WordPress Release: 4.0.32

TL;DR

WordPress 4.0.32 is a security and maintenance release that addresses several important security vulnerabilities and improves error handling across multiple components. This update focuses on enhancing security for XML-RPC, embeds, meta handling, and theme functionality while also improving administrative screen options and error messages. All WordPress 4.0 users should update immediately to protect their sites from potential security issues.

Highlight of the Release

• Enhanced security for XML-RPC functionality with improved error handling
• Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential attacks
• Disabled embeds on deactivated Multisite sites for better security
• Improved screen option handling with backward compatibility

Migration Guide

No specific migration steps are required for this update. This is a standard security and maintenance release that should be applied through the normal WordPress update process.

To update:

1. Back up your website files and database
2. Update through the WordPress admin dashboard or download the update from wordpress.org
3. Test your site functionality after updating

No changes to themes, plugins, or customizations should be necessary as a result of this update.

Upgrade Recommendations

Immediate Update Recommended

This release contains important security fixes that address multiple vulnerabilities. All WordPress 4.0 users should update to version 4.0.32 immediately to protect their sites from potential security issues.

While WordPress 4.0 is an older version and no longer receives regular updates, this security release was provided to address critical vulnerabilities. However, for the best security and features, users should consider upgrading to the latest major version of WordPress when possible.

Bug Fixes

Administration

• Fixed screen option handling to ensure backward compatibility by passing the result of set-screen-option filter to the new set_screen_option_{$option} filter
• Renamed the $keep parameter to $screen_option in both filters for better clarity
• Updated documentation to better reflect the purpose of these filters

XML-RPC

• Fixed error message handling for unprivileged users
• Corrected error message return when attachment ID is incorrect

Installation & Upgrades

• Improved logic check when determining installation status to prevent potential issues

Themes

• Fixed security issue where non-privileged users could potentially set background images when a theme uses the deprecated custom background page

New Features

WordPress 4.0.32 introduces a new filter set_screen_option_{$option} that works alongside the existing set-screen-option filter to ensure backward compatibility when managing screen options in the WordPress admin. This provides developers with more granular control over specific screen options while maintaining compatibility with existing code.

Security Updates

Security Enhancements

• XML-RPC Security: Improved error messages for unprivileged users to prevent information disclosure and enhanced error handling when attachment IDs are incorrect
• Deserialization Protection: Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential PHP object injection attacks
• Embed Security: Disabled embeds on deactivated Multisite sites to prevent potential misuse
• Escaping Functions: Modified escaping functions to avoid potential false positives that could lead to security vulnerabilities
• Meta Protection: Enhanced sanitization of meta keys before checking protection status to prevent unauthorized access
• Theme Background Images: Improved security checks to ensure only privileged users can set background images when themes use the deprecated custom background page

Performance Improvements

This release doesn't include specific performance improvements. The focus was primarily on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 4.0.32 is primarily a security-focused release that addresses several important vulnerabilities across different components of the CMS. The update improves security in XML-RPC handling, prevents potential deserialization attacks, enhances meta data protection, and fixes issues with embeds on deactivated Multisite installations.

For developers, the release introduces a new filter for screen option handling while maintaining backward compatibility, and improves parameter naming for better code clarity. The security enhancements are particularly important as they address potential vulnerabilities that could be exploited by malicious actors.

Site owners and administrators benefit from these security improvements without any required changes to their workflows or site configurations. The update is backward compatible and should not affect existing functionality while providing important security protections.