WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:

  1. Use a properly generated hash for the newbloguser key instead of a determinate substring.
  2. Add escaping to the language attributes used on HTML elements.
  3. Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  4. Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

Thank you to the reporters of these issues for practicing responsible security disclosure: Rahul Pratap Singh and John Blackbourn.

Eleven other bugs were fixed in WordPress 4.9.1. Particularly of note were:

  • Issues relating to the caching of theme template files.
  • A MediaElement JavaScript error preventing users of certain languages from being able to upload media files.
  • The inability to edit theme and plugin files on Windows-based servers.

This post has more information about all of the issues fixed in 4.9.1 if you'd like to learn more.

Download WordPress 4.9.1 or venture over to Dashboard → Updates and click "Update Now." Sites that support automatic background updates are already beginning to update automatically.

Thank you to everyone who contributed to WordPress 4.9.1:

Alain Schlesser, Andrea Fercia, Angelika Reisiger, Blobfolio, bobbingwide, Chetan Prajapati, Dion Hulse, Dominik Schilling (ocean90), edo888, Erich Munz, Felix Arntz, Florian TIAR, Gary Pendergast, Igor Benic, Jeff Farthing, Jeffrey Paul, jeremyescott, Joe McGill, John Blackbourn, johnpgreen, Kelly Dwan, lenasterg, Marius L. J., Mel Choyce, Mário Valney, natacado, odyssey, precies, Saša, Sergey Biryukov, and Weston Ruter.

The next release candidate for WordPress 4.1 is now available for testing.

Seventy changes have gone in since the first release candidate. With no known issues left, we plan to release 4.1 tomorrow, December 18.

To test, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If you’d like to learn more about what’s new in WordPress 4.1, visit the updated About screen in your dashboard ( → About in the toolbar) and also check out the Beta 1 post.

Plugin authors: Remember to test your plugins against 4.1, and if they’re compatible, make sure they are marked as tested up to 4.1. Be sure to follow along the core development blog; we’ve been posting notes for developers for 4.1 as always.

The release candidate for WordPress 4.1 is now available.

We’ve made a lot of refinements over the last few weeks. RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.1 on Tuesday, December 16, but we need your help to get there. If you haven’t tested 4.1 yet, now is the time! (Please though, not on your live site unless you’re adventurous.)

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

To test WordPress 4.1 RC1, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip). If you’d like to learn more about what’s new in WordPress 4.1, visit the About screen in your dashboard ( → About in the toolbar) or check out the beta announcement.

Developers, please test your plugins and themes against WordPress 4.1 and update your plugin’s Tested up to version in the readme to 4.1 before next week. We never want to break things, so if you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release.

Be sure to follow along the core development blog, where we’ll continue to post notes for developers for 4.1. (For example: if you’ve written a child theme for Twenty Fifteen, some of the new pagination functions have been renamed for clarity.)

Testing four point one
Why are we up at this hour?
Code is poetry

Welcome, everyone, to WordPress 4.1 Beta 1!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

WordPress 4.1 is due for release next month, so we need your help with testing. Here are some highlights of what to test:

  • Our beautiful new default theme, Twenty Fifteen. It’s a clean, mobile-first, blog-focused theme designed through simplicity.
  • A new distraction-free writing mode for the editor. It’s enabled by default for beta, and we’d love feedback on it.
  • The ability to automatically install new language packs right from the General Settings screen (available as long as your site’s filesystem is writable).
  • A new inline formatting toolbar for images embedded into posts.

There have been a lot of changes for developers to test as well:

If you want a more in-depth view of what changes have made it into 4.1, check out the weekly review posts on the main development blog.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed so far.

Happy testing!

Twenty Fifteen theme
The beautiful face which hides
Many improvements