WordPress Release: 4.7.1

Tag Name: 4.7.1

Release Date: 1/11/2017

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.7.1 is a maintenance and security release that addresses 62 bugs and includes an important security update to PHPMailer. This release focuses on fixing issues with the Customizer, REST API, and various UI improvements. Key highlights include better handling of custom CSS, fixes for media handling, and improvements to Twenty Seventeen theme functionality. This update is recommended for all WordPress 4.7 users.

Highlights of the Release

    • Security update to PHPMailer to address vulnerabilities
    • Multiple fixes for the WordPress REST API
    • Improved Customizer functionality and performance
    • Fixed issues with the Twenty Seventeen theme
    • Enhanced media handling including better image filetype checking

Migration Guide

WordPress 4.7.1 is a maintenance and security release that doesn't require any special migration steps. However, there are a few things to note:

  • If you've built custom applications using the WordPress REST API, you may need to update your code to handle the following changes:

    • The users endpoint now only shows users who have authored posts with show_in_rest set to true
    • Empty JSON bodies are now handled differently
    • Error handling in buildModelGetter of wp-api.js has been improved
  • If you're a theme developer using the Customizer:

    • Custom CSS now runs at wp_head priority 101 instead of 11
    • Edit shortcuts for nav menus have been fixed for instances using the menu arg
  • If you're using Twenty Seventeen theme and have customized the starter content, you can now use the new twentyseventeen_starter_content filter instead of directly modifying the theme files.

Upgrade Recommendations

It is strongly recommended that all WordPress 4.7 users upgrade to version 4.7.1 immediately. This release includes important security updates to PHPMailer and fixes several bugs that could affect site functionality.

The security update to PHPMailer addresses vulnerabilities that could potentially be exploited, making this an important security release.

Additionally, this release fixes several issues with the REST API, Customizer, and media handling that could impact site functionality and user experience.

The upgrade process should be straightforward and doesn't require any special steps beyond the normal WordPress update process.

Bug Fixes

Customizer

  • Fixed inability to delete nav menus by preventing preview filters from being added during customize_save admin ajax request.
  • Fixed issues with single quotes (apostrophes) in custom_css values causing false positives for unbalanced character validation errors.
  • Fixed scrolling custom_css textarea to top when pressing tab.
  • Fixed visible edit shortcuts for wp_nav_menu() instances using the menu arg.
  • Fixed ability to shift-click on placeholder/pre-saved nav menu items in preview.
  • Fixed handling of external header video URLs by trimming whitespace.
  • Fixed intercepted calls to history.pushState() and history.replaceState() in customize preview.
  • Prevented navigation in preview when clicking on child elements of preview links with non-previewable URLs.
  • Removed extra left padding in core for site title and widgets in preview.
  • Prevented removal of underline upon hover/focus for nav menu deletion links.
  • Ensured theme_mod-cache of custom_css lookup of -1 short-circuits a WP_Query from being made.
  • Bumped wp_custom_css_cb from running at wp_head priority 11 to 101 to ensure Custom CSS overrides other CSS.

REST API

  • Fixed handling of empty JSON body to prevent errors.
  • Fixed handling of password argument when getting media items.
  • Fixed PHP warnings when get_theme_support('post-formats') is not an array.
  • Fixed the rest_{$taxonomy}_collection_params filter to use double quotes for dynamic filtering.
  • Fixed schema sanitization to allow null to bypass fallback sanitization functions.
  • Added error handling for fetch error in buildModelGetter of wp-api.js.
  • Fixed setup of models used by wp.api.collections objects.
  • Fixed handling of empty or no-op comment updates.
  • Changed which users are shown in the users endpoint to only show users that have authored a post with show_in_rest set to true.

Editor

  • Fixed target=_blank removal when unchecked in the link modal.
  • Fixed Add New link disappearance in Distraction-Free Writing mode.
  • Added page-template-default class to the editor body when template is not specified.

Media

  • Fixed handling of PDF fallbacks to process custom sizes.
  • Fixed variable definition for PDF preview URL calculation.
  • Improved image filetype checking with new wp_get_image_mime() function.

Twenty Seventeen Theme

  • Fixed incorrect $content_width value.
  • Ensured functions in customize-controls.js don't count on Customizer sections always being present.
  • Added theme-specific filter for customizing starter content.

Other

  • Fixed handling of falsy values in rest_allow_anonymous_comments filter.
  • Fixed bootstrap re-initialization of hooks added manually by object-cache.php.
  • Fixed is_page_template() to only return true when viewing a singular post query.
  • Fixed taxonomy handling to restore string-based $args in wp_get_object_terms().
  • Fixed feed handling to not translate the lastBuildDate field in RSS feeds.
  • Fixed database connection restoration when switching test groups.
  • Fixed comment pagination to ignore the 'comment_order' setting.
  • Fixed theme deletion UI in Safari.
  • Fixed markup for theme name fallbacks.
  • Added nonce for widget accessibility mode.
  • Fixed wp-mail.php to disable when mailserver_url is mail.example.com.
  • Used wp_rand() in multisite signup key creation for better security.

New Features

  • Twenty Seventeen Theme: Added a theme-specific filter twentyseventeen_starter_content for customizing the starter content array.
  • REST API: Added support for filename search in media endpoint.
  • Media: Improved image filetype checking with new wp_get_image_mime() function that uses exif_imagetype() when available for better performance.

Security Updates

  • PHPMailer Update: Updated PHPMailer from version 5.2.14 to 5.2.22 to address security vulnerabilities.

  • Authentication: Avoided creating nonce during installation to prevent database errors.

  • Multisite: Improved security by using wp_rand() in signup key creation.

  • Media: Improved image filetype checking to better validate uploaded files.

  • REST API: Changed which users are shown in the users endpoint to only show users that have authored a post of a post type that has show_in_rest set to true, improving privacy.

  • Widget Security: Added nonce for widget accessibility mode to prevent potential CSRF issues.
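
To confirm the PHPMailer bump from 5.2.14 to 5.2.22 actually reached every copy on a host, including copies bundled by plugins, the following added example (not part of the release notes or of WordPress's own code) scans a web root and flags stale versions. It assumes PHPMailer 5.2.x declares its version as a `$Version` class property and that the file name contains "phpmailer"; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# First PHPMailer version these release notes name as the fixed one.
FIXED = (5, 2, 22)

# Assumption: PHPMailer 5.2.x declares its version as a class property,
# e.g.  public $Version = '5.2.14';
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"](\d+(?:\.\d+)*)['"]""")


def parse_version(php_source):
    """Return the declared version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(php_source)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def classify(php_source):
    """'patched', 'outdated' or 'unknown' for one PHP source string."""
    version = parse_version(php_source)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per component, so 5.2.9 < 5.2.22
    # (a plain string comparison would get that wrong).
    return "patched" if version >= FIXED else "outdated"


def audit(root):
    """Map each *.php file under root with 'phpmailer' in its name to a verdict."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        if "phpmailer" in path.name.lower():
            text = path.read_text(encoding="utf-8", errors="replace")
            results[str(path.relative_to(root))] = classify(text)
    return results


if __name__ == "__main__":
    # Usage: python audit_phpmailer.py /path/to/webroot
    findings = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, verdict in findings.items():
        print(f"{verdict:9} {name}")
    # Non-zero exit lets a cron job or CI step alert on stale copies.
    sys.exit(1 if "outdated" in findings.values() else 0)
```

An "unknown" verdict means the file matched by name but carried no recognizable version declaration and should be reviewed by hand.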

Performance Improvements

  • Media Handling: Added a new function wp_get_image_mime() which uses exif_imagetype() if available instead of getimagesize(). This is more performant and doesn't depend on GD.

  • Customizer: Improved performance by preventing unnecessary queries:

    • Don't query for postmeta for Custom CSS (for not-current-themes) and Customizer Changeset posts.
    • Ensured theme_mod-cache of custom_css lookup of -1 short-circuits a WP_Query from being made.
  • REST API: Improved model handling in the JavaScript client to prevent unnecessary API calls.

Impact Summary

WordPress 4.7.1 is an important maintenance and security release that addresses 62 bugs and includes a critical security update to PHPMailer. This update significantly improves the stability and security of WordPress 4.7.

The most notable impact is the security enhancement from updating PHPMailer, which protects sites from potential vulnerabilities. For site administrators and developers, the fixes to the REST API improve reliability when building applications on top of WordPress.

Content creators will benefit from numerous fixes to the editor, Customizer, and media handling, resulting in a smoother content creation experience. The improvements to the Twenty Seventeen theme also enhance the default WordPress experience for new users.

For developers, the REST API improvements provide better error handling and parameter sanitization, making API interactions more reliable. Theme developers will appreciate the fixes to Customizer functionality, particularly around edit shortcuts and selective refresh.

Overall, this release focuses on stability, security, and refinement of the features introduced in WordPress 4.7, making it an essential update for all WordPress users.

Statistics:

  • Files Changed: 78
  • Line Additions: 1,318
  • Line Deletions: 343
  • Line Changes: 1,661
  • Total Commits: 72

Users Affected:

  • Improved security with PHPMailer update to address vulnerabilities
  • Fixed issues with media uploads and handling
  • Better handling of SSH authentication for updates

Contributors:

dd32, obenland, ellatrix, adamsilverstein, pento, rachelbaker, boonebgorges, azaozz, ocean90, aaroncampbell, jeremyfelt, joemcgill