the new audio/video playlists feature and made some adjustments to improve performance. For a full list of changes, consult the list of tickets and the changelog.

If you are one of the millions already running WordPress 3.9, we’ve started rolling out automatic background updates for 3.9.1. For sites that support them, of course.

Download WordPress 3.9.1 or venture over to Dashboard → Updates and simply click “Update Now.”

Thanks to all of these fine individuals for contributing to 3.9.1: Aaron Jorbin, Andrew Nacin, Andrew Ozz, Brian Richards, Chris Blower, Corey McKrill, Daniel Bachhuber, Dominik Schilling, feedmeastraycat, Gregory Cornelius, Helen Hou-Sandi, imath, Janneke Van Dorpe, Jeremy Felt, John Blackbourn, Konstantin Obenland, Lance Willett, m_i_n, Marius Jensen, Mark Jaquith, Milan Dinić, Nick Halsey, pavelevap, Scott Taylor, Sergey Biryukov, and Weston Ruter.

WordPress 3.9 Release Candidate 2

The second release candidate for WordPress 3.9 is now available for testing.

If you haven’t tested 3.9 yet, you’re running out of time! We made about five dozen changes since the first release candidate, and those changes are all helpfully summarized in our weekly post on the development blog. Probably the biggest fixes are to live widget previews and the new theme browser, along with some extra TinyMCE compatibility and some RTL fixes.

Plugin authors: Could you test your plugins against 3.9, and if they’re compatible, make sure they are marked as tested up to 3.9? It only takes a few minutes and this really helps make launch easier. Be sure to follow along the core development blog; we’ve been posting notes for developers for 3.9. (For example: HTML5, symlinks, MySQL, Plupload.)

To test WordPress 3.9 RC2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If you’d like to learn more about what’s new in WordPress 3.9, visit the nearly complete About screen in your dashboard ( → About in the toolbar) and also check out the Beta 1 post.

This is for testing,
so not recommended for
production sites—yet.

WordPress 3.8.3 Maintenance Release

WordPress 3.8.3 is now available to fix a small but unfortunate bug in the WordPress 3.8.2 security release.

The “Quick Draft” tool on the dashboard screen was broken in the 3.8.2 update. If you tried to use it, your draft would disappear and it wouldn’t save. While we doubt anyone was writing a novella using this tool, any loss of content is unacceptable to us.

We recognize how much trust you place in us to safeguard your content, and we take this responsibility very seriously. We’re sorry we let you down.

We’ve all lost words we’ve written before, like an email thanks to a cat on the keyboard or a term paper to a blue screen of death. Over the last few WordPress releases, we’ve made a number of improvements to features like autosaves and revisions. With revisions, an old edit can always be restored. We’re trying our hardest to save your content somewhere even if your power goes out or your browser crashes. We even monitor your internet connection and prevent you from hitting that “Publish” button at the exact moment the coffee shop Wi-Fi has a hiccup.

It’s possible that the quick draft you lost last week is still in the database, and just hidden from view. As an added complication, these “discarded drafts” normally get deleted after seven days, and it’s already been six days since the release. If we were able to rescue your draft, you’ll see it on the “All Posts” screen after you update to 3.8.3. (We’ll also be pushing 3.8.3 out as a background update, so you may just see a draft appear.)

So, if you tried to jot down a quick idea last week, I hope WordPress has recovered it for you. Maybe it’ll turn into that novella.

Download WordPress 3.8.3 or click “Update Now” on Dashboard → Updates.

This affected version 3.7.2 as well, so we’re pushing a 3.7.3 to these installs, but we’d encourage you to update to the latest and greatest.


Now for some good news:
WordPress 3.9 is near.
Expect it this week

WordPress 3.9 Release Candidate

As teased earlier, the first release candidate for WordPress 3.9 is now available for testing!

We hope to ship WordPress 3.9 next week, but we need your help to get there. If you haven’t tested 3.9 yet, there’s no time like the present. (Please, not on a production site, unless you’re adventurous.)

To test WordPress 3.9 RC1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If you’d like to learn more about what’s new in WordPress 3.9, visit the work-in-progress About screen in your dashboard ( → About in the toolbar) and check out the Beta 1 post.

Think you’ve found a bug? Please post to the Alpha/Beta area in the support forums. If any known issues come up, you’ll be able to find them here.

If you’re a plugin author, there are two important changes in particular to be aware of:

  • TinyMCE received a major update, to version 4.0. Any editor plugins written for TinyMCE 3.x might require some updates. (If things broke, we’d like to hear about them so we can make adjustments.) For more, see TinyMCE’s migration guide and API documentation, and the notes on the core development blog.
  • WordPress 3.9 now uses the MySQLi Improved extension for sites running PHP 5.5. Any plugins that made direct calls to mysql_* functions will experience some problems on these sites. For more information, see the notes on the core development blog.
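
One way to audit plugin code for the direct mysql_* calls described above before a site moves to 3.9 on PHP 5.5. This is an added example, not code from WordPress; the name `find_legacy_mysql_calls` and the sample plugin source are constructed for illustration. The scan is a heuristic: it blanks comments and quoted strings but does not handle heredocs or inline HTML.

```python
import re

# A direct call to a legacy ext/mysql function, e.g. mysql_query(...).
# The lookbehind rejects mysqli_*, $obj->mysql_x(), Class::mysql_x() and
# longer names that merely contain "mysql_" (e.g. my_mysql_query).
LEGACY_CALL = re.compile(r"(?<![\w>:$])(mysql_\w+)\s*\(", re.IGNORECASE)

# PHP comments and quoted strings, matched in one left-to-right pass so that
# a "//" inside a string is not mistaken for a comment (and vice versa).
PHP_NOISE = re.compile(
    r"""/\*.*?\*/          # block comment
      | (?://|\#)[^\n]*     # line comment
      | '(?:\\.|[^'\\])*'   # single-quoted string
      | "(?:\\.|[^"\\])*"   # double-quoted string
    """,
    re.DOTALL | re.VERBOSE,
)


def _blank(match):
    # Overwrite with spaces but keep newlines so line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_legacy_mysql_calls(php_source):
    """Return [(line_number, function_name), ...] for direct mysql_* calls."""
    code = PHP_NOISE.sub(_blank, php_source)
    hits = []
    for m in LEGACY_CALL.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1).lower()))  # PHP names are case-insensitive
    return hits


# Constructed plugin source, not taken from any real plugin.
SAMPLE_PLUGIN = r'''<?php
// Constructed for the example. mysql_query() here is only a comment.
function hits_count( $post_id ) {
    $res = mysql_query( "SELECT hits FROM wp_hits WHERE post_id = " . (int) $post_id );
    $row = mysql_fetch_assoc( $res );
    $msg = 'call mysql_error() for details';  // inside a string, ignored
    $ok  = mysqli_query( $link, 'SELECT 1' ); // mysqli_* is not flagged
    return $wpdb->get_var( 'SELECT 1' ) + my_mysql_query( $row );
}
'''

if __name__ == "__main__":
    for line, name in find_legacy_mysql_calls(SAMPLE_PLUGIN):
        print(f"line {line}: direct call to {name}()")
```
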

Be sure to follow along the core development blog, where we will be continuing to post notes for developers for 3.9. (For example, read this if you are using Masonry in your theme.) And please, please update your plugin’s Tested up to version in the readme to 3.9 before April 16.

Release candidate
This haiku’s the easy one
3.9 is near

WordPress 3.8.2 Security Release

WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately.

This release fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and fixed by Jon Cave of the WordPress security team.

It also contains a fix to prevent a user with the Contributor role from improperly publishing posts. Reported by edik.

This release also fixes nine bugs and contains three other security hardening changes:

  • Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
  • Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw.
  • Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files. Reported by Szymon Gruszecki.

We appreciated responsible disclosure of these security issues directly to our security team. For more information on all of the changes, see the release notes or consult the list of changes.

Download WordPress 3.8.2 or venture over to Dashboard → Updates and simply click “Update Now.”

Sites that support automatic background updates will be updated to WordPress 3.8.2 within 12 hours. If you are still on WordPress 3.7.1, you will be updated to 3.7.2, which contains the same security fixes as 3.8.2. We don’t support older versions, so please update to 3.8.2 for the latest and greatest.

Already testing WordPress 3.9? The first release candidate is now available (zip) and it contains these security fixes. Look for a full announcement later today; we expect to release 3.9 next week.

WordPress 3.9 Beta 3

The third (and maybe last) beta of WordPress 3.9 is now available for download.

Beta 3 includes more than 200 changes, including:

  • New features like live widget previews and the new theme installer are now more ready for prime time, so check ‘em out.
  • UI refinements when editing images and when working with media in the editor. We’ve also brought back some of the advanced display settings for images.
  • If you want to test out audio and video playlists, the links will appear in the media manager once you’ve uploaded an audio or video file.
  • For theme developers, we’ve added HTML5 caption support (#26642) to match the new gallery support (#26697).
  • The formatting function that turns straight quotes into smart quotes (among other things) underwent some changes to drastically speed it up, so let us know if you see anything weird.

We need your help. We’re still aiming for an April release, which means the next week will be critical for identifying and squashing bugs. If you’re just joining us, please see the Beta 1 announcement post for what to look out for.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums, where friendly moderators are standing by. Plugin developers, if you haven’t tested WordPress 3.9 yet, now is the time — and be sure to update the “tested up to” version for your plugins so they’re listed as compatible with 3.9.

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 3.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

WordPress 3.9
Let’s make the date official
It’s April 16

WordPress 3.9 Beta 2

WordPress 3.9 Beta 2 is now available for testing!

We’ve made more than a hundred changes since Beta 1, but we still need your help if we’re going to hit our goal of an April release. For what to look out for, please head on over to the Beta 1 announcement post. Some of the changes in Beta 2 include:

  • Rendering of embedded audio and video players directly in the visual editor.
  • Visual and functional improvements to the editor, the media manager, and theme installer.
  • Various bug fixes to TinyMCE, the software behind the visual editor.
  • Lots of fixes to widget management in the theme customizer.

As always, if you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a reproducible bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed so far.

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 3.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).