WordPress 4.9 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.9, check out the Beta 1 blog post. Since the Beta 1 release, we’ve made 70 changes in Beta 2 and 92 changes in Beta 3. A few of these newest changes to take note of in particular:

  • The plugin/theme editors now show files in a scrollable expandable tree list. See #24048.
  • Backwards compatibility has been improved for MediaElement.js, which is upgraded from 2.2 to 4.2. See #42189.
  • When you create post stubs in the Customizer (such as for nav menu items, for the homepage or the posts page), if you then schedule your customized changes or save them as a draft, then these Customizer-created posts will appear in the admin as “Customization Drafts”; these drafts can be edited before your customized changes are published, at which time these posts (or pages) will also be automatically published. See #42220.
  • Theme browsing and installation experience in the Customizer has seen some bugfixes (e.g. #42215 and #42212), with some known remaining issues outstanding in Safari.
  • There is now a callout on the dashboard to install and activate Gutenberg. See #41316.
  • Menus in the Customizer have seen additional usability improvements. See #36279 and #42114.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Many refinements
Exist within this release;
Can you find them all?

WordPress 4.9 Beta 2 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.9, check out the Beta 1 blog post. Since then, we’ve made 70 changes in Beta 2.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Let’s test all of these:
code editing, theme switches,
widgets, scheduling.

WordPress 4.9 Beta 1 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

WordPress 4.9 is slated for release on November 14, but we need your help to get there. We’ve been working on making it even easier to customize your site. Here are some of the bigger items to test and help us find as many bugs as possible in the coming weeks:

  • Drafting (#39896) and scheduling (#28721) of changes in the Customizer. Once you save or schedule a changeset, when any user comes into the Customizer the pending changes will be autoloaded. A button is provided to discard changes to restore the Customizer to the last published state. (This is a new “linear” mode for changesets, as opposed to “branching” mode which can be enabled by filter so that every time  user opens the Customizer a new blank changeset will be started.)
  • Addition of a frontend preview link to the Customizer to allow changes to be browsed on the frontend, even without a user being logged in (#39896).
  • Addition of autosave revisions in the Customizer (#39275).
  • A brand new theme browsing experience in the Customizer (#37661).
  • Gallery widget (#41914), following the media and image widgets introduced in 4.8.
  • Support for shortcodes in Text widgets (#10457).
  • Support for adding media to Text widgets (#40854).
  • Support for adding oEmbeds outside post content, including Text widgets (#34115).
  • Support for videos from providers other than YouTube and Vimeo in the Video widget (#42039)
  • Improve the flow for creating new menus in the Customizer (#40104).
  • Educated guess mapping of nav menus and widgets when switching themes (#39692).
  • Plugins: Introduce singular capabilities for activating and deactivating individual plugins (#38652).
  • Sandbox PHP file edits in both plugins and themes, without auto-deactivation when an error occurs; a PHP edit that introduces a fatal error is rolled back with an opportunity then for the user to fix the error and attempt to re-save. (#21622).
  • Addition of dirty state for widgets on the admin screen, indicating when a widget has been successfully saved and showing an “Are you sure?” dialog when attempting to leave without saving changes. (#23120, #41610)

As always, there have been exciting changes for developers to explore as well, such as:

  • CodeMirror editor added to theme/plugin editor, Custom CSS in Customizer, and Custom HTML widgets. Integration includes support for linters to catch errors before you attempt to save. Includes new APIs for plugins to instantiate editors. (#12423)
  • Introduction of an extensible code editor control for adding instances of CodeMirror to the Customizer. (#41897)
  • Addition of global notifications area (#35210), panel and section notifications (#38794), and a notification overlay that takes over the entire screen in the Customizer (#37727).
  • A date/time control in the Customizer (#42022).
  • Improve usability of Customize JS API (#42083, #37964, #36167).
  • Introduction of control templates for base controls (#30738).
  • Use WP_Term_Query when transforming tax queries (#37038).
  • Database: Add support for MySQL servers connecting to IPv6 hosts (#41722).
  • Emoji: Bring Twemoji compatibility to PHP (#35293). Test for any weirdness with emoji in RSS feeds or emails.
  • I18N: Introduce the Plural_Forms class (#41562).
  • Media: Upgrade MediaElement.js to 4.2.5-74e01a40 (#39686).
  • Media: Use max-width for default captions (#33981). We will want to make sure this doesn’t cause unexpected visual regressions in existing themes, default themes were all fine in testing.
  • Media: Reduce duplicated custom header crops in the Customizer (#21819).
  • Media: Store video creation date in meta (#35218). Please help test different kinds of videos.
  • Multisite: Introduce get_site_by() (#40180).
  • Multisite: Improve get_blog_details() by using get_site_by() (#40228).
  • Multisite: Improve initializing available roles when switch sites (#38645).
  • Multisite: Initialize a user’s roles correctly when setting them up for a different site (#36961).
  • REST API: Support registering complex data structures for settings and meta
  • REST API: Support for objects in schema validation and sanitization (#38583)
  • Role/Capability: Introduce capabilities dedicated to installing and updating language files (#39677).
  • Remove SWFUpload (#41752).
  • Users: Require a confirmation link in an email to be clicked when a user attempts to change their email address (#16470).
  • Core and the unit test suite is fully compatible with the upcoming release of PHP 7.2

If you want a more in-depth view of what major changes have made it into 4.9, check out posts tagged with 4.9 on the main development blog, or look at a list of everything that’s changed. There will be more developer notes to come, so keep an eye out for those as well.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Happy testing!

Without your testing,
we might hurt the internet.
Please help us find bugs.🐛

WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.1 and earlier are affected by these security issues:

  1. $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco
  2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
  3. A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
  4. A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
  5. A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
  6. An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
  7. A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
  8. A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
  9. A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.8.2 contains 6 maintenance fixes to the 4.8 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.8.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.2.

Thanks to everyone who contributed to 4.8.2.

After over 13 million downloads of WordPress 4.8, we are pleased to announce the immediate availability of WordPress 4.8.1, a maintenance release.

This release contains 29 maintenance fixes and enhancements, chief among them are fixes to the rich Text widget and the introduction of the Custom HTML widget. For a full list of changes, consult the release notes, the tickets closed, and the list of changes.

Download WordPress 4.8.1 or visit Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.1.

Thanks to everyone who contributed to 4.8.1:
Adam Silverstein, Andrea Fercia, Andrew Ozz, Atanas Angelov, bonger, Boone Gorges, Boro Sitnikovski, David Herrera, James Nylen, Jeffrey Paul, Jennifer M. Dodd, K. Adam White, Konstantin Obenland, Mel Choyce, r-a-y, Reuben Gunday, Rinku Y, Said El Bakkali, Sergey Biryukov, Siddharth Thevaril, Timmy Crawford, and Weston Ruter.

An Update with You in Mind

Gear up for a more intuitive WordPress!

Version 4.8 of WordPress, named “Evans” in honor of jazz pianist and composer William John “Bill” Evans, is available for download or update in your WordPress dashboard. New features in 4.8 add more ways for you to express yourself and represent your brand.

Though some updates seem minor, they’ve been built by hundreds of contributors with you in mind. Get ready for new features you’ll welcome like an old friend: link improvements, three new media widgets covering images, audio, and video, an updated text widget that supports visual editing, and an upgraded news section in your dashboard which brings in nearby and upcoming WordPress events.


Exciting Widget Updates

Image Widget

Adding an image to a widget is now a simple task that is achievable for any WordPress user without needing to know code. Simply insert your image right within the widget settings. Try adding something like a headshot or a photo of your latest weekend adventure — and see it appear automatically.

Video Widget

A welcome video is a great way to humanize the branding of your website. You can now add any video from the Media Library to a sidebar on your site with the new Video widget. Use this to showcase a welcome video to introduce visitors to your site or promote your latest and greatest content.

