WordPress Release: 4.7.28

TL;DR

WordPress 4.7.28 Release

WordPress 4.7.28 is a security and maintenance release that addresses important security vulnerabilities and adds compatibility improvements. This update includes fixes for installation options handling, ZIP archive verification during uploads, and adds PHP 8 compatibility through polyfills for string functions. These changes enhance security and ensure WordPress 4.7 continues to function properly on newer PHP versions.

Highlight of the Release

• Security improvements for ZIP archive uploads with additional verification
• Enhanced options handling during WordPress installation
• Added PHP 8 compatibility through polyfills for string functions
• Backported critical security fixes from newer WordPress versions

Migration Guide

No specific migration steps are required for this update. This is a maintenance and security release that should be applied to all WordPress 4.7 installations.

To update:

1. Back up your WordPress files and database
2. Update through the WordPress dashboard or download the update from wordpress.org
3. No additional configuration changes are needed after update

This release maintains backward compatibility with existing themes and plugins.

Upgrade Recommendations

Priority: High - Security Update

All WordPress 4.7 users should update to version 4.7.28 immediately to protect their sites from security vulnerabilities addressed in this release.

While WordPress 4.7 is no longer receiving active development, this security release is critical for sites still running this version. However, for optimal security and features, users are strongly encouraged to upgrade to the latest WordPress major version.

The update process should be straightforward with no expected compatibility issues.

Bug Fixes

Installation Process Improvements

• Fixed how options are handled during installation by using maybe_serialize() instead of always serializing
• This ensures proper data format for options and prevents potential issues during the installation process

Upload Security Enhancements

• Added verification steps for ZIP archives during uploads
• Improved security checks to prevent potentially malicious ZIP files from being processed

New Features

PHP 8 Compatibility Improvements

• Added polyfills for PHP 8's str_starts_with() and str_ends_with() functions
• Implemented in wp-includes/functions.php to maintain backward compatibility
• Ensures WordPress 4.7 branch can run on newer PHP versions without errors related to these string functions

Security Updates

Security Enhancements

• ZIP Archive Verification: Added additional security checks when processing ZIP file uploads to prevent potential security vulnerabilities
• Installation Options Handling: Improved the way options are serialized during installation to prevent potential security issues
• Backported Security Fixes: Includes security fixes from newer WordPress versions backported to the 4.7 branch

These security enhancements help protect WordPress sites from potential vulnerabilities related to file uploads and installation processes.

Performance Improvements

No specific performance improvements were mentioned in this release. The changes focus primarily on security enhancements, bug fixes, and compatibility improvements rather than performance optimizations.

Impact Summary

WordPress 4.7.28 focuses on security hardening and compatibility improvements for sites still running on the 4.7 branch. The security enhancements for ZIP file uploads and installation processes address potential vulnerabilities that could be exploited by malicious actors. The addition of PHP 8 compatibility polyfills ensures that sites running on newer PHP versions can continue to function properly with WordPress 4.7.

While this update is important for sites still on WordPress 4.7, it's worth noting that this branch is no longer receiving active feature development. The changes in this release are targeted specifically at maintaining security and basic compatibility for legacy installations.

Site administrators should apply this update immediately to protect their sites, while also planning for an eventual upgrade to a more recent WordPress major version to benefit from ongoing security updates, performance improvements, and new features.