WordPress.org

WordPress 4.2.1 Security Release

Posted April 27, 2015 by Gary Pendergast. Filed under Releases, Security.

WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.

WordPress 4.2 “Powell”

Posted April 23, 2015 by Matt Mullenweg. Filed under Releases.

Version 4.2 of WordPress, named “Powell” in honor of jazz pianist Bud Powell, is available for download or update in your WordPress dashboard. New features in 4.2 help you communicate and share, globally.


An easier way to share content

Press ThisClip it, edit it, publish it. Get familiar with the new and improved Press This. From the Tools menu, add Press This to your browser bookmark bar or your mobile device home screen. Once installed you can share your content with lightning speed. Sharing your favorite videos, images, and content has never been this fast or this easy.


Extended character support

Character support for emoji, special charactersWriting in WordPress, whatever your language, just got better. WordPress 4.2 supports a host of new characters out-of-the-box, including native Chinese, Japanese, and Korean characters, musical and mathematical symbols, and hieroglyphs.

Don’t use any of those characters? You can still have fun — emoji are now available in WordPress! Get creative and decorate your content with 💙, 🐸, 🐒, 🍕, and all the many other emoji.


Customizer theme switcher

Switch themes in the Customizer

Browse and preview your installed themes from the Customizer. Make sure the theme looks great with your content, before it debuts on your site.

Tumbr.com oEmbed example

Even more embeds

Paste links from Tumblr.com and Kickstarter and watch them magically appear right in the editor. With every release, your publishing and editing experience get closer together.

Inline plugin updates

Streamlined plugin updates

Goodbye boring loading screen, hello smooth and simple plugin updates. Click Update Now and watch the magic happen.


Under the Hood

utf8mb4 support

Database character encoding has changed from utf8 to utf8mb4, which adds support for a whole range of new 4-byte characters.

JavaScript accessibility

You can now send audible notifications to screen readers in JavaScript with wp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.

Shared term splitting

Terms shared across multiple taxonomies will be split when one of them is updated. Find out more in the Plugin Developer Handbook.

Complex query ordering

WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.


The Team

Drew JaynesThis release was led by Drew Jaynes, with the help of these fine individuals. There are 283 contributors with props in this release, a new high. Pull up some Bud Powell on your music service of choice, and check out some of their profiles:

