WordPress.org


WordPress 3.6.1 Maintenance and Security Release

Posted September 11, 2013 by Andrew Nacin. Filed under Releases, Security.

After nearly 7 million downloads of WordPress 3.6, we are pleased to announce the availability of version 3.6.1. This maintenance release fixes 13 bugs in version 3.6, which was a very smooth release.

WordPress 3.6.1 is also a security release for all previous WordPress versions and we strongly encourage you to update your sites immediately. It addresses three issues fixed by the WordPress security team:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.

Additionally, we’ve adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

We appreciated responsible disclosure of these issues directly to our security team. For more information on the changes, see the release notes or consult the list of changes.

Download WordPress 3.6.1 or update now from the Dashboard → Updates menu in your site’s admin area.

WordPress 3.6 “Oscar”

Posted August 1, 2013 by Matt Mullenweg. Filed under Releases.

The latest and greatest WordPress, version 3.6, is now live to the world and includes a beautiful new blog-centric theme, bullet-proof autosave and post locking, a revamped revision browser, native support for audio and video embeds, and improved integrations with Spotify, Rdio, and SoundCloud. Here’s a video that shows off some of the features using our cast of professional actors:

We’re calling this release “Oscar” in honor of the great jazz pianist Oscar Peterson. Here’s a bit more about some of the new features, which you can also find on the about page in your dashboard after you upgrade.

User Features

  • The new Twenty Thirteen theme inspired by modern art puts focus on your content with a colorful, single-column design made for media-rich blogging.
  • Revamped Revisions save every change and the new interface allows you to scroll easily through changes to see line-by-line who changed what and when.
  • Post Locking and Augmented Autosave will especially be a boon to sites where more than a single author is working on a post. Each author now has their own autosave stream, which stores things locally as well as on the server (so much harder to lose something) and there’s an interface for taking over editing of a post, as demonstrated beautifully by our bearded buddies in the video above.
  • Built-in HTML5 media player for native audio and video embeds with no reliance on external services.
  • The Menu Editor is now much easier to understand and use.

Developer features

  • A new audio/video API gives you access to metadata like ID3 tags.
  • You can now choose HTML5 markup for things like comment and search forms, and comment lists.
  • Better filters for how revisions work, so you can store a different amount of history for different post types.
  • Tons more listed on the Codex, and of course you can always browse the over 700 closed tickets.

The Band

This release was led by Mark Jaquith and Aaron Campbell, and included contributions from the following fine folks. Pull up some Oscar Peterson on your music service of choice, or vinyl if you have it, and check out some of their profiles:

