WordPress Release: 5.7.0

TL;DR

WordPress 5.7 "Esperanza" introduces significant improvements to the editor experience, enhanced color palette management, and streamlined HTTPS migration. This release focuses on making the admin interface more accessible with a refreshed color scheme, improving site performance with lazy-loaded iframes, and enhancing security with better HTTPS support. It also includes important updates to the block editor, REST API improvements, and various developer-focused enhancements.

The update is recommended for all WordPress sites, with special benefits for site administrators looking to improve their workflow and developers working with the block editor.

Highlight of the Release

• One-click migration from HTTP to HTTPS with automatic URL replacement
• New admin color palette with improved accessibility and contrast
• Lazy-loading now applied to iframes for improved performance
• Simplified editor font stack using system fonts for better privacy and performance
• Enhanced block editor with custom spacing controls and defaultEditorStyles
• New batch image editing endpoints in the REST API
• Improved password reset functionality for user management
• Content-Security-Policy script loader functions for enhanced security

Migration Guide

Migrating from HTTP to HTTPS

If you're planning to migrate your site from HTTP to HTTPS:

1. Ensure your host supports HTTPS (most modern hosts do)
2. Visit the Site Health screen in your WordPress admin
3. Look for the HTTPS status check and use the one-click update option if available
4. If your site's URLs are controlled by constants in your configuration files, you'll need to update those manually

Note that the migration process doesn't actually update content in the database but replaces insecure URLs on the fly. If you prefer to update the database directly, you can prevent the migration logic from running by either deleting the https_migration_required option or using the new wp_should_replace_insecure_home_url filter.

jQuery Changes

WordPress 5.7 continues the jQuery updates started in previous versions. If you're maintaining custom jQuery code, ensure you're not using deprecated methods like:

• .unbind(), .bind() (use .off(), .on() instead)
• .ready() (use jQuery(function() {}) instead)
• .size() (use .length property instead)
• .error() (use .on('error', function() {}) instead)
• .load(), .unload() (use .on('load', function() {}) instead)

Block Editor Font Changes

The block editor now uses system fonts instead of loading Noto Serif. If your theme or plugin relied on the presence of Noto Serif in the editor, you may need to adjust your styles or include the font yourself.

REST API Validation Errors

The REST API now returns more detailed error information from request validation. If you're consuming the REST API and handling errors, you may want to update your code to take advantage of the new details section in validation errors.

Upgrade Recommendations

WordPress 5.7 is a recommended upgrade for all WordPress sites. The release includes important security enhancements, performance improvements, and usability features that benefit all users.

For site administrators, the simplified HTTPS migration process and improved password reset functionality make common tasks much easier. Content creators will appreciate the block editor improvements and enhanced media editing capabilities.

Developers should update to take advantage of the new APIs, filters, and functions that provide more flexibility and control. The improved REST API error reporting and Content-Security-Policy support are particularly valuable for building secure, robust applications.

As with any major WordPress update, it's recommended to:

1. Back up your website before updating
2. Test the update on a staging environment if possible
3. Check compatibility of your themes and plugins
4. Update all themes and plugins to their latest versions

After updating, site administrators should visit the Site Health screen to check for any potential issues and take advantage of the new HTTPS migration feature if not already using HTTPS.

Bug Fixes

Editor and Block-Related Fixes

• Fixed the "Use theme styles" setting which was not functioning properly due to missing defaultEditorStyles setting
• Fixed RTL version of editor styles not being loaded
• Fixed a bug where viewing an autosave on imported posts would throw PHP notices
• Fixed issues with reusable blocks to ensure subsequent renders work correctly and prevent recursion errors
• Fixed color support for dynamic blocks by checking for color instead of experimentalColor

Media Handling Improvements

• Fixed an issue where media would continue playing after closing the media modal
• Added proper alt text support to adjacent_image_link() function
• Fixed filename checks in wp_image_src_get_dimensions() to be less strict
• Added sanity check for image meta in wp_image_src_get_dimensions()
• Fixed issues with getimagesize() error suppression

Admin Interface Fixes

• Fixed background color of plugin update row on small screens
• Fixed color contrast issues on UI elements following the color palette changes
• Fixed admin color schemes in the customizer
• Fixed the "Are you sure?" prompt triggering incorrectly when navigating away from the classic editor
• Fixed keyboard navigation for the Tags meta box in classic editor

Other Fixes

• Fixed feed links when pretty permalinks are not in use
• Fixed a PHP 8 compatibility issue in the PclZip library
• Fixed duplicates in sticky posts option
• Fixed loopback test in Site Health to use home page and POST to wp-cron
• Fixed jQuery deprecations throughout WordPress core

New Features

One-click HTTPS Migration

WordPress 5.7 introduces a streamlined process for migrating sites from HTTP to HTTPS. The new system allows for one-click migration when HTTPS is supported by your host, automatically updating the site and WordPress addresses while replacing insecure URLs in your content on the fly. This makes the previously tedious task of switching to HTTPS much simpler.