@mercime, A5hleyRich, Aaron D. Campbell, Aaron Jorbin, Abhishek Kumar, Adam Silverstein, Ahmad Awais, Alex King, Alex Mills, Alin Marcu, Allan Collins, Andrea Fercia, Andrew Bauer, Andrew Nacin, Andrew Norcross, Andrew Ozz, Ankit Gade, Ankit K Gupta, Anton Timmermans, Aram Zucker-Scharff, ArminBraun, Ashfame, Austin Matzko, avryl, Barry Kooij, Beau Lebens, Ben Doherty (Oomph, Inc), Billy S, Boone B. Gorges, Brandon Kraft, Brian Krogsgard, Brian Watson, CalEvans, Caroline, Casey Driscoll, Caspie, Chip Bennett, chipx86, ChriCo, Chris Baldelomar, Chris Olbekson, chriscct7, Christian Foellmann, Christopher Finke, Clifton Griffin, Code Master, Courtney Ivey, Craig Ralston, cweiske, Cătălin Dogaru, Daisuke Takahashi, Damian, Daniel Bachhuber, Daniel Jalkut (Red Sweater), Darin Kotter, Darren Ethier (nerrad), Daryl L. L. Houston (dllh), Dave McHale, David A. Kennedy, David Anderson, David Herrera, davideugenepratt, davidhamiltron, Denis de Bernardy, Derek Herman, Derek Smart, designsimply, Dion Hulse, Dipesh Kakadiya, Dominik Schilling, doublesharp, DzeryCZ, Dzikri Aziz, e.mazovetskiy, Eduardo Reveles, Edward Caissie, Elio Rivero, Ella Iseulde Van Dorpe, elliottcarlson, Enej Bajgorić, Eric Andrew Lewis, Eric Binnion, Erick Hitter, Erin 'Folletto' Casali, Evan Solomon, Fabien Quatravaux, fhwebcs, Florian Simeth, Frank Bueltge, Frank P. Walentynowicz, Franz Josef Kaiser, gabrielperezs, Garth Mortensen, Gary Cao, Gary Jones, Gary Pendergast, Geert De Deckere, genkisan, George Stephanis, Grégory Viguier, Graham Armfield, Gustavo Bordoni, hakre, Harish Chaudhari, hauvong, Helen Hou-Sandí, herbmillerjr, Hew, Hinaloe, horike, Hugh Lashbrooke, Hugo Baeta, Ian Dunn, ianmjones, idealien, Ipstenu (Mika Epstein), J.D. Grimes, Jack Lenox, James Collins, janhenckens, Jeff Farthing, Jeffrey de Wit, Jeremy Felt, Jesin A, Jip Moors, Joan Artes, Joe Dolson, Joe McGill, Joel Bernerman, Joen A., John Blackbourn, John Eckman, John James Jacoby, John Levandowski, Jonathan Desrosiers, joost de keijzer, Joost de Valk, Jose Castaneda, Josh Levinson, jphase, Julio Potier, Justin Kopepasah, Justin Sternberg, Justin Watt, K. Adam White, Kailey (trepmal), Kelly Choyce-Dwan, Kevin Ruscoe, Kim Parsell, Kite, Konstantin Kovshenin, Konstantin Obenland, Lance Willett, Leo, Leonardo Giacone, Liam Gladdy, maimairel, Mako, mallorydxw-old, Manny Fleurmond, marcelomazza, Marco Chiesi, Marcus Kazmierczak, Marin Atanasov, Mario Peshev, Marius L. J., Mark Jaquith, Marko Heijnen, Mathieu Viet, Matt Gibbs, Matt Martz, Matt Mullenweg, Matt Wiebe, Matt Zak, Matthew Boynes, Matthew Eppelsheimer, Matthew Haines-Young, mattyrob, Max Cutler, Mehul Kaklotar, Mel Choyce-Dwan, meloniq, Michael Adams (mdawaffe), Michael Arestad, Michael Beckwith, michalzuber, Mike Glendinning, Mike Hansen, Mike Jordan, Mike Schinkel, MikeNGarrett, Milan Dinić, mmn-o, Mohammad Jangda, MomDad, Morgan Estes, Morpheu5, Naoko Takano, nathan_dawson, Neil Pie, Nick Halsey, nicnicnicdevos, Nikhil Vimal, Nikolay Bachiyski, Nithin, Nuno Morgadinho, OriginalEXE, Paresh Radadiya, Pat Hawks, Paul Bearne, Paul Schreiber, Paul Wilde, pavelevap, Payton Swick, Pete Mall, Pete Nelson, Peter Wilson, Philipp Cordes, Pippin Williamson, podpirate, postpostmodern, Prasath Nadarajah, prasoon2211, Primoz Cigler, r-a-y, Rachel Baker, rahulbhangale, Rami Yushuvaev, Rastislav Lamos, Ravindra Pal Singh, Rian Rietveld, Ritesh Patel, Robert Chapin, Rodrigo Primo, Ross Wintle, Ryan Boren, Ryan Marks, Ryan Welcher, Sagar Jadhav, Samir Shah, samo9789, Samuel Sidler, Scott Grant, Scott Reilly, Scott Taylor, scott.gonzalez, scribu, Sean Hayes, Senff - a11n, Sergej Müller, Sergey Biryukov, sevenspark, Simon Wheatley, Siobhan, Slobodan Manic, Stephane Daury, Stephanie Leary, Stephen Edgar, Steve Grunwell, stevehickeydesign, Steven Word, taka2, Takashi Irie, Takuro Hishikawa, theMikeD, thomaswm, Thorsten Frommen, Till Krüss, Timi Wahalahti, Timothy Jacobs, tiqbiz, tmatsuur, Tmeister, Tobias Schutter, TobiasBg, Travis Northcutt, Trisha Salas, Ty Carlson, Tyrel Kelsey, uamv, Udit Desai, Ulrich Sossou, Veritaserum, VolodymyrC, vortfu, Weston Ruter, William Earnhardt, willstedt, and WordPressor.

