WordPress Release: 4.8.4

TL;DR

WordPress 4.8.4 is a security and maintenance release that addresses several important security vulnerabilities and fixes bugs in the core platform. This update includes multiple security hardening measures, particularly around escaping and file upload restrictions, as well as fixes for PHP notices and language attribute handling in the admin area. The release focuses primarily on security improvements rather than new features.

Highlight of the Release

• Multiple security hardening measures to protect WordPress sites
• Fixed PHP notice when AUTH_SALT is undefined
• Improved language attribute handling in the admin area
• Restricted JavaScript file uploads for users without proper permissions

Migration Guide

No specific migration steps are required for this update. This is a standard security and maintenance release that should be applied to all WordPress 4.8.x installations.

When updating:

1. Back up your website before updating
2. Update through the WordPress admin dashboard or via your preferred method
3. Test your website functionality after the update is complete

Upgrade Recommendations

This release contains important security fixes, so it is strongly recommended that all WordPress sites running version 4.8.3 or earlier update to version 4.8.4 as soon as possible.

The security improvements in this release address several potential vulnerabilities that could be exploited if left unpatched. As with any security update, prompt application is advised to maintain the security integrity of your WordPress installation.

Bug Fixes

• Fixed a PHP notice that occurred when AUTH_SALT was undefined in the WordPress database class (WPDB)
• Corrected the value of the lang attribute in the admin area when the user's language is set to English (United States) but the site language is different
• Improved handling of empty AUTH_SALT values to prevent potential issues

New Features

No new features were introduced in this release. WordPress 4.8.4 is primarily a security and maintenance release focused on addressing security vulnerabilities and fixing bugs.

Security Updates

• Improved Hash Generation: Replaced deterministic substring with properly generated hash for the newbloguser key
• Enhanced HTML Escaping: Added proper escaping to language attributes used on html elements
• Feed Security: Ensured attributes of enclosures are correctly escaped in RSS and Atom feeds
• File Upload Restrictions: Removed the ability to upload JavaScript files for users who do not have the unfiltered_html capability

These security improvements help protect WordPress sites from potential vulnerabilities and strengthen the overall security posture of the platform.

Performance Improvements

• Trimmed the test matrix on Travis CI to speed up the 4.8 branch build by removing PHP 7.0, 5.5, 5.4, 5.3, and nightly jobs

Impact Summary

WordPress 4.8.4 is primarily a security-focused release that addresses several important vulnerabilities and fixes bugs in the core platform. The security hardening measures include improved hash generation, enhanced HTML escaping, better feed security, and restrictions on JavaScript file uploads for users without appropriate permissions.

The bug fixes address issues with PHP notices when AUTH_SALT is undefined and correct language attribute handling in the admin area. While this release doesn't introduce new features, it significantly improves the security posture of WordPress sites.

This update is particularly important for site administrators and developers who need to ensure their WordPress installations are protected against potential security threats. The changes are mostly under-the-hood improvements that strengthen security without changing the user experience or requiring workflow adjustments.