Audio Widget

Are you a podcaster, musician, or avid blogger? Adding a widget with your audio file has never been easier. Upload your audio file to the Media Library, go to the widget settings, select your file, and you’re ready for listeners. This would be a easy way to add a more personal welcome message, too!

Rich Text Widget

This feature deserves a parade down the center of town! Rich-text editing capabilities are now native for Text widgets. Add a widget anywhere and format away. Create lists, add emphasis, and quickly and easily insert links. Have fun with your newfound formatting powers, and watch what you can accomplish in a short amount of time.


Link Boundaries

Have you ever tried updating a link, or the text around a link, and found you can’t seem to edit it correctly? When you edit the text after the link, your new text also ends up linked. Or you edit the text in the link, but your text ends up outside of it. This can be frustrating! With link boundaries, a great new feature, the process is streamlined and your links will work well. You’ll be happier. We promise.


Nearby WordPress Events

Did you know that WordPress has a thriving offline community with groups meeting regularly in more than 400 cities around the world? WordPress now draws your attention to the events that help you continue improving your WordPress skills, meet friends, and, of course, publish!

This is quickly becoming one of our favorite features. While you are in the dashboard (because you’re running updates and writing posts, right?) all upcoming WordCamps and official WordPress Meetups — local to you — will be displayed.

Being part of the community can help you improve your WordPress skills and network with people you wouldn’t otherwise meet. Now you can easily find your local events just by logging in to your dashboard and looking at the new Events and News dashboard widget.


Even More Developer Happiness 😊

More Accessible Admin Panel Headings

New CSS rules mean extraneous content (like “Add New” links) no longer need to be included in admin-area headings. These panel headings improve the experience for people using assistive technologies.

Removal of Core Support for WMV and WMA Files

As fewer and fewer browsers support Silverlight, file formats which require the presence of the Silverlight plugin are being removed from core support. Files will still display as a download link, but will no longer be embedded automatically.

Multisite Updates

New capabilities have been introduced to 4.8 with an eye towards removing calls to
is_super_admin(). Additionally, new hooks and tweaks to more granularly control site and user counts per network have been added.

Text-Editor JavaScript API

With the addition of TinyMCE to the text widget in 4.8 comes a new JavaScript API for instantiating the editor after page load. This can be used to add an editor instance to any text area, and customize it with buttons and functions. Great for plugin authors!

Media Widgets API

The introduction of a new base media widget REST API schema to 4.8 opens up possibilities for even more media widgets (like galleries or playlists) in the future. The three new media widgets are powered by a shared base class that covers most of the interactions with the media modal. That class also makes it easier to create new media widgets and paves the way for more to come.

Customizer Width Variable

Rejoice! New responsive breakpoints have been added to the customizer sidebar to make it wider on high-resolution screens. Customizer controls should use percentage-based widths instead of pixels.


The Squad

This release was led by Matt and Jeff Paul, with the help of the following fabulous folks. There are 346 contributors with props in this release, with 106 of them contributing for the first time. Pull up some Bill Evans on your music service of choice, and check out some of their profiles:

1naveengiri, 4nickpick, Aaron D. Campbell, Aaron Jorbin, abhishek, Abhishek Kumar, abrain, Adam Harley (Kawauso), Adam Silverstein, Adam Soucie, Afzal Multani, Ahmad Awais, ajoah, Alex Concha, Alex Floyd Marshall, Alex King, Alex Shiels, Andrea Fercia, Andrea Middleton, Andrew Nacin, Andrew Ozz, Andrew Rockwell, Andy Mercer, Ankit K Gupta, arena94, Arshid, Arun, asalce, ashokkumar24, Barry Ceelen, bcworkz, Bharat Kambariya, Blobfolio, bonger, Boone B. Gorges, Boro Sitnikovski, Brad Touesnard, Brady Vercher, Brandon Kraft, Brandon Lavigne, Bridget Willard, Bunty, Cami Kaos, Carl Alberto, Casey Driscoll, cazm, ccprog, Chandra Patel, chesio, chetansatasiya, Chirag Patel, Chouby, Chris Klosowski, Chris Mok, chriseverson, Christian Chung, Corey McKrill, Courtney P.K., Cristiano Zanca, csloisel, Curdin Krummenacher, Cyrus Collier, Daniel Bachhuber , Daniel Llewellyn, Daniele Scasciafratte, Darren Ethier (nerrad), Darshan_dj, darthaud, Daryl L. L. Houston (dllh), David A. Kennedy, David Anderson, David Binovec, David Herrera, David Shanske, davidbenton, designsimply, Dhanendran, Dharmesh Patel, Dhaval Parekh, dingo-d, Dion Hulse, Dominik Schilling, Dotan Cohen, DoubleH, DreamOn11, Drew Jaynes, Drivingralle, dspilka, Edwin Cromley, Ejner Galaz, Ella Iseulde Van Dorpe, emirpprime, Eric Andrew Lewis, Erick Hitter, Ethan Allen, Fabien Quatravaux, Felix Arntz, fibonaccina, Florian TIAR, Francesca Marano, Frank Neumann-Staude, Franz Josef Kaiser, Gabriel Maldonado, Garth Mortensen, Gary Cao, Gary Pendergast, George Stephanis, Gustave F. Gerhardt, hedgefield, Helen Hou-Sandí, helgatheviking, Hristo Pandjarov, Ian Dunn, ig_communitysites, Igor Zinovyev, imath, Ipstenu (Mika Epstein), ireneyoast, Ivan Stefanov, ivantedja, J.D. Grimes, Jack Reichert, Jake Spurlock, James Nylen, Jaydeep Rami, jazbek, Jeff Bowen, Jeff Farthing, Jeff Paul, Jeffrey de Wit, Jen Miller, Jeremy Felt, Jeremy Pry, Jignesh Nakrani, Jip Moors, jjcomack, Joe Dolson, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, John Regan, Jonathan Desrosiers, Jonny Harris, Joost de Valk, Josepha, Josh Pollock, Juhi Saxena, Justin Kopepasah, Justin Tucker, K.Adam White, kafleg, Kailey (trepmal), karinedo, Kathryn, kaushik, Keanan Koppenhaver, keesiemeijer, Kelly Dwan, Kite, kjellr, Konstantin Kovshenin, Konstantin Obenland, kostasx, kubik-rubik, KUCKLU, Lance Willett, Laurel Fulford, Lee Willis, leemon, LewisCowles, LiamMcArthur, Lucas Stark, lukasbesch, Luke Cavanagh, Maedah Batool, maguiar, Mahesh Prajapati, mantismamita, Marin Atanasov, Mark Jaquith, Mark Root-Wiley, Mark Uraine, Marko Heijnen, Matheus Martins, MatheusGimenez, mathieuhays, matias, Matt Wiebe, Matthew Boynes, Matthew Haines-Young, mattyrob, Maxime Culea, Mayo Moriyama, Mayur Keshwani, Mel Choyce, Menaka S., Michael Arestad, michalzuber, michelleweber, Miina Sikk, Mike Crantea, Mike Hansen, Mike Jolley, Mike Little, Mike Nelson, Mike Schroder, Milan Dinić, Milind More, Mithun Raval, MMDeveloper, Mohammad Jangda, mohanjith, monikarao, Morgan Estes, moto hachi ( mt8.biz ), MrGregWaugh, mschadegg, Muhammet Arslan, MULTIDOTS, Naoko Takano, Naomi C. Bush, Nate Reist, Ned Zimmerman, Nick Halsey , Nikhil Chavan, Nitin Kevadiya, Nitish Kaila, nobremarcos, NoseGraze, nsundberg, nullvariable, odyssey, page-carbajal, Pascal Birchler, Paul Bearne, Paul Biron, Paul de Wouters, Paul Ryan, pavelevap, Payton Swick, pdufour, Perdaan, Peter Wilson, Philip John, Piotr Delawski, Piotr Soluch, postpostmodern, Pranali Patel, Pratik Shrestha, Presskopp, printsachen1, Priyanka Behera, prosti, ptbello, Rachel Baker, Rafael Ehlers, raggedrobins, raisonon, Rami Yushuvaev, ramiabraham, ranh, RC Lations, redrambles, reidbusi, reldev, rellect, RENAUT, rensw90, reportermike, Rian Rietveld, Riddhi Mehta, Robbie Cahill, Robert O'Rourke, Robin Cornett, runciters, Ryan Boren, Ryan McCue, Ryan Welcher, Sagar Jadhav, Sagar Prajapati, sagarkbhatt, Sal Ferrarello, Samantha Miller, Sami Keijonen, Samuel Sidler, Sanket Parmar, sathyapulse, sboisvert, Scott Reilly, Scott Taylor, Sean Hayes, Sebastian Pisula, Sergey Biryukov, sfpt, sgolemon, Shady Sharaf, shashwatmittal, shazahm1, shulard, slbmeh, Soren Wrede, Stanimir Stoyanov, Stephane Daury (stephdau), Stephen Edgar, Stephen Harris, Steven Word, stormrockwell, Sudar Muthu, Supercoder, Sybre Waaijer, szaqal21, taggon, Takayuki Miyauchi, Takayuki Miyoshi, Tammie Lister, technopolitica, teinertb, tejas5989, terwdan, tharsheblows, theMikeD, thepelkus, Thorsten Frommen, Timmy Crawford, Timothy Jacobs, timph, tmatsuur, tomdxw, Topher, Travis Smith, triplejumper12, truongwp, tymvie, Ulrich, Utkarsh, vaishu.agola27, vijustin, vortfu, Weston Ruter, wpfo, xrmx, ze3kr, and Zeljko Ascic.