Aaron Brazell, Aaron D. Campbell, Aaron Holbrook, Aaron Jorbin, Adam Harley, adamsilverstein, AK Ted, Alex Concha, Alex King, Alex Mills (Viper007Bond), Amaury Balmer, Amy Hendrix (sabreuse), Anatol Broder, Andrew Nacin, Andrew Ozz, Andrew Ryno, Andy Skelton, Antonio, apimlott, awellis13, Barry, Beau Lebens, BelloSwan, bilalcoder, Billy (bananastalktome), bobbingwide, Bob Gregor, bradparbs, Brady Vercher, Brandon Kraft, Brian Layman, Brian Zeligson, Bryan Petty, Callum Macdonald, Carl Danley, Caspie, Charleston Software Associates, cheeserolls, Chip Bennett, Chris Olbekson, Christopher Cochran, Christopher Finke, Chris Wallace, Cor van Noorloos, crazycoders, Daniel Bachhuber, Daniel Dvorkin (MZAWeb), Daniel Jalkut (Red Sweater), daniloercoli, Danny de Haan, Dave Ross, David Favor, David Trower, David Williamson, Dion Hulse, dllh, Dominik Schilling (ocean90), dovyp, Drew Jaynes (DrewAPicture), dvarga, Edward Caissie, elfin, Empireoflight, Eric Andrew Lewis, Erick Hitter, Eric Mann, Evan Solomon, faishal, feedmeastraycat, Frank Klein, Franz Josef Kaiser, FStop, Gabriel Koen, Gary Cao, Gary Jones, gcorne, GeertDD, Gennady Kovshenin, George Stephanis, gish, Gregory Karpinsky, hakre, hbanken, hebbet, Helen Hou-Sandi, helgatheviking, hirozed, hurtige, hypertextranch, Ian Dunn, Ipstenu (Mika Epstein), jakub, James Michael DuPont, jbutkus, Jeremy Felt, Jerry Bates (JerrySarcastic), Jesper Johansen (Jayjdk), Joe Hoyle, Joen Asmussen, Joey Kudish, John Blackbourn (johnbillion), John James Jacoby, Jonas Bolinder (jond3r), Jonathan Desrosiers, Jon Bishop, Jon Cave, Jose Castaneda, Joseph Scott, Josh Visick, jrbeilke, jrf, Justin de Vesine, Justin Sainton, kadamwhite, Kailey (trepmal), karmatosed, Kelly Dwan, keoshi, Konstantin Kovshenin, Konstantin Obenland, ktdreyer, Kurt Payne, kwight, Lance Willett, Lee Willis (leewillis77), lessbloat, Mantas Malcius, Maor Chasen, Marcel Brinkkemper, MarcusPope, Mark-k, Mark Jaquith, Mark McWilliams, Marko Heijnen, Matt Banks, Matthew 
Boynes, MatthewRuddy, Matt Wiebe, Max Cutler, Mel Choyce, mgibbs189, Michael, Michael Adams (mdawaffe), Michael Beckwith, Michael Fields, Mike Hansen, Mike Schroder, Milan Dinic, mitcho (Michael Yoshitaka Erlewine), Mohammad Jangda, najamelan, Naoko Takano, Nashwan Doaqan, Niall Kennedy, Nick Daugherty, Nick Halsey, ninnypants, norcross, ParadisePorridge, Paul, Paul Clark, pavelevap, Pete Mall, Peter Westwood, Phill Brown, Pippin Williamson, Pollett, Prasath Nadarajah, programmin, rachelbaker, Rami Yushuvaev, redpixelstudios, reidburke, retlehs, Reuben Gunday, rlerdorf, Rodrigo Primo, roulandf, rovo89, Ryan Duff, Ryan Hellyer, Ryan McCue, Safirul Alredha, sara cannon, scholesmafia, Scott Kingsley Clark, Scott Reilly, Scott Taylor, scribu, Seisuke Kuraishi (tenpura), Sergej, Sergey Biryukov, Simon Hampel, Simon Wheatley, Siobhan, sirzooro, slene, solarissmoke, SriniG, Stephen Harris, storkontheroof, Sunny Ratilal, sweetie089, Tar, Taylor Lovett, Thomas van der Beek, Tim Carr, tjsingleton, TobiasBg, toscho, Tracy Rotton, TravisHoffman, uuf6429, Vitor Carvalho, wojtek, wpewill, WraithKenny, wycks, Xavier Borderie, Yoav Farhi, Zachary Brown, Zack Tollman, zekeweeks, ziegenberg, and viniciusmassuchetto.

Time to upgrade!

WordPress 3.6 Release Candidate 2

Posted July 24, 2013 by Mark Jaquith. Filed under Development, Testing.

The second release candidate for WordPress 3.6 is now available for download and testing.

We’re down to only a few remaining issues, and the final release should be available in a matter of days. In RC2, we’ve tightened up some aspects of revisions, autosave, and the media player, and fixed some bugs that were spotted in RC1. Please test this release candidate as much as you can, so we can deliver a smooth final release!

Think you’ve found a bug? Please post to the Alpha/Beta area in the support forums.

Developers, please continue to test your plugins and themes, so that if there is a compatibility issue, we can figure it out before the final release. You can find our list of known issues here.

To test WordPress 3.6, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip).

Revisions so smooth
We autosave your changes
Data loss begone!

WordPress 3.6 Release Candidate

Posted July 13, 2013 by Mark Jaquith. Filed under Development, Testing.

The first release candidate for WordPress 3.6 is now available.

We hope to ship WordPress 3.6 in a couple weeks. But to do that, we really need your help! If you haven’t tested 3.6 yet, there’s no time like the present. (But please: not on a live production site, unless you’re feeling especially adventurous.)

Think you’ve found a bug? Please post to the Alpha/Beta area in the support forums. If any known issues come up, you’ll be able to find them here. Developers, please test your plugins and themes, so that if there is a compatibility issue, we can sort it out before the final release.

