WordPress Release: 4.1.30

TL;DR

WordPress 4.1.30 is a maintenance and security release that addresses several important issues. It includes security improvements for user accounts, better handling of UTF-8 characters in filenames, fixes for query handling, and improvements to the cache API. This release also removes outdated tests and cleans up testing infrastructure.

This update is important for maintaining the security and stability of WordPress 4.1 installations, particularly for sites that haven't upgraded to more recent major versions. The security enhancements help protect user accounts and improve data handling throughout the system.

Highlight of the Release

• Enhanced security for user accounts by invalidating activation keys on password updates
• Improved UTF-8 character support in filenames
• Fixed query handling to ensure only a single post is returned on date/time based queries
• Added proper escaping in the cache API stats method

Migration Guide

No specific migration steps are required for this maintenance release. WordPress 4.1.30 is a backward-compatible update that focuses on security improvements and bug fixes.

To update to WordPress 4.1.30:

1. Back up your website files and database before updating
2. Use the automatic update feature in your WordPress dashboard
3. Alternatively, download the update from wordpress.org and perform a manual update

No changes to themes, plugins, or custom code should be necessary as a result of this update.

Upgrade Recommendations

This release contains important security fixes and is strongly recommended for all sites running WordPress 4.1.x.

While WordPress 4.1.30 addresses several security concerns, it's important to note that the 4.1 branch is quite old (originally released in December 2014). For optimal security and to benefit from the latest features, we strongly recommend upgrading to the latest version of WordPress if your site's themes and plugins support it.

If you're unable to upgrade to the latest major version, installing this maintenance release is essential to maintain the best possible security for your WordPress 4.1 installation.

Bug Fixes

Query Handling Fix

Fixed an issue where date/time based queries could potentially return multiple posts when only a single post should be returned. This ensures more predictable and accurate query results.

User Account Security

Addressed a security concern by ensuring that user activation keys are properly invalidated when passwords are updated. This prevents potential security issues where old activation keys might remain valid after password changes.

Test Infrastructure Cleanup

Removed outdated and unused test methods:

• Removed external oEmbed tests for YouTube that no longer test anything WordPress core has control over
• Removed the unused ::assertPostHasTerms() method from tests/term.php

New Features

Improved UTF-8 Support in Filenames

The sanitize_file_name function has been expanded to provide better support for UTF-8 characters. This improvement allows for more reliable handling of international characters in uploaded file names, making WordPress more accessible for non-English users.

Enhanced Cache API

The cache API has been updated with proper escaping around the stats method, improving security and reliability when working with cached data.

Security Updates

User Account Security Enhancement

The release includes an important security improvement that invalidates user_activation_key values when a user's password is updated. This prevents potential security vulnerabilities where old activation keys might remain valid after password changes, which could potentially be exploited for unauthorized access.

Cache API Escaping

Added proper escaping around the stats method in the cache API, preventing potential security issues related to improper data handling.

Performance Improvements

No specific performance improvements were highlighted in this release. The changes were primarily focused on security enhancements, bug fixes, and test infrastructure improvements.

Impact Summary

WordPress 4.1.30 is primarily a security and maintenance release that addresses several important issues in the WordPress 4.1 branch. The most significant changes include security improvements for user accounts by properly invalidating activation keys on password updates, enhanced UTF-8 character support in filenames, and fixes for query handling and cache API escaping.

While these changes are important for maintaining security and stability, they don't introduce new features or major changes to functionality. The impact is largely behind-the-scenes, improving security and reliability without changing the user experience or requiring modifications to themes or plugins.

This release is particularly important for sites that are still running WordPress 4.1.x and haven't upgraded to more recent major versions. For these sites, this update provides critical security improvements while maintaining compatibility with older themes and plugins.