WordPress Release: 4.6.6

TL;DR

WordPress 4.6.6 is a security and maintenance release that addresses several important security vulnerabilities and includes improvements to the build and test infrastructure. This update strengthens WordPress against potential security exploits in XML-RPC, file system credentials, and customization sessions, while also enhancing redirect handling and Travis CI integration.

This release is critical for all WordPress site owners as it patches multiple security issues that could potentially be exploited by malicious actors. The security fixes focus on properly validating and sanitizing data in various components of WordPress.

Highlight of the Release

• Added nonce verification for file system credential updates to enhance security
• Implemented whitelisting of post arguments in XML-RPC to prevent potential exploits
• Improved Travis CI integration with the WordPress/wordpress-develop GitHub repository
• Enhanced redirect handling for better security and reliability
• Fixed issues with invalid customization sessions

Migration Guide

No specific migration steps are required for this security and maintenance release. As with any WordPress update, it's recommended to:

1. Back up your website before updating
2. Update all themes and plugins to their latest versions
3. Test your website functionality after the update

This release does not introduce any breaking changes or require modifications to existing code.

Upgrade Recommendations

Priority: Critical

All WordPress site owners should update to version 4.6.6 immediately. This release contains several important security fixes that address vulnerabilities which could potentially be exploited by malicious actors.

The security team has addressed multiple issues related to XML-RPC, file system credentials, and customization sessions. These fixes are crucial for maintaining the security integrity of your WordPress installation.

To update:

• Use the automatic update feature in your WordPress dashboard
• Download the update from WordPress.org for manual installation
• Update through your hosting provider's management interface if available

Bug Fixes

• Customization Sessions: Fixed issues with invalid customization sessions by implementing proper validation checks.
• PHPUnit Tests: Resolved logic inversion error in PHPUnit tests for customization sessions after previous fixes.
• Post Meta Handling: Adjusted post meta checks to improve reliability and security.
• Media Upload Errors: Simplified the construction of upload error messages to provide clearer feedback when uploads fail.

New Features

Build and Test Infrastructure Improvements

• Travis CI Integration: Added integration with the WordPress/wordpress-develop GitHub repository for Travis CI, allowing for better continuous integration workflows.
• Travis Cache Optimization: Added Composer files to the Travis cache, which speeds up subsequent builds once the cache is primed. The cache is specific to the branch and PHP version.
• Slack Notifications: Implemented posting of Travis build results to Slack, improving team visibility into build status.

Security Updates

• XML-RPC Security: Implemented whitelisting of post arguments in XML-RPC to prevent potential security vulnerabilities that could allow unauthorized access or data manipulation.
• File System Credentials: Added nonce verification for updating file system credentials, protecting against cross-site request forgery (CSRF) attacks.
• Customization Sessions: Added validation for customization sessions to prevent potential security issues from invalid or malicious session data.
• Redirect Handling: Enhanced the security of redirect handling to prevent potential redirect-based attacks.

Performance Improvements

• Build Performance: The addition of Composer files to the Travis cache significantly improves build times for subsequent builds, as dependencies don't need to be re-downloaded for each build.
• Redirect Handling: Improved the redirect handling mechanism, which can lead to better performance and reliability when processing redirects.

Impact Summary

WordPress 4.6.6 is primarily a security-focused release that addresses several important vulnerabilities while also improving the development infrastructure. The security fixes strengthen WordPress against potential exploits in XML-RPC, file system credentials handling, and customization sessions.

For site administrators, this update is critical as it patches security holes that could potentially be exploited. The changes to redirect handling and post meta checks also improve the overall stability and security of WordPress sites.

For developers, the improvements to the build and test infrastructure, particularly the Travis CI integration with the WordPress/wordpress-develop GitHub repository and the addition of Composer files to the Travis cache, will lead to more efficient development workflows.

Content creators benefit from more secure XML-RPC handling for remote publishing and clearer error messages when media uploads fail.

Overall, this release represents an important security update that all WordPress users should implement promptly to protect their sites from potential vulnerabilities.