WordPress.org

An Update with You in Mind

Gear up for a more intuitive WordPress!

Version 4.8 of WordPress, named “Evans” in honor of jazz pianist and composer William John “Bill” Evans, is available for download or update in your WordPress dashboard. New features in 4.8 add more ways for you to express yourself and represent your brand.

Though some updates seem minor, they’ve been built by hundreds of contributors with you in mind. Get ready for new features you’ll welcome like an old friend: link improvements, three new media widgets covering images, audio, and video, an updated text widget that supports visual editing, and an upgraded news section in your dashboard which brings in nearby and upcoming WordPress events.

---

Exciting Widget Updates

Image Widget

Adding an image to a widget is now a simple task that is achievable for any WordPress user without needing to know code. Simply insert your image right within the widget settings. Try adding something like a headshot or a photo of your latest weekend adventure — and see it appear automatically.

Video Widget

A welcome video is a great way to humanize the branding of your website. You can now add any video from the Media Library to a sidebar on your site with the new Video widget. Use this to showcase a welcome video to introduce visitors to your site or promote your latest and greatest content.

Audio Widget

Are you a podcaster, musician, or avid blogger? Adding a widget with your audio file has never been easier. Upload your audio file to the Media Library, go to the widget settings, select your file, and you’re ready for listeners. This would be a easy way to add a more personal welcome message, too!

Rich Text Widget

This feature deserves a parade down the center of town! Rich-text editing capabilities are now native for Text widgets. Add a widget anywhere and format away. Create lists, add emphasis, and quickly and easily insert links. Have fun with your newfound formatting powers, and watch what you can accomplish in a short amount of time.

---

Link Boundaries

Have you ever tried updating a link, or the text around a link, and found you can’t seem to edit it correctly? When you edit the text after the link, your new text also ends up linked. Or you edit the text in the link, but your text ends up outside of it. This can be frustrating! With link boundaries, a great new feature, the process is streamlined and your links will work well. You’ll be happier. We promise.

---

Nearby WordPress Events

Did you know that WordPress has a thriving offline community with groups meeting regularly in more than 400 cities around the world? WordPress now draws your attention to the events that help you continue improving your WordPress skills, meet friends, and, of course, publish!

This is quickly becoming one of our favorite features. While you are in the dashboard (because you’re running updates and writing posts, right?) all upcoming WordCamps and official WordPress Meetups — local to you — will be displayed.

Being part of the community can help you improve your WordPress skills and network with people you wouldn’t otherwise meet. Now you can easily find your local events just by logging in to your dashboard and looking at the new Events and News dashboard widget.

---

Even More Developer Happiness 😊

More Accessible Admin Panel Headings

New CSS rules mean extraneous content (like “Add New” links) no longer need to be included in admin-area headings. These panel headings improve the experience for people using assistive technologies.

Removal of Core Support for WMV and WMA Files

As fewer and fewer browsers support Silverlight, file formats which require the presence of the Silverlight plugin are being removed from core support. Files will still display as a download link, but will no longer be embedded automatically.

Multisite Updates

New capabilities have been introduced to 4.8 with an eye towards removing calls to
is_super_admin(). Additionally, new hooks and tweaks to more granularly control site and user counts per network have been added.

Text-Editor JavaScript API

With the addition of TinyMCE to the text widget in 4.8 comes a new JavaScript API for instantiating the editor after page load. This can be used to add an editor instance to any text area, and customize it with buttons and functions. Great for plugin authors!

Media Widgets API

The introduction of a new base media widget REST API schema to 4.8 opens up possibilities for even more media widgets (like galleries or playlists) in the future. The three new media widgets are powered by a shared base class that covers most of the interactions with the media modal. That class also makes it easier to create new media widgets and paves the way for more to come.

Customizer Width Variable

Rejoice! New responsive breakpoints have been added to the customizer sidebar to make it wider on high-resolution screens. Customizer controls should use percentage-based widths instead of pixels.

---

The Squad

This release was led by Matt and Jeff Paul, with the help of the following fabulous folks. There are 346 contributors with props in this release, with 106 of them contributing for the first time. Pull up some Bill Evans on your music service of choice, and check out some of their profiles:

[Inactive], Aaron D. Campbell, Aaron Jorbin, abrightclearweb, Achal Jain, achbed, Acme Themes, Adam Silverstein, adammacias, Ahmad Awais, ahmadawais, airesvsg, ajoah, Aki Björklund, akshayvinchurkar, Alain Schlesser, Alex Concha, Alex Dimitrov, Alex Hon, alex27, allancole, Amanda Rush, Andrea Fercia, Andreas Panag, Andrew Nacin, Andrew Ozz, Andrey "Rarst" Savchenko, Andy Meerwaldt, Andy Mercer, Andy Skelton, Aniket Pant, Anil Basnet, Ankit K Gupta, Anthony Hortin, antisilent, Anton Timmermans, Antti Kuosmanen, apokalyptik, artoliukkonen, Arunas Liuiza, attitude, backermann, Bappi, Ben Cole, Bernhard Gronau, Bernhard Kau, binarymoon, Birgir Erlendsson (birgire), BjornW, bobbingwide, boblinthorst, boboudreau, bonger, Boone B. Gorges, Brady Vercher, Brainstorm Force, Brandon Kraft, Brian Hogg, Brian Krogsgard, Bronson Quick, Caroline Moore, Casey Driscoll, Caspie, Chandra Patel, Chaos Engine, cheeserolls, chesio, chetansatasiya, choong, Chouby, chredd, Chris Jean, Chris Marslender, Chris Smith, Chris Van Patten, Chris Wiegman, chriscct7, chriseverson, Christian Chung, Christian Nolen, Christian Wach, Christoph Herr, Clarion Technologies, Claudio Sanches, Claudio Sanches, ClaudioLaBarbera, codemovement.pk, coderkevin, codfish, coreymcollins, Curdin Krummenacher, Curtiss Grymala, Cătălin Dogaru, danhgilmore, Daniel Bachhuber , Daniel Kanchev, Daniel Pietrasik, Daniele Scasciafratte, Daryl L. L. Houston (dllh), Dave Pullig, Dave Romsey (goto10), David A. Kennedy, David Chandra Purnama, David Herrera, David Lingren, David Mosterd, David Shanske, davidbhayes, Davide 'Folletto' Casali, deeptiboddapati, delphinus, deltafactory, Denis de Bernardy, Derek Herman, Derrick Hammer, Derrick Koo, dimchik, Dinesh Chouhan, Dion Hulse, Dipesh Kakadiya, dmsnell, Dominik Schilling, Dotan Cohen, Doug Wollison, doughamlin, DreamOn11, Drew Jaynes, duncanjbrown, dungengronovius, DylanAuty, Eddie Hurtig, Eduardo Reveles, Edwin Cromley, ElectricFeet, Elio Rivero, Ella Iseulde Van Dorpe, elyobo, enodekciw, enshrined, Eric Andrew Lewis, Eric Lanehart, Evan Herman, Felix Arntz, Fencer04, Florian Brinkmann, Florian TIAR, FolioVision, fomenkoandrey, Francesco Taurino, Frank Klein, Frankie Jarrett, Fred, Fredrik Forsmo, fuscata, Gabriel Maldonado, Garth Mortensen, Gary Jones, Gary Pendergast, Geeky Software, George Stephanis, Goran Šerić, Graham Armfield, Grant Derepas, Gregory Karpinsky (@tivnet), Hardeep Asrani, Helen Hou-Sandí, Henry Wright, hiddenpearls, Hinaloe, Hristo Pandjarov, Hugo Baeta, Iain Poulson, Ian Dunn, Ian Edington, idealien, Ignacio Cruz Moreno, imath, implenton, Ionut Stanciu, Ipstenu (Mika Epstein), ivdimova, J.D. Grimes, Jacob Peattie, Jake Spurlock, James Nylen, jamesacero, Japh, Jared Cobb, jayarjo, jdolan, jdoubleu, Jeff Bowen, Jeff Paul, Jeffrey de Wit, Jeremy Felt, Jeremy Pry, jimt, Jip Moors, jmusal, Joe Dolson, Joe Hoyle, Joe McGill, Joel James, johanmynhardt, John Blackbourn, John Dittmar, John James Jacoby, John P. Bloch, John Regan, johnpgreen, Jon (Kenshino), Jonathan Bardo, Jonathan Brinley, Jonathan Daggerhart, Jonathan Desrosiers, Jonny Harris, jonnyauk, jordesign, JorritSchippers, Joseph