 

Finally, thanks to all the community translators who worked on WordPress 4.8. Their efforts bring WordPress 4.8 fully translated to 38 languages at release time with more on the way.

Do you want to report on WordPress 4.8? We’ve compiled a press kit featuring information about the release features, and some media assets to help you along.

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress — we hope you enjoy!

The second release candidate for WordPress 4.8 is now available.

To test WordPress 4.8, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).

We’ve made a handful of changes since releasing RC 1 last week. For more details about what’s new in version 4.8, check out the Beta 1, Beta 2, and RC1 blog posts.

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

Happy testing!

The release candidate for WordPress 4.8 is now available.

RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.8 on Thursday, June 8, but we need your help to get there. If you haven’t tested 4.8 yet, now is the time!

To test WordPress 4.8, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).

We’ve made a handful of changes since releasing Beta 2 earlier this week. For more details about what’s new in version 4.8, check out the Beta 1 and Beta 2 blog posts.

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

Developers, please test your plugins and themes against WordPress 4.8 and update your plugin’s Tested up to version in the readme to 4.8. If you find compatibility problems please be sure to post to the support forums so we can figure those out before the final release – we work hard to avoid breaking things. An in-depth field guide to developer-focused changes is coming soon on the core development blog.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

This release’s haiku is courtesy of @matveb:

Érrese uno
Cien veces y más
Erre ce dos

Thanks for your continued help testing out the latest versions of WordPress.

WordPress 4.8 Beta 2 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.8, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.8, check out the Beta 1 blog post. Since then, we’ve made over 50 changes in Beta 2.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

WordPress four point eight
One step closer to release
Please test Beta 2!

WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.4 and earlier are affected by six security issues:

  1. Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
  2. Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
  3. Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
  4. A Cross Site Request Forgery (CRSF)  vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
  5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
  6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.5 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.5.

Thanks to everyone who contributed to 4.7.5.