WordPress Release: 5.5.2
Tag Name: 5.5.2
Release Date: 10/29/2020
WordPress: World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 5.5.2 is a security and maintenance release that addresses several PHP notices and warnings, fixes bugs in the comment system, improves the Community Events dashboard widget, and removes Facebook and Instagram as oEmbed sources due to API deprecation. This release includes important security fixes that protect against potential vulnerabilities, making it a recommended update for all WordPress sites.
Highlights of the Release
- Security fixes to protect against potential vulnerabilities
- Fixed multiple PHP notices and warnings throughout the admin interface
- Removed Facebook and Instagram as oEmbed sources due to API deprecation
- Community Events dashboard widget now displays dates in user's timezone
- Fixed issues with the comment reply system
- Build tools updated to support Composer 2.0
Migration Guide
Facebook and Instagram Embeds Migration
The most significant change requiring migration is the removal of Facebook and Instagram as oEmbed sources. Facebook has deprecated all non-authenticated endpoints for these platforms.
What you need to do:
- Option 1: Use a plugin that provides authentication
  - Several plugins are available that add the necessary authentication functionality
  - These plugins typically require you to create a Facebook Developer account and obtain an app or client token
- Option 2: Manually embed content
  - Use Facebook's official embed code snippets instead of URLs
  - For Instagram, consider using screenshots or alternative embedding methods
- Option 3: Use alternative content
  - Consider replacing Facebook/Instagram embeds with other content types
  - Link directly to the social media posts instead of embedding them
For more information, see the official announcement.
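To find the posts this change affects before updating, the following added example (not part of the release notes and not WordPress code) scans post content for Facebook and Instagram URLs that sit alone on a line or inside an `[embed]` shortcode, the two forms WordPress turns into embeds. The host list, the `(post_id, content)` input shape and the sample posts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts to flag. The release notes name Facebook and Instagram
# but do not list the exact URL patterns that were removed.
HOSTS = ("facebook.com", "instagram.com", "instagr.am")

URL_RE = re.compile(r"https?://[^\s\[\]<>\"']+", re.IGNORECASE)
EMBED_RE = re.compile(r"\[embed[^\]]*\](.*?)\[/embed\]", re.IGNORECASE | re.DOTALL)

def is_target(url):
    """True if the URL's host is one of HOSTS or a subdomain of one."""
    host = urlsplit(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in HOSTS)

def find_embeds(content):
    """Return the sorted, unique embed-style URLs found in one post body."""
    hits = set()
    # A URL alone on its own line is auto-embedded by WordPress.
    for line in content.splitlines():
        candidate = line.strip()
        if URL_RE.fullmatch(candidate) and is_target(candidate):
            hits.add(candidate)
    # The [embed]URL[/embed] shortcode is the explicit form.
    for match in EMBED_RE.finditer(content):
        url = match.group(1).strip()
        if URL_RE.fullmatch(url) and is_target(url):
            hits.add(url)
    return sorted(hits)

def audit(posts):
    """Map post ID -> affected URLs, for posts that contain any."""
    report = {pid: find_embeds(body) for pid, body in posts}
    return {pid: urls for pid, urls in report.items() if urls}

# Constructed sample content; real input would come from a database export.
SAMPLE_POSTS = [
    (101, "Launch day!\n\nhttps://www.facebook.com/example/posts/1234567890\n\nThanks."),
    (102, '[embed width="500"]https://www.instagram.com/p/EXAMPLE/[/embed]'),
    (103, 'Follow <a href="https://www.facebook.com/example">our page</a>.'),
    (104, "https://www.youtube.com/watch?v=EXAMPLE\n"),
    (105, "https://notfacebook.com/post/1\n"),
]

if __name__ == "__main__":
    for post_id, urls in audit(SAMPLE_POSTS).items():
        print(post_id, urls)
```

Ordinary hyperlinks (post 103) are not flagged, since linking directly to the social media post is one of the migration options above.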
Other Changes
No other changes in this release require specific migration steps. Simply update to WordPress 5.5.2 following the standard update procedure.
Upgrade Recommendations
Priority: High
WordPress 5.5.2 is a security and maintenance release that includes several important security fixes. All WordPress site owners should update to this version as soon as possible.
Reasons to upgrade immediately:
- Security Improvements: This release includes multiple security fixes that protect against potential vulnerabilities.
- Bug Fixes: Several PHP notices and warnings have been fixed, improving the stability of your WordPress installation.
- Facebook/Instagram Embed Changes: If your site uses Facebook or Instagram embeds, you'll need to update and implement an alternative solution as these oEmbed sources have been removed due to API changes by Facebook.
Upgrade Path:
- For most sites, you can use the automatic update feature in your WordPress dashboard.
- If you manage multiple WordPress sites, consider using a management tool to update all sites simultaneously.
- As always, make a complete backup of your site before updating.
Compatibility Notes:
- This release is compatible with PHP 5.6.20+ and MySQL 5.0+
- No known plugin compatibility issues have been reported with this release
- If you use Facebook or Instagram embeds, you'll need to implement an alternative solution after updating
Bug Fixes
Administration and UI Fixes
- Fixed variable name conflict in wp-admin/admin-header.php that caused issues in Theme Editor
- Fixed PHP notice when editing an image in the Media Library
- Fixed PHP notice after submitting the Edit Comment form
- Fixed issue with the reply heading not updating correctly when replying to comments
- Ensured that filtered arguments in get_search_form() contain all required default values
Core Functionality Fixes
- Fixed length validation of anonymous commenter's email address in XML-RPC
- Fixed PHP notice when creating a post with multiple taxonomies having default terms
- Fixed PHP notice for undefined index in auto update email notification filters
- Fixed handling of attachment IDs in XML-RPC to ensure correct return signature
- Improved logic check when determining installation status
- Fixed sanitization of meta keys before checking protection status
JavaScript and Package Updates
- Updated multiple WordPress packages to fix various issues
- Fixed issues with the block editor and related components
New Features
WordPress 5.5.2 doesn't introduce new features as it's primarily a security and maintenance release. However, it does include some enhancements to existing functionality:
Community Events Dashboard Widget Improvements
- Events now display in the user's local timezone rather than UTC
- Improved date and time formatting for better readability
- Added proper UTF-8 encoding for QUnit test suite
Build Tools Enhancements
- Added support for Composer 2.0 by updating the dealerdirect/phpcodesniffer-composer-installer package
- Improved local Docker development environment with ability to specify PHPUnit version
- Set local development environment to a local environment type by default
Security Updates
WordPress 5.5.2 includes several important security fixes:
- Requests Library Security: Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential object injection vulnerabilities.
- Multisite Embeds Security: Disabled embeds on deactivated Multisite sites to prevent potential misuse.
- Escaping Functions: Modified escaping functions to avoid potential false positives that could lead to security issues.
- XML-RPC Security Improvements:
  - Added better error handling for incorrect attachment IDs
  - Improved error messages for unprivileged users
  - Added specific permission checks to avoid ambiguous failure messages
- Meta Data Protection: Enhanced sanitization of meta keys before checking protection status.
- Theme Background Image Security: Ensured that only privileged users can set a background image when a theme is using the deprecated custom background page.
- Installation Status Check: Improved handling of ambiguous return values when determining if a blog is installed.
- Strict Comparison: Implemented strict comparison operators when comparing values to prevent potential type juggling issues.
Performance Improvements
This release doesn't include significant performance improvements as it's primarily focused on security fixes and bug fixes. However, by addressing various PHP notices and warnings, the release contributes to smoother operation of WordPress sites with fewer error logs, which can indirectly improve performance in certain scenarios.
The fixes to the Community Events dashboard widget may also result in slightly improved performance when loading the WordPress dashboard, as the widget now handles timezone conversions more efficiently.
Impact Summary
WordPress 5.5.2 is primarily a security and maintenance release that addresses several important issues:
- Security Enhancements: The release includes multiple security fixes that protect WordPress sites from potential vulnerabilities. These improvements strengthen the core platform's security posture and should be implemented promptly.
- PHP Notice Fixes: Several PHP notices and warnings that could appear in error logs have been fixed, resulting in cleaner operation and fewer distractions for developers and site administrators.
- Social Media Embed Changes: The removal of Facebook and Instagram as oEmbed sources represents a significant change for content creators who rely on these embeds. This change was necessary due to Facebook's API deprecation, but it requires site owners to find alternative solutions for embedding this content.
- Comment System Improvements: Fixes to the comment reply system ensure a better user experience when visitors engage with content on WordPress sites.
- Developer Tools: Updates to build tools and testing environments improve the development experience, particularly for those using Composer 2.0 and local Docker environments.
Overall, this release focuses on stability, security, and addressing necessary changes due to third-party API modifications. While it doesn't introduce new features, it strengthens WordPress's foundation and addresses several pain points reported by the community.
Statistics:
User Affected:
- Fixed PHP notices in various admin screens including Theme Editor and Edit Comment form
- Improved error handling for plugin and theme update notifications
- Community Events dashboard widget now displays dates and times in the user's timezone
- Security improvements to protect against potential vulnerabilities
