WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.
This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated joint security releases.
WordPress 3.9.2 also contains other security changes:
- Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
- Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
- Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
- Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
We appreciated responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.
Download WordPress 3.9.2 or venture over to Dashboard → Updates and simply click “Update Now”.
Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. (If you are still on WordPress 3.8.3 or 3.7.3, you will also be updated to 3.8.4 or 3.7.4. We don’t support older versions, so please update to 3.9.2 for the latest and greatest.)
Already testing WordPress 4.0? The third beta is now available (zip) and it contains these security fixes.
WordPress 4.0 Beta 2 is now available for download and testing. This is software still in development, so we don’t recommend that you run it on a production site. To get the beta, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).
For more of what’s new in version 4.0, check out the Beta 1 blog post. Some of the changes in Beta 2 include:
- Further refinements for the plugin installation and media library experiences.
- Updated TinyMCE, which now includes better indentation for lists and the restoration of the color picker.
- Cookies are now tied to a session internally, so if you have trouble logging in, #20276 may be the culprit.
- Various bug fixes (there were nearly 170 changes since last week).
If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed.
WordPress 4.0 Beta 1 is now available!
This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.0, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).
4.0 is due out next month, but to get there, we need your help testing what we’ve been working on:
- Previews of embedding via URLs in the visual editor and the “Insert from URL” tab in the media modal. Try pasting a URL (such as a WordPress.tv or YouTube video) onto its own line in the visual editor. (#28195, #15490)
- The Media Library now has a “grid” view in addition to the existing list view. Clicking on an item takes you into a modal where you can see a larger preview and edit information about that attachment, and you can navigate between items right from the modal without closing it. (#24716)
- We’re freshening up the plugin install experience. You’ll see some early visual changes as well as more information when searching for plugins and viewing details. (#28785, #27440)
- Selecting a language when you run the installation process. (#28577)
- The editor intelligently resizes and its top and bottom bars pin when needed. Browsers don’t like to agree on where to put things like cursors, so if you find a bug here, please also let us know your browser and operating system. (#28328)
- We’ve made some improvements to how your keyboard and cursor interact with TinyMCE views such as the gallery preview. Much like the editor resizing and scrolling improvements, knowing about your setup is particularly important for bug reports here. (#28595)
- Widgets in the Customizer are now loaded in a separate panel. (#27406)
- We’ve also made some changes to some formatting functions, so if you see quotes curling in the wrong direction, please file a bug report.
If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed so far.
Developers: Never fear, we haven’t forgotten you. There’s plenty for you, too – more on that in upcoming posts. In the meantime, check out the API for panels in the Customizer.
Media, things in between
Please help look for bugs
After three weeks and more than 9 million downloads of WordPress 3.9, we’re pleased to announce that WordPress 3.9.1 is now available.
This maintenance release fixes 34 bugs in 3.9, including numerous fixes for multisite networks, customizing widgets while previewing themes, and the updated visual editor. We’ve also made some improvements to the new audio/video playlists feature and made some adjustments to improve performance. For a full list of changes, consult the list of tickets and the changelog.
If you are one of the millions already running WordPress 3.9, we’ve started rolling out automatic background updates for 3.9.1. For sites that support them, of course.
Download WordPress 3.9.1 or venture over to Dashboard → Updates and simply click “Update Now.”
Thanks to all of these fine individuals for contributing to 3.9.1: Aaron Jorbin, Andrew Nacin, Andrew Ozz, Brian Richards, Chris Blower, Corey McKrill, Daniel Bachhuber, Dominik Schilling, feedmeastraycat, Gregory Cornelius, Helen Hou-Sandi, imath, Janneke Van Dorpe, Jeremy Felt, John Blackbourn, Konstantin Obenland, Lance Willett, m_i_n, Marius Jensen, Mark Jaquith, Milan Dinić, Nick Halsey, pavelevap, Scott Taylor, Sergey Biryukov, and Weston Ruter.
Version 3.9 of WordPress, named “Smith” in honor of jazz organist Jimmy Smith, is available for download or update in your WordPress dashboard. This release features a number of refinements that we hope you’ll love.
A smoother media editing experience
Improved visual editing
The updated visual editor has improved speed, accessibility, and mobile support. You can paste into the visual editor from your word processor without wasting time to clean up messy styling. (Yeah, we’re talking about you, Microsoft Word.)
