We are pleased to announce the immediate availability of WordPress 4.9.8. This maintenance release fixes 46 bugs, enhancements and blessed tasks, including updating the Twenty Seventeen bundled theme. Following are the highlights of what is now available.
“Try Gutenberg” callout
Most users will now be presented with a notice in their WordPress dashboard. This “Try Gutenberg” callout is an opportunity for users to use the Gutenberg block editor before it is released in WordPress 5.0.
In WordPress 4.9.8, the callout will be shown to the following users:
If Gutenberg is not installed or activated, the callout will be shown to Admin users on single sites, and Super Admin users on multisites.
If Gutenberg is installed and activated, the callout will be shown to Contributor users and above.
If the Classic Editor plugin is installed and activated, the callout will be hidden for all users.
You can learn more by reading “Try Gutenberg” Callout in WordPress 4.9.8.
This release includes 18 Privacy fixes focused on ensuring consistency and flexibility in the new personal data tools that were added in 4.9.6, including:
The type of request being
WordPress 4.8 is out, named “Evans” in honor of William John “Bill” Evans. Grab it now and bask in the glory of a fresh new release.
An Update with You in Mind
Gear up for a more intuitive WordPress!
Version 4.8 of WordPress, named “Evans” in honor of jazz pianist and composer William John “Bill” Evans, is available for download or update in your WordPress dashboard. New features in 4.8 add more ways for you to express yourself and represent your brand.
Though some updates seem minor, they’ve been built by hundreds of contributors with you in mind. Get ready for new features you’ll welcome like an old friend: link improvements, three new media widgets covering images, audio, and video, an updated text widget that supports visual editing, and an upgraded news section in your dashboard which brings in nearby and upcoming WordPress events.
Exciting Widget Updates
Adding an image to a widget is now a simple task that is achievable for any WordPress user without needing to know code. Simply insert your image right within the widget settings. Try adding something like a headshot or a photo of your latest weekend adventure — and see it appear automatically.
A welcome video is a great way to humanize the branding of your website. You can now add any video
WordPress.org's attempt at introducing the world to Gutenberg. Shares some information around compatibility and future roadmap.
A new publishing experience for WordPress is in the works: get ready to make your words, pictures, and layout look as good on screen as they do in your imagination, without any code. You might have heard of this project — it’s called Gutenberg, after another invention that revolutionized publishing — but are wondering what it means for you. Who will see the biggest difference, and what it will change for your everyday workflows? Everyone, and everything. The Gutenberg editor uses blocks to create all types of content, replacing a half-dozen inconsistent ways of customizing WordPress, bringing it in line with modern coding standards, and aligning with open web initiatives. These content blocks transform how users, developers, and hosts interact with WordPress to make building rich web content easier and more intuitive, democratizing publishing — and work — for everyone, regardless of technical ability.
It’s great that so many people think WordPress is the best way to get their ideas on the web, and it’s easy to unlock the power of WordPress if you know how to write code — but not everyone does. And now, you won’t need to.
This is where all of the Gutenberg documentation, guidelines, and development details are being kept.
“Gutenberg” is the codename for the 2017 WordPress editor focus. The goal of this focus is to create a new post and page editing experience that makes it easy for anyone to create rich post layouts. This was the kickoff goal: The editor will endeavour to create a new page and post building experience that makes writing rich posts effortless, and has “blocks” to make it easy what today might take shortcodes, custom HTML, or “mystery meat” embed discovery.
Key take-aways from parsing that paragraph:
Authoring richly laid out posts is a key strength of WordPress.
By embracing “the block”, we can potentially unify multiple different interfaces into one. Instead of learning how to write shortcodes, custom HTML, or paste URLs to embed, you should do with just learning the block, and all the pieces should fall in place.
“Mystery meat” refers to hidden features in software, features that you have to discover. WordPress already supports a large amount of blocks and 30+ embeds, so let’s surface them.
