HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.8.6

WordPress Release: 4.8.6

Tag Name: 4.8.6

Release Date: 4/3/2018

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.8.6 is a security and maintenance release that addresses several important security issues and includes bug fixes. This update focuses on improving security by fixing how redirects are handled during login, preventing potential security issues with localhost requests, and ensuring proper escaping of version strings in templates. It also includes performance improvements for metadata handling and updates the copyright year in license files.

Highlight of the Release

    • Enhanced login security with proper HTTPS redirects
    • Fixed security issue with localhost request handling
    • Improved metadata deletion performance
    • Better escaping of version strings in templates

Migration Guide

No specific migration steps are required for this maintenance release. WordPress 4.8.6 is a backward-compatible update that focuses on security improvements and bug fixes.

If you're a developer who has built custom code that:

  • Relies on localhost being treated as the same host
  • Interacts with the metadata deletion process
  • Works with template version strings

You may want to review your code to ensure compatibility with these security changes.

Upgrade Recommendations

Priority: High

This release contains important security fixes, so it is strongly recommended that all WordPress 4.8.x sites be updated to version 4.8.6 immediately.

WordPress 4.8.6 is a security and maintenance release that addresses several potential vulnerabilities. Sites running older versions may be exposed to security risks that have been patched in this version.

The update process is straightforward:

  1. Back up your website files and database
  2. Update through your WordPress dashboard or via manual update
  3. Verify your site functionality after the update

For sites that cannot update immediately, consider implementing additional security measures until the update can be applied.

Bug Fixes

  • Login Redirect Security: Fixed an issue with login page redirects when forced to use HTTPS by implementing wp_safe_redirect() instead of standard redirects, preventing potential security vulnerabilities.

  • HTTP Request Security: Addressed a security concern by changing how WordPress treats localhost requests. localhost is no longer treated as the same host by default, which helps prevent certain types of security exploits.

  • Template Version String: Fixed improper escaping of version strings in templates, ensuring that version information is correctly escaped for use in HTML attributes to prevent potential XSS vulnerabilities.

  • Copyright Year: Updated the copyright year to 2018 in license.txt file.

New Features

No significant new features were introduced in this maintenance release. WordPress 4.8.6 focuses primarily on security enhancements and bug fixes to improve the stability and security of existing functionality.

Security Updates

  • Login Security Enhancement: Implemented wp_safe_redirect() for the login page when forced to use HTTPS, preventing potential redirect-based attacks and ensuring users are always directed to secure endpoints.

  • HTTP Request Protection: Modified how WordPress handles localhost in HTTP requests to prevent it from being treated as the same host by default. This change helps protect against Server-Side Request Forgery (SSRF) attacks that could exploit localhost connections.

  • XSS Prevention: Improved escaping of version strings in templates to prevent potential cross-site scripting (XSS) vulnerabilities that could occur if version strings contained malicious code.

Performance Improvements

  • Metadata Handling: Simplified the delete all meta query in delete_metadata() function, which improves performance when deleting metadata across the WordPress system. This optimization reduces database query complexity and can lead to faster operations when working with post, comment, term, or user metadata.

Impact Summary

WordPress 4.8.6 is primarily a security-focused maintenance release that addresses several important vulnerabilities and includes performance improvements. The security enhancements focus on three key areas: login redirects, HTTP request handling, and template escaping.

The login security improvement ensures that redirects during HTTPS-forced logins use WordPress's safe redirect functionality, preventing potential security issues. The change to how localhost is treated in HTTP requests helps protect against server-side request forgery attacks. The template escaping fix ensures version strings are properly sanitized to prevent XSS vulnerabilities.

On the performance side, the optimization of metadata deletion queries improves database efficiency when removing metadata, which can benefit sites with extensive use of custom fields and metadata.

While this release doesn't introduce new features, it strengthens WordPress's security posture and should be applied promptly to all WordPress 4.8.x installations. The changes are backward compatible and shouldn't require any modifications to themes or plugins unless they specifically rely on the modified behaviors.

Statistics:

File Changed8
Line Additions19
Line Deletions17
Line Changes36
Total Commits7

User Affected:

  • Enhanced login security with improved HTTPS redirects
  • Better protection against potential security vulnerabilities related to localhost requests
  • Improved metadata handling performance when deleting metadata

Contributors:

SergeyBiryukovocean90aaroncampbell