WordPress.org

WordPress Now on HackerOne

Posted May 15, 2017 by Aaron D. Campbell. Filed under Security.

WordPress has grown a lot over the last thirteen years – it now powers more than 28% of the top ten million sites on the web. During this growth, each team has worked hard to continually improve their tools and processes. Today, the WordPress Security Team is happy to announce that WordPress is now officially on HackerOne!

HackerOne is a platform for security researchers to securely and responsibly report vulnerabilities to our team. It provides tools that improve the quality and consistency of communication with reporters, and will reduce the time spent on responding to commonly reported issues. This frees our team to spend more time working on improving the security of WordPress.

The security team has been working on this project for quite some time. Nikolay Bachiyski started the team working on it just over a year ago. We ran it as a private program while we worked out our procedures and processes, and are excited to finally make it public.

With the announcement of the WordPress HackerOne program we are also introducing bug bounties. Bug bounties let us reward reporters for disclosing issues to us and helping us secure our products and infrastructure. We’ve already awarded more than $3,700 in bounties to seven different reporters! We are thankful to Automattic for paying the bounties on behalf of the WordPress project.

The program and bounties cover all our projects including WordPress, BuddyPress, bbPress, GlotPress, and WP-CLI as well as all of our sites including WordPress.org, bbPress.org, WordCamp.org, BuddyPress.org, and GlotPress.org.

WordPress 4.8 Beta 1

Posted May 13, 2017 by Matt Mullenweg. Filed under Releases.

We’re planning a smaller WP release early next month, bringing in three major enhancements:

  • An improved visual editor experience, with a new TinyMCE that allows you to navigate more intuitively in and out of inline elements like links. (Try it out to see, it’s hard to describe.)
  • A revamp of the dashboard news widget to bring in nearby and upcoming events including meetups and WordCamps.
  • Several new media widgets covering images, audio, and video, and an enhancement to the text widget to support visual editing.

The first beta of 4.8 is now available for testing. You can use the beta tester plugin (or just run trunk) to try the latest and greatest, and each of these areas could use a ton of testing. Our goals are to make editing posts with links more intuitive, make widgets easier for new users and more convenient for existing ones, and get many more people aware of and attending our community events.

Four point eight is here
Small changes with a big punch
Big ones come later

WordPress 4.7.4 Maintenance Release

Posted April 20, 2017 by Pascal Birchler. Filed under Releases.

After almost sixty million downloads of WordPress 4.7, we are pleased to announce the immediate availability of WordPress 4.7.4, a maintenance release.

This release contains 47 maintenance fixes and enhancements, chief among them an incompatibility between the upcoming Chrome version and the visual editor, inconsistencies in media handling, and further improvements to the REST API. For a full list of changes, consult the release notes and the list of changes.

Download WordPress 4.7.4 or visit Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.4.

Thanks to everyone who contributed to 4.7.4:
Aaron Jorbin, Adam Silverstein, Andrea Fercia, Andrew Ozz, aussieguy123, Blobfolio, boldwater, Boone Gorges, Boro Sitnikovski, chesio, Curdin Krummenacher, Daniel Bachhuber, Darren Ethier (nerrad), David A. Kennedy, davidbenton, David Herrera, Dion Hulse, Dominik Schilling (ocean90), eclev91, Ella Van Dorpe, Gustave F. Gerhardt, ig_communitysites, James Nylen, Joe Dolson, John Blackbourn, karinedo, lukasbesch, maguiar, MatheusGimenez, Matthew Boynes, Matt Wiebe, Mayur Keshwani, Mel Choyce, Nick Halsey, Pascal Birchler, Peter Wilson, Piotr Delawski, Pratik Shrestha, programmin, Rachel Baker, sagarkbhatt, Sagar Prajapati, sboisvert, Scott Taylor, Sergey Biryukov, Stephen Edgar, Sybre Waaijer, Timmy Crawford, vortfu, and Weston Ruter.

WordPress 4.7.3 Security and Maintenance Release

Posted March 6, 2017 by James Nylen. Filed under Releases, Security.

