WordPress Release: 4.4.10

TL;DR

WordPress 4.4.10 is a security and maintenance release that addresses several important security vulnerabilities and includes improvements to the build and test infrastructure. This update adds nonce verification for file system credentials, whitelists post arguments in XML-RPC, and fixes issues with the Customizer. It's a recommended update for all WordPress 4.4 installations to maintain site security.

Highlight of the Release

• Added nonce verification for file system credential updates to improve security
• Implemented whitelisting of post arguments in XML-RPC to prevent potential security issues
• Fixed issues with the Customizer to properly handle invalid customization sessions
• Improved Travis CI integration with Slack notifications and build caching

Migration Guide

No specific migration steps are required for this update. This is a standard security and maintenance release that should be applied through the normal WordPress update process.

To update:

1. Back up your WordPress site
2. Update through the WordPress admin dashboard or download the update and perform a manual installation
3. No database schema changes are included in this release

Upgrade Recommendations

This release contains important security fixes and is strongly recommended for all WordPress 4.4 installations.

Site administrators should update immediately to protect their sites from the security vulnerabilities addressed in this release. The security improvements for file system credentials, XML-RPC, and post meta handling are critical for maintaining site security.

As this is a maintenance release, it should be compatible with existing plugins and themes that work with WordPress 4.4.

Bug Fixes

Customizer Fixes

• Fixed an issue where invalid customization sessions weren't being properly ignored
• Resolved a logic inversion error in the Customizer that affected PHPUnit tests

Media Handling

• Simplified upload error message construction for better clarity and consistency

New Features

Build and Test Infrastructure Improvements

• Travis CI Caching: Added Composer files to the Travis cache, which speeds up subsequent builds once the cache is primed. The cache is specific to the branch and PHP version.

• Travis CI Slack Integration: Implemented posting of Travis build results to Slack from the WordPress/wordpress-develop GitHub repository, now that it's syncing correctly.

Security Updates

Security Improvements

• File System Credentials: Added nonce verification for updating file system credentials to prevent potential CSRF attacks

• XML-RPC Security: Implemented whitelisting of post arguments in XML-RPC to prevent potential security issues with unfiltered data

• Post Meta Handling: Adjusted post meta checks to improve security and prevent potential vulnerabilities

Performance Improvements

Build Performance

• Added Composer files to the Travis cache, which speeds up subsequent builds once the cache is primed. The cache is specific to the branch and PHP version, resulting in faster CI/CD processes for the WordPress development team.

Impact Summary

WordPress 4.4.10 is primarily a security-focused maintenance release that addresses several important vulnerabilities. The security improvements include adding nonce verification for file system credentials, whitelisting post arguments in XML-RPC, and adjusting post meta checks.

For developers, the release includes improvements to the build and test infrastructure, with Travis CI caching for Composer files and integration with Slack for build notifications. These changes won't affect end users but will improve the development workflow for WordPress contributors.

The Customizer fixes resolve issues with invalid customization sessions and correct a logic inversion error that affected tests. These changes improve the reliability of the Customizer component.

Overall, this release maintains backward compatibility while strengthening security and making targeted improvements to specific components. The changes are focused and minimal, as expected for a maintenance release in an established branch.