WordPress Release: 4.3.7

Tag Name: 4.3.7

Release Date: January 11, 2017


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.3.7 is a maintenance and security release for sites still on the 4.3 branch, published the same day as 4.7.1 with the same set of security fixes backported. It updates the bundled PHPMailer library to version 5.2.22, tightens image upload validation, adds a nonce to the widget accessibility-mode toggle, hardens multisite signup key generation, disables the post-by-email endpoint when it was never configured, and carries a handful of bug fixes. Every site on 4.3.x should apply it.

Highlight of the Release

    • Updated the bundled PHPMailer library to version 5.2.22 (a security point release)
    • Media titles generated from filenames now preserve spaces instead of collapsing them
    • The widget accessibility-mode toggle now requires a nonce, closing a CSRF hole
    • Image uploads are validated against the file contents via the new wp_get_image_mime() function
    • Multisite signup activation keys are generated with wp_rand() instead of PHP's rand()
    • Plugin name and version headers on the Updates screen are now translated and rendered safely

Migration Guide

This maintenance release requires no specific migration steps. Sites with automatic background updates enabled receive 4.3.7 on their own; otherwise update from Dashboard > Updates or replace the core files manually.

If you have custom code that relies on image validation, media handling, or email, note that:

  • wp_check_filetype_and_ext() now calls the new wp_get_image_mime() function to determine the real type of an uploaded image from its contents rather than trusting the extension
  • wp_check_filetype_and_ext() now returns false for both the 'ext' and 'type' values when it cannot validate the file, so callers that previously assumed a non-empty type must handle false explicitly
  • If you bundle or instantiate PHPMailer directly instead of going through wp_mail(), be aware that the library shipped in wp-includes is now version 5.2.22

No database schema changes are included in this release, so the update process should be smooth and straightforward.
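An added example of plugin-side upload validation that accounts for the new false return values. This is illustrative code written for this page, not WordPress core or any shipped plugin; the allowlist of three raster image types, the error strings, and the choice of the wp_handle_upload_prefilter hook are assumptions, and it must run inside WordPress because it calls core functions.

```php
<?php
/**
 * Added example (not WordPress core code): validate an uploaded image the way
 * WordPress 4.3.7 does, and handle the case where wp_check_filetype_and_ext()
 * returns false for 'ext' and 'type'. Intended to run inside WordPress, for
 * example from a plugin file.
 *
 * Assumptions (not taken from the release notes): the three-type allowlist,
 * the error strings and the hook name are illustrative choices.
 */
function example_validate_image_upload( $file ) {
    // Only accept a small allowlist of raster image types for this form.
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
    );

    // Core checks the extension against $allowed and, for image extensions,
    // compares it with the MIME type detected from the file's contents.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );

    // Since 4.3.7 both 'ext' and 'type' are false when the contents cannot be
    // validated or do not match an allowed image type (for example a Flash
    // file or a PHP script renamed to .jpg). Treat that as a hard failure and
    // never fall back to the extension or MIME the client supplied.
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        $file['error'] = 'File contents do not match an allowed image type.';
        return $file;
    }

    // Belt and braces: re-detect the MIME from the contents, independently of
    // the extension table, and refuse anything outside the allowlist.
    $real_mime = wp_get_image_mime( $file['tmp_name'] );
    if ( false === $real_mime || ! in_array( $real_mime, $allowed, true ) ) {
        $file['error'] = 'Could not confirm that the file is an allowed image.';
        return $file;
    }

    // Core may propose a corrected filename when the extension was wrong but
    // the detected type is still allowed (a real PNG named .jpg). Use it so
    // the stored name and the contents agree.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    return $file;
}

// wp_handle_upload_prefilter receives the $_FILES entry before the file is
// moved into the uploads directory; a non-empty 'error' string aborts the upload.
add_filter( 'wp_handle_upload_prefilter', 'example_validate_image_upload' );
```

Note that passing your own $mimes array to wp_check_filetype_and_ext() restricts the check to that allowlist for this form only; the site-wide list from get_allowed_mime_types() still governs other upload paths.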

Upgrade Recommendations

Immediate upgrade is recommended for all WordPress 4.3.x users.

This release contains important security fixes, most prominently the update of the bundled PHPMailer library to 5.2.22, which carries the fix for the mail()-injection remote code execution issue disclosed in December 2016 (CVE-2016-10033 and its incomplete-fix follow-up CVE-2016-10045). The WordPress security team described core's wp_mail() path as not exploitable and shipped the update as a precaution; plugins that instantiate PHPMailer directly and pass user-controlled sender addresses should still be reviewed. The tightened image upload validation, the nonce on the widget accessibility-mode toggle, and the stronger multisite signup keys also make this an important update for site security.

The update process should be straightforward with no expected compatibility issues. As always, it's recommended to:

  1. Back up your website before updating
  2. Update all sites running WordPress 4.3.x to version 4.3.7
  3. Test your site functionality after the update

If you're running an older branch, 4.3.7 exists only because the security team backports fixes to old branches as a courtesy; the supported path is the current major release, which carries all current features and security improvements.

Bug Fixes

  • Theme Name Fallbacks: Fixed the markup generated for theme name fallbacks so the theme name is rendered safely in the admin interface (the coordinated 4.7.1 advisory listed this as a cross-site scripting fix).

  • Email Configuration: wp-mail.php, the post-by-email endpoint, now exits immediately when the mailserver_url option still holds the default placeholder mail.example.com, so an installation that never configured the feature no longer exposes a polling endpoint. Check the "Post via e-mail" fields under Settings > Writing (or the mailserver_url option directly) if you rely on this feature.

  • Image Filetype Validation: Image uploads are validated against the actual file contents, with a fallback when the preferred detection function is unavailable, and the check now fails closed (false for both extension and MIME type) instead of keeping the client-supplied values.

  • Copyright Year: Updated copyright year to 2017 in license.txt.

New Features

New Functions and Improvements

  • New wp_get_image_mime() Function: Returns the MIME type of an image from its contents, using exif_imagetype() when the exif extension is loaded and falling back to getimagesize() otherwise; it returns false when neither can identify the file.

  • Enhanced Media Title Generation: Media titles created from filenames now preserve spaces and produce cleaner, more accurate titles when uploading files.

  • Improved Plugin Translation: Plugin name and version headers on the Updates screen are now passed through the same translation and markup routine used on the Plugins screen (the coordinated 4.7.1 advisory lists an XSS issue via plugin name or version headers on update-core.php, which this change closes).

  • Better Security Measures: The "Enable accessibility mode" toggle on the Widgets screen now requires a nonce, so a cross-site request can no longer flip the setting for a logged-in user.

Security Updates

  • PHPMailer Update: Updated the bundled PHPMailer from 5.2.21 to 5.2.22. This is the release that completes the fix for the mail()-injection remote code execution issue (CVE-2016-10033, with the incomplete first fix tracked as CVE-2016-10045).

  • Widget Accessibility Mode: The accessibility-mode toggle on the Widgets screen now carries and verifies a nonce, preventing cross-site request forgery against that setting.

  • Multisite Signup Security: Signup activation keys in multisite installations are now derived from wp_rand() instead of PHP's rand(), whose output is predictable once a few values are observed.

  • Image Validation: The MIME type of an uploaded image is now determined from its contents, so a file that is not actually an image (the coordinated advisory's example was a Flash file) can no longer be accepted under an image extension and MIME type; the advisory described this as a CSRF bypass via uploading a Flash file.

  • Email Configuration: wp-mail.php is disabled while mailserver_url still holds the default mail.example.com, so an unconfigured post-by-email feature cannot be triggered.
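The two patterns behind the widget accessibility-mode and signup-key fixes, written as an added example a plugin author could apply to their own admin screen. This is illustrative code for this page, not WordPress core; the action name example_toggle_mode, the option name example_mode, the admin-post hook and the manage_options capability check are assumptions, and the code must run inside WordPress.

```php
<?php
/**
 * Added example (not WordPress core code): nonce-protect a state-changing
 * admin action, and generate a one-time key with wp_rand() rather than rand().
 * Runs inside WordPress, for example from a plugin file.
 *
 * Assumptions (not taken from the release notes): the action name, option
 * name, admin-post hook and capability are illustrative choices.
 */

// 1. Render the link that changes state. wp_nonce_url() appends
//    _wpnonce=<token>; the token is bound to the action name, the current
//    user's session and a time window, so a forged cross-site request
//    cannot carry a valid one.
function example_toggle_link() {
    $url = admin_url( 'admin-post.php?action=example_toggle_mode' );
    return '<a href="' . esc_url( wp_nonce_url( $url, 'example_toggle_mode' ) ) . '">Toggle mode</a>';
}

// 2. Handle the request: check capability AND nonce before touching state.
function example_handle_toggle() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // check_admin_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce']
    // for this action and dies with "Are you sure you want to do this?" on
    // failure. Without this call, any page a logged-in admin visits could
    // flip the option with a hidden request, which is the class of bug the
    // widget accessibility-mode fix closed.
    check_admin_referer( 'example_toggle_mode' );

    $enabled = (bool) get_option( 'example_mode', false );
    update_option( 'example_mode', ! $enabled );

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
add_action( 'admin_post_example_toggle_mode', 'example_handle_toggle' );

// 3. Generate a one-time key in the same shape as the multisite signup
//    activation key (16 hex characters). wp_rand() draws from WordPress's
//    own seeded generator rather than PHP's rand(), whose sequence can be
//    reconstructed from a few observed outputs. For new code,
//    wp_generate_password( 16, false ) is a simpler way to get a 16-character
//    alphanumeric token built on the same generator.
function example_signup_key() {
    return substr( md5( time() . wp_rand() ), 0, 16 );
}
```

The nonce does not replace the capability check: wp_verify_nonce() only proves the request originated from a page WordPress rendered for this user, so both checks are needed, in that order.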

Performance Improvements

  • Image Processing: wp_get_image_mime() prefers exif_imagetype(), which reads only the signature bytes at the start of the file, over getimagesize(), which parses enough of the image to extract dimensions and is therefore slower on large uploads. exif_imagetype() requires PHP's exif extension, which is why the fallback exists.

  • Fallback Mechanisms: When the exif extension is not loaded, wp_get_image_mime() falls back to getimagesize(), and it returns false rather than guessing when neither function can identify the file, so behaviour is consistent across server configurations.

  • PHPMailer Updates: The PHPMailer 5.2.22 update is a security point release; it does not change email throughput and no performance gain should be expected from it.

Impact Summary

WordPress 4.3.7 is primarily a security and maintenance release that strengthens core functionality while closing several vulnerabilities. The PHPMailer 5.2.22 update is the most visible item, but the upload validation, nonce, signup-key and post-by-email changes are the ones that harden attack surface in core itself.

Content creators will benefit from improved media handling, particularly with better title generation from filenames and more reliable image validation. Site administrators gain enhanced security measures across several areas including widget accessibility, multisite signup, and email configuration.

For developers, the addition of wp_get_image_mime() and the fail-closed behaviour of wp_check_filetype_and_ext() provide more reliable tools for handling media uploads. Custom upload code that assumed a non-empty 'type' or 'ext' from wp_check_filetype_and_ext() needs to handle false.

Overall, this release focuses on behind-the-scenes improvements rather than user-facing features, with an emphasis on security, stability, and performance. The changes are designed to be non-disruptive while providing important protections against potential vulnerabilities.

Statistics:

Files changed: 16
Line additions: 882
Line deletions: 287
Line changes: 1,169
Total commits: 13

Users Affected:

  • All 4.3.x sites: the bundled PHPMailer library is updated to version 5.2.22
  • Administrators using the Widgets screen: the accessibility-mode toggle is now nonce-protected
  • Multisite networks: signup activation keys are generated with wp_rand()
  • Sites that never configured post-by-email: wp-mail.php is disabled while mailserver_url is still mail.example.com

Contributors:

dd32, joemcgill, aaroncampbell, jeremyfelt, ocean90