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.2 and earlier are affected by six security issues:

  1. Cross-site scripting (XSS) via media file metadata.  Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
  2. Control characters can trick redirect URL validation.  Reported by Daniel Chatfield.
  3. Unintended files can be deleted by administrators using the plugin deletion functionality.  Reported by TrigInc and xuliang.
  4. Cross-site scripting (XSS) via video URL in YouTube embeds.  Reported by Marc Montpas.
  5. Cross-site scripting (XSS) via taxonomy term names.  Reported by Delta.
  6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.  Reported by Sipke Mellema.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.3.

Thanks to everyone who contributed to 4.7.3: Aaron D. Campbell, Adam Silverstein, Alex Concha, Andrea Fercia, Andrew Ozz, asalce, blobfolio, bonger, Boone Gorges, Boro Sitnikovski, Brady Vercher, Brandon Lavigne, Bunty, ccprog, chetansatasiya, David A. Kennedy, David Herrera, Dhanendran, Dion Hulse, Dominik Schilling (ocean90), Drivingralle, Ella Van Dorpe, Gary Pendergast, Ian Dunn, Ipstenu (Mika Epstein), James Nylen, jazbek, Jeremy Felt, Jeremy Pry, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Kelly Dwan, Marko Heijnen, MatheusGimenez, Mike Nelson, Mike Schroder, Muhammet Arslan, Nick Halsey, Pascal Birchler, Paul Bearne, pavelevap, Peter Wilson, Rachel Baker, reldev, Robert O’Rourke, Ryan Welcher, Sanket Parmar, Sean Hayes, Sergey Biryukov, Stephen Edgar, triplejumper12, Weston Ruter, and wpfo.

WordPress 4.7.2 Security Release

Posted January 26, 2017 by Aaron D. Campbell. Filed under Releases, Security.

WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.1 and earlier are affected by three security issues:

  1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
  2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.
  4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. Reported by Marc-Alexandre Montpas of Sucuri Security. *

Thank you to the reporters of these issues for practicing responsible disclosure.

Download WordPress 4.7.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.

Thanks to everyone who contributed to 4.7.2.

* Update: An additional serious vulnerability was fixed in this release and public disclosure was delayed. For more information on this vulnerability, additional mitigation steps taken, and an explanation for why disclosure was delayed, please read Disclosure of Additional Security Fix in WordPress 4.7.2.

WordPress 4.7.1 Security and Maintenance Release

Posted January 11, 2017 by Aaron D. Campbell. Filed under Releases, Security.

WordPress 4.7 has been downloaded over 10 million times since its release on December 6, 2016 and we are pleased to announce the immediate availability of WordPress 4.7.1. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7 and earlier are affected by eight security issues:

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to Dawid Golunski and Paul Buonopane.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
  5. Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
  6. Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
  8. Weak cryptographic security for multisite activation key. Reported by Jack.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.1.

Thanks to everyone who contributed to 4.7.1: Aaron D. Campbell, Aaron Jorbin, Adam Silverstein, Andrea Fercia, Andrew Ozz, bonger, Boone Gorges, Chandra Patel, Christian Chung, David Herrera, David Shanske, Dion Hulse, Dominik Schilling (ocean90), DreamOn11, Edwin Cromley, Ella van Dorpe, Gary Pendergast, Hristo Pandjarov, James Nylen, Jeff Bowen, Jeremy Felt, Jeremy Pry, Joe Hoyle, Joe McGill, John Blackbourn, Keanan Koppenhaver, Konstantin Obenland, laurelfulford, Marin Atanasov, mattyrob, monikarao, Nate Reist, Nick Halsey, Nikhil Chavan, nullvariable, Payton Swick, Peter Wilson, Presskopp, Rachel Baker, Ryan McCue, Sanket Parmar, Sebastian Pisula, sfpt, shazahm1, Stanimir Stoyanov, Steven Word, szaqal21, timph, voldemortensen, vortfu, and Weston Ruter.

WordPress 4.7 “Vaughan”

Posted December 6, 2016 by Helen Hou-Sandi. Filed under Releases.

Version 4.7 of WordPress, named “Vaughan” in honor of legendary jazz vocalist Sarah “Sassy” Vaughan, is available for download or update in your WordPress dashboard. New features in 4.7 help you get your site set up the way you want it.


Presenting Twenty Seventeen

A brand new default theme brings your site to life with immersive featured images and video headers.

