WordPress Release: 4.0.1

TL;DR

WordPress 4.0.1 is a security and maintenance release addressing multiple security vulnerabilities and fixing several bugs from the 4.0 release. This update includes critical security patches for password handling and validation, improvements to the media library functionality, and fixes for editor issues. All WordPress users should upgrade immediately to protect their sites from potential security threats.

Highlight of the Release

• Critical security improvements for password handling and validation
• Fixed issues with the media grid and editor functionality
• Improved handling of image captions and media elements
• Added safeguards for PHP installations without ext/hash
• Fixed plugin search pagination issues
• Resolved infinite redirect loops on reverse proxies

Migration Guide

This is primarily a security and maintenance release with no database changes or major feature additions requiring special migration steps. However, there are a few things to note:

1. For developers using custom password handling: If you've implemented custom password handling that relies on the previous behavior, you may need to update your code to work with the improved security measures.

2. For sites using reverse proxies: The fix for infinite redirect loops on reverse proxies which proxy from HTTPS to HTTP may affect your setup if you were relying on the previous behavior. Test your proxy configuration after updating.

3. For developers working with hierarchical post types: The fix for permalinks of child posts in hierarchical post types when using default permalinks may affect custom code that relied on the previous behavior.

4. For sites with custom media implementations: The upgrade to MediaElement 2.15.1 and fixes to audio/video shortcodes may require testing if you have heavily customized media players.

Upgrade Recommendations

Immediate upgrade is strongly recommended for all WordPress sites.

This release contains critical security fixes that protect your site from potential vulnerabilities. The security team has addressed multiple issues related to password handling, data validation, and resource protection.

The update process is straightforward:

1. Back up your website files and database before upgrading
2. Update through your WordPress dashboard or download the update from wordpress.org
3. Test your site functionality after the update, particularly if you use custom themes or plugins that interact with the media library or editor

For sites on managed WordPress hosting, check with your host as they may apply these updates automatically.

Bug Fixes

Editor and Media Fixes

• Fixed a bug in Chrome where both the textarea and window would auto-scroll to unexpected positions when clicking a Quicktags button
• Fixed editor height reset after window resizing
• Improved handling of TinyMCE float panels and tooltips when scrolling
• Fixed image captions regexp when wpautop is disabled in wp_editor()
• Enhanced TinyMCE wpView to properly handle content insertion before a view
• Fixed media grid keyboard navigation to not respond to arrow keys when textarea has focus

Plugin and Core Functionality Fixes

• Fixed plugin search pagination by wrapping results in a form
• Resolved issues with orphaned attachments in media modal
• Fixed permalinks for child posts of hierarchical post types when using default permalinks
• Corrected handling of autoplay and loop attributes in audio/video shortcodes
• Fixed CSS box-sizing for checkboxes and radio buttons in Media Frames
• Corrected get_adjacent_post() to check term_id rather than term_taxonomy_id
• Fixed issues with attachment edit permissions
• Resolved issues with MediaElement upgrade to version 2.15.1
• Fixed infinite redirect loops on reverse proxies which proxy from HTTPS to HTTP
• Ensured proper initialization of roles in multisite installations
• Fixed playlists to properly handle video by default

New Features

Security Enhancements

• Added hash_equals() function for secure comparison of password hashes
• Improved form validation for password resets
• Invalidation of password keys when a user's email changes
• Better validation of HTML in captions
• Enhanced validation of image data
• Prevention of high resource usage when hashing large passwords
• Better validation of URLs used in core HTTP requests

Security Updates

• Password Handling: Added hash_equals() function for secure comparison of password hashes, providing protection against timing attacks
• Password Reset Validation: Implemented improved form validation for password resets to prevent potential vulnerabilities
• Email Change Security: Password reset keys are now automatically invalidated when a user changes their email address
• HTML Validation: Enhanced verification of HTML in captions to prevent potential XSS vulnerabilities
• Image Data Validation: Improved validation of image data to protect against malicious uploads
• Resource Protection: Added prevention mechanisms for high resource usage when hashing large passwords, protecting against potential DoS attacks
• URL Validation: Implemented better validation of URLs used in core HTTP requests to prevent potential server-side request forgery
• Media Security: Fixed various media-related security issues to ensure proper permission checking

Performance Improvements

• Anchored texturize to shortcodes to improve regex efficiency, addressing potential segfault issues
• Prevented high resource usage when hashing large passwords
• Optimized media handling to avoid unnecessary processing
• Improved editor performance by better handling of scrolling events and panel visibility

Impact Summary

WordPress 4.0.1 is a critical security and maintenance release that addresses several important vulnerabilities and fixes numerous bugs from the 4.0 release. The security improvements focus on password handling, form validation, and data sanitization, protecting sites from potential attacks.

The release also resolves several user experience issues, particularly with the media library and editor functionality introduced in 4.0. Content creators will benefit from fixes to editor scrolling, focus handling, and image caption processing. Administrators will appreciate the improved plugin search pagination and media management capabilities.

For developers, the release includes important fixes for hierarchical post types, attachment handling, and adds safeguards for PHP installations without the ext/hash extension. The performance improvements to regex efficiency and password hashing help maintain site stability and prevent potential resource exhaustion.

Overall, this is an essential update that strengthens WordPress security while improving the stability and functionality of core features introduced in version 4.0.