WordPress Release: 4.9.25

TL;DR

WordPress 4.9.25 is a maintenance and security release that addresses two key issues: improves the handling of options serialization during installation and enhances ZIP archive verification during uploads. The update also backports PHP 8 compatibility polyfills for string functions. This release is important for maintaining site security and ensuring compatibility with newer PHP versions while running WordPress 4.9.

Highlight of the Release

• Enhanced security for ZIP file uploads with improved verification
• Optimized options serialization during WordPress installation
• Added PHP 8 compatibility polyfills for string functions

Migration Guide

No specific migration steps are required for this update. This is a maintenance and security release that can be applied through the standard WordPress update process.

As always, it's recommended to:

1. Back up your website before updating
2. Update all themes and plugins to their latest versions
3. Test functionality after updating

Upgrade Recommendations

This update is highly recommended for all WordPress 4.9 users due to the security improvements for ZIP file uploads and the enhanced PHP compatibility.

While WordPress 4.9 is no longer receiving active feature development, these security and compatibility updates are crucial for sites that haven't yet upgraded to newer major versions.

For long-term security and feature improvements, consider upgrading to the latest WordPress major version when possible.

Bug Fixes

Installation Process

• Fixed an issue with options serialization during installation by implementing maybe_serialize() instead of always serializing options, ensuring proper data handling.

File Upload Security

• Improved security for ZIP archive uploads by adding additional verification checks to prevent potential security vulnerabilities.

New Features

PHP 8 Compatibility Polyfills

WordPress 4.9.25 backports polyfills for PHP 8 string functions:

• Added polyfill for str_ends_with() function
• Added polyfill for str_starts_with() function

These additions help maintain compatibility with newer PHP versions while running WordPress 4.9.

Security Updates

ZIP Archive Verification

• Enhanced security for file uploads by implementing additional checks to verify ZIP archives, helping to prevent potential security vulnerabilities related to malicious archive files.

This security improvement helps protect WordPress sites from attacks that might exploit vulnerabilities in the file upload system.

Performance Improvements

Installation Optimization

• Optimized the options serialization process during installation by using maybe_serialize() instead of always serializing, which can improve efficiency by avoiding unnecessary serialization operations.

Impact Summary

WordPress 4.9.25 focuses on security and compatibility improvements for the 4.9 branch. The enhanced ZIP archive verification addresses potential security vulnerabilities in the upload system, making sites more resistant to certain types of attacks. The optimization of options serialization during installation improves data handling reliability.

The addition of PHP 8 string function polyfills (str_ends_with() and str_starts_with()) is particularly significant as it helps maintain compatibility with newer PHP versions, extending the viability of WordPress 4.9 installations on updated server environments.

While these changes are relatively small in scope, they represent important maintenance updates for sites still running on the 4.9 branch, providing critical security patches and compatibility improvements without introducing new features that might affect existing functionality.