WordPress Release: 3.7.2

Tag Name: 3.7.2

Release Date: 4/8/2014

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.7.2 is a maintenance and security release that addresses several important bugs and security vulnerabilities in the core system. This update focuses on improving the background update system introduced in WordPress 3.7, fixing cache inconsistencies, addressing security issues with pingbacks, and hardening the system against potential exploits. The release includes important security fixes that all WordPress site owners should apply immediately.

Highlight of the Release

    • Security hardening for HMAC verification
    • Fixed pingback IP forwarding during verification
    • Multiple improvements to the background update system
    • Fixed cache inconsistencies affecting site performance
    • Improved permission handling for content editors and contributors

Migration Guide

No specific migration steps are required for this maintenance release. WordPress 3.7.2 is a direct update from previous 3.7.x versions and should be applied automatically through the background update system for most sites.

If your site has not automatically updated, you can manually update through the WordPress dashboard or by downloading the update from the WordPress.org website.

As with any WordPress update, it's always recommended to:

  1. Back up your website before updating
  2. Check compatibility with your themes and plugins
  3. Test your site functionality after the update is complete

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains important security fixes and is strongly recommended for all WordPress sites running version 3.7 or 3.7.1.

Most sites should receive this update automatically through WordPress's background update system. If your site has not updated automatically, we recommend manually updating as soon as possible to ensure your site remains secure.

The update process should be seamless with no compatibility issues expected, as this is primarily a maintenance and security release that does not introduce new features or change existing functionality.

Bug Fixes

Background Update System

  • Fixed PHP fatal error that could occur when using FTP for background updates on certain systems
  • Improved filesystem permission checks by only verifying permissions for files that need modification
  • Fixed issue where failed background updates would show unnecessary notifications
  • Spread background updates over the hour to reduce server load
  • Added proper statistics tracking for plugin and theme background updates
  • Fixed PHP warnings caused by upgrader instance handling

Cache and Performance

  • Fixed cache inconsistencies where options (particularly db_version) could have stale values after updates
  • Resolved an issue where wp_clear_scheduled_hook() could enter an infinite loop due to cache inconsistency
  • Prefixed notoptions cache key in multisite site-options to prevent collisions

Content Management

  • Improved checks for contributors when saving posts to enhance security
  • Fixed issue where bulk post data could be incorrectly modified during bulk_edit_posts() operations

Core Functionality

  • Fixed regression in wp_mkdir_p() where parent folder permissions were not correctly applied to all created paths
  • Updated Plupload Silverlight binary to version 1.5.8

New Features

No significant new features were introduced in this maintenance release. WordPress 3.7.2 focuses on bug fixes, security improvements, and enhancing the stability of existing functionality, particularly the background update system introduced in WordPress 3.7.

Security Updates

Pingback Security

  • Improved pingback security by properly forwarding IP information during pingback verification
  • This helps prevent pingback abuse and improves traceability

Content Management Security

  • Enhanced security checks for contributors when saving posts
  • This prevents potential privilege escalation issues

Core Security Hardening

  • Hardened HMAC verification to prevent potential security vulnerabilities
  • Removed links_recently_updated_time as a security hardening measure
  • Updated Plupload Silverlight binary to version 1.5.8 to address potential security issues

Performance Improvements

Background Update Performance

  • Background updates are now spread over the hour to reduce server load and improve reliability
  • Fixed cache inconsistencies that could negatively impact performance after updates

Multisite Performance

  • Resolved cache key collisions in multisite environments by prefixing the notoptions cache key with $wpdb->siteid
  • This prevents unnecessary database queries caused by cache misses
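
The collision fixed above, as an added example (not WordPress core code): a minimal model of one object cache shared by two networks, showing how an unprefixed negative-lookup key lets a miss recorded by one network mask an option that exists on another. The class, function, and option names are hypothetical, and the option data is constructed.

```php
<?php
// Added illustration: a toy persistent object cache shared by two networks
// of one multisite install. Names are hypothetical, not WordPress APIs.
final class SharedCache {
    private array $store = [];

    public function get(string $group, string $key) {
        return $this->store[$group][$key] ?? false;
    }

    public function set(string $group, string $key, $value): void {
        $this->store[$group][$key] = $value;
    }
}

// Constructed sample data: network id => that network's stored options.
const NETWORK_OPTIONS = [
    1 => [],
    2 => ['registration' => 'all'],
];

function get_network_option(SharedCache $cache, int $siteid, string $name, bool $prefixed) {
    // The fix described above: scope the negative-lookup key to the network.
    $key = $prefixed ? "{$siteid}:notoptions" : 'notoptions';
    $notoptions = $cache->get('site-options', $key) ?: [];

    if (isset($notoptions[$name])) {
        return false; // cached "does not exist": the database is never consulted
    }
    if (array_key_exists($name, NETWORK_OPTIONS[$siteid])) {
        return NETWORK_OPTIONS[$siteid][$name];
    }

    // Remember the miss so the next lookup can skip the database.
    $notoptions[$name] = true;
    $cache->set('site-options', $key, $notoptions);
    return false;
}

foreach ([false, true] as $prefixed) {
    $cache = new SharedCache();
    get_network_option($cache, 1, 'registration', $prefixed); // network 1 records a miss
    $value = get_network_option($cache, 2, 'registration', $prefixed);
    printf("%s key: network 2 reads %s\n",
        $prefixed ? 'prefixed' : 'shared',
        var_export($value, true));
}
```

With the shared key, network 2 inherits network 1's recorded miss and never reaches its own stored value; with the prefixed key, each network keeps its own list of missing options.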

Cron Performance

  • Fixed an issue where wp_clear_scheduled_hook() could enter an infinite loop due to cache inconsistency, which could cause excessive server resource usage

Impact Summary

WordPress 3.7.2 is an important maintenance and security release that significantly improves the stability and security of WordPress sites. The update addresses several critical issues in the background update system introduced in WordPress 3.7, ensuring more reliable automatic updates across different server configurations.

The security improvements, including hardened HMAC verification and better pingback handling, protect sites against potential vulnerabilities. Cache consistency fixes resolve performance issues that could affect site speed and reliability, particularly after updates or in multisite environments.

For content managers, the improved security checks when saving posts and fixes for bulk editing enhance the safety and reliability of content management operations. The update also resolves several developer-facing issues, such as the regression in the wp_mkdir_p() function and cron scheduling problems.

Overall, this release strengthens WordPress's core functionality without introducing breaking changes, making it an essential update for all WordPress 3.7.x users.

Statistics:

  • Files Changed: 22
  • Line Additions: 219
  • Line Deletions: 60
  • Line Changes: 279
  • Total Commits: 22

Users Affected:

  • Improved reliability of background updates with fixes for FTP-related errors
  • Better handling of filesystem permissions during core updates
  • Enhanced security with hardened HMAC verification and pingback handling
  • Fixed cache inconsistencies that could affect site performance

Contributors:

dd32, nacin