Special thanks go to Siobhan McKeown for producing the release video and Cami Kaos for the voice-over.

Finally, thanks to all of the contributors who provided subtitles for the release video, which at last count had been translated into 30 languages!

Adrian Pop, Alin Marcu, Bagerathan Sivarajah, Besnik, Bjørn Johansen, Chantal Coolsma, cubells, Daisuke Takahashi, Diana K. Cury, DjZoNe, dyrer, Elzette Roelofse, Emre Erkan, fxbenard, TacoVerdo, Gabriel Reguly, Jenny Wong, Gary Jones, Håvard Grimelid, Joachim Jensen, Jimmy Xu, Junko Nukaga, JustinaKenan DervisevicKostas Vrouvas, Krzysztof Trynkiewicz, Luís Rodrigues, Luis Rull, Mark Thomas Gazel , Marius Jensen, matthee, Mattias Tengblad, Matúš Záhradník, Mayuko Moriyama, Michal Vittek, Milan Dinić, MrShemek, Naoko Takano, pavelevap, Peter Holme Obrestad, Petya Raykovska, Przemysław Mirota, qraczek, Rafa Poveda, Rami Yushuvaev, Rasheed Bydousi, Rhoslyn Prys, Robert Axelsen, Sergey Biryukov, Siobhan Bamber, Stephen Edgar, ک To Have داشتن, Torsten Landsiedel, Victor J. Quesada, Wolly, Xavi Ivars, Xavier Borderie

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.3!

WordPress 4.1.2 Security Release

Posted April 21, 2015 by Gary Pendergast. Filed under Releases, Security.

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.

We also fixed three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.

Thanks to everyone who contributed to 4.1.2: Allan Collins, Alex Concha, Andrew Nacin, Andrew Ozz, Ben Bidner, Boone Gorges, Dion Hulse, Dominik Schilling, Drew Jaynes, Gary Pendergast, Helen Hou-Sandí, John Blackbourn, and Mike Adams.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.

Already testing WordPress 4.2? The third release candidate is now available (zip) and it contains these fixes. For more on 4.2, see the RC 1 announcement post.

WordPress 4.2 Release Candidate

Posted April 15, 2015 by Drew Jaynes. Filed under Development, Releases.

The release candidate for WordPress 4.2 is now available.

We’ve made more than 140 changes since releasing Beta 4 a week and a half ago. RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.2 on Wednesday, April 22, but we need your help to get there.

If you haven’t tested 4.2 yet, now is the time! (Please though, not on your live site unless you’re adventurous.)

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

To test WordPress 4.2 RC1, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).

For more information about what’s new in version 4.2, check out the Beta 1, Beta 2, Beta 3, and Beta 4 blog posts.

Developers, please test your plugins and themes against WordPress 4.2 and update your plugin’s Tested up to version in the readme to 4.2 before next week. If you find compatibility problems, we never want to break things, so please be sure to post to the support forums so we can figure those out before the final release.

Be sure to follow along the core development blog, where we’ll continue to post notes for developers for 4.2.

Im-Press-ive saving
Achievement unlocked: RC
Release here we come

Improvements to WordPress.org

Posted April 4, 2015 by Samuel Sidler. Filed under Meta.

If you visit WordPress.org regularly you might have noticed some changes around the place. If you don’t, now’s the time to check them out! We’ve been working hard to improve the site to make it more useful to everyone, both developers and users, and we hope you like what we’ve done.

