WordPress Release: 3.8.2

TL;DR

WordPress 3.8.2 is a maintenance and security release that addresses several bugs and security vulnerabilities from the 3.8 branch. This update includes important security hardening measures, fixes for theme display issues, improvements to the admin interface, and corrections for various functional bugs. The release focuses on enhancing stability, security, and accessibility while maintaining compatibility with the WordPress 3.8 branch.

Highlight of the Release

• Security hardening with improved HMAC verification
• Fixed accessibility issues in the Themes screen
• Improved handling of pingback IP addresses for better security
• Better contributor permission checks when saving posts
• Enhanced background update statistics for plugins and themes

Migration Guide

No specific migration steps are required for this maintenance release. WordPress 3.8.2 is a direct update from previous 3.8.x versions and doesn't introduce any breaking changes or require special migration procedures.

To update to WordPress 3.8.2:

1. Back up your website files and database before updating
2. Use the automatic update feature in your WordPress dashboard
3. Alternatively, download the update from wordpress.org and perform a manual update

After updating, verify that your themes and plugins continue to function correctly.

Upgrade Recommendations

This update is highly recommended for all WordPress 3.8.x users due to the security fixes included. The release addresses several security vulnerabilities and bugs that could affect site stability and security.

Priority: High
Urgency: Update as soon as possible

Since this is a maintenance and security release, the risk of compatibility issues with existing themes and plugins is minimal. However, as with any update, it's always recommended to:

1. Create a complete backup of your site before updating
2. Test the update on a staging environment if possible
3. Check your site functionality after updating

Bug Fixes

• WP_Query Tag Handling: Fixed an issue in WP_Query::get_queried_object() to properly account for pre_get_posts by checking for tag when tag_id isn't present (fixes #27362).

• Password Form Validation: Resolved validation issues in get_the_password_form() caused by wpautop() function (fixes #27071).

• Theme Screen CSS Issues:

  • Fixed stretched "unapproved" red lines in the Comments dashboard widget
  • Fixed tags input in small viewports to make it more usable, especially in Firefox (fixes #26910, #27082)

• Bulk Edit Posts: Fixed an issue where bulk postdata was being overwritten inside the bulk_edit_posts() loop.

• Theme Error Display: Improved how WP_Theme errors are displayed on the Themes screen (fixes #27235).

• Background Updates: Fixed PHP warnings caused by Upgrader instance being passed into Theme & Plugin $extra_stats parameter (fixes #27633).

New Features

WordPress 3.8.2 doesn't introduce new features as it's primarily a maintenance and security release. However, it does include some enhancements to existing functionality:

• Enhanced Background Update Statistics: Now recording plugin and theme update statistics similar to core updates, providing better tracking and reporting of update processes.

• Improved Theme Error Handling: The Themes screen now uses a normal error display for WP_Theme errors, making issues more visible and easier to understand.

• Updated Plupload Silverlight Binary: Updated to version 1.5.8 for improved file upload functionality.

Security Updates

• Hardened HMAC Verification: Improved the security of HMAC (Hash-based Message Authentication Code) verification to protect against potential vulnerabilities.

• Pingback Security: Enhanced pingback security by forwarding the pingback IP during pingback verification (fixes #27613).

• Contributor Permission Checks: Implemented better checks for contributors when saving posts to prevent potential permission escalation issues (see #27452).

• Removed Deprecated Functionality: Removed links_recently_updated_time as part of security hardening measures (see #27649).

• Bulk Edit Posts Security: Fixed potential security issues related to bulk editing posts by preventing data stomping inside the bulk_edit_posts() loop.

Performance Improvements

This release doesn't include significant performance improvements as it's primarily focused on bug fixes and security enhancements. The changes are mostly related to functionality corrections and security hardening rather than performance optimization.

Impact Summary

WordPress 3.8.2 is a targeted maintenance and security release that strengthens the WordPress core without introducing major changes to functionality or user experience. The primary impact is improved security through several hardening measures, particularly around HMAC verification, pingback handling, and contributor permissions.

The release also addresses several UI and accessibility improvements, particularly in the Themes screen and admin interface. These changes enhance usability for administrators and content creators while providing a more secure experience for all users.

For developers, the fixes to WP_Query and bulk edit functionality resolve edge cases that could cause unexpected behavior. The enhanced background update statistics provide better visibility into plugin and theme updates.

Overall, this release represents WordPress's commitment to maintaining security and stability in the 3.8 branch while addressing reported issues from the community. The changes are focused and targeted, minimizing potential disruption while maximizing security benefits.