Gutenberg is being developed on GitHub, and you can try an early beta version today from the plugin repository. Though keep in mind
WordPress 4.9.5 is here. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.
WordPress 4.9.5 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented in 4.9.5:
Don't treat localhost as same host by default.
Use safe redirects when redirecting the login page if SSL is forced.
Make sure the version string is correctly escaped for use in generator tags.
Thank you to the reporters of these issues for practicing coordinated security disclosure: xknown of the WordPress Security Team, Nitin Venkatesh (nitstorm), and Garth Mortensen of the WordPress Security Team.
Twenty-five other bugs were fixed in WordPress 4.9.5. Particularly of note were:
The previous styles on caption shortcodes have been restored.
Cropping on touch screen devices is now supported.
A variety of strings such as error messages have been updated for better clarity.
The position of an attachment placeholder during uploads has been fixed.
This is a security release so better get to updating. Three issues including WP_Query being vulnerable to a SQL injection and a cross-site scripting (XSS) vulnerability.
WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.1 and earlier are affected by three security issues:
The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.
Thank you to the reporters of these issues for practicing responsible disclosure.
Download WordPress 4.7.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.
Thanks to everyone who contributed to 4.7.2.
HackerOne is a platform for security researchers to report vulnerabilities. With the announcement also comes the introduction of bug bounties!
WordPress has grown a lot over the last thirteen years – it now powers more than 28% of the top ten million sites on the web. During this growth, each team has worked hard to continually improve their tools and processes. Today, the WordPress Security Team is happy to announce that WordPress is now officially on HackerOne! HackerOne is a platform for security researchers to securely and responsibly report vulnerabilities to our team. It provides tools that improve the quality and consistency of communication with reporters, and will reduce the time spent on responding to commonly reported issues. This frees our team to spend more time working on improving the security of WordPress.
The security team has been working on this project for quite some time. Nikolay Bachiyski started the team working on it just over a year ago. We ran it as a private program while we worked out our procedures and processes, and are excited to finally make it public.
With the announcement of the WordPress HackerOne program we are also introducing bug bounties. Bug bounties let us reward reporters for disclosing issues to us and helping us secure our products and infrastructure. We’ve already awarded
RC - it's almost done. If you haven't tested, now's the time to jump in. WordPress 4.9 is scheduled to be launched on Tuesday, November 14.
The release candidate for WordPress 4.9 is now available. RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.9 on Tuesday, November 14, but we need your help to get there. If you haven’t tested 4.9 yet, now is the time!
To test WordPress 4.9, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).
We’ve made almost 30 changes since releasing Beta 4 last week. For more details about what’s new in version 4.9, check out the Beta 1, Beta 2, Beta 3, and Beta 4 blog posts.
Developers, please test your plugins and themes against WordPress 4.9 and update your plugin’s Tested up to version in the readme to 4.9. If you find compatibility problems please be sure to post to the support forums so we can figure those out before the final release — we work hard to avoid breaking things. An in-depth field guide to developer-focused changes is coming soon on the core development blog. In the meantime, you can review the developer notes for 4.9.
Do you speak a language other than English? Help us translate
WordPress 4.9.6 is now available. This is a privacy and maintenance release. We encourage you to update your sites to take advantage of the new privacy features. Privacy The European Union's General Data Protection Regulation (GDPR) takes effect on May 25.
WordPress 4.9.6 is now available. This is a privacy and maintenance release. We encourage you to update your sites to take advantage of the new privacy features.
Privacy
The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25. The GDPR requires companies and site owners to be transparent about how they collect, use, and share personal data. It also gives individuals more access and choice when it comes to how their own personal data is collected, used, and shared.
It’s important to understand that while the GDPR is a European regulation, its requirements apply to all sites and online businesses that collect, store, and process personal data about EU residents no matter where the business is located.
You can learn more about the GDPR from the European Commission’s Data Protection page.