To test WordPress 3.6, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip).

As you may have heard, we backed the Post Format UI feature out of the release. On the other hand, our slick new revisions browser had some extra time to develop. You should see it with 200+ revisions loaded — scrubbing back and forth at lightning speed is a thing of beauty.

Delayed, but still loved
The release will be out soon
Test it, por favor

Annual WordPress Survey & WCSF

Posted July 9, 2013 by Matt Mullenweg. Filed under Community, Events.

It’s time for our third annual user and developer survey! If you’re a WordPress user, developer, or business, we want your feedback. Just like previous years, we’ll share the data at the upcoming WordCamp San Francisco (WCSF). Results will also be sent to each survey respondent.

It only takes a few minutes to fill out the survey, which will provide an overview of how people use WordPress.

If you missed past State of the Word keynotes, be sure to check them out for survey results from 2011 and 2012.

Speaking of WCSF, if you didn’t get a ticket or are too far away to attend, you can still get a ticket for the live stream! Watch the live video stream from the comfort of your home on July 26 and 27; WCSF t-shirt, or any shirt, optional.

I hope to see you there.

WordPress 3.5.2 Maintenance and Security Release

Posted June 21, 2013 by Andrew Nacin. Filed under Releases, Security.

WordPress 3.5.2 is now available. This is the second maintenance release of 3.5, fixing 12 bugs. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. The WordPress security team resolved seven security issues, and this release also contains some additional security hardening.

The security fixes included:

  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  • Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki. (Developers: More on SWFUpload here.)
  • Prevention of a denial of service attack, affecting sites using password-protected posts.
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
  • Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
  • Avoid disclosing a full file path when an upload fails. Reported by Jakub Galczyk.

We appreciated responsible disclosure of these issues directly to our security team. For more information on the changes, see the release notes or consult the list of changes.

Download WordPress 3.5.2 or update now from the Dashboard → Updates menu in your site’s admin area.

Also: WordPress 3.6 Beta 4: If you are testing WordPress 3.6, please note that WordPress 3.6 Beta 4 (zip) includes fixes for these security issues.

Ten Good Years

Posted May 31, 2013 by Matt Mullenweg. Filed under Meta.

It’s been ten years since we started this thing, and what a long way we’ve come. From a discussion between myself and Mike Little about forking our favorite blogging software, to powering 18% of the web. It’s been a crazy, exciting, journey, and one that won’t stop any time soon.

At ten years, it’s fun to reflect on our beginnings. We launched WordPress on 27th May 2003, but that wasn’t inception. Go back far enough, and you can read a post by Michel Valdrighi who, frustrated by the self-hosted blogging platforms available, decided to write his own software; “b2, a PHP+MySQL alternative to Blogger and GreyMatter.” b2 was easy to install, easy to configure, and easy for developers to extend. Of all the blogging platforms out there, b2 was the right one for me: I could write my content and get it on the web quickly and painlessly.

Sometimes, however, life gets in the way. In 2002, Michel stopped maintaining b2. Over time, security flaws became apparent and updates were needed and, while the b2 community could write patches and fixes, no one was driving the software forward. We were lucky that Michel decided to release b2 under the GPL; the software may have been abandoned, but we weren’t without options. A fork was always a possibility. That was where it stood in January 2003, when I posted about forking b2 and Mike responded. The rest, as they say, is history.

From the very beginning to the present day, I’ve been impressed by the thought, care, and dedication that WordPress’ developers have demonstrated. Each one has brought his or her unique perspective, each individual has strengthened the whole. It would be impossible to thank each of them here individually, but their achievements speak for themselves. In WordPress 1.2 the new Plugin API made it easy for developers to extend WordPress. In the same release gettext() internationalization opened WordPress up to every language (hat tip: Ryan Boren for spending hours wrapping strings with gettext). In WordPress 1.5 our Theme system made it possible for WordPress users to quickly change their site’s design: there was huge resistance to the theme system from the wider community at the time, but can you imagine WordPress without it? Versions 2.7, 2.8, and 2.9 saw improvements that let users install and update their plugins and themes with one click. WordPress has seen a redesign by happycog (2.3) and gone under extensive user testing and redesign (Crazyhorse, Liz Danzico and Jen Mylo, WordPress 2.5). In WordPress 3.0 we merged WordPress MU with WordPress — a huge job but 100% worth it. And in WordPress 3.5 we revamped the media uploader to make it easier for people to get their images, video, and media online.