Edit images easily
With quicker access to crop and rotation tools, it’s now much easier to edit your images while editing posts. You can also scale images directly in the editor to find just the right fit.
Drag and drop your images
Uploading your images is easier than ever. Just grab them from your desktop and drop them in the editor.
Galleries display a beautiful grid of images right in the editor, just like they do in your published post.
Do more with audio and video
Images have galleries; now we’ve added simple audio and video playlists, so you can showcase your music and clips.
Live widget and header previews
Add, edit, and rearrange your site’s widgets right in the theme customizer. No “save and surprise” — preview your changes live and only save them when you’re ready.
The improved header image tool also lets you upload, crop, and manage headers while customizing your theme.
Stunning new theme browser
Looking for a new theme should be easy and fun. Lose yourself in the boundless supply of free WordPress.org themes with the beautiful new theme browser.
This release was led by Andrew Nacin and Mike Schroder, with the help of these fine individuals. There are 267 contributors with props in this release, a new high:
Aaron D. Campbell, Aaron Jorbin, Adam Harley (Kawauso), Adam Silverstein, adelval, Ajay, Akeda Bagus, Alex Concha, Alex Shiels, Alison Barrett, Allan Collins, Amy Hendrix (sabreuse), Andrea Fercia, Andrew Nacin, Andrew Norcross, Andrew Ozz, Andrew Wilder, Andrey "Rarst" Savchenko, Andy Keith, Andy Skelton, Anton Timmermans, Aubrey Portwood, Barry, Bartosz Romanowski, bassgang, bcworkz, Ben Dunkle, Bernhard Riedl, bigdawggi, Bob Gregor, bobbingwide, Brad Touesnard, bradparbs, Bram Duvigneau, Brandon Kraft, brasofilo, bravokeyl, Bryan Petty, cgaffga, Chirag Swadia, Chouby, Chris Blower, Chris Marslender, Chris Olbekson, Chris Scott, chriseverson, chrisguitarguy, Christopher Finke, ciantic, Comparativa de Bancos, Connor Jennings, Cor van Noorloos, cramdesign, Daniel Bachhuber, Daniel Jalkut (Red Sweater), Danny de Haan, Daryl Koopersmith, Dave Kellam, DaveE, David A. Kennedy, David Anderson, David Marichal, Denis de Bernardy, Dion Hulse, Dominik Schilling, Doug Wollison, Drew Jaynes, DrProtocols, Dustin Filippini, edik, Eduardo Reveles, Elio Rivero, enej, Eric Andrew Lewis, Eric Mann, Erica Varlese, Erick Hitter, Evan Anderson, Fahmi Adib, fboender, Frank Klein, Fumito MIZUNO, Gary Cao, Gary Jones, Gary Pendergast, genkisan, Gennady Kovshenin, George Stephanis, Graham Armfield, Grant Mangham, Gregory Cornelius, Gregory Karpinsky (@tivnet), hakre, hanni, Helen Hou-Sandí, ippetkov, Ipstenu (Mika Epstein), J.D. Grimes, Jack Reichert, jameslee, Janneke Van Dorpe, janrenn, JayCC, Jeff Sebring, Jen, Jeremy Felt, Jesin A, Jesper Johansen (jayjdk), jnielsendotnet, Joan Artes, Joe Dolson, Joe Hoyle, John Blackbourn, John James Jacoby, John P. 
