Drupal Release: 7.6

TL;DR

WordPress 7.6 brings significant improvements to security, performance, and user experience. This release focuses on enhancing password security, fixing critical AJAX handling issues, improving RTL support, and addressing various documentation gaps. Key highlights include increased password hashing iterations for better security, fixes for remote streamwrapper support, and solutions for several UI and performance bottlenecks. This maintenance release is recommended for all WordPress sites to ensure optimal security and functionality.

Highlight of the Release

• Enhanced password security with increased hashing iterations
• Fixed critical AJAX handling issues that caused UI problems
• Improved support for remote streamwrappers
• Better performance for sites with large numbers of permissions
• Fixed 'New' comment marker functionality
• Added warnings for insecure private file configurations
• Improved RTL support across multiple components

Migration Guide

Password Hashing Changes

With the increased number of hashing iterations for passwords, there's no action required for site administrators. The system will automatically update password hashes to the new format when users log in. This is a transparent change that improves security without requiring manual intervention.

AJAX Handling Changes

If you've built custom modules that rely on AJAX binding to mousedown events, you may need to update your code to use click events instead. The change from mousedown to click binding was made to fix various UI problems, but it might affect custom implementations that specifically relied on the mousedown behavior.

Field Translatability Default Change

Fields created through the UI now default to non-translatable (FALSE) to match the API behavior. If you need translatable fields, make sure to explicitly enable this option when creating fields. Existing fields are not affected by this change.

Upgrade Recommendations

This release contains important security enhancements and bug fixes that improve the stability, performance, and security of WordPress sites. All users are strongly encouraged to upgrade to version 7.6 as soon as possible.

The upgrade process should be straightforward for most sites, with no special steps required beyond the standard update procedure. However, as always, it's recommended to:

1. Back up your database and files before upgrading
2. Test the upgrade on a staging environment if possible
3. Check custom modules and themes for compatibility
4. Run update.php after upgrading to ensure all database updates are applied

For sites with custom AJAX implementations, review your code to ensure it doesn't rely on the previous mousedown binding behavior that has been changed to click binding in this release.

Bug Fixes

AJAX Handling Improvements

• Fixed various problems due to AJAX binding to mousedown instead of click, which was causing unexpected behavior in forms and UI elements
• Fixed usage of deprecated form_state['clicked_button'] that was causing bugs during AJAX submissions by non-buttons
• Added documentation and bug fix for 'prevent' AJAX property

Text Processing and Display

• Fixed regression where line-breaks were mangled by drupal_html_to_text()
• Fixed RTL support in user module and locale CSS
• Fixed node body 'description' and 'required' attributes on nodes upgraded from previous versions

Form and Field Handling

• Fixed list_field_update_forbid() logic that was backwards
• Fixed term reference autocomplete widget having problems handling terms with commas
• Fixed multiple parent relations confirmation form losing term descriptions
• Fixed undefined index issues in comment_preview() and field_default_form()

Caching and Performance

• Fixed book_get_books() cache becoming stale when batch-inserting book pages
• Fixed blocks being added to 'hidden' region when theme first enabled
• Fixed path aliases broken after upgrade
• Optimized database operations to avoid unnecessary updates

Date and Time Handling

• Fixed date_validate() function to properly validate elements
• Fixed REQUEST_TIME to handle float with microseconds on PHP 5.4

Module-specific Fixes

• Fixed Shortcut module installation via install profiles when menu module wasn't installed first
• Fixed D6->D7 update not converting 'primary-links' menu to 'main-menu'
• Fixed 'New' comment marker functionality

New Features

New Security Warning for Private Files

A new warning has been added to alert administrators when private files are accessible over the web, helping to prevent potential security vulnerabilities. This feature helps site administrators identify and fix insecure file system configurations before they can be exploited.

Improved Field Language Support

Added support for field meta conditions in EntityFieldQuery to allow for field language updates, providing better multilingual content handling. This enhancement improves the flexibility and robustness of multilingual sites.

Security Updates

Enhanced Password Security

Password security has been significantly improved by increasing the number of hashing iterations used for password hashes. This change makes password hashes more resistant to brute force attacks and rainbow table attacks, providing better protection for user accounts.

Security Tests

Added comprehensive tests for SA-CORE-2011-001 security advisory, ensuring that the security fixes are properly implemented and validated.

Private File Security

Added a warning system to alert administrators when private files are accessible over the web, helping to identify and mitigate potential security vulnerabilities related to file system configuration.

Performance Improvements

Permission Management Performance

The administration page for managing user permissions (/admin/people/permissions) has been optimized to handle large numbers of permissions without becoming unusable. This significantly improves the experience for sites with many roles and complex permission structures.

Menu Navigation Optimization

The _menu_navigation_links_rebuild() function has been optimized to improve performance when rebuilding navigation menus, reducing the time and resources required for this operation.

Database Performance

• Improved performance by avoiding unnecessary database updates where expired=0 is already set
• Better handling of nested transactions for DDL changes in MySQL
• Optimized install process to avoid unnecessary menu-touching functions that were causing SQL syntax errors

Testing Framework Improvements

The SimpleTest framework now uses proc_open() instead of pcntl_fork(), providing better compatibility and performance across different environments. Additionally, file_directory_temp() has been improved to work better on Windows systems.

Impact Summary

WordPress 7.6 delivers significant improvements across multiple areas of the platform. The security enhancements, particularly the increased password hashing iterations, provide better protection for user accounts without requiring any action from administrators or users. Performance optimizations for permission management pages and menu navigation will be especially beneficial for larger sites with complex permission structures.

The fixes for AJAX handling resolve several long-standing issues that were causing unpredictable behavior in forms and UI elements. Content editors will appreciate the fixed 'New' comment marker functionality and improved handling of terms with commas in autocomplete widgets.

Developers benefit from better documentation, fixed remote streamwrapper support, and improved handling of nested transactions in MySQL. The addition of warnings for insecure private file configurations helps administrators identify potential security issues before they can be exploited.

For multilingual sites, the improvements to RTL support and field language handling enhance the user experience for non-English users. The various fixes for upgrade-related issues, such as preserving node body attributes and path aliases, ensure smoother transitions from previous versions.

Overall, this release represents a solid maintenance update that addresses a wide range of issues across the platform, improving security, performance, and user experience without introducing disruptive changes.