WordPress Release: 4.6.16

Tag Name: 4.6.16

Release Date: 10/14/2019

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.6.16 is a security and maintenance release that addresses several critical vulnerabilities and adds developer convenience with .nvmrc files for older WordPress versions. This update includes important security fixes for the HTTP API, Filesystem API, admin authentication, and REST API, making it an essential upgrade for all WordPress 4.6.x installations.

Highlight of the Release

    • Critical security fixes for HTTP API, Filesystem API, admin authentication, and REST API
    • Added .nvmrc files to older WordPress versions for easier development environment setup
    • Fixed query handling by removing static query property
    • Improved REST API security with proper Origin header handling

Migration Guide

No specific migration steps are required for this update. This is a straightforward security and maintenance release that should be applied as soon as possible.

To update:

  1. Back up your WordPress site (files and database)
  2. Update through the WordPress admin dashboard or download the update from wordpress.org
  3. Test your site functionality after the update

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains critical security fixes that protect your WordPress installation from potential vulnerabilities. All users running WordPress 4.6.x should upgrade to version 4.6.16 immediately.

If you're running an older version of WordPress, consider updating to the latest supported version for improved security and features.

Bug Fixes

Query Handling

  • Removed static query property: Fixed an issue with the WordPress query handling that could potentially cause unexpected behavior.

REST API

  • Added Vary: Origin header on GET requests: Ensures proper caching behavior when the same resource is requested from different origins, improving compatibility with CDNs and browsers.

New Features

Developer Convenience Improvements

  • Added .nvmrc files to older WordPress versions: Developers working across different WordPress branches can now automatically use the correct Node.js version when switching between versions. This makes development environment setup more convenient and helps prevent version compatibility issues.

Security Updates

HTTP API Security

  • Protection against hex interpretation: Fixed a vulnerability in the HTTP API that could allow malicious requests to be interpreted as hexadecimal values, potentially leading to security issues.

Filesystem API Security

  • Prevention of directory traversals: Fixed a security vulnerability that could allow attackers to traverse directories when creating new folders, potentially accessing sensitive files outside the intended directory structure.
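The class of check this fix describes, shown as an added example (not WordPress core code and not taken from this release): a folder-creation helper that resolves the requested path and refuses anything outside the intended base directory. The function names and sample paths are hypothetical, and POSIX-style paths are assumed.

```php
<?php
// Added example: hypothetical helpers, not WordPress core code.
// Assumes POSIX-style paths.

/** Resolve "." and ".." lexically; realpath() cannot be used here because
 *  the directory to be created does not exist yet. */
function normalize_abs_path(string $path): string
{
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                 // skip empty and current-dir segments
        }
        if ($seg === '..') {
            array_pop($out);          // step up; at the root this is a no-op
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

/** Create $relative below $base, refusing any target that escapes $base. */
function mkdir_under(string $base, string $relative): bool
{
    $root = realpath($base);          // the base itself must already exist
    if ($root === false || !is_dir($root) || strpos($relative, "\0") !== false) {
        return false;
    }
    $target = normalize_abs_path($root . '/' . $relative);
    $prefix = rtrim($root, '/') . '/';
    // The resolved target must sit strictly below the base directory.
    if (strncmp($target . '/', $prefix, strlen($prefix)) !== 0 || $target . '/' === $prefix) {
        return false;
    }
    if (!is_dir($target) && !mkdir($target, 0755, true)) {
        return false;
    }
    // Re-check on disk: report failure if a symlink inside the base redirected the path outside.
    $real = realpath($target);
    return $real !== false && strncmp($real . '/', $prefix, strlen($prefix)) === 0;
}

// Constructed sample inputs.
$base = sys_get_temp_dir() . '/uploads-demo';
if (!is_dir($base)) { mkdir($base, 0755, true); }
var_dump(mkdir_under($base, '2019/10'));            // stays inside the base
var_dump(mkdir_under($base, '../../etc/cron.d'));   // leading ".." segments
var_dump(mkdir_under($base, '2019/../../outside')); // ".." hidden mid-path
```

The lexical check runs before anything is created, so a rejected path never touches the disk; the final realpath() comparison only reports a symlink redirect after the fact.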

Administration Security

  • Enhanced admin referrer nonce validation: Improved validation of admin referrer nonces to prevent potential CSRF (Cross-Site Request Forgery) attacks, ensuring that administrative actions can only be performed by authorized users.

Performance Improvements

No specific performance improvements were mentioned in this release.

Impact Summary

WordPress 4.6.16 is primarily a security-focused release that addresses several critical vulnerabilities that could potentially be exploited by malicious actors. The security fixes target core WordPress components including the HTTP API, Filesystem API, admin authentication, and REST API.

The addition of .nvmrc files for older WordPress versions is a developer-focused enhancement that improves the development workflow when working across different WordPress versions.

This release is essential for maintaining the security of WordPress 4.6.x installations and should be applied promptly by all site administrators. While the changes are focused on security and developer convenience, they don't introduce any breaking changes to the platform.

Statistics:

  • Files Changed: 13
  • Line Additions: 136
  • Line Deletions: 65
  • Line Changes: 201
  • Total Commits: 4

Users Affected:

  • Need to update their WordPress installations to address security vulnerabilities
  • Benefit from improved admin authentication security
  • Should update as soon as possible to protect their sites

Contributors:

whyisjake, desrosj