New Theme and Plugin Directories

Since WordPress 3.8, you’ve been enjoying improved theme management in your WordPress admin, and in WordPress 4.0 plugin management was refined. We’ve brought these experiences from your admin and re-created them right here on WordPress.org.

Theme Directory

The Theme Directory has a better browsing experience, with handy tabs where you can view featured, popular, and the latest themes. As with the theme experience in your admin, you can use the feature filter to browse for just the right theme for your WordPress website.

theme-directory

Click on a theme to get more information about it, including shiny screenshots, ratings, and statistics.

theme-directory-individual

Konstantin Obenland posted a good overview of everything involved with the theme directory overhaul and followed up with a post on improved statistics.

Plugin Directory

The Plugin Directory has a brand new theme that mirrors the experience in your WordPress admin, with a more visual experience, and better search and statistics.

plugin-directory

As well as a facelift, there are some great new features for you to play around with:

  • Favorites – when you’re logged in to you WordPress.org account, this page gives you direct access to the plugins that you have favorited.
  • Beta Testing – try out plugins where developers are experimenting with new features for WordPress.
  • Search by plugin author – you can search for a plugin author using their username.
  • Better statistics – listings now display the number of active installs so you can see how many people are actually using a plugin.

An overview of the new theme was posted by Scott Reilly.

Better Statistics

We’ve made huge improvements to our statistics. This gives us more useful information about the WordPress versions people are using, their PHP version, and their MySQL version.

Already these new statistics have provided us with useful insights into WordPress usage.

  • More than 43% of all sites are running the latest version of WordPress. Previously, we thought only 10% of sites were up-to-date. By excluding sites that are no longer online we were able to improve these statistics.
  • We were able to clear up the data around WordPress 3.0, bringing it more in line with expectations. This anomaly was a by-product of spammers.
  • Only 15.9% of sites are using PHP 5.2, which is better than we thought.

Over the coming months we’ll be able to use these statistics to bring you new tools and improvements, and to make more informed decisions across the board. Read Andrew Nacin’s post about these changes for more background.

Thanks!

Thanks to everyone who contributed to the theme directory redesign, the plugin directory refresh, and improved statistics: Alin MarcuDamon Cook, Dion Hulse, Dominik Schilling, Jan Cavan Boulas, Konstantin Obenland, Kyle Maurer, Matías Ventura, Mel Choyce, Natalie MacLees, Paul de Wouters, Samuel Sidler, Samuel Wood (Otto), Scott Reilly, Siobhan McKeown.

If you want to help out or follow along with future WordPress.org projects, check out Make WordPress and our meta development blog.

WordPress 4.2 Beta 4

Posted April 3, 2015 by Drew Jaynes. Filed under Development, Releases.

WordPress 4.2 Beta 4 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information about what’s new in version 4.2, check out the Beta 1, Beta 2, and Beta 3 blog posts. Some of the changes in Beta 4 include:

  • Incrementally improved the experience when accessing the Customizer on mobile. Please test on your mobile devices and let us know if anything seems wonky.
  • Added the ability to make admin notices dismissible. Plugin and theme authors: adding .notice and .is-dismissible as adjacent classes to your notice containers should automatically make them dismissible. Please test.
  • Fixed some reported issues with backward-compatibility issues caused by the modularization of core JS files.
  • Removed the ability to swipe the admin menu open and closed on touch devices due to reports of some issues with built-in history navigation on certain platforms.
  • Improved accessibility of the WordPress admin by adding landmark roles. Screen reader users: please test in any core admin screens.
  • Various bug fixes. We’ve made more than 90 changes in the last week.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed.

Dismiss notices
Customizer on mobile
RC nearly here

See Also:

Want to follow the code? There’s a development P2 blog and you can track active development in the Trac timeline that often has 20–30 updates per day.

Want to find an event near you? Check out the WordCamp schedule and find your local Meetup group!

For more WordPress news, check out the WordPress Planet or subscribe to the WP Briefing podcast.

Categories

Subscribe to WordPress News

Join 1,930,688 other subscribers

Archives

%d bloggers like this: