WordPress Release: 3.9.10

TL;DR

WordPress 3.9.10 Maintenance Release

This maintenance release focuses on two key improvements: optimizing the background update system and enhancing theme security. The update removes redundant scheduled update checks (7am/7pm) while ensuring the API TTL is properly respected. Additionally, it includes an important security fix that properly escapes error messages in themes, preventing potential XSS vulnerabilities.

Highlight of the Release

• Removed redundant 7am/7pm background update checks to optimize performance
• Fixed security vulnerability by properly escaping error messages in themes
• Backported API TTL respect to WordPress 3.7/3.8 branches

Migration Guide

No migration steps are required for this maintenance release. WordPress 3.9.10 is a standard update that can be applied through the WordPress dashboard or via manual update methods.

The changes to the background update system are handled automatically and require no configuration changes or user intervention.

Upgrade Recommendations

This update is recommended for all WordPress 3.9.x users due to:

1. Security improvements for theme error message handling
2. Performance optimizations for the background update system

Users should update to WordPress 3.9.10 as soon as possible using the built-in update functionality in the WordPress dashboard or through their standard update process.

For users on older WordPress versions (3.7/3.8), while some improvements have been backported, upgrading to the latest WordPress version is still recommended for the most comprehensive security and feature improvements.

Bug Fixes

Background Update System Improvements

• Removed redundant 7am/7pm background update check schedule
• Ensured proper respect for API TTL (Time To Live) values
• Fixed issue where background updates were checking too frequently (fixes #35323)
• Backported API TTL respect functionality to WordPress 3.7/3.8 branches

New Features

No new features were added in this maintenance release. WordPress 3.9.10 focuses on bug fixes, security improvements, and performance optimizations to the existing codebase.

Security Updates

Theme Security Enhancement

• Fixed a potential security vulnerability by properly escaping error messages in themes
• This prevents potential Cross-Site Scripting (XSS) attacks that could exploit unescaped output
• Improves overall theme security posture

Performance Improvements

Background Update System Optimization

The removal of redundant 7am/7pm background update checks results in:

• Reduced server load with fewer scheduled tasks
• More efficient use of resources by eliminating unnecessary update checks
• Better adherence to API TTL values, reducing unnecessary API calls
• Improved overall system performance for WordPress installations

Impact Summary

WordPress 3.9.10 is a targeted maintenance release that addresses specific performance and security concerns. The changes to the background update system will reduce unnecessary server load by eliminating redundant update checks at fixed times (7am/7pm), instead properly respecting the API TTL values. This is particularly beneficial for sites on shared hosting where resource optimization is important.

The security improvement for theme error message escaping addresses a potential vulnerability that could be exploited in certain circumstances. While not explicitly described as a critical security issue, proper output escaping is an important security practice to prevent XSS attacks.

Overall, this release represents WordPress's ongoing commitment to maintaining older branches with important security and performance improvements, even as development focuses on newer versions. The changes are minimal and focused, with no risk of breaking existing functionality.