Bloch, John Regan, Jon Cave, Jonas Bolinder (jond3r), Joost de Valk, Josh Pollock, Joshua Abenazer, jstraitiff, Julio Potier, Justin Kopepasah, Justin Sainton, K.Adam White, Kailey (trepmal), Kaspars, Kelly Dwan, kerikae, Kevin Worthington, Kim Parsell, Kirk Wight, kitchin, klihelp, Knut Sparhell, Konstantin Kovshenin, Konstantin Obenland, Krzysiek Drozdz, Lance Willett, ldebrouwer, Lee Willis, lpointet, Lucas Karpiuk, Luke Woodward, Mario Peshev, Mark Barnes, Mark Jaquith, Marko Heijnen, Marventus, Matt Banks, Matt Miklic, Matt Mullenweg, Matthew Boynes, Matthew Denton, Matthew Haines-Young, mattonomics, mattyrob, Matías Ventura, Max Cutler, mcadwell, Mel Choyce, meloniq, Michael Arestad, Michel - xiligroup dev, Miguel Fonseca, Mike Burns, Mike Hansen, Mike Manger, Mike Schinkel, Mike Schroder, mikecorkum, mitcho (Michael Yoshitaka Erlewine), Mohammad Jangda, Morgan Estes, Morten Rand-Hendriksen, Naoko Takano, Nashwan Doaqan, nendeb55, Nick Halsey, Nicole Arnold, Nikhil Vimal, Nivi Jah, Nuno Morgadinho, olivM, Omer Korner, OriginalEXE, Patrick Bates, Paul Bearne, Paul Gibbs, Paul Wilde, pavelevap, Peter Westwood, Philip Arthur Moore, Philipp Cordes, Pippin Williamson, Prasath Nadarajah, prettyboymp, raamdev, Rachel Baker, Ram Ratan Maurya, ramonchiara, Rhys Wynne, Ricardo Correia, Richard, Richard Sweeney, Richard Tape, Ricky Lee Whittemore, Robert Chapin, robmiller, Rodrigo Primo, romaimperator, roothorick, Ruud Laan, Ryan Boren, Ryan McCue, Sal Ferrarello, Samir Shah, Samuel Wood (Otto), Sandeep Raman, Scott Lee, Scott Reilly, Scott Taylor, ScreenfeedFr, scribu, sdasse, Sean Butze, Sean Hayes, Sean Nessworthy, Sergey Biryukov, shahpranaf, Shaun Andrews, Shinichi Nishikawa, Simon Prosser, Simon Wheatley, Siobhan, Siobhan Bamber (siobhyb), sirzooro, sonjanyc, Spencer Finnell, Spencer Piontkowski, stephcook22, Stephen Edgar, Stephen Harris, Steve Bruner, Steven Word, Takayuki Miyauchi, Tanner Moushey, Taylor Lovett, tbrams, TobiasBg, Tom Auger, Tom Willmot, Topher, 
topquarky, Torsten Landsiedel, Toru Miki, Travis Smith, Umesh Kumar, undergroundnetwork, VarunAgw, wawco, Weston Ruter, wokamoto, xsonic, Yoav Farhi, Yuri Victor, Zach Tirrell, and Ze Fontainhas. Also thanks to Michael Pick for producing the release video.
If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.0!
The second release candidate for WordPress 3.9 is now available for testing.
If you haven’t tested 3.9 yet, you’re running out of time! We made about five dozen changes since the first release candidate, and those changes are all helpfully summarized in our weekly post on the development blog. Probably the biggest fixes are to live widget previews and the new theme browser, along with some extra TinyMCE compatibility and some RTL fixes.
Plugin authors: Could you test your plugins against 3.9, and if they’re compatible, make sure they are marked as tested up to 3.9? It only takes a few minutes and this really helps make launch easier. Be sure to follow along the core development blog; we’ve been posting notes for developers for 3.9. (For example: HTML5, symlinks, MySQL, Plupload.)
To test WordPress 3.9 RC2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If you’d like to learn more about what’s new in WordPress 3.9, visit the nearly complete About screen in your dashboard ( → About in the toolbar) and also check out the Beta 1 post.
This is for testing,
so not recommended for
WordPress 3.8.3 is now available to fix a small but unfortunate bug in the WordPress 3.8.2 security release.
The “Quick Draft” tool on the dashboard screen was broken in the 3.8.2 update. If you tried to use it, your draft would disappear and it wouldn’t save. While we doubt anyone was writing a novella using this tool, any loss of content is unacceptable to us.
We recognize how much trust you place in us to safeguard your content, and we take this responsibility very seriously. We’re sorry we let you down.
We’ve all lost words we’ve written before, like an email thanks to a cat on the keyboard or a term paper to a blue screen of death. Over the last few WordPress releases, we’ve made a number of improvements to features like autosaves and revisions. With revisions, an old edit can always be restored. We’re trying our hardest to save your content somewhere even if your power goes out or your browser crashes. We even monitor your internet connection and prevent you from hitting that “Publish” button at the exact moment the coffee shop Wi-Fi has a hiccup.
