WordPress Release: 4.0.21

TL;DR

WordPress 4.0.21 is a security and maintenance release that addresses several important security vulnerabilities and fixes PHP notices. This update includes multiple hardening measures to improve site security, including proper escaping of language attributes, better handling of enclosures in feeds, restrictions on JavaScript file uploads, and improved hash generation. It also fixes issues with the AUTH_SALT constant handling to prevent PHP notices.

Highlight of the Release

• Multiple security hardening measures implemented
• Fixed PHP notices when AUTH_SALT is undefined
• Improved hash generation for newbloguser key
• Enhanced escaping for language attributes and feed enclosures
• Restricted JavaScript file uploads for users without unfiltered_html capability

Migration Guide

No specific migration steps are required for this update. This is a maintenance and security release that should be applied as soon as possible to ensure your WordPress installation remains secure.

To update:

1. Back up your website files and database
2. Update through the WordPress dashboard or download the update and install manually
3. Verify your site functionality after the update is complete

Upgrade Recommendations

This release contains important security fixes. All WordPress 4.0 users are strongly encouraged to update immediately to version 4.0.21.

If you're running an older version of WordPress, it's recommended to upgrade to the latest version (not just 4.0.21) to benefit from all security improvements and new features.

Bug Fixes

• Fixed PHP notice that occurred when AUTH_SALT was undefined
• Added check to ensure AUTH_SALT is not empty
• Removed version number from the readme file in the 4.0 branch

New Features

No new features were added in this release. WordPress 4.0.21 focuses on security hardening and bug fixes to improve the stability and security of existing functionality.

Security Updates

• Improved Hash Generation: Replaced deterministic substring with properly generated hash for the newbloguser key, enhancing security
• Enhanced HTML Escaping: Added proper escaping to language attributes used on html elements to prevent potential XSS vulnerabilities
• Feed Security: Ensured attributes of enclosures are correctly escaped in RSS and Atom feeds to prevent potential injection attacks
• Upload Restrictions: Removed the ability to upload JavaScript files for users who do not have the unfiltered_html capability, reducing the risk of malicious code execution

Performance Improvements

No specific performance improvements were included in this release. The focus was primarily on security hardening and bug fixes.

Impact Summary

WordPress 4.0.21 is primarily a security-focused release that addresses several potential vulnerabilities through improved escaping, better hash generation, and restricted JavaScript uploads. The update also fixes PHP notices related to the AUTH_SALT constant.

The security hardening measures significantly improve protection against potential XSS attacks and other security threats. Site administrators should apply this update promptly to ensure their WordPress installations remain secure.

This release maintains compatibility with existing themes and plugins while enhancing the overall security posture of WordPress 4.0 installations. No functionality changes were introduced that would impact normal site operations.