We’re committed to supporting site owners around the world in their work to comply with this important law. As part of that effort, we’ve added a number of new privacy features in this release.
Logged-out commenters will be given a choice on whether their name, email address, and website are saved in a cookie on their browser.
This is something I think the community should know. Regardless of whether you used WangGuard or not, take a moment and read the reason why the developer stopped.
Many people have been wondering why WangGuard closed for good. It is a question that I have come across more or less frequently in the WordPress forums, the official WordPress.org Slack, Twitter, and so on. I have never answered, but I feel that now the time has come to explain, since thousands of sites worldwide were using this plugin and there are conjectures everywhere.
From what I’ve seen, those conjectures can be anything from the economic ones, the professional ones, or the “he closed it just because” ones.
None of the above fits in the least with reality. Yes, WangGuard had a high server cost for me, but SiteGround had started to sponsor WangGuard, and hence that cost was gone. The only “cost” left was the time that I dedicated to the plugin. As to the professional one, that I had started to work for a company and had no time left, of course not. I still feel very comfortable working for myself, even though I can work more or less regularly for important companies, who know that I am a free agent. The “just because” conjecture is the most absurd of all: WangGuard was created to help people with a very big problem on the internet, particularly
WordPress 4.7.4, a maintenance release, is out. Contains 47 maintenance fixes and enhancements. Go get it or let auto-update work its magic.
After almost sixty million downloads of WordPress 4.7, we are pleased to announce the immediate availability of WordPress 4.7.4, a maintenance release. This release contains 47 maintenance fixes and enhancements, chief among them an incompatibility between the upcoming Chrome version and the visual editor, inconsistencies in media handling, and further improvements to the REST API. For a full list of changes, consult the release notes and the list of changes.
Download WordPress 4.7.4 or visit Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.4.
Thanks to everyone who contributed to 4.7.4:
Aaron Jorbin, Adam Silverstein, Andrea Fercia, Andrew Ozz, aussieguy123, Blobfolio, boldwater, Boone Gorges, Boro Sitnikovski, chesio, Curdin Krummenacher, Daniel Bachhuber, Darren Ethier (nerrad), David A. Kennedy, davidbenton, David Herrera, Dion Hulse, Dominik Schilling (ocean90), eclev91, Ella Van Dorpe, Gustave F. Gerhardt, ig_communitysites, James Nylen, Joe Dolson, John Blackbourn, karinedo, lukasbesch, maguiar, MatheusGimenez, Matthew Boynes, Matt Wiebe, Mayur Keshwani, Mel Choyce,
Smaller release than I think was expected, but includes improved visual editor experience, WordPress event locator, and a few other shiny things.
We’re planning a smaller WP release early next month, bringing in three major enhancements: An improved visual editor experience, with a new TinyMCE that allows you to navigate more intuitively in and out of inline elements like links. (Try it out to see, it’s hard to describe.)
A revamp of the dashboard news widget to bring in nearby and upcoming events including meetups and WordCamps.
Several new media widgets covering images, audio, and video, and an enhancement to the text widget to support visual editing.
The first beta of 4.8 is now available for testing. You can use the beta tester plugin (or just run trunk) to try the latest and greatest, and each of these areas could use a ton of testing. Our goals are to make editing posts with links more intuitive, make widgets easier for new users and more convenient for existing ones, and get many more people aware of and attending our community events.
Four point eight is here
Small changes with a big punch
Big ones come later
Fully professional WordPress CV theme you can use to create an online professional CV on the get go.
Fully professional WordPress CV theme. You can use this theme to create an online professional CV on the get go. Cvee is perfect as a WordPress CV theme. The theme comes with a full-width layout and easy logo upload. Cvee is 100% responsive, built with HTML5 and CSS3; it is SEO friendly, mobile optimized and retina ready, thoroughly tested against the WordPress coding standard, and has clean, bloat-free code. You can flesh out a free CV, vCard, curriculum vitae or resume website. The best free WordPress CV theme 2018.
