WordPress.org

WordPress 4.6 Beta 1 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.6, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

WordPress 4.6 is slated for release on August 16, but to get there, we need your help testing what we have been working on, including:

• Shiny Updates v2 ([37714]) – Shiny Updates replaces progress updates with a simpler and more straight forward experience when installing, updating, and deleting plugins and themes.
• Native Fonts in the Admin (#36753) – Experience faster load times, especially when working offline, a removal of a third-party dependency, and a more native-feeling experience as the lines between the mobile web and native applications continue to blur.
• Editor Improvements – A more reliable recovery mode (#37025) and detection of broken URLs while you type them (#36638).

There have been changes for developers to explore as well:

• Resource Hints (#34292) – Allow browsers to prefetch specific pages, render them in the background, perform DNS lookups, or to begin the connection handshake (DNS, TCP, TLS) in the background.
• New WP_Site_Query (#35791) and WP_Network_Query (#32504) classes to query sites and networks with lazy loading for details.
• Requests (#33055) – A new PHP library for HTTP requests that supports parallel requests and more.
• WP_Term_Query (#35381) is modeled on existing query classes and provides a more consistent structure for generating term queries.
• Language Packs (#34114, #34213) – Translations managed through translate.wordpress.org now have a higher priority and are loaded just-in-time.
• WP_Post_Type (#36217) provides easier access to post type objects and their underlying properties.
• The Widgets API (#28216) was enhanced to support registering pre-instantiated widgets.
• Index definitions are now normalized by dbDelta() ([37583]).
• Comments can now be stored in a persistent object cache (#36906).
• External Libraries were updated to the latest versions – Masonry to 3.3.2 and imagesLoaded to 3.2.0 (#32802), MediaElement.js to 2.21.2 (#36759), and TinyMCE to 4.3.13 (#37225).
• REST API responses now include an auto-discovery header (#35580) and a refreshed nonce when responding to an authenticated response (#35662).
• Expanded Meta Registration API via register_meta() (#35658).
• Customizer – Improved API for setting validation (#34893, #36944).

If you want a more in-depth view of what major changes have made it into 4.6, check out posts tagged with 4.6 on the main development blog, or look at a list of everything that’s changed.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on the WordPress Trac. There, you can also find a list of known bugs.

Happy testing!

More Shiny Updates
In 4.6 Beta 1.
And Font Natively.

WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen from the Wordfence Research Team; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood of  the WordPress security team.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.5.3 fixes 17 bugs from 4.5, 4.5.1 and 4.5.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.5.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.5.3.

Thanks to everyone who contributed to 4.5.3:

Boone Gorges, Silvan Hagen, vortfu, Eric Andrew Lewis, Nikolay Bachiyski,  Michael Adams, Jeremy Felt, Dominik Schilling, Weston Ruter, Dion Hulse, Rachel Baker, Alex Concha, Jennifer M. Dodd, Brandon Kraft, Gary Pendergast, Ella Iseulde Van Dorpe, Joe McGill, Pascal Birchler, Sergey Biryukov, David Herrera and Adam Silverstein.