WordPress Release: 3.8.24

TL;DR

WordPress 3.8.24 is a security-focused maintenance release that addresses several important vulnerabilities and fixes PHP notices. This update includes multiple security hardening measures to protect your WordPress site from potential exploits, including improved hash generation, proper escaping of language attributes and feed enclosures, and restrictions on JavaScript file uploads for users without appropriate permissions.

Highlight of the Release

• Multiple security hardening measures to protect WordPress sites
• Fixed PHP notice when AUTH_SALT is undefined
• Improved hash generation for the newbloguser key
• Enhanced escaping for language attributes and feed enclosures
• Restricted JavaScript file uploads for users without unfiltered_html capability

Migration Guide

No migration steps are required for this update. This is a maintenance and security release that should be applied directly without any special migration procedures.

After updating, it's recommended to:

1. Test your site functionality to ensure everything works as expected
2. Review user permissions if you have users who previously uploaded JavaScript files but don't have the unfiltered_html capability

Upgrade Recommendations

Immediate upgrade strongly recommended for all WordPress 3.8 users.

This release contains important security hardening measures that protect your WordPress site from potential vulnerabilities. Given the security-focused nature of this update, all sites running WordPress 3.8.x should be updated to version 3.8.24 as soon as possible.

If you're running an older version of WordPress, consider upgrading to the latest major version for improved security, features, and performance.

Bug Fixes

• Fixed a PHP notice that would occur when AUTH_SALT is undefined
• Added a check to ensure that AUTH_SALT is not empty
• Removed version number from the readme file in the 3.8 branch

New Features

No new features were added in this release. WordPress 3.8.24 focuses on security hardening and bug fixes to improve the stability and security of your WordPress installation.

Security Updates

• Improved Hash Generation: Replaced deterministic substring with properly generated hash for the newbloguser key, enhancing security by making it less predictable
• Enhanced HTML Language Attributes: Added proper escaping to language attributes used on html elements to prevent potential XSS vulnerabilities
• Secured Feed Enclosures: Ensured attributes of enclosures are correctly escaped in RSS and Atom feeds to prevent potential injection attacks
• JavaScript Upload Restrictions: Removed the ability to upload JavaScript files for users who do not have the unfiltered_html capability, reducing the risk of malicious code execution

Performance Improvements

No specific performance improvements were included in this release. The focus of WordPress 3.8.24 was primarily on security hardening and bug fixes.

Impact Summary

WordPress 3.8.24 is primarily a security-focused release that addresses several potential vulnerabilities through improved escaping, hash generation, and file upload restrictions. The update also fixes PHP notices related to AUTH_SALT handling.

The most significant impact is on security, with multiple hardening measures implemented to protect sites from potential exploits. Content creators without the unfiltered_html capability will no longer be able to upload JavaScript files, which may affect some workflows but significantly improves security.

This release maintains compatibility with existing WordPress 3.8 installations while strengthening security measures. No new features or major changes to functionality were introduced, making this a straightforward but important security update.