Fusco, Josh Eaton, Josh Pollock, joshcummingsdesign, joshkadis, Joy, jrf, JRGould, Juanfra Aldasoro, Juhi Saxena, Junko Nukaga, Justin Busa, Justin Sainton, Justin Shreve, Justin Sternberg, K.Adam White, kacperszurek, Kailey (trepmal), KalenJohnson, Kat Hagan, Keanan Koppenhaver, keesiemeijer, kellbot, Kelly Dwan, Kevin Hagerty, Kirk Wight, kitchin, Kite, kjbenk, Knut Sparhell, koenschipper, kokarn, Konstantin Kovshenin, Konstantin Obenland, Konstantinos Kouratoras, kuchenundkakao, kuldipem, Laurel Fulford, Lee Willis, Leo Baiano, LittleBigThings (Csaba), Lucas Stark, Luke Cavanagh, Luke Gedeon, Luke Pettway, lyubomir_popov, mageshp, Mahesh Waghmare, Mangesh Parte, Manish Songirkar, mantismamita, Marcel Bootsman, Marin Atanasov, Mario Valney, Marius L. J., Mariyan Belchev, Mark Jaquith, Mark Root-Wiley, Mark Uraine, Marko Heijnen, markshep, matrixik, Matt Banks, Matt Jaworski, Matt King, Matt van Andel, Matt Wiebe, Matthew Haines-Young, mattyrob, Max Cutler, Maxime Culea, Mayo Moriyama, mckernanin, Mel Choyce, mhowell, Michael Arestad, Michael Arestad, michalzuber, Miina Sikk, Mike Auteri, Mike Crantea, Mike Glendinning, Mike Hansen, Mike Little, Mike Schroder, Mike Viele, Milan Dinić, modemlooper, Mohammad Jangda, Mohan Dere, monikarao, morettigeorgiev, Morgan Estes, Morten Rand-Hendriksen, moto hachi ( mt8.biz ), mrbobbybryant, Naim Naimov, Nate Reist, NateWr, nathanrice, Nazgul, Ned Zimmerman, net, Nick Halsey , Nicolas GUILLAUME, Nikhil Chavan, Nikhil Vimal, Nikolay Bachiyski, Nilambar Sharma, noplanman, nullvariable, odie2, odyssey, Okamoto Hidetaka, orvils, oskosk, Otto Kekäläinen, ovann86, Pantip Treerattanapitak (Nok), Pascal Birchler, patilvikasj, Paul Bearne, Paul Wilde, Payton Swick, pdufour, Perdaan, Peter Wilson, phh, php, Piotr Delawski, pippinsplugins, pjgalbraith, pkevan, Pratik, Pressionate, Presskopp, procodewp, Rachel Baker, Rahul Prajapati, Ramanan, Rami Yushuvaev, ramiabraham, ranh, Red Sand Media Group, Riad Benguella, Rian Rietveld, Richard Tape, Robert D Payne, Robert Jolly, Robert Noakes, Rocco Aliberti, Rodrigo Primo, Rommel Castro, Ronald Araújo, Ross Wintle, Roy Sivan, Ryan Kienstra, Ryan McCue, Ryan Plas, Ryan Welcher, Sal Ferrarello, Sami Keijonen, Samir Shah, Samuel Sidler, Sandesh, Sang-Min Yoon, Sanket Parmar, Sarah Gooding, Sayed Taqui, schrapel, Scott Reilly, Scott Taylor, scrappy@hub.org, scribu, seancjones, Sebastian Pisula, Sergey Biryukov, Sergio De Falco, sfpt, shayanys, shazahm1, shprink, simonlampen, skippy, smerriman, snacking, solal, Soren Wrede, Stanimir Stoyanov, Stanko Metodiev, Steph, Steph Wells, Stephanie Leary, Stephen Edgar, Stephen Harris, Steven Word, stevenlinx, Sudar Muthu, Swapnil V. Patil, swapnild, szaqal21, Takahashi Fumiki, Takayuki Miyauchi, Tammie Lister, tapsboy, Taylor Lovett, team, tg29359, tharsheblows, the, themeshaper, thenbrent, thomaswm, Thorsten Frommen, tierra, Tim Nash, Timmy Crawford, Timothy Jacobs, timph, Tkama, tnegri, Tom Auger, Tom J Nowell, tomdxw, Toro_Unit (Hiroshi Urabe), Torsten Landsiedel, transl8or, traversal, Travis Smith, Triet Minh, Trisha Salas, tristangemus, truongwp, tsl143, Ty Carlson, Ulrich, Utkarsh, Valeriu Tihai, Vishal Kakadiya, vortfu, Vrunda Kansara, webbgaraget, WebMan Design | Oliver Juhas, websupporter, Weston Ruter, William Earnhardt, williampatton, Wolly aka Paolo Valenti, yale01, Yoav Farhi, Yoga Sukma, Zach Wills, Zack Tollman, Ze Fontainhas, zhildzik, and zsusag.

