WordPress Release: 4.6.8

Tag Name: 4.6.8

Release Date: 10/31/2017

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.6.8 is a maintenance release that addresses two key issues: restoring support for numbered placeholders in wpdb::prepare() and fixing test cases for PHPUnit compatibility. This release ensures backward compatibility for plugins and themes that relied on the previously undocumented numbered placeholders feature, while also improving the security of database queries by adding extra validation checks.

Highlights of the Release

    • Restored support for numbered placeholders in wpdb::prepare() database queries
    • Added extra validation checks to ensure correct number of arguments in database queries
    • Fixed test cases for better PHPUnit compatibility

Migration Guide

No migration steps are required for this update. The changes are backward compatible and designed to maintain functionality that developers may have been relying on.

If you're a developer who uses wpdb::prepare() with numbered placeholders, your code should continue to work as before, but now with additional validation to ensure you're providing the correct number of arguments.

Upgrade Recommendations

This update is recommended for all WordPress 4.6.x installations as it fixes important database query handling and improves security validation. The update is backward compatible and should not break existing functionality.

As always with any WordPress update:

  1. Back up your website before updating
  2. Test the update in a staging environment if possible
  3. Update all sites running WordPress 4.6.x to version 4.6.8

Bug Fixes

Database Query Preparation Fix

Restored support for numbered placeholders in wpdb::prepare(). A previous update (in [41496]) had removed support for these placeholders, which despite being undocumented, were commonly used in many plugins and themes. This fix:

  • Restores support for numbered placeholders (like %1$s, %2$d)
  • Adds support for a subset of placeholder formatting options
  • Implements additional validation to ensure the correct number of arguments is passed to wpdb::prepare() based on the number of placeholders in the query
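
The following is an added example, not WordPress core code: a standalone check a plugin author could run over the format strings they pass to wpdb::prepare() to spot argument-count mismatches of the kind described above. The counting rule follows PHP sprintf() semantics, which is an assumption here, and the function names and sample queries are constructed for illustration.

```php
<?php
// Added example, not WordPress core code. Assumes sprintf() semantics when
// deciding how many arguments a prepare() format string needs.

/** Number of arguments required by sequential (%s) and numbered (%1$s) placeholders. */
function required_prepare_args(string $query): int
{
    // "%%" literal, or: optional "N$", optional flags/width/precision, then s, d or F.
    $pattern = '/%(?:%|(?:(\d+)\$)?[-+0 ]*\d*(?:\.\d+)?([sdF]))/';
    preg_match_all($pattern, $query, $matches, PREG_SET_ORDER);

    $sequential = 0; // placeholders without an argument number
    $highest    = 0; // largest argument number referenced
    foreach ($matches as $m) {
        if (!isset($m[2])) {
            continue; // "%%" is a literal percent sign and consumes no argument
        }
        if ($m[1] !== '') {
            $highest = max($highest, (int) $m[1]);
        } else {
            $sequential++;
        }
    }
    return max($sequential, $highest);
}

/** Return null when the counts agree, otherwise a description of the mismatch. */
function check_prepare_call(string $query, array $args): ?string
{
    $need = required_prepare_args($query);
    $have = count($args);
    if ($need === $have) {
        return null;
    }
    return sprintf('format needs %d argument(s), %d supplied', $need, $have);
}

// Constructed sample calls, shaped like the arguments a plugin gives to prepare().
$samples = [
    ['SELECT * FROM wp_posts WHERE ID = %d AND post_status = %s', [7, 'publish']],
    ['SELECT * FROM wp_posts WHERE post_author = %1$d OR post_parent = %1$d', [3]],
    ['SELECT * FROM wp_posts WHERE post_title = %2$s AND ID = %1$d', [7]],
    ["SELECT * FROM wp_posts WHERE post_title LIKE '100%%' AND ID = %d", [7, 'extra']],
];
foreach ($samples as [$query, $args]) {
    echo check_prepare_call($query, $args) ?? 'ok', '  <=  ', $query, PHP_EOL;
}
```

A mismatch means either a placeholder has no value bound to it or a supplied value is never used, and both indicate the query is not being built the way its author intended.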

Test Suite Improvements

Fixed the WP_UnitTestCase::setExpectedException() method calls in:

  • Tests_Ajax_CompressionTest::test_logged_out()
  • Tests_Ajax_TagSearch::test_no_results()

These tests now correctly pass the $message argument, addressing an issue that went unnoticed because PHPUnit 6.4.1 and earlier versions ignored the '0' value.

New Features

No new features were introduced in this maintenance release. The focus was on fixing bugs and ensuring compatibility.

Security Updates

While not explicitly labeled as a security fix, the improvements to wpdb::prepare() enhance security by:

  1. Adding extra validation checks to ensure the correct number of arguments is provided for database queries
  2. Maintaining proper query preparation patterns that help prevent SQL injection vulnerabilities

These changes help maintain the security of WordPress database operations while preserving backward compatibility.

Performance Improvements

No specific performance improvements were included in this release.

Impact Summary

WordPress 4.6.8 is primarily a compatibility and security-focused maintenance release that addresses an important regression in database query handling. By restoring support for numbered placeholders in wpdb::prepare() while adding improved validation, this update ensures that existing plugins and themes continue to function correctly while benefiting from enhanced security checks.

The fix for numbered placeholders is particularly important as many developers had come to rely on this undocumented feature. Without this fix, sites updating from earlier versions of WordPress 4.6 to later versions could experience broken functionality in plugins or themes that used this query pattern.

The test suite improvements, while less visible to end users, help ensure WordPress's testing infrastructure remains compatible with different versions of PHPUnit, supporting the project's ongoing development and quality assurance efforts.

Statistics:

Files Changed: 12
Line Additions: 576
Line Deletions: 55
Line Changes: 631
Total Commits: 4

Users Affected:

  • Developers who used numbered placeholders in `wpdb::prepare()` can continue using this pattern without breaking changes
  • Improved security checks in database query preparation help prevent SQL injection vulnerabilities
  • Test suite improvements ensure better compatibility with different PHPUnit versions

Contributors:

pento, swissspidy