WordPress Release: 2.8.5

TL;DR

WordPress 2.8.5 is a maintenance release that addresses several security vulnerabilities and bug fixes. This update improves file handling security, fixes PHP notices, restores default search engine visibility settings, and enhances XML-RPC functionality. The release also removes deprecated importers and improves code quality by replacing eval() usage with safer alternatives.

Highlight of the Release

• Fixed security vulnerability by disabling unfiltered uploads for admins by default
• Restored default behavior of blogs appearing in search engines on installation
• Fixed attachment file downloads that were previously generating PHP notices
• Replaced eval() usage with safer WP_MatchesMapRegex class for request processing
• Fixed XML-RPC draft viewing with correct GMT date settings

Migration Guide

No specific migration steps are required for this maintenance release. WordPress 2.8.5 is a direct update from previous 2.8.x versions and should not cause any compatibility issues with existing sites.

Note that two deprecated importers (BunnyTags and Jerome's Keywords) have been retired in this release. If you were using these importers, they will no longer be available after upgrading.

Upgrade Recommendations

This update is highly recommended for all WordPress 2.8.x users due to the security fixes included. The release addresses several security vulnerabilities and fixes bugs that could affect site functionality.

To upgrade:

1. Back up your website files and database
2. Download WordPress 2.8.5 from the WordPress.org repository
3. Deactivate plugins
4. Upload the new files, replacing the old ones
5. Run the WordPress upgrade process by visiting /wp-admin/upgrade.php
6. Reactivate plugins

Alternatively, you may use the automatic update feature if available in your WordPress installation.

Bug Fixes

• Fixed attachment file downloads that were generating PHP notices (#10372)
• Restored default behavior of blogs appearing in search engines on installation (#10621)
• Ensured drafts viewed over XML-RPC have correct GMT date set (#10244)
• Fixed PHP notice in wp-admin/includes/post.php (#10678)
• Added missing break statement in code related to unfiltered uploads (#10692)
• Fixed attachment metadata handling during imports - metadata is now properly regenerated
• Removed trailing whitespace after closing PHP tags
• Improved charset handling by stripping commas and spaces

New Features

No significant new features were introduced in this maintenance release. WordPress 2.8.5 focuses primarily on security enhancements and bug fixes to improve the stability and security of existing functionality.

Security Updates

• Disabled unfiltered uploads for administrators by default (#10692)
• Replaced eval() usage in request processing with new WP_MatchesMapRegex() class (#9602)
• Added prophylactic escapes to improve security against potential XSS vulnerabilities
• Improved input sanitization by stripping nulls from input
• Enhanced charset handling security by stripping commas and spaces from charset values

Performance Improvements

This release doesn't include specific performance improvements. The focus was primarily on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 2.8.5 is primarily a security and maintenance release that addresses several important vulnerabilities and bugs. The most significant impact is the security enhancement that disables unfiltered uploads for administrators by default, reducing the risk of malicious file uploads. The release also fixes issues with attachment file downloads, XML-RPC functionality, and PHP notices that were affecting user experience.

Code quality improvements include replacing eval() usage with safer alternatives and removing deprecated importers. These changes help maintain WordPress's security posture and reduce technical debt.

For site owners, the restoration of default search engine visibility settings ensures that new WordPress installations behave as expected regarding search engine indexing.

Overall, this release strengthens WordPress's security and stability without introducing breaking changes or requiring significant adaptation from users or developers.