WordPress 4.9.6 is now available. This is a privacy and maintenance release. We encourage you to update your sites to take advantage of the new privacy features.
The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25. The GDPR requires companies and site owners to be transparent about how they collect, use, and share personal data. It also gives individuals more access and choice when it comes to how their own personal data is collected, used, and shared.
It’s important to understand that while the GDPR is a European regulation, its requirements apply to all sites and online businesses that collect, store, and process personal data about EU residents no matter where the business is located.
We’re committed to supporting site owners around the world in their work to comply with this important law. As part of that effort, we’ve added a number of new privacy features in this release.
Logged-out commenters will be given a choice on whether their name, email address, and website are saved in a cookie on their browser.
Site owners have a new email-based method that they can use to confirm personal data requests. This request confirmation tool works for both export and erasure requests, and for both registered users and commenters.
95 updates were made in WordPress 4.9.6. In addition to the above, particularly of note were:
“Mine” has been added as a filter in the media library.
When viewing a plugin in the admin, it will now tell you the minimum PHP version required.
We’ve added new PHP polyfills for forwards-compatibility and proper variable validation.
TinyMCE was updated to the latest version (4.7.11).
This maintenance release fixes a severe bug in 4.9.3, which will cause sites that support automatic background updates to fail to update automatically, and will require action from you (or your host) for it to be updated to 4.9.4.
Four years ago with WordPress 3.7 “Basie”, we added the ability for WordPress to self-update, keeping your website secure and bug-free, even when you weren’t available to do it yourself. For four years it’s helped keep millions of installs updated with very few issues over that time. Unfortunately yesterdays 4.9.3 release contained a severe bug which was only discovered after release. The bug will cause WordPress to encounter an error when it attempts to update itself to WordPress 4.9.4, and will require an update to be performed through the WordPress dashboard or hosts update tools.
WordPress managed hosting companies who install updates automatically for their customers can install the update as normal, and we’ll be working with other hosts to ensure that as many customers of theirs who can be automatically updated to WordPress 4.9.4 can be.
This maintenance release fixes 34 bugs in 4.9, including fixes for Customizer changesets, widgets, visual editor, and PHP 7.2 compatibility. For a full list of changes, consult the list of tickets and the changelog.
Download WordPress 4.9.3 or visit Dashboard → Updates and click “Update Now.” Sites that support automatic background updates are already beginning to update automatically.
Thank you to everyone who contributed to WordPress 4.9.3:
WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.
An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.
WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.
WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:
Use a properly generated hash for the newbloguser key instead of a determinate substring.
Add escaping to the language attributes used on html elements.
Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Major Customizer Improvements, Code Error Checking, and More! ?
Version 4.9 of WordPress, named “Tipton” in honor of jazz musician and band leader Billy Tipton, is available for download or update in your WordPress dashboard. New features in 4.9 will smooth your design workflow and keep you safe from coding errors.
Featuring design drafts, scheduling, and locking, along with preview links, the Customizer workflow improves collaboration for content creators. What’s more, code syntax highlighting and error checking will make for a clean and smooth site building experience. Finally, if all that wasn’t pretty great, we’ve got an awesome new Gallery widget and improvements to theme browsing and switching.
Customizer Workflow Improved
Draft and Schedule Site Design Customizations
Yes, you read that right. Just like you can draft and revise posts and schedule them to go live on the date and time you choose, you can now tinker with your site’s design and schedule those design changes to go live as you please.
Collaborate with Design Preview Links
Need to get some feedback on proposed site design changes? WordPress 4.9 gives you a preview link you can send to colleagues and customers so that you can collect and integrate feedback before you schedule the changes to go live. Can we say collaboration++?
Design Locking Guards Your Changes
Ever encounter a scenario where two designers walk into a project and designer A overrides designer B’s beautiful changes? WordPress 4.9’s design lock feature (similar to post locking) secures your draft design so that no one can make changes to it or erase all your hard work.
A Prompt to Protect Your Work
Were you lured away from your desk before you saved your new draft design? Fear not, when you return, WordPress 4.9 will politely ask whether or not you’d like to save your unsaved changes.