It’s possible that the quick draft you lost last week is still in the database, and just hidden from view. As an added complication, these “discarded drafts” normally get deleted after seven days, and it’s already been six days since the release. If we were able to rescue your draft, you’ll see it on the “All Posts” screen after you update to 3.8.3. (We’ll also be pushing 3.8.3 out as a background update, so you may just see a draft appear.)
So, if you tried to jot down a quick idea last week, I hope WordPress has recovered it for you. Maybe it’ll turn into that novella.
Download WordPress 3.8.3 or click “Update Now” on Dashboard → Updates.
This affected version 3.7.2 as well, so we’re pushing a 3.7.3 to these installs, but we’d encourage you to update to the latest and greatest.
Now for some good news:
WordPress 3.9 is near.
Expect it this week
As teased earlier, the first release candidate for WordPress 3.9 is now available for testing!
We hope to ship WordPress 3.9 next week, but we need your help to get there. If you haven’t tested 3.9 yet, there’s no time like the present. (Please, not on a production site, unless you’re adventurous.)
To test WordPress 3.9 RC1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If you’d like to learn more about what’s new in WordPress 3.9, visit the work-in-progress About screen in your dashboard ( → About in the toolbar) and check out the Beta 1 post.
Think you’ve found a bug? Please post to the Alpha/Beta area in the support forums. If any known issues come up, you’ll be able to find them here.
If you’re a plugin author, there are two important changes in particular to be aware of:
- TinyMCE received a major update, to version 4.0. Any editor plugins written for TinyMCE 3.x might require some updates. (If things broke, we’d like to hear about them so we can make adjustments.) For more, see TinyMCE’s migration guide and API documentation, and the notes on the core development blog.
- WordPress 3.9 now uses the MySQLi Improved extension for sites running PHP 5.5. Any plugins that made direct calls to mysql_* functions will experience some problems on these sites. For more information, see the notes on the core development blog.
Be sure to follow along the core development blog, where we will be continuing to post notes for developers for 3.9. (For example, read this if you are using Masonry in your theme.) And please, please update your plugin’s Tested up to version in the readme to 3.9 before April 16.
This haiku’s the easy one
3.9 is near
WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately.
This release fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and fixed by Jon Cave of the WordPress security team.
It also contains a fix to prevent a user with the Contributor role from improperly publishing posts. Reported by edik.
This release also fixes nine bugs and contains three other security hardening changes:
- Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
- Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw.
- Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files. Reported by Szymon Gruszecki.
We appreciated responsible disclosure of these security issues directly to our security team. For more information on all of the changes, see the release notes or consult the list of changes.
Download WordPress 3.8.2 or venture over to Dashboard → Updates and simply click “Update Now.”
Sites that support automatic background updates will be updated to WordPress 3.8.2 within 12 hours. If you are still on WordPress 3.7.1, you will be updated to 3.7.2, which contains the same security fixes as 3.8.2. We don’t support older versions, so please update to 3.8.2 for the latest and greatest.
Already testing WordPress 3.9? The first release candidate is now available (zip) and it contains these security fixes. Look for a full announcement later today; we expect to release 3.9 next week.
The third (and maybe last) beta of WordPress 3.9 is now available for download.
Beta 3 includes more than 200 changes, including:
- New features like live widget previews and the new theme installer are now more ready for prime time, so check ’em out.
- UI refinements when editing images and when working with media in the editor. We’ve also brought back some of the advanced display settings for images.
- If you want to test out audio and video playlists, the links will appear in the media manager once you’ve uploaded an audio or video file.
- For theme developers, we’ve added HTML5 caption support (#26642) to match the new gallery support (#26697).
- The formatting function that turns straight quotes into smart quotes (among other things) underwent some changes to drastically speed it up, so let us know if you see anything weird.
We need your help. We’re still aiming for an April release, which means the next week will be critical for identifying and squashing bugs. If you’re just joining us, please see the Beta 1 announcement post for what to look out for.
If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums, where friendly moderators are standing by. Plugin developers, if you haven’t tested WordPress 3.9 yet, now is the time — and be sure to update the “tested up to” version for your plugins so they’re listed as compatible with 3.9.
This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 3.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).
Let’s make the date official
It’s April 16