Refreshed Admin Color Palette

The admin interface has been updated with a simplified color palette, reducing the number of colors by approximately 50% and using fewer color variations. This improves accessibility with better contrast while maintaining a clean, professional look.

Lazy-loading for iFrames

Building on the lazy-loading for images introduced in WordPress 5.5, version 5.7 now extends this functionality to iframes. This helps improve page load performance by only loading iframe content when it's about to enter the viewport.

Batch Image Editing via REST API

New REST API endpoints allow for batch image editing operations. These endpoints can take an array of modifiers that will be applied in the order they appear, making programmatic image editing more efficient.

Enhanced Password Reset Functionality

Administrators can now send users a password reset link directly from the user management interface. This feature is available from the user profile screen, as a bulk action, and as a quick action in the users list.

Content-Security-Policy Script Loaders

New functions (wp_get_script_tag(), wp_print_script_tag(), wp_print_inline_script_tag(), and wp_get_inline_script_tag()) have been added to support script attributes like async or nonce, creating a path forward for enabling Content-Security-Policy in core, plugins, and themes.

Block Editor Improvements

• Added defaultEditorStyles setting to properly support the "Use theme styles" option
• Added enableCustomSpacing editor setting to enable custom block spacing
• Removed Noto Serif in favor of system fonts for better privacy and performance
• Added support for apiVersion field when preparing server-registered blocks

Security Updates

Enhanced HTTPS Support

WordPress 5.7 significantly improves HTTPS support with a one-click migration feature and better detection of HTTPS capabilities. The Site Health tool now provides more accurate messaging about HTTPS support and offers a primary action to update site URLs to HTTPS when supported by the environment.

Content-Security-Policy Script Support

New functions have been added to support script attributes such as async or nonce, creating a foundation for enabling Content-Security-Policy in WordPress core, plugins, and themes. This helps prevent cross-site scripting (XSS) attacks by controlling which scripts can be executed on your site.

Improved App Password Capabilities

App passwords now have more fine-grained capabilities: create_app_password, list_app_passwords, read_app_password, edit_app_password, delete_app_password, and delete_app_passwords. These capabilities all map to edit_user by default but can be customized by developers for more precise access control.

Search Results Protection

WordPress now adds a noindex robots meta tag to search results pages to prevent search engines from indexing internal search results. This helps protect against reflected web spam attacks.

Private Post Protection

The canonical URL system has been updated to ensure private posts only redirect for logged-in users with appropriate permissions, preventing potential information disclosure through URL enumeration.

Performance Improvements

Lazy-loading for iFrames

WordPress 5.7 extends lazy-loading support to iframes, building on the image lazy-loading introduced in WordPress 5.5. This means iframes will only load when they're about to enter the viewport, reducing initial page load times and saving bandwidth for visitors who don't scroll to sections containing embedded content.

Simplified Editor Font Stack

The block editor now uses system fonts instead of loading Noto Serif. This change improves both privacy (by reducing external requests) and performance (by eliminating the need to download additional font files). The editor will now use fonts already available on the user's device.

Optimized Term Deletion

The wp_delete_term() function has been optimized for large object counts when no default term is required. By calling wp_remove_object_terms() directly in these cases, WordPress can skip the terms fetch/diff step, significantly speeding up the deletion process for taxonomies with many objects.

Alternative WP-Cron Improvements

Cron jobs now run later on sites using alternative cron (with the ALTERNATE_WP_CRON constant set to true), ensuring custom post types and taxonomies are registered before jobs run. This provides better compatibility and prevents potential issues with scheduled tasks.

Impact Summary

WordPress 5.7 "Esperanza" represents a significant step forward in making WordPress more user-friendly, secure, and performant. The release focuses on four key areas of improvement:

1. Simplified Administration: The one-click HTTPS migration feature removes a major pain point for site administrators, while the refreshed admin color palette improves accessibility and provides a cleaner interface. The enhanced password reset functionality streamlines user management tasks.

2. Performance Enhancements: Lazy-loading for iframes, system fonts in the editor, and optimized term deletion all contribute to better performance for both administrators and site visitors. These changes reduce bandwidth usage, speed up page loads, and improve server response times.

3. Security Improvements: The focus on HTTPS migration, Content-Security-Policy support, and protection for search results and private posts demonstrates WordPress's commitment to security best practices. These changes help protect sites against common vulnerabilities and align with modern web security standards.

4. Developer Experience: New APIs, filters, and functions give developers more control and flexibility when extending WordPress. The improved REST API validation error reporting, fine-grained app password capabilities, and dynamic block filters make it easier to build robust, secure applications.

Overall, WordPress 5.7 makes the platform more accessible to newcomers while providing powerful tools for experienced users and developers. The focus on performance and security ensures that WordPress remains a reliable foundation for websites of all sizes.