Syntax Highlighting and Error Checking? Yes, Please!
You’ve got a display problem but can’t quite figure out exactly what went wrong in the CSS you lovingly wrote. With syntax highlighting and error checking for CSS editing and the Custom HTML widget introduced in WordPress 4.8.1, you’ll pinpoint coding errors quickly. Practically guaranteed to help you scan code more easily, and suss out & fix code errors quickly.
Sandbox for Safety
The dreaded white screen. You’ll avoid it when working on themes and plugin code because WordPress 4.9 will warn you about saving an error. You’ll sleep better at night.
Warning: Potential Danger Ahead!
When you edit themes and plugins directly, WordPress 4.9 will politely warn you that this is a dangerous practice and will recommend that you draft and test changes before updating your file. Take the safe route: You’ll thank you. Your team and customers will thank you.
Even More Widget Updates
The New Gallery Widget
An incremental improvement to the media changes hatched in WordPress 4.8, you can now add a gallery via this new widget. Yes!
Press a Button, Add Media
Want to add media to your text widget? Embed images, video, and audio directly into the widget along with your text, with our simple but useful Add Media button. Woo!
Site Building Improvements
More Reliable Theme Switching
When you switch themes, widgets sometimes think they can just move location. Improvements in WordPress 4.9 offer more persistent menu and widget placement when you decide it’s time for a new theme.
Find and Preview the Perfect Theme
Looking for a new theme for your site? Now, from within the Customizer, you can search, browse, and preview over 2600 themes before deploying changes to your site. What’s more, you can speed your search with filters for subject, features, and layout.
Better Menu Instructions = Less Confusion
Were you confused by the steps to create a new menu? Perhaps no longer! We’ve ironed out the UX for a smoother menu creation process. Newly updated copy will guide you.
Lend a Hand with Gutenberg ?
WordPress is working on a new way to create and control your content and we’d love to have your help. Interested in being an early tester or getting involved with the Gutenberg project? Contribute on GitHub.
We’ve made numerous improvements to the Customizer JS API in WordPress 4.9, eliminating many pain points. (Hello, default parameters for constructs! Goodbye repeated ID for constructs!) There are also new base control templates, a date/time control, and section/panel/global notifications to name a few. Check out the full list.
New capabilities have been introduced that allow granular management of plugins and translation files. In addition, the site switching process in multisite has been fine-tuned to update the available roles and capabilities in a more reliable and coherent way.
This release was led by Mel Choyce and Weston Ruter, with the help of the following fabulous folks. There are 443 contributors with props in this release, with 185 of them contributing for the first time. Pull up some Billy Tipton on your music service of choice, and check out some of their profiles:
The third release candidate for WordPress 4.9 is now available.
A release candidate (RC) means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. In fact, we did miss some things in RC1 and RC2. This third release candidate was not originally scheduled, but due a number of defects uncovered through your testing of RC2 (thank you!), we are putting out another 4.9 release candidate.
We hope to ship WordPress 4.9 on Tuesday, November 14 (that’s tomorrow) at 23:00 UTC, but we still need your help to get there. If you haven’t tested 4.9 yet, now is the time! If there are additional defects uncovered through testing between now and the release time, we may delay the 4.9 release to the following day.
We’ve made just over 20 changes since releasing RC2 last week (as we did between RC1 and RC2). For more details about what’s new in version 4.9, check out the Beta 1, Beta 2, Beta 3, Beta 4, RC1, and RC2 blog posts. A few specific areas to test in RC3:
Switching between the Visual and Text tabs of the editor, and the syncing of the cursor between those two tabs.
Overriding linting errors in the Customizer’s Additional CSS editor.
Adding nav menu items for Custom Links in the Customizer.
Scheduling customization drafts (stubbed posts/pages) for publishing in the Customizer.
Autosave revisions for changes in the Customizer.
About page styling.
Developers, please test your plugins and themes against WordPress 4.9 and update your plugin’s Tested up to version in the readme to 4.9. If you find compatibility problems please be sure to post to the support forums so we can figure those out before the final release — we work hard to avoid breaking things. Please see the summative field guide to the 4.9 developer notes on the core development blog.