#WCEU The new WP plugin for Gutenberg editor is here. It's only v0.1 right now. Try it out!
Description The goal of the block editor is to make adding rich content to WordPress simple and enjoyable.
Warning: This is beta software, do not run on production sites!
The new post and page building experience will make writing rich posts effortless, making it easy to do what today might take shortcodes, custom HTML, or “mystery meat” embed discovery.
WordPress already supports a large amount of “blocks”, but doesn’t surface them very well, nor does it give them much in the way of layout options. By embracing the blocky nature of rich post content, we will surface the blocks that already exist, as well as provide more advanced layout options for each of them. This will allow you to easily compose beautiful posts like this example.
This plugin is being actively developed by many contributors. You can follow along on github.com/WordPress/gutenberg and on the #editor tag on the make.wordpress.org blog.
Contributors & Developers
This is a security and maintenance release and like most you should upgrade as soon as possible. Also a few other bugs addressed.
WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:
Use a properly generated hash for the newbloguser key instead of a determinate substring.
Add escaping to the language attributes used on html elements.
Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Thank you to the reporters of these issues for practicing responsible security disclosure: Rahul Pratap Singh and John Blackbourn.
Eleven other bugs were fixed in WordPress 4.9.1. Particularly of note were:
Issues relating to the caching of theme template files.
The inability to edit theme and plugin files on Windows
Named “Tipton” for the jazz musician and band leader Billy Tipton... Featuring design drafts, scheduling, and locking, along with preview links... over 443 contributors!
Major Customizer Improvements, Code Error Checking, and More!
Version 4.9 of WordPress, named “Tipton” in honor of jazz musician and band leader Billy Tipton, is available for download or update in your WordPress dashboard. New features in 4.9 will smooth your design workflow and keep you safe from coding errors.
Featuring design drafts, scheduling, and locking, along with preview links, the Customizer workflow improves collaboration for content creators. What’s more, code syntax highlighting and error checking will make for a clean and smooth site building experience. Finally, if all that wasn’t pretty great, we’ve got an awesome new Gallery widget and improvements to theme browsing and switching.
Customizer Workflow Improved
Yes, you read that right. Just like you can draft and revise posts and schedule them to go live on the date and time you choose, you can now tinker with your site’s design and schedule those design changes to go live as you please.
Collaborate with Design Preview Links
Need to get some feedback on proposed site design changes? WordPress 4.9 gives you a preview link you can send to colleagues and customers so that you can collect
A security release but also containing 6 maintenance fixes. Get your upgrade a-going people!
WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.8.1 and earlier are affected by these security issues:
$wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco
A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the
It's here! Version 4.7 of WordPress, named “Vaughan” in honor of legendary jazz vocalist Sarah “Sassy” Vaughan.
Version 4.7 of WordPress, named “Vaughan” in honor of legendary jazz vocalist Sarah “Sassy” Vaughan, is available for download or update in your WordPress dashboard. New features in 4.7 help you get your site set up the way you want it.
Presenting Twenty Seventeen
A brand new default theme brings your site to life with immersive featured images and video headers.
Twenty Seventeen focuses on business sites and features a customizable front page with multiple sections. Personalize it with widgets, navigation, social menus, a logo, custom colors, and more. Our default theme for 2017 works great in many languages, on any device, and for a wide range of users.
Your Site, Your Way
WordPress 4.7 adds new features to the customizer to help take you through the initial setup of a theme, with non-destructive live previews of all your changes in one uninterrupted workflow.
Theme Starter Content
To help give you a solid base to build from, individual themes can provide starter content that appears when you go to customize your brand new site. This can
WordPress 4.9 is slated for release on November 14 but this is the first beta. Time to start testing!
WordPress 4.9 Beta 1 is now available! This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).