Twenty Seventeen focuses on business sites and features a customizable front page with multiple sections. Personalize it with widgets, navigation, social menus, a logo, custom colors, and more. Our default theme for 2017 works great in many languages, on any device, and for a wide range of users.


Your Site, Your Way

WordPress 4.7 adds new features to the customizer to help take you through the initial setup of a theme, with non-destructive live previews of all your changes in one uninterrupted workflow.

Theme Starter Content

To help give you a solid base to build from, individual themes can provide starter content that appears when you go to customize your brand new site. This can range from placing a business information widget in the best location to providing a sample menu with social icon links to a static front page complete with beautiful images. Don’t worry – nothing new will appear on the live site until you’re ready to save and publish your initial theme setup.

Edit Shortcuts

Visible icons appear to show you which parts of your site can be customized while live previewing. Click on a shortcut and get straight to editing. Paired with starter content, getting started with customizing your site is faster than ever.

Video Headers

Sometimes a big atmospheric video as a moving header image is just what you need to showcase your wares; go ahead and try it out with Twenty Seventeen. Need some video inspiration? Try searching for sites with video headers available for download and use.

Smoother Menu Building

Many menus for sites contain links to the pages of your site, but what happens when you don’t have any pages yet? Now you can add new pages while building menus instead of leaving the customizer and abandoning your changes. Once you’ve published your customizations, you’ll have new pages ready for you to fill with content.

Custom CSS

Sometimes you just need a few visual tweaks to make your site perfect. WordPress 4.7 allows you to add custom CSS and instantly see how your changes affect your site. The live preview allows you to work quickly without page refreshes slowing you down.


PDF Thumbnail Previews

Managing your document collection is easier with WordPress 4.7. Uploading PDFs will generate thumbnail images so you can more easily distinguish between all your documents.

Dashboard in your language

Just because your site is in one language doesn’t mean that everybody helping manage it prefers that language for their admin. Add more languages to your site and a user language option will show up in your user’s profiles.


Introducing REST API Content Endpoints

WordPress 4.7 comes with REST API endpoints for posts, comments, terms, users, meta, and settings.

Content endpoints provide machine-readable external access to your WordPress site with a clear, standards-driven interface, paving the way for new and innovative methods of interacting with sites through plugins, themes, apps, and beyond. Ready to get started with development? Check out the REST API reference.


Even More Developer Happiness 😊

Post Type Templates

By opening up the page template functionality to all post types, theme developers have even more flexibility with the WordPress template hierarchy.

More Theme API Goodies

WordPress 4.7 includes new functions, hooks, and behavior for theme developers.

Custom Bulk Actions

List tables, now with more than bulk edit and delete.

WP_Hook

The code that lies beneath actions and filters has been overhauled and modernized, fixing bugs along the way.

Settings Registration API

register_setting() has been enhanced to include type, description, and REST API visibility.

Customize Changesets

Customize changesets make changes in the customizer persistent, like autosave drafts. They also make exciting new features like starter content possible.


The Squad

This release was led by Helen Hou-Sandí, backed up by Jeff Paul and Aaron Jorbin as Release Deputies, and with the help of these fine individuals. There are 482 contributors with props in this release—the most ever—with 205 of them contributing for the first time. Pull up some sassy Sarah Vaughan on your music service of choice, and check out some of their profiles:

Aaron D. Campbell, abrightclearweb, Achal Jain, achbed, Acme Themes, Adam Silverstein, adammacias, Ahmad Awais, ahmadawais, airesvsg, ajoah, Aki Björklund, akshayvinchurkar, Alain Schlesser, Alex Concha, Alex Dimitrov, Alex Hon, alex27, allancole, Amanda Rush, Andrea Fercia, Andreas Panag, Andrew Nacin, Andrew Ozz, Andrey "Rarst" Savchenko, Andy Meerwaldt, Andy Mercer, Andy Skelton, Aniket Pant, Anil Basnet, Ankit K Gupta, Anthony Hortin, antisilent, Anton Timmermans, apokalyptik, artoliukkonen, Arunas Liuiza, attitude, backermann, Bappi, Ben Cole, Bernhard Gronau, Bernhard Kau, binarymoon, Birgir Erlendsson (birgire), BjornW, bobbingwide, boblinthorst, boboudreau, bonger, Boone B. Gorges, Brady Vercher, Brainstorm Force, Brandon Kraft, Brian Hogg, Brian Krogsgard, Bronson Quick, Caroline Moore, Casey Driscoll, Caspie, Chandra Patel, Chaos Engine, cheeserolls, chesio, chetansatasiya, choong, Chouby, chredd, Chris Jean, Chris Marslender, Chris Smith, Chris Van Patten, Chris Wiegman, chriscct7, chriseverson, Christian Chung, Christian Nolen, Christian Wach, Christoph Herr, Clarion Technologies, Claudio Sanches, Claudio Sanches, ClaudioLaBarbera, codemovement.pk, coderkevin, codfish, coreymcollins, Curdin Krummenacher, Curtiss Grymala, Cătălin Dogaru, danhgilmore, Daniel Bachhuber , Daniel Kanchev, Daniel Pietrasik, Daniele Scasciafratte, Daryl L. L. Houston (dllh), Dave Pullig, Dave Romsey (goto10), David A. Kennedy, David Chandra Purnama, David Herrera, David Lingren, David Mosterd, David Shanske, davidbhayes, Davide 'Folletto' Casali, deeptiboddapati, delphinus, deltafactory, Denis de Bernardy, Derek Herman, Derrick Hammer, Derrick Koo, dimchik, Dinesh Chouhan, Dion Hulse, dipeshkakadiya, dmsnell, Dominik Schilling, Dotan Cohen, Doug Wollison, doughamlin, DreamOn11, Drew Jaynes, duncanjbrown, dungengronovius, DylanAuty, Eddie Hurtig, Eduardo Reveles, Edwin Cromley, ElectricFeet, Elio Rivero, Ella Iseulde Van Dorpe, elyobo, enodekciw, enshrined, Eric Andrew Lewis, Eric Lanehart, Evan Herman, Felix Arntz, Fencer04, Florian Brinkmann, Florian TIAR, FolioVision, fomenkoandrey, Francesco Taurino, Frank Klein, Frankie Jarrett, Fred, Fredrik Forsmo, fuscata, Gabriel Maldonado, Garth Mortensen, Gary Jones, Gary Pendergast, Geeky Software, George Stephanis, Goran Šerić, Graham Armfield, Grant Derepas, Gregory Karpinsky (@tivnet), Hardeep Asrani, Henry Wright, hiddenpearls, Hinaloe, Hristo Pandjarov, Hugo Baeta, Iain Poulson, Ian Dunn, Ian Edington, idealien, Ignacio Cruz Moreno, imath, implenton, Ionut Stanciu, Ipstenu (Mika Epstein), ivdimova, J.D. Grimes, Jacob Peattie, Jake Spurlock, James Nylen, jamesacero, Japh, Jared Cobb, jayarjo, jdolan, jdoubleu, Jeff Bowen, Jeffrey de Wit, Jeremy Felt, Jeremy Pry, jimt, Jip Moors, jmusal, Joe Dolson, Joe Hoyle, Joe McGill, Joel James, johanmynhardt, John Blackbourn, John Dittmar, John James Jacoby, John P. Bloch, John Regan, johnpgreen, Jon (Kenshino), Jonathan Bardo, Jonathan Brinley, Jonathan Daggerhart, Jonathan Desrosiers, Jonny Harris, jonnyauk, jordesign, JorritSchippers, Joseph Fusco, Josh Eaton, Josh Pollock, joshcummingsdesign, joshkadis, Joy, jrf, JRGould, Juanfra Aldasoro, Juhi Saxena, Junko Nukaga, Justin Busa, Justin Sainton, Justin Shreve, Justin Sternberg, K.Adam