WordPress Release: 4.6.18

TL;DR

WordPress 4.6.18 is a maintenance and security release that addresses several important issues. It includes security fixes for the Cache API, improvements to user account security, better handling of UTF-8 characters in filenames, and fixes for query handling. The release also removes outdated test code that was no longer relevant. This update is recommended for all WordPress 4.6.x installations to maintain security and stability.

Highlight of the Release

• Security enhancement for the Cache API with proper escaping
• Improved user account security by invalidating activation keys on password updates
• Better support for UTF-8 characters in filenames
• Fixed query handling to ensure only a single post is returned on date/time based queries

Migration Guide

No specific migration steps are required for this update. This is a maintenance and security release that should be applied to all WordPress 4.6.x installations without any special migration procedures.

Upgrade Recommendations

This release contains important security fixes and bug fixes. It is strongly recommended that all WordPress sites running version 4.6.x update to version 4.6.18 as soon as possible to maintain security and stability.

The update process should be straightforward and can be performed through the WordPress dashboard or via manual update procedures.

Bug Fixes

• Query Handling: Fixed an issue to ensure that only a single post can be returned on date/time based queries, preventing potential duplicate results.
• File Name Sanitization: Expanded sanitize_file_name() function to have better support for UTF-8 characters, improving handling of international filenames.
• Test Code Cleanup: Removed unused ::assertPostHasTerms() method from tests/term.php as the associated test was previously removed.

New Features

No significant new features were introduced in this maintenance release. The focus was on security enhancements, bug fixes, and code improvements.

Security Updates

• Cache API: Enhanced security by ensuring proper escaping around the stats method in the Cache API, preventing potential security vulnerabilities.
• User Authentication: Improved user account security by invalidating user_activation_key on password updates, reducing the risk of unauthorized access through outdated activation keys.
• oEmbed Tests: Removed external oEmbed tests for YouTube that no longer tested anything WordPress core has control over, improving test reliability and security posture.

Performance Improvements

No specific performance improvements were highlighted in this release. The changes were primarily focused on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 4.6.18 is primarily a security and maintenance release that addresses several important issues. The security enhancements to the Cache API and user authentication system help protect WordPress sites from potential vulnerabilities. The improvements to UTF-8 character handling in filenames benefit users working with international content, while the query handling fix ensures more reliable content retrieval.

The removal of outdated test code helps maintain a cleaner codebase, though this change will only be noticeable to developers working with the WordPress testing framework. Overall, this release strengthens the security posture of WordPress 4.6.x installations without introducing any breaking changes or requiring special migration steps.