In sticking to our commitment to user experience, we’ve done a few things that have made us unpopular. The WYSIWYG editor was hated by many, especially those who felt that if you have a blog you should know HTML. Some developers hated that we stuck with our code, refusing to rewrite, but it’s always been the users that matter: better a developer lose sleep than a site break for a user. Our code isn’t always beautiful, after all, when WordPress was created most of us were still learning PHP, but we try to make a flawless experience for users.

It’s not all about developers. WordPress’ strength lies in the diversity of its community. From the start, we wanted a low barrier to entry and we came up with our “famous 5 minute install”. This brought on board users from varied technical backgrounds: people who didn’t write code wanted to help make WordPress better. If you couldn’t write code, it didn’t matter: you could answer a question in the support forums, write documentation, translate WordPress, or build your friends and family a WordPress website. There is space in the community for anyone with a passion for WordPress.

It’s been wonderful to see all of the people who have used WordPress to build their home on the internet. Early on we got excited by switchers. From a community of tinkerers we grew, as writers such as Om Malik, Mark Pilgrim, and Molly Holzschlag made the switch to WordPress. Our commitment to effortless publishing quickly paid off and has continued to do so: the WordPress 1.2 release saw 822 downloads per day, our latest release, WordPress 3.5, has seen 145,692 per day.

I’m continually amazed by what people have built with WordPress. I’ve seen musicians and photographers, magazines such as Life, BoingBoing, and the New York Observer, government websites, a filesystem, mobile applications, and even seen WordPress guide missiles.

As the web evolves, WordPress evolves. Factors outside of our control will always influence WordPress’ development: today it’s mobile devices and retina display, tomorrow it could be Google Glass or technology not yet conceived. A lot can happen in ten years! As technology changes and advances, WordPress has to change with it while remaining true to its core values: making publishing online easy for everyone. How we rise to these challenges will be what defines WordPress over the coming ten years.

To celebrate ten years of WordPress, we’re working on a book about our history. We’re carrying out interviews with people who have been involved with the community from the very beginning, those who are still around, and those who have left. It’s a huge project, but we wanted to have something to share with you on the 10th anniversary. To learn about the very early days of WordPress, just after Mike and I forked b2, you can download Chapter 3 right here. We’ll be releasing the rest of the book serially, so watch out as the story of the last ten years emerges.

In the meantime, I penned my own letter to WordPress and other community members have been sharing their thoughts:

You can see how WordPress’ 10th Anniversary was celebrated all over the world by visiting the wp10 website, according to Meetup we had 4,999 celebrators.

To finish, I just want to say thank you to everyone: to the developers who write the code, to the designers who make WordPress sing, to the worldwide community translating WordPress into so many languages, to volunteers who answer support questions, to those who make WordPress accessible, to the systems team and the plugin and theme reviewers, to documentation writers, event organisers, evangelists, detractors, supporters and friends. Thanks to the jazzers whose music inspired us and whose names are at the heart of WordPress. Thanks to everyone who uses WordPress to power their blog or website, and to everyone who will in the future. Thanks to WordPress and its community that I’m proud to be part of.

Thank you. I can’t wait to see what the next ten years bring.

Final thanks to Siobhan McKeown for help with this post.

The Next 10 Starts Now

Posted May 27, 2013 by Jen Mylo. Filed under Community.

All around the globe today, people are celebrating the 10th anniversary of the first WordPress release, affectionately known as #wp10. Watching the feed of photos, tweets, and posts from Auckland to Zambia is incredible; from first-time bloggers to successful WordPress-based business owners, people are coming out in droves to raise a glass and share the “holiday” with their local communities. With hundreds of parties going on today, it’s more visible than ever just how popular WordPress has become.

Thank you to everyone who has ever contributed to this project: your labors of love made this day possible.

But today isn’t just about reflecting on how we got this far (though I thought Matt’s reflection on the first ten years was lovely). We are constantly moving forward. As each release cycle begins and ends (3.6 will be here soon, promise!), we always see an ebb and flow in the contributor pool. Part of ensuring the longevity of WordPress means mentoring new contributors, continually bringing new talent and fresh points of view to our family table.