White, kacperszurek, Kailey (trepmal), KalenJohnson, Kat Hagan, Keanan Koppenhaver, keesiemeijer, kellbot, Kelly Dwan, Kevin Hagerty, Kirk Wight, kitchin, Kite, kjbenk, Knut Sparhell, koenschipper, kokarn, Konstantin Kovshenin, Konstantin Obenland, Konstantinos Kouratoras, kuchenundkakao, kuldipem, Laurel Fulford, Lee Willis, Leo Baiano, LittleBigThings (Csaba), Lucas Stark, Luke Cavanagh, Luke Gedeon, Luke Pettway, lyubomir_popov, Mário Valney, mageshp, Mahesh Waghmare, Mangesh Parte, Manish Songirkar, mantismamita, Marcel Bootsman, Marin Atanasov, Marius L. J., Mariyan Belchev, Mark Jaquith, Mark Root-Wiley, Mark Uraine, Marko Heijnen, markshep, matrixik, Matt Banks, Matt King, Matt Mullenweg, Matt PeepSo, Matt van Andel, Matt Wiebe, Matthew Haines-Young, mattyrob, Max Cutler, Maxime Culea, Mayo Moriyama, mckernanin, Mel Choyce, mhowell, Michael Arestad, Michael Arestad, michalzuber, Miina Sikk, Mike Auteri, Mike Crantea, Mike Glendinning, Mike Hansen, Mike Little, Mike Schroder, Mike Viele, Milan Dinić, modemlooper, Mohammad Jangda, Mohan Dere, monikarao, morettigeorgiev, Morgan Estes, Morten Rand-Hendriksen, moto hachi ( mt8.biz ), mrbobbybryant, Naim Naimov, Nate Reist, NateWr, nathanrice, Nazgul, Ned Zimmerman, net, Nick Halsey , Nicolas GUILLAUME, Nikhil Chavan, Nikhil Vimal, Nikolay Bachiyski, Nilambar Sharma, noplanman, nullvariable, odie2, odyssey, Okamoto Hidetaka, orvils, oskosk, Otto Kekäläinen, ovann86, Pantip Treerattanapitak (Nok), Pascal Birchler, patilvikasj, Paul Bearne, Paul Wilde, Payton Swick, pdufour, Perdaan, Peter Wilson, phh, php, Piotr Delawski, pippinsplugins, pjgalbraith, pkevan, Pratik, Pressionate, Presskopp, procodewp, Rachel Baker, Rahul Prajapati, Ramanan, Rami Yushuvaev, ramiabraham, ranh, Red Sand Media Group, Riad Benguella, Rian Rietveld, Richard Tape, Robert D Payne, Robert Jolly, Robert Noakes, Rocco Aliberti, Rodrigo Primo, Rommel Castro, Ronald Araújo, Ross Wintle, Roy Sivan, Ryan Kienstra, Ryan McCue, Ryan Plas, Ryan Welcher, Sal Ferrarello, Sami Keijonen, Samir Shah, Samuel Sidler, Sandesh, Sang-Min Yoon, Sanket Parmar, Sarah Gooding, Sayed Taqui, schrapel, Scott Reilly, Scott Taylor, scrappy@hub.org, scribu, seancjones, Sebastian Pisula, Sergey Biryukov, Sergio De Falco, sfpt, shayanys, shazahm1, shprink, simonlampen, skippy, smerriman, snacking, solal, Soren Wrede, Stanimir Stoyanov, Stanko Metodiev, Steph, Steph Wells, Stephanie Leary, Stephen Edgar, Stephen Harris, Steven Word, stevenlinx, Sudar Muthu, Swapnil V. Patil, swapnild, szaqal21, Takahashi Fumiki, Takayuki Miyauchi, Tammie Lister, tapsboy, Taylor Lovett, team, tg29359, tharsheblows, the, themeshaper, thenbrent, thomaswm, Thorsten Frommen, tierra, Tim Nash, Timmy Crawford, Timothy Jacobs, timph, Tkama, tnegri, Tom Auger, Tom J Nowell, tomdxw, Toro_Unit (Hiroshi Urabe), Torsten Landsiedel, transl8or, traversal, Travis Smith, Triet Minh, Trisha Salas, tristangemus, truongwp, tsl143, Ty Carlson, Ulrich, Utkarsh, Valeriu Tihai, Viljami Kuosmanen, Vishal Kakadiya, vortfu, Vrunda Kansara, webbgaraget, WebMan Design | Oliver Juhas, websupporter, Weston Ruter, William Earnhardt, williampatton, Wolly aka Paolo Valenti, WraithKenny, yale01, Yoav Farhi, Yoga Sukma, Zach Wills, Zack Tollman, Ze Fontainhas, zhildzik, and zsusag.

