WordPress.org

WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.

Version 4.2 of WordPress, named “Powell” in honor of jazz pianist Bud Powell, is available for download or update in your WordPress dashboard. New features in 4.2 help you communicate and share, globally.

---

An easier way to share content

Clip it, edit it, publish it. Get familiar with the new and improved Press This. From the Tools menu, add Press This to your browser bookmark bar or your mobile device home screen. Once installed you can share your content with lightning speed. Sharing your favorite videos, images, and content has never been this fast or this easy.

---

Extended character support

Writing in WordPress, whatever your language, just got better. WordPress 4.2 supports a host of new characters out-of-the-box, including native Chinese, Japanese, and Korean characters, musical and mathematical symbols, and hieroglyphs.

Don’t use any of those characters? You can still have fun — emoji are now available in WordPress! Get creative and decorate your content with 💙, 🐸, 🐒, 🍕, and all the many other emoji.

---

---

Under the Hood

utf8mb4 support

Database character encoding has changed from utf8 to utf8mb4, which adds support for a whole range of new 4-byte characters.

JavaScript accessibility

You can now send audible notifications to screen readers in JavaScript with wp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.

Shared term splitting

Terms shared across multiple taxonomies will be split when one of them is updated. Find out more in the Plugin Developer Handbook.

Complex query ordering

WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.

---

The Team

This release was led by Drew Jaynes, with the help of these fine individuals. There are 283 contributors with props in this release, a new high. Pull up some Bud Powell on your music service of choice, and check out some of their profiles:

@mercime, A5hleyRich, Aaron D. Campbell, Aaron Jorbin, abhishekfdd, Adam Silverstein, Ahmad Awais, Alex King, Alex Mills (Viper007Bond), Alin Marcu, Allan Collins, Andrea Fercia, Andrew Bauer, Andrew Nacin, Andrew Norcross, Andrew Ozz, Ankit Gade, Ankit K Gupta, Anton Timmermans, Aram Zucker-Scharff, ArminBraun, Ashfame, Austin Matzko, avryl, Barry Kooij, Beau Lebens, Ben Doherty (Oomph, Inc), Billy Schneider, Boone B. Gorges, Brandon Kraft, Brian Krogsgard, Brian Watson, CalEvans, carolinegeven, Casey Driscoll, Caspie, Catalin Dogaru, Chip Bennett, chipx86, ChriCo, Chris Baldelomar, Chris Olbekson, Christian Foellmann, Christopher Finke, Clifton Griffin, Code Master, Corphi, Courtney Ivey, Craig Ralston, cweiske, Daisuke Takahashi, Damian, Daniel Bachhuber, Daniel Jalkut (Red Sweater), Darin Kotter, Darren Ethier (nerrad), Daryl L. L. Houston (dllh), Dave McHale, David A. Kennedy, David Anderson, David Herrera, Davide 'Folletto' Casali, davideugenepratt, davidhamiltron, Denis de Bernardy, Derek Herman, Derek Smart, designsimply, Dion Hulse, dipesh.kakadiya, Dominik Schilling, doublesharp, DzeryCZ, Dzikri Aziz, e.mazovetskiy, Eduardo Reveles, Edward Caissie, Elio Rivero, Ella Iseulde Van Dorpe, elliottcarlson, enej, Eric Andrew Lewis, Eric Binnion, Erick Hitter, Evan Solomon, Fabien Quatravaux, fhwebcs, Florian Simeth, Frank Bueltge, Frank P. Walentynowicz, Franz Josef Kaiser, Gary Cao, Gary Jones, Gary Pendergast, Geert De Deckere, genkisan, George Stephanis, Graham Armfield, Gustavo Bordoni, hakre, Harish Chaudhari, hauvong, Helen Hou-Sandí, herbmillerjr, Hew, horike, Hugh Lashbrooke, Hugo Baeta, Ian Dunn, ianmjones, idealien, imath, Ipstenu (Mika Epstein), J.D. Grimes, Jack Lenox, James Collins, janhenckens, Jeff Farthing, Jeffrey de Wit, Jeremy Felt, Jesin A, jipmoors, Joan Artes, Joe Dolson, Joe McGill, Joel Bernerman, Joen Asmussen, John Blackbourn, John Eckman, John James Jacoby, John Levandowski, Jonathan Desrosiers, joost de keijzer, Joost de Valk, Jose Castaneda, Josh Levinson, jphase, Julio Potier, Justin Kopepasah, Justin Sternberg, Justin Watt, K.Adam White, Kailey (trepmal), Kelly Dwan, Kevin Ruscoe, Kim Parsell, Kite, Konstantin Kovshenin, Konstantin Obenland, Lance Willett, Leonard, Leonardo Giacone, Liam Gladdy, maimairel, Mako, Manny Fleurmond, marcelomazza, Marco Chiesi, Marcus Kazmierczak, Marin Atanasov, Mario Peshev, Marius (Clorith), Mark Jaquith, Mark Senff, Marko Heijnen, Matt Gibbs, Matt Martz, Matt Mullenweg, Matt Wiebe, Matt Zak, Matthew Boynes, Matthew Eppelsheimer, Matthew Haines-Young, mattyrob, Max Cutler, mehulkaklotar, Mel Choyce, meloniq, Michael Adams (mdawaffe), Michael Arestad, Michael Beckwith, michalzuber, Mike Glendinning, Mike Hansen, Mike Jordan, Mike Schinkel, MikeNGarrett, Milan Dinic, mmn-o, Mohammad Jangda, MomDad, Morgan Estes, Morpheu5, Naoko Takano, nathan_dawson, Neil Pie, Nick Halsey, nicnicnicdevos, Nikhil Vimal, ninnypants, nitkr, Nuno Morgadinho, OriginalEXE, Paresh Radadiya, Pat Hawks, Paul Bearne, Paul Schreiber, Paul Wilde, pavelevap, Payton Swick, Pete Mall, Pete Nelson, Peter Wilson, Pippin Williamson, podpirate, postpostmodern, Prasath Nadarajah, prasoon2211, Primoz Cigler, r-a-y, Rachel Baker, rahulbhangale, Rami Yushuvaev, Rastislav Lamos, Ravindra Pal Singh, Rian Rietveld, Ritesh Patel, Robert Chapin, Rodrigo Primo, Ross Wintle, Ryan Boren, Ryan Marks, sagarjadhav, samo9789, samuelsidler, Scott Grant, Scott Reilly, Scott Taylor, scott.gonzalez, ScreenfeedFr, scribu, Sean Hayes, Sergej Muller, Sergey Biryukov, sevenspark, Simon Wheatley, Siobhan, sippis, Slobodan Manic, solarissmoke, Stephane Daury, Stephanie Leary, Stephen Edgar, Steve Grunwell, stevehickeydesign, Steven Word, Takashi Irie, Takuro Hishikawa, theMikeD, thomaswm, Thorsten Frommen, Till, Timothy Jacobs, tiqbiz, tmatsuur, tmeister, Tobias Schutter, TobiasBg, tomdxw, Travis Northcutt, trishasalas, Ty Carlson, UaMV, Udit Desai, Ulrich Sossou, Veritaserum, voldemortensen, VolodymyrC, vortfu, welcher, Weston Ruter, William Earnhardt, and WordPressor.

Special thanks go to Siobhan McKeown for producing the release video and Cami Kaos for the voice-over.

Finally, thanks to all of the contributors who provided subtitles for the release video, which at last count had been translated into 30 languages!

Adrian Pop, Alin Marcu, Bagerathan Sivarajah, Besnik, Bjørn Johansen, Chantal Coolsma, cubells, Daisuke Takahashi, Diana K. Cury, DjZoNe, dyrer, Elzette Roelofse, Emre Erkan, fxbenard, TacoVerdo, Gabriel Reguly, Jenny Wong, Gary Jones, Håvard Grimelid, Joachim Jensen, Jimmy Xu, Junko Nukaga, Justina, Kenan Dervisevic, Kostas Vrouvas, Krzysztof Trynkiewicz, Luís Rodrigues, Luis Rull, Mark Thomas Gazel , Marius Jensen, matthee, Mattias Tengblad, Matúš Záhradník, Mayuko Moriyama, Michal Vittek, Milan Dinić, MrShemek, Naoko Takano, pavelevap, Peter Holme Obrestad, Petya Raykovska, Przemysław Mirota, qraczek, Rafa Poveda, Rami Yushuvaev, Rasheed Bydousi, Rhoslyn Prys, Robert Axelsen, Sergey Biryukov, Siobhan Bamber, Stephen Edgar, ک To Have داشتن, Torsten Landsiedel, Victor J. Quesada, Wolly, Xavi Ivars, Xavier Borderie

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.3!

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.

We also fixed three other security issues:

• In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
• In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
• Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.

Thanks to everyone who contributed to 4.1.2: Allan Collins, Alex Concha, Andrew Nacin, Andrew Ozz, Ben Bidner, Boone Gorges, Dion Hulse, Dominik Schilling, Drew Jaynes, Gary Pendergast, Helen Hou-Sandí, John Blackbourn, and Mike Adams.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.

Already testing WordPress 4.2? The third release candidate is now available (zip) and it contains these fixes. For more on 4.2, see the RC 1 announcement post.

The release candidate for WordPress 4.2 is now available.

We’ve made more than 140 changes since releasing Beta 4 a week and a half ago. RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.2 on Wednesday, April 22, but we need your help to get there.

If you haven’t tested 4.2 yet, now is the time! (Please though, not on your live site unless you’re adventurous.)

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

To test WordPress 4.2 RC1, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).

For more information about what’s new in version 4.2, check out the Beta 1, Beta 2, Beta 3, and Beta 4 blog posts.

Developers, please test your plugins and themes against WordPress 4.2 and update your plugin’s Tested up to version in the readme to 4.2 before next week. If you find compatibility problems, we never want to break things, so please be sure to post to the support forums so we can figure those out before the final release.

Be sure to follow along the core development blog, where we’ll continue to post notes for developers for 4.2.

Im-Press-ive saving
Achievement unlocked: RC
Release here we come

If you visit WordPress.org regularly you might have noticed some changes around the place. If you don’t, now’s the time to check them out! We’ve been working hard to improve the site to make it more useful to everyone, both developers and users, and we hope you like what we’ve done.

New Theme and Plugin Directories

Since WordPress 3.8, you’ve been enjoying improved theme management in your WordPress admin, and in WordPress 4.0 plugin management was refined. We’ve brought these experiences from your admin and re-created them right here on WordPress.org.

Theme Directory

The Theme Directory has a better browsing experience, with handy tabs where you can view featured, popular, and the latest themes. As with the theme experience in your admin, you can use the feature filter to browse for just the right theme for your WordPress website.

Click on a theme to get more information about it, including shiny screenshots, ratings, and statistics.

Konstantin Obenland posted a good overview of everything involved with the theme directory overhaul and followed up with a post on improved statistics.

Plugin Directory

The Plugin Directory has a brand new theme that mirrors the experience in your WordPress admin, with a more visual experience, and better search and statistics.

As well as a facelift, there are some great new features for you to play around with:

• Favorites – when you’re logged in to you WordPress.org account, this page gives you direct access to the plugins that you have favorited.
• Beta Testing – try out plugins where developers are experimenting with new features for WordPress.
• Search by plugin author – you can search for a plugin author using their username.
• Better statistics – listings now display the number of active installs so you can see how many people are actually using a plugin.

An overview of the new theme was posted by Scott Reilly.

Better Statistics

We’ve made huge improvements to our statistics. This gives us more useful information about the WordPress versions people are using, their PHP version, and their MySQL version.

Already these new statistics have provided us with useful insights into WordPress usage.

• More than 43% of all sites are running the latest version of WordPress. Previously, we thought only 10% of sites were up-to-date. By excluding sites that are no longer online we were able to improve these statistics.
• We were able to clear up the data around WordPress 3.0, bringing it more in line with expectations. This anomaly was a by-product of spammers.
• Only 15.9% of sites are using PHP 5.2, which is better than we thought.

Over the coming months we’ll be able to use these statistics to bring you new tools and improvements, and to make more informed decisions across the board. Read Andrew Nacin’s post about these changes for more background.

Thanks!

Thanks to everyone who contributed to the theme directory redesign, the plugin directory refresh, and improved statistics: Alin Marcu, Damon Cook, Dion Hulse, Dominik Schilling, Jan Cavan Boulas, Konstantin Obenland, Kyle Maurer, Matías Ventura, Mel Choyce, Natalie MacLees, Paul de Wouters, Samuel Sidler, Samuel Wood (Otto), Scott Reilly, Siobhan McKeown.

If you want to help out or follow along with future WordPress.org projects, check out Make WordPress and our meta development blog.

WordPress 4.2 Beta 4 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information about what’s new in version 4.2, check out the Beta 1, Beta 2, and Beta 3 blog posts. Some of the changes in Beta 4 include:

• Incrementally improved the experience when accessing the Customizer on mobile. Please test on your mobile devices and let us know if anything seems wonky.
• Added the ability to make admin notices dismissible. Plugin and theme authors: adding .notice and .is-dismissible as adjacent classes to your notice containers should automatically make them dismissible. Please test.
• Fixed some reported issues with backward-compatibility issues caused by the modularization of core JS files.
• Removed the ability to swipe the admin menu open and closed on touch devices due to reports of some issues with built-in history navigation on certain platforms.
• Improved accessibility of the WordPress admin by adding landmark roles. Screen reader users: please test in any core admin screens.
• Various bug fixes. We’ve made more than 90 changes in the last week.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed.

Dismiss notices
Customizer on mobile
RC nearly here

WordPress 4.2 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information about what’s new in version 4.2, check out the Beta 1 and Beta 2 blog posts. Some of the changes in Beta 3 include:

• Removed Shiny Installs functionality due to concerns about the activation workflow. Please test the remaining “Shiny Updates” functionality from both the Plugins > Add New and Plugins screens to ensure in-line updating still works as well as before.
• Fixed an issue with the Comments Quick Edit layout breaking on smaller screens. Please test on your mobile devices.
• Improved accessibility of login screen errors. Screen reader users: please let us know if you encounter any issues.
• Refined the emoji compatibility script to only load on the front- and back-end if the browser requires it. If you’re using a legacy web browser, please test.
• Fixed several issues in Press This with inserted images being improperly linked to locations other than the source site. Go ahead, “press” a site with images on the page and tell us if the image links aren’t working as you’d expect.
• Standardized the time display format in a variety of admin screens, switching to 24-hour notation where a.m. or p.m. are not specified. Please let us know if you notice you notice anything amiss!
• Various other bug fixes. We’ve made more than 65 changes in the last week.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed.

Emoji loader
“Shiny Updates” still stand firm
Beta 3, please test!

WordPress 4.2 Beta 2 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information about what’s new in version 4.2, check out the Beta 1 blog post. Some of the changes in Beta 2 include:

• Added support for entering FTP and SSH credentials when updating plugins in-place. FTP and SSH users, please test!
• Improved cross-browser support for emoji throughout WordPress. If you’re using an older web browser, please tell us if you have problems using emoji.
• Further refined Press This authoring with auto-embedded media and better content scanning. We’d love to know how auto-embeds work for you.
• Added a constructor and improved method consistency in WP_Comment_Query. Developers: if you’re extending WP_Comment_Query, please let us know if you run into any issues.
• Various bug fixes. We’ve made more than 70 changes in the last week.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed.

Test some emoji
FTP and SSH
Let’s “Press” some embeds!

WordPress 4.2 Beta 1 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

4.2 is due out next month, but to get there, we need your help testing what we’ve been working on:

• Press This has been completely revamped to make sharing content from around the web easier than ever. The new workflow is mobile friendly, and we’d love for you to try it out on all of your devices. Navigate to the Tools screen in your WordPress backend to get started (#31373).
• Browsing and switching installed themes has been added to the Customizer to make switching faster and more convenient. We’re especially interested to know if this helps streamline the process of setting up your site (#31303).
• The workflow for updating and installing plugins just got more intuitive with the ability to install or update in-place from the Plugins screens. Try it out and let us know what you think! (#29820)
• If you felt like emoji were starkly missing from your content toolbox, worry no more. We’ve added emoji support nearly everywhere, even post slugs 👍 (#31242).

Developers: There have been a lot of changes for you to test as well, including:

• Taxonomy Roadmap: Terms shared across multiple taxonomies will now be split into separate terms when one of them is updated. Please let us know if you hit any snags (#5809).
• New wp.a11y.speak() functionality helps your JavaScript talk to screen readers to better inform impaired users what’s happening on-screen. Try it out in your plugin or theme and let us know if you notice any adverse affects (#31368).
• Named clause support has been added to WP_Query, WP_Comment_Query, and WP_User_Query, allowing specific meta_query clauses to be used with orderby. If you have any complex queries, please test them (#31045, #31265).

If you want a more in-depth view of what changes have made it into 4.2, check out the weekly review posts on the main development blog.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed so far.

Happy testing!

Press This: switch a theme
Save time installing plugins
Testing makes us 😃

WordPress 4.1.1 is now available. This maintenance release fixes 21 bugs in version 4.1.

Some of you may have been waiting to update to the latest version until now, but there just wasn’t much to address. WordPress 4.1 was a smooth-sailing release and has seen more than 14 million downloads in the last two months.

For a full list of changes, consult the list of tickets and the changelog. We fixed one annoying issue where a tag and a category with the same name could get muddled and prevent each other from being updated.

If you are one of the millions already running WordPress 4.1 and your site, we’ve started rolling out automatic background updates for 4.1.1 for sites that support them. Otherwise, download WordPress 4.1.1 or visit Dashboard → Updates and simply click “Update Now.”

Thanks to everyone who contributed to 4.1.1: Andrea Fercia, Boone Gorges, ChriCo, Dion Hulse, David Herrera, Drew Jaynes, Takuro Hishikawa, Thorsten Frommen, Iseulde, John Blackbourn, Aaron Jorbin, mattyrob, Konstantin Obenland, Dominik Schilling, Sergey Biryukov, sippis, tmatsuur, Marin Atanasov, Derek Herman, and Weston Ruter.

It is with both great honor and sadness we also recognize Kim Parsell as a contributor to this release and a truly beloved member of the community until her untimely passing in December. The project is working to establish a conference travel scholarship in her memory. We miss you, Kim.