WordPress Release: 4.7.10

TL;DR

WordPress 4.7.10 is a security and maintenance release that addresses several important security issues and includes bug fixes. This update enhances security by improving redirect handling during login, fixing how localhost is treated in HTTP requests, optimizing metadata deletion queries, and ensuring proper escaping of version strings in templates. The update also includes the annual copyright year update to 2018.

Highlight of the Release

• Enhanced login security with proper HTTPS redirects
• Fixed localhost host handling in HTTP requests
• Optimized metadata deletion queries for better performance
• Improved template version string escaping for attributes
• Updated copyright year to 2018 in license.txt

Migration Guide

No specific migration steps are required for this update. WordPress 4.7.10 is a maintenance and security release that should be compatible with existing themes and plugins.

However, developers who have custom code that:

• Relies on specific behavior of localhost in HTTP requests
• Uses custom implementations interacting with the delete_metadata() function
• Has custom login redirect handling

Should test their code after updating to ensure compatibility with the security changes in this release.

Upgrade Recommendations

This release contains important security fixes, so it is strongly recommended that all WordPress sites running version 4.7.x update to version 4.7.10 immediately.

For sites on WordPress 4.8 or newer, it's recommended to update to the latest version of WordPress instead of this release, as newer branches contain these fixes along with additional features and security enhancements.

WordPress 4.7.10 is compatible with existing 4.7.x installations and should not cause any issues with themes or plugins that work with previous 4.7.x versions.

Bug Fixes

• Login Security: Fixed an issue with login page redirects when forced to use HTTPS by implementing wp_safe_redirect() instead of standard redirects.
• HTTP Request Handling: Addressed a security concern by changing how localhost is treated in HTTP requests, no longer considering it as same host by default.
• Template Escaping: Fixed improper escaping of version strings in templates to prevent potential XSS vulnerabilities when used in HTML attributes.
• Copyright Year: Updated the copyright year to 2018 in license.txt (fixes #43007).

New Features

No significant new features were added in this maintenance release. WordPress 4.7.10 focuses primarily on security enhancements and bug fixes to improve the stability and security of existing functionality.

Security Updates

• Login Redirect Protection: Implemented wp_safe_redirect() for the login page when forced to use HTTPS, preventing potential open redirect vulnerabilities.
• HTTP Request Security: Modified how localhost is treated in HTTP requests to prevent potential server-side request forgery (SSRF) attacks.
• XSS Prevention: Improved escaping of version strings in templates to prevent cross-site scripting vulnerabilities when these values are used in HTML attributes.

These security enhancements address potential vulnerabilities that could be exploited by malicious actors.

Performance Improvements

• Metadata Handling: Simplified and optimized the delete all meta query in delete_metadata() function, which improves performance when bulk deleting metadata from the database.
• Database Queries: The optimization of metadata deletion queries reduces database load during cleanup operations, particularly beneficial for sites with large amounts of post, comment, term, or user metadata.

Impact Summary

WordPress 4.7.10 is primarily a security-focused maintenance release that addresses several important vulnerabilities and includes performance optimizations. The security enhancements focus on preventing potential redirect exploits during login, improving HTTP request handling for localhost, and fixing template escaping issues.

The performance improvement to metadata deletion queries will be particularly beneficial for sites that frequently delete or update large amounts of metadata. While this release doesn't introduce new features, it strengthens the security posture of WordPress 4.7.x installations.

Site administrators should prioritize this update due to its security implications. The changes are targeted and specific, minimizing the risk of compatibility issues with existing themes and plugins while providing important protections against potential security threats.