 
Special thanks go to Rami Abraham for producing the release video and the many fine haiku we saw in the beta and RC announcement posts.

Finally, thanks to all the community translators who worked on WordPress 4.7. Their efforts bring WordPress 4.7 fully translated to 52 languages at release time with more on the way. Additionally, the WordPress 4.7 release video has been captioned into 44 languages.

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress – we hope you enjoy!

Moving Toward SSL

Posted December 1, 2016 by Matt Mullenweg. Filed under Development.

We’re at a turning point: 2017 is going to be the year that we’re going to see features in WordPress which require hosts to have HTTPS available. Just as JavaScript is a near necessity for smoother user experiences and more modern PHP versions are critical for performance, SSL just makes sense as the next hurdle our users are going to face.

SSL basically means the link between your browser and the server is encrypted. SSL used to be difficult to implement, and often expensive or slow. Modern browsers, and the incredible success of projects like Let’s Encrypt have made getting a certificate to secure your site fast, free, and something we think every host should support by default, especially in a post-Snowden era. Google also weighs SSL as a search engine ranking factor and will begin flagging unencrypted sites in Chrome.

First, early in 2017, we will only promote hosting partners that provide a SSL certificate by default in their accounts. Later we will begin to assess which features, such as API authentication, would benefit the most from SSL and make them only enabled when SSL is there.

Separately, I also think the performance improvements in PHP7 are particularly impressive, and major kudos to everyone who worked on that. We will consider whether hosts use PHP7 by default for new accounts next year as well.

 

WordPress 4.7 Release Candidate

Posted November 24, 2016 by Helen Hou-Sandi. Filed under Releases.

The release candidate for WordPress 4.7 is now available.

RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.7 on Tuesday, December 6, but we need your help to get there. If you haven’t tested 4.7 yet, now is the time! To test WordPress 4.7, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).

WordPress 4.7 is a jam-packed release, with a number of features focused on getting a theme set up for the first time. Highlights include a new default theme, video headers, custom CSS, customizer edit shortcuts, PDF thumbnail previews, user admin languages, REST API content endpoints, post type templates, and more.

We’ve made quite a few refinements since releasing Beta 4 a week ago, including usability and accessibility enhancements for video headers, media and page template support in starter content, and polishing of how custom CSS can be migrated to and extended by plugins and themes. The REST API endpoints saw a number of bugfixes and notably now have anonymous comment off by default.

Not sure where to start with testing? Try setting up a fresh site on a new installation with Twenty Seventeen (hint: head into customizing your site before touching any pages or widgets) and taking notes on what you enjoyed and what got you stuck. For more details about what’s new in version 4.7, check out the Beta 1Beta 2, Beta 3, and Beta 4 blog posts.

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

Developers, please test your plugins and themes against WordPress 4.7 and update your plugin’s Tested up to version in the readme to 4.7. If you find compatibility problems please be sure to post to the support forums so we can figure those out before the final release – we work hard to avoid breaking things. An in-depth field guide to developer-focused changes is coming soon on the core development blog.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages! And if you haven’t yet done so, now is a great time to take the Annual WordPress Survey and send it on to your friends.

Happy testing! And now for another Rami Abraham haiku break.

Select your language
Then let your users choose theirs
get_user_locale()

Theme authors rejoice
Any option may employ
Selective refresh

Custom header video
Make sure to add_theme_support
Bling above the fold

A new template dawns
A hierarchy member
Post-type templates live

PDF updates
Pack a parade of polish
Prettier previews

Template Post Type: New
Template Post Type: And Useful
Template Post Type: Thing

Let lists live lively
Laud wp_list_sort()
Less laconic lists

WordPress 4.7 Beta 4

Posted November 16, 2016 by Helen Hou-Sandi. Filed under Releases.

WordPress 4.7 Beta 4 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.7, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.7, check out the Beta 1, Beta 2, and Beta 3 blog posts, along with in-depth developer guides on make/core. We’ve made about 60 changes in the last few days for beta 4, including tweaks to Twenty Seventeen, custom CSS, and the REST API content endpoints.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

We are almost there
Please test your plugins and themes
RC coming soon

« Newer PostsOlder Posts »

See Also:

For more WordPress news, check out the WordPress Planet.

There’s also a development P2 blog.

To see how active the project is check out our Trac timeline, it often has 20–30 updates per day.

Categories

%d bloggers like this: