WordPress Release: 4.6.9

TL;DR

WordPress 4.6.9 is a security and maintenance release that addresses several important security vulnerabilities and fixes PHP notices. This update includes multiple hardening measures to prevent potential security exploits, including improved escaping of language attributes, proper handling of enclosure attributes in feeds, restrictions on JavaScript file uploads, and better hash generation for new blog users. It also fixes PHP notices related to undefined AUTH_SALT constants.

Highlight of the Release

• Multiple security hardening measures to prevent potential exploits
• Fixed PHP notices when AUTH_SALT is undefined
• Improved escaping for language attributes on HTML elements
• Better security for RSS and Atom feed enclosures
• Restricted JavaScript file uploads for users without proper permissions

Migration Guide

No specific migration steps are required for this update. This is a standard security and maintenance release that should be applied as soon as possible to ensure your WordPress installation is protected against the security vulnerabilities addressed.

Upgrade Recommendations

It is strongly recommended that all WordPress 4.6.x sites be updated to version 4.6.9 immediately. This release addresses several security vulnerabilities that could potentially be exploited if left unpatched.

For sites already on WordPress 4.6.x, this is a standard security update that should be applied as soon as possible. If you're running an older version of WordPress, consider updating to the latest version (beyond 4.6.9) to benefit from additional security improvements and features.

Bug Fixes

• Fixed PHP notices that occurred when the AUTH_SALT constant was undefined
• Added a check to ensure that AUTH_SALT is not empty, preventing potential issues with authentication
• Removed version number from the readme file in the 4.6 branch

New Features

No new features were introduced in this release. WordPress 4.6.9 is primarily a security and maintenance release focused on addressing security vulnerabilities and fixing bugs.

Security Updates

• Improved Hash Generation: Replaced deterministic substring with properly generated hash for the newbloguser key, enhancing security for new blog user creation
• Enhanced HTML Escaping: Added proper escaping to language attributes used on html elements to prevent potential XSS attacks
• Feed Security: Ensured attributes of enclosures are correctly escaped in RSS and Atom feeds, preventing potential injection vulnerabilities
• Upload Restrictions: Removed the ability to upload JavaScript files for users who do not have the unfiltered_html capability, reducing the risk of malicious code execution

Performance Improvements

No specific performance improvements were included in this release. The focus was on security hardening and bug fixes.

Impact Summary

WordPress 4.6.9 is primarily a security-focused release that addresses several potential vulnerabilities. The update includes multiple hardening measures such as improved hash generation, better escaping of HTML attributes and feed enclosures, and restrictions on JavaScript file uploads for users without appropriate permissions. It also fixes PHP notices related to the AUTH_SALT constant.

The security improvements in this release are particularly important for sites that allow multiple user roles or publish content via RSS/Atom feeds. Administrators should apply this update promptly to protect their sites from potential security exploits. While the changes are mostly under-the-hood security improvements, the restriction on JavaScript file uploads may affect some content creators who previously had this capability without the unfiltered_html permission.

This release demonstrates WordPress's ongoing commitment to security and maintaining compatibility with older branches of the software.