WordPress Release: 4.9.6

TL;DR

WordPress 4.9.6 introduces comprehensive privacy and personal data tools to help site owners comply with privacy regulations like GDPR. This maintenance release adds features for creating privacy policies, exporting and erasing personal data, and obtaining user consent for storing comment information. It also includes several PHP compatibility improvements, REST API enhancements, and various bug fixes across the platform.

Highlight of the Release

• New privacy tools for creating privacy policies and handling personal data
• Data export and erasure request management system for GDPR compliance
• Comment cookie opt-out functionality for site visitors
• PHP 7.x compatibility improvements with new polyfills
• REST API enhancements for better integration with the block editor
• TinyMCE updated to version 4.7.11

Migration Guide

For Site Administrators

1. Review Privacy Settings: Navigate to Settings > Privacy to set up your privacy policy page.
2. Create or Update Privacy Policy: Use the provided guide and suggested content to create a comprehensive privacy policy.
3. Test Data Export/Erasure Tools: Familiarize yourself with the new tools under Tools > Export Personal Data and Tools > Erase Personal Data.
4. Check Theme Compatibility: Verify that your theme properly displays the privacy policy link in the footer.

For Developers

1. Review Privacy Hooks: If your plugin collects or processes personal data, implement the new privacy hooks:

   • Use wp_privacy_personal_data_exporters to add data to exports
   • Use wp_privacy_personal_data_erasers to handle data erasure requests
   • Use wp_add_privacy_policy_content() to suggest privacy policy content

2. Update PHP Compatibility Code: If you were using custom polyfills for is_countable() or is_iterable(), you can now rely on WordPress core's implementations.

3. Test with Comment Cookie Opt-out: If your site uses custom comment forms, ensure they include the new cookie consent checkbox.

4. Review REST API Usage: If you're using the REST API to query users, be aware of the new who=authors parameter behavior.

Upgrade Recommendations

Upgrade Priority: High

WordPress 4.9.6 is a privacy and maintenance release that introduces important tools for GDPR compliance and other privacy regulations. All site owners should upgrade as soon as possible, especially if:

1. Your site collects personal data from users (comments, contact forms, user registrations, etc.)
2. Your site serves visitors from regions with strict privacy regulations (like the EU)
3. You want to ensure your site has the latest security fixes and PHP compatibility improvements

This is not a security release, but it provides essential tools for regulatory compliance that many site owners will need. The upgrade process should be smooth for most sites, with no known major compatibility issues reported.

Bug Fixes

• Fixed incorrect parameter type documentation for old_slug_redirect_post_id filter.
• Fixed PHP 7.2 warning in get_theme_roots() when $wp_theme_directories is an uncountable value.
• Fixed TinyMCE conflicts when using custom themes by disabling concatenation.
• Fixed positioning issues with admin pointer for privacy features.
• Fixed styling issues on privacy-related screens for mobile and small viewports.
• Fixed potential conflicts with existing export folders by using a more specific directory name.
• Fixed accessibility issues in the comment cookie consent checkbox implementation.
• Fixed markup issues in the privacy policy guide table of contents.
• Fixed potential XSS vulnerability by escaping comment URLs in personal data exports.

New Features

Privacy and Personal Data Tools

• Privacy Policy Page Management: New dedicated settings page for creating and managing a site's privacy policy.
• Privacy Policy Guide: Comprehensive guide with suggested privacy policy content from WordPress core and plugins.
• Personal Data Export: Tools to export user personal data in a machine-readable format.
• Personal Data Erasure: Tools to erase or anonymize personal data upon user request.
• Request Management System: Complete workflow for handling personal data requests, including email confirmations and admin notifications.
• Comment Cookie Opt-out: Checkbox allowing commenters to opt out of storing their name, email, and website in cookies.
• Privacy Policy Links: Automatic links to privacy policy in login screens and theme footers.

Developer Features

• Privacy Hooks and Filters: Extensive set of hooks for developers to integrate with the privacy tools.
• PHP Compatibility Polyfills: Added polyfills for is_countable() (PHP 7.3) and is_iterable() (PHP 7.1).
• Theme Templates Filter: New theme_templates filter for page templates across all post types.
• REST API Enhancements: Added viewable attribute on Post Type resources and who=authors parameter for user queries.

Security Updates

• Enhanced security of personal data exports by using cryptographically secure random numbers for export filenames.
• Added nocache_headers() on Multisite signup and account activation pages to prevent caching of sensitive information.
• Improved security of personal data by automatically deleting export files after a configurable time period.
• Fixed potential XSS vulnerability by properly escaping comment URLs in personal data exports.

Performance Improvements

• Improved handling of personal data exports by reusing existing archive filenames to maintain URLs.
• Added automatic cleanup of expired personal data export files via cron job for better security and resource management.
• Optimized privacy policy content updates to use menu bubbles instead of intrusive admin notices, reducing UI clutter.

Impact Summary

WordPress 4.9.6 represents a significant enhancement to WordPress's privacy capabilities, introducing a comprehensive set of tools designed to help site owners comply with privacy regulations like GDPR. This release fundamentally changes how WordPress handles personal data by providing structured systems for creating privacy policies, exporting user data, and processing data erasure requests.

The impact is particularly important for site administrators who need to comply with privacy regulations. The new tools provide a standardized way to handle data subject requests and maintain transparency about data collection practices. For end users, the release improves transparency and control over their personal data, with clear opt-in mechanisms for comment cookies and easier access to privacy policies.

From a technical perspective, the release also improves PHP compatibility with polyfills for newer PHP functions, enhances the REST API with features needed by the block editor, and fixes several bugs across the platform. The TinyMCE update to version 4.7.11 ensures the editor remains secure and compatible with modern browsers.

While not a major feature release in terms of user-facing changes to content creation or site design, 4.9.6 represents one of the most significant updates to WordPress's data handling capabilities in recent years, establishing a foundation for privacy-conscious site management that will benefit both site owners and users.