WordPress Release: 4.7.8
Tag Name: 4.7.8
Release Date: 11/29/2017
WordPress: World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.7.8 is a security and maintenance release that addresses several important security vulnerabilities and fixes a PHP notice issue. This update includes six security hardening measures that protect against potential exploits, including improved escaping of language attributes, better handling of enclosures in feeds, and restrictions on JavaScript file uploads for users without appropriate permissions. The release also fixes an issue with the AUTH_SALT constant and improves language attribute handling in the admin area.
Highlights of the Release
- Six security hardening measures to protect WordPress sites
- Fixed PHP notice when AUTH_SALT is undefined
- Improved language attribute handling in the admin area
- Restricted JavaScript file uploads for users without unfiltered_html capability
Migration Guide
No migration steps are required for this update. This is a standard security and maintenance release that can be applied through the normal WordPress update process.
After updating, site administrators should verify that:
- Any custom code that interacts with RSS or Atom feeds continues to function correctly
- Users with appropriate roles still have the expected file upload capabilities
- Multilingual functionality works as expected
Upgrade Recommendations
This release contains important security hardening measures that help protect your WordPress site from potential vulnerabilities.
Immediate upgrade is strongly recommended for all sites running WordPress 4.7.x.
The update can be downloaded directly from your WordPress dashboard by going to Dashboard → Updates, or you can download the release from the WordPress.org download page.
Bug Fixes
- Fixed a PHP notice that occurred when the AUTH_SALT constant was undefined
- Corrected the value of the lang attribute in the admin area when a user's language is set to English (United States) but the site language is not
- Improved handling of the AUTH_SALT constant by adding a check to ensure it's not empty
New Features
No new features were introduced in this release. WordPress 4.7.8 focuses on security hardening and bug fixes to improve the stability and security of existing functionality.
Security Updates
- Enhanced Hash Generation: Replaced deterministic substring with properly generated hash for the newbloguser key
- Language Attribute Escaping: Added proper escaping to language attributes used on html elements
- Feed Enclosure Security: Ensured attributes of enclosures are correctly escaped in RSS and Atom feeds
- JavaScript Upload Restrictions: Removed the ability to upload JavaScript files for users who do not have the unfiltered_html capability
- AUTH_SALT Validation: Added checks to ensure AUTH_SALT is defined and not empty, improving security of authentication processes
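The feed enclosure item above, shown as an added example that is not WordPress's code and not part of the release: it builds an enclosure element from stored fields with and without per-attribute escaping, then lists the attributes an XML parser sees in each case. The three-line storage layout (URL, length, MIME type), every function name, and the sample value are assumptions made for the illustration.

```php
<?php
// Added illustration in plain PHP (no WordPress functions); all names are hypothetical.

// Constructed sample: enclosure stored as three lines (URL, length, MIME type).
// The type line contains a double quote that would close the attribute early.
$sample = "https://example.com/ep1.mp3\n12345\naudio/mpeg\" data-extra=\"x";

// Split the stored value into its three fields.
function parse_enclosure(string $raw): array {
    $parts = array_map('trim', explode("\n", $raw));
    return ['url' => $parts[0] ?? '', 'length' => $parts[1] ?? '', 'type' => $parts[2] ?? ''];
}

// Unescaped form: field values are concatenated straight into the markup.
function enclosure_unescaped(array $e): string {
    return '<enclosure url="' . $e['url'] . '" length="' . $e['length']
        . '" type="' . $e['type'] . '" />';
}

// Escaped form: each attribute is constrained or encoded for its context.
function enclosure_escaped(array $e): string {
    $esc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_XML1, 'UTF-8');
    // Emit only http(s) URLs; anything else becomes an empty attribute.
    $url = preg_match('#^https?://#i', $e['url']) ? $e['url'] : '';
    // Force length to a non-negative integer.
    $length = max(0, (int) $e['length']);
    return '<enclosure url="' . $esc($url) . '" length="' . $length
        . '" type="' . $esc($e['type']) . '" />';
}

// List the attribute names an XML parser sees on the element.
function attribute_names(string $xml): array {
    $names = [];
    $el = simplexml_load_string($xml);
    if ($el === false) {
        return ['(not well-formed)'];
    }
    foreach ($el->attributes() as $name => $value) {
        $names[] = $name;
    }
    return $names;
}

$e = parse_enclosure($sample);
foreach (['unescaped' => enclosure_unescaped($e), 'escaped' => enclosure_escaped($e)] as $label => $xml) {
    echo $label, ': ', $xml, "\n  attributes: ", implode(', ', attribute_names($xml)), "\n";
}
```

Custom feed templates that build enclosure or other elements by string concatenation can be reviewed against the same pattern after updating.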
Performance Improvements
No specific performance improvements were included in this release. The focus was primarily on security hardening and bug fixes.
Impact Summary
WordPress 4.7.8 is primarily a security-focused release that addresses several potential vulnerabilities through improved escaping, better hash generation, and restricted JavaScript uploads. The security hardening measures significantly improve the protection of WordPress sites against potential exploits, particularly for sites with multiple authors or contributors who don't have the unfiltered_html capability.
The bug fixes address issues with PHP notices related to the AUTH_SALT constant and improve language attribute handling in multilingual environments. While these changes are relatively minor in scope, they contribute to a more stable and secure WordPress experience.
This release doesn't introduce any new features or breaking changes, making it a straightforward update that all WordPress 4.7.x users should apply promptly to maintain site security.