I am beyond pleased to announce that this summer we will be mentoring 8 interns, most of them new contributors, through Google Summer of Code and the Gnome Outreach Program for Women. Current contributors, who already volunteer their time working on WordPress, will provide the guidance and oversight for a variety of exciting projects this summer. Here are the people/projects involved in the summer internships:

  • Ryan McCue, from Australia, working on a JSON-based REST API. Mentors will be Bryan Petty and Eric Mann, with a reviewer assist from Andrew Norcross.
  • Kat Hagan, from the United States, working on a Post by Email plugin to replace the core function. Mentors will be Justin Shreve and George Stephanis, with an assist from Peter Westwood.
  • Siobhan Bamber, from Wales, working on a support (forums, training, documentation) internship. Mentors will be Mika Epstein and Hanni Ross.
  • Frederick Ding, from the United States, working on improving portability. Mentors will be Andrew Nacin and Mike Schroder.
  • Sayak Sakar, from India, working on porting WordPress for WebOS to Firefox OS. Mentor will be Eric Johnson.
  • Alex Höreth, from Germany, working on adding WordPress native revisions to the theme and plugin code editors. Mentors will be Dominik Schilling and Aaron Campbell, with a reviewer assist from Daniel Bachhuber.
  • Mert Yazicioglu, from Turkey, working on ways to improve our community profiles at profiles.wordpress.org. Mentors will be Scott Reilly and Boone Gorges.
  • Daniele Maio, from Italy, working on a native WordPress app for Blackberry 10. Mentor will be Danilo Ercoli.

Did you notice that our summer cohort is as international as the #wp10 parties going on today? I can only think that this is a good sign.

It’s always a difficult process to decide which projects to mentor through these programs. There are always more applicants with interesting ideas with whom we’d like to work than there are opportunities. Luckily, WordPress is a free/libre open source software project, and anyone can begin contributing at any time. Is this the year for you? We’d love for you to join us as we work toward #wp20. ;)

WordPress 3.6 Beta 3

Posted May 11, 2013 by Mark Jaquith. Filed under Development.

WordPress 3.6 Beta 3 is now available!

This is software still in development and we really don’t recommend that you run it on a production site — set up a test site just to play with the new version. To test WordPress 3.6, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

Beta 3 contains about a hundred changes, including improvements to the image Post Format flow (yay, drag-and-drop image upload!), a more polished revision comparison screen, and a more quote-like quote format for Twenty Thirteen.

As a bonus, we now have oEmbed support for the popular music-streaming services Rdio and Spotify (the latter of which kindly created an oEmbed endpoint a mere 24 hours after we lamented their lack of one). Here’s an album that’s been getting a lot of play as I’ve been working on WordPress 3.6:

Plugin developers, theme developers, and WordPress hosts should be testing beta 3 extensively. The more you test the beta, the more stable our release candidates and our final release will be.

As always, if you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a reproducible bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed so far.

We’re looking forward to your feedback. If you find a bug, please report it, and if you’re a developer, try to help us fix it. We’ve already had more than 150 contributors to version 3.6 — it’s not too late to join in!

WordPress 3.6 Beta 2

Posted April 29, 2013 by Mark Jaquith. Filed under Development.

WordPress 3.6 Beta 2 is now available!

This is software still in development and we really don’t recommend that you run it on a production site — set up a test site just to play with the new version. To test WordPress 3.6, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

The longer-than-usual delay between beta 1 and beta 2 was due to poor user testing results with the Post Formats UI. Beta 2 contains a modified approach for format choosing and switching, which has done well in user testing. We’ve also made the Post Formats UI hide-able via Screen Options, and set a reasonable default based on what your theme supports.

There were a lot of bug fixes and polishing tweaks done for beta 2 as well, so definitely check it out if you had any issues with beta 1.

Plugin developers, theme developers, and WordPress hosts should be testing beta 2 extensively. The more you test the beta, the more stable our release candidates and our final release will be.

As always, if you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a reproducible bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed so far.

We’re looking forward to your feedback. If you find a bug, please report it, and if you’re a developer, try to help us fix it. We’ve already had more than 150 contributors to version 3.6 — it’s not too late to join in!