 

Finally, thanks to all the community translators who worked on WordPress 4.8. Their efforts bring WordPress 4.8 fully translated to 38 languages at release time with more on the way.

Do you want to report on WordPress 4.8? We’ve compiled a press kit featuring information about the release features, and some media assets to help you along.

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress — we hope you enjoy!

The second release candidate for WordPress 4.8 is now available.

To test WordPress 4.8, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).

We’ve made a handful of changes since releasing RC 1 last week. For more details about what’s new in version 4.8, check out the Beta 1, Beta 2, and RC1 blog posts.

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

Happy testing!

The release candidate for WordPress 4.8 is now available.

RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.8 on Thursday, June 8, but we need your help to get there. If you haven’t tested 4.8 yet, now is the time!

To test WordPress 4.8, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).

We’ve made a handful of changes since releasing Beta 2 earlier this week. For more details about what’s new in version 4.8, check out the Beta 1 and Beta 2 blog posts.

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

Developers, please test your plugins and themes against WordPress 4.8 and update your plugin’s Tested up to version in the readme to 4.8. If you find compatibility problems please be sure to post to the support forums so we can figure those out before the final release – we work hard to avoid breaking things. An in-depth field guide to developer-focused changes is coming soon on the core development blog.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

This release’s haiku is courtesy of @matveb:

Érrese uno
Cien veces y más
Erre ce dos

Thanks for your continued help testing out the latest versions of WordPress.

WordPress 4.8 Beta 2 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.8, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.8, check out the Beta 1 blog post. Since then, we’ve made over 50 changes in Beta 2.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

WordPress four point eight
One step closer to release
Please test Beta 2!

WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.4 and earlier are affected by six security issues:

1. Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
2. Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
3. Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
4. A Cross Site Request Forgery (CSRF)  vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.5 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.5.

Thanks to everyone who contributed to 4.7.5.

WordPress has grown a lot over the last thirteen years – it now powers more than 28% of the top ten million sites on the web. During this growth, each team has worked hard to continually improve their tools and processes. Today, the WordPress Security Team is happy to announce that WordPress is now officially on HackerOne!

HackerOne is a platform for security researchers to securely and responsibly report vulnerabilities to our team. It provides tools that improve the quality and consistency of communication with reporters, and will reduce the time spent on responding to commonly reported issues. This frees our team to spend more time working on improving the security of WordPress.

The security team has been working on this project for quite some time. Nikolay Bachiyski started the team working on it just over a year ago. We ran it as a private program while we worked out our procedures and processes, and are excited to finally make it public.

With the announcement of the WordPress HackerOne program we are also introducing bug bounties. Bug bounties let us reward reporters for disclosing issues to us and helping us secure our products and infrastructure. We’ve already awarded more than $3,700 in bounties to seven different reporters! We are thankful to Automattic for paying the bounties on behalf of the WordPress project.

The program and bounties cover all our projects including WordPress, BuddyPress, bbPress, GlotPress, and WP-CLI as well as all of our sites including WordPress.org, bbPress.org, WordCamp.org, BuddyPress.org, and GlotPress.org.

We’re planning a smaller WP release early next month, bringing in three major enhancements:

• An improved visual editor experience, with a new TinyMCE that allows you to navigate more intuitively in and out of inline elements like links. (Try it out to see, it’s hard to describe.)
• A revamp of the dashboard news widget to bring in nearby and upcoming events including meetups and WordCamps.
• Several new media widgets covering images, audio, and video, and an enhancement to the text widget to support visual editing.

