WordPress Release: 4.4.6
Tag Name: 4.4.6
Release Date: 1/11/2017
WordPress: World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.4.6 is a maintenance and security release that includes several important updates. It improves media handling with better filename-to-title conversion, enhances security with PHPMailer upgrades to version 5.2.22, adds widget accessibility improvements, and fixes various bugs. This release focuses on security hardening, media improvements, and multisite enhancements while maintaining compatibility with the 4.4 branch.
Highlights of the Release
- PHPMailer upgraded to version 5.2.22 to address security vulnerabilities
- Improved media title generation from filenames, preserving spaces and creating cleaner titles
- Enhanced image filetype validation with new `wp_get_image_mime()` function
- Added nonce protection for widget accessibility mode
- Improved security in multisite signup key creation
Migration Guide
WordPress 4.4.6 is a maintenance and security release that doesn't require any specific migration steps. The update process should be straightforward:
- Back up your site: Always create a complete backup of your files and database before updating.
- Update WordPress: Use the automatic update feature or download the package from wordpress.org and update manually.
- Test your site: After updating, thoroughly test your site's functionality, especially if you use features related to:
  - Media uploads
  - Email sending
  - Multisite functionality
  - Widgets in accessibility mode
- Update plugins and themes: Ensure all plugins and themes are compatible with this version.
No database schema changes or template modifications are required for this update.
Upgrade Recommendations
Immediate upgrade is strongly recommended for all WordPress 4.4.x installations due to the security fixes included in this release, particularly the PHPMailer upgrade to version 5.2.22.
This maintenance release addresses several security vulnerabilities and bugs that could affect your site's security and functionality. The PHPMailer update is especially important as it fixes security issues in the mail handling system.
While WordPress 4.4 is no longer the latest major version, sites still running WordPress 4.4.x should update to 4.4.6 immediately, and then consider upgrading to the latest WordPress major version for continued security updates and new features.
Bug Fixes
- Theme Name Fallbacks: Fixed markup issues with theme name fallbacks.
- Mail Security: Disabled wp-mail.php when `mailserver_url` is set to the default value (mail.example.com).
- Image Filetype Checking: Improved validation of image filetypes with better checks and fallbacks.
- Copyright Year: Updated copyright year to 2017 in license.txt.
New Features
New Functions and Improvements
- New `wp_get_image_mime()` function: Added to improve image filetype validation, using the more efficient `exif_imagetype()` when available instead of `getimagesize()`.
- Enhanced Media Title Generation: The system now preserves spaces and creates more accurate, cleaner titles from filenames when uploading media files.
- Widget Accessibility Mode Security: Added nonce protection to widget accessibility mode for improved security.
- Translation Improvements: Plugin data on the Updates screen is now properly translated.
Security Updates
- PHPMailer Upgrade: Updated PHPMailer from 5.2.21 to 5.2.22 to address security vulnerabilities. This is a critical security update that fixes issues in the mail handling system.
- Multisite Signup Security: Enhanced security in multisite signup key creation by using `wp_rand()` for better randomization.
- Widget Accessibility Mode: Added nonce verification to widget accessibility mode to prevent potential CSRF attacks.
- Mail Security: Disabled wp-mail.php when default mail server settings are used (`mailserver_url` is mail.example.com) to prevent potential misuse.
Performance Improvements
- Image Processing: Switched to using `exif_imagetype()` instead of `getimagesize()` when available for image validation, which is more performant and doesn't depend on the GD library.
- Multisite Signup: Improved the security and efficiency of signup key creation in multisite installations by using `wp_rand()` for better randomization.
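The detection order described for `wp_get_image_mime()` under New Features and again under Performance Improvements, as an added standalone PHP example (not WordPress core code): try `exif_imagetype()` first, fall back to `getimagesize()`, and accept an upload only when the detected type matches its extension. The helper names, the allow-list and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example, not WordPress core code. sniff_image_mime() and
// upload_is_consistent() are hypothetical helpers.

// Detect the MIME type from file content, preferring exif_imagetype().
function sniff_image_mime( $file ) {
    if ( is_callable( 'exif_imagetype' ) ) {
        $type = @exif_imagetype( $file ); // false for non-images or very short files
        return $type ? image_type_to_mime_type( $type ) : false;
    }
    if ( function_exists( 'getimagesize' ) ) {
        $info = @getimagesize( $file );
        return isset( $info['mime'] ) ? $info['mime'] : false;
    }
    return false; // no detector available: treat the file as unverified
}

// Accept an upload only if its content type matches what its extension claims.
function upload_is_consistent( $path, $client_name, array $allowed ) {
    $ext = strtolower( pathinfo( $client_name, PATHINFO_EXTENSION ) );
    if ( ! isset( $allowed[ $ext ] ) ) {
        return false;
    }
    return sniff_image_mime( $path ) === $allowed[ $ext ];
}

// Hypothetical allow-list: extension => MIME type the content must have.
$allowed = array( 'gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg' );

// Constructed sample inputs: a 1x1 GIF and a plain-text file.
$gif  = base64_decode( 'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7' );
$text = "This is plain text, not image data.\n";

$cases = array(
    array( 'pixel.gif', $gif ),  // extension and content agree
    array( 'pixel.png', $gif ),  // GIF content under a .png name
    array( 'notes.gif', $text ), // text content under a .gif name
    array( 'notes.txt', $text ), // extension not on the allow-list
);

foreach ( $cases as $case ) {
    list( $name, $bytes ) = $case;
    $tmp = tempnam( sys_get_temp_dir(), 'img' );
    file_put_contents( $tmp, $bytes );
    printf( "%-10s %s\n", $name, upload_is_consistent( $tmp, $name, $allowed ) ? 'accept' : 'reject' );
    unlink( $tmp );
}
```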
Impact Summary
WordPress 4.4.6 is primarily a security and maintenance release that strengthens the platform's security posture while fixing several bugs. The most significant impact comes from the PHPMailer upgrade to version 5.2.22, which addresses important security vulnerabilities in the mail handling system.
Content creators will benefit from improved media handling, with better filename-to-title conversion that preserves spaces and creates cleaner titles. The new image filetype validation system using wp_get_image_mime() improves both security and reliability of media uploads.
For administrators, several security enhancements have been implemented, including better protection for widget accessibility mode, improved randomization in multisite signup key creation, and disabling wp-mail.php when default mail server settings are used.
Multilingual sites will see improvements with better translation of plugin data on the Updates screen. While this release doesn't introduce major new features, it provides important security hardening and bug fixes that maintain the stability and security of WordPress 4.4.x installations.
Statistics:
User Affected:
- Enhanced security with PHPMailer upgrades to version 5.2.22
- Improved widget accessibility mode with added nonce protection
- Better security in multisite signup key creation using `wp_rand()`
- Disabled wp-mail.php when default mail server settings are used
