WordPress Release: 3.8.26

TL;DR

WordPress 3.8.26 Release

This maintenance release focuses on security improvements and minor fixes. It includes important security enhancements for the login page by implementing wp_safe_redirect() when HTTPS is forced, proper escaping of version strings in templates, and updates the copyright year in license files. This release is recommended for all WordPress 3.8 installations to maintain security standards.

Highlight of the Release

• Enhanced login security with wp_safe_redirect() implementation
• Improved template security through proper version string escaping
• Updated copyright year to 2018 in license.txt

Migration Guide

No migration steps are required for this update. This is a maintenance release that can be applied directly to any WordPress 3.8 installation without breaking changes or special migration procedures.

Upgrade Recommendations

It is strongly recommended that all WordPress 3.8 users upgrade to version 3.8.26 as soon as possible due to the security improvements included in this release.

While WordPress 3.8 is an older branch and not the latest major version, sites still running this version should apply this update to maintain basic security standards. However, site owners should also consider upgrading to the latest WordPress major version for full security coverage and feature improvements.

Bug Fixes

• Fixed issue #43007 related to copyright information in license files
• Addressed security concerns with login redirects when HTTPS is forced
• Fixed potential security vulnerability with unescaped version strings in templates

New Features

No significant new features were added in this maintenance release. WordPress 3.8.26 focuses primarily on security improvements and bug fixes for the 3.8 branch.

Security Updates

Security Enhancements

• Login Page Security: Implemented wp_safe_redirect() when redirecting the login page if forced to use HTTPS, preventing potential redirect vulnerabilities
• Template Security: Improved security by ensuring version strings are correctly escaped for use in attributes, preventing potential XSS vulnerabilities
• These changes help protect WordPress sites from potential security exploits related to redirects and improper escaping

Performance Improvements

No specific performance improvements were included in this maintenance release. The focus was primarily on security enhancements and bug fixes.

Impact Summary

WordPress 3.8.26 is a security-focused maintenance release that addresses important vulnerabilities in the login process and template rendering. By implementing wp_safe_redirect() for HTTPS login pages and properly escaping version strings, this update significantly reduces the risk of redirect-based attacks and cross-site scripting (XSS) vulnerabilities. While the changes are minimal in scope, they provide critical security improvements for sites still running on the WordPress 3.8 branch. This release demonstrates WordPress's ongoing commitment to maintaining security even for older versions of the platform.