The first beta of 4.8 is now available for testing. You can use the beta tester plugin (or just run trunk) to try the latest and greatest, and each of these areas could use a ton of testing. Our goals are to make editing posts with links more intuitive, make widgets easier for new users and more convenient for existing ones, and get many more people aware of and attending our community events.

Four point eight is here
Small changes with a big punch
Big ones come later

After almost sixty million downloads of WordPress 4.7, we are pleased to announce the immediate availability of WordPress 4.7.4, a maintenance release.

This release contains 47 maintenance fixes and enhancements, chief among them an incompatibility between the upcoming Chrome version and the visual editor, inconsistencies in media handling, and further improvements to the REST API. For a full list of changes, consult the release notes and the list of changes.

Download WordPress 4.7.4 or visit Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.4.

Thanks to everyone who contributed to 4.7.4:
Aaron Jorbin, Adam Silverstein, Andrea Fercia, Andrew Ozz, aussieguy123, Blobfolio, boldwater, Boone Gorges, Boro Sitnikovski, chesio, Curdin Krummenacher, Daniel Bachhuber, Darren Ethier (nerrad), David A. Kennedy, davidbenton, David Herrera, Dion Hulse, Dominik Schilling (ocean90), eclev91, Ella Van Dorpe, Gustave F. Gerhardt, ig_communitysites, James Nylen, Joe Dolson, John Blackbourn, karinedo, lukasbesch, maguiar, MatheusGimenez, Matthew Boynes, Matt Wiebe, Mayur Keshwani, Mel Choyce, Nick Halsey, Pascal Birchler, Peter Wilson, Piotr Delawski, Pratik Shrestha, programmin, Rachel Baker, sagarkbhatt, Sagar Prajapati, sboisvert, Scott Taylor, Sergey Biryukov, Stephen Edgar, Sybre Waaijer, Timmy Crawford, vortfu, and Weston Ruter.

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.2 and earlier are affected by six security issues:

1. Cross-site scripting (XSS) via media file metadata.  Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
2. Control characters can trick redirect URL validation.  Reported by Daniel Chatfield.
3. Unintended files can be deleted by administrators using the plugin deletion functionality.  Reported by TrigInc and xuliang.
4. Cross-site scripting (XSS) via video URL in YouTube embeds.  Reported by Marc Montpas.
5. Cross-site scripting (XSS) via taxonomy term names.  Reported by Delta.
6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.  Reported by Sipke Mellema.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.3.

Thanks to everyone who contributed to 4.7.3: Aaron D. Campbell, Adam Silverstein, Alex Concha, Andrea Fercia, Andrew Ozz, asalce, blobfolio, bonger, Boone Gorges, Boro Sitnikovski, Brady Vercher, Brandon Lavigne, Bunty, ccprog, chetansatasiya, David A. Kennedy, David Herrera, Dhanendran, Dion Hulse, Dominik Schilling (ocean90), Drivingralle, Ella Van Dorpe, Gary Pendergast, Ian Dunn, Ipstenu (Mika Epstein), James Nylen, jazbek, Jeremy Felt, Jeremy Pry, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Kelly Dwan, Marko Heijnen, MatheusGimenez, Mike Nelson, Mike Schroder, Muhammet Arslan, Nick Halsey, Pascal Birchler, Paul Bearne, pavelevap, Peter Wilson, Rachel Baker, reldev, Robert O’Rourke, Ryan Welcher, Sanket Parmar, Sean Hayes, Sergey Biryukov, Stephen Edgar, triplejumper12, Weston Ruter, and wpfo.

WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.1 and earlier are affected by three security issues:

1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.
4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. Reported by Marc-Alexandre Montpas of Sucuri Security. *

Thank you to the reporters of these issues for practicing responsible disclosure.

Download WordPress 4.7.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.

Thanks to everyone who contributed to 4.7.2.

* Update: An additional serious vulnerability was fixed in this release and public disclosure was delayed. For more information on this vulnerability, additional mitigation steps taken, and an explanation for why disclosure was delayed, please read Disclosure of Additional Security Fix in WordPress 4.7.2.