WordPress 4.9 is slated for release on November 14, but we need your help to get there. We’ve been working on making it even easier to customize your site. Here are some of the bigger items to test and help us find as many bugs as possible in the coming weeks:
Drafting (#39896) and scheduling (#28721) of changes in the Customizer. Once you save or schedule a changeset, when any user comes into the Customizer the pending changes will be autoloaded. A button is provided to discard changes to restore the Customizer to the last published state. (This is a new “linear” mode for changesets, as opposed to “branching” mode which can be enabled by filter so that every time user opens the Customizer a new blank changeset will be started.)
Addition of a frontend preview link to the Customizer to allow changes
Quite a few security issues fixed in this one, yikes.
WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.2 and earlier are affected by six security issues:
Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang.
Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Daniel Cid.
Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.
Thank you to the reporters for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that
Come and get it! This update has some maintenance fixes and enhancements, mainly: (1) fixes to the rich Text widget and (2) introduction of the Custom HTML widget.
After over 13 million downloads of WordPress 4.8, we are pleased to announce the immediate availability of WordPress 4.8.1, a maintenance release. This release contains 29 maintenance fixes and enhancements, chief among them are fixes to the rich Text widget and the introduction of the Custom HTML widget. For a full list of changes, consult the release notes, the tickets closed, and the list of changes.
Download WordPress 4.8.1 or visit Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.1.
Thanks to everyone who contributed to 4.8.1:
Adam Silverstein, Andrea Fercia, Andrew Ozz, Atanas Angelov, bonger, Boone Gorges, Boro Sitnikovski, David Herrera, James Nylen, Jeffrey Paul, Jennifer M. Dodd, K. Adam White, Konstantin Obenland, Mel Choyce, r-a-y, Reuben Gunday, Rinku Y, Said El Bakkali, Sergey Biryukov, Siddharth Thevaril, Timmy Crawford, and Weston Ruter.
If you use the Display Widgets plugin, it has been removed from the plugin repository due to potentially malicious code.
This is the latest version of the plugin code (version 18.104.22.168) : https://plugins.trac.wordpress.org/browser/display-widgets/trunk/geolocation.php Look at the function on line 186 (pasted below).
Note the name of the function dynamic_page, what do you think a function with name Dynamic Page does?
It creates a DYNAMIC PAGE (a Dynamic WordPress Post) on Display Widgets users' sites and is loaded using line 299:
299 add_filter( 'the_posts', array( 'dw_geolocation_connector', 'dynamic_page' ) );
The above hooks into the_posts: this line basically intercepts your Posts before they are output to the browser so the Dynamic Post can be added to the Posts.
Why would a plugin to determine where widgets are loaded create Dynamic Posts?
Line 187 checks whether a user is logged in. A logged-in user is probably the site owner, and when a user is logged in the Dynamic Page function does nothing (it outputs the Posts normally). So if you are logged into your site and you look at your site in a browser, everything looks normal.
Why would a legitimate plugin feature be hidden from the site owner and other logged in users?
If a user is logged out: that would be your site's visitors and
Release notes are out, and this release fixes 6 security issues.
WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.4 and earlier are affected by six security issues:
Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
Thank you to the reporters of these issues for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
Help Test! Since last beta, includes enhancements for video headers, REST API bug fixes, media and page template support in starter content, and more.
The release candidate for WordPress 4.7 is now available. RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.7 on Tuesday, December 6, but we need your help to get there. If you haven’t tested 4.7 yet, now is the time! To test WordPress 4.7, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).
WordPress 4.7 is a jam-packed release, with a number of features focused on getting a theme set up for the first time. Highlights include a new default theme, video headers, custom CSS, customizer edit shortcuts, PDF thumbnail previews, user admin languages, REST API content endpoints, post type templates, and more.
We’ve made quite a few refinements since releasing Beta 4 a week ago, including usability and accessibility enhancements for video headers, media and page template support in starter content, and polishing of how custom CSS can be migrated to and extended by plugins and themes. The REST API endpoints saw a number of bugfixes and notably now have anonymous comment off by default.
Not sure where to start