Social Entrepreneur blog for the world changers
Mark Jaquith
Homepage: http://wordpress.org/development
Posts by Mark Jaquith
WordPress 3.1.3 (and WordPress 3.2 Beta 2)
May 25th
WordPress 3.1.3 is available now and is a security update for all previous versions. It contains the following security fixes and enhancements:
- Various security hardening by Alexander Concha.
- Taxonomy query hardening by John Lamansky.
- Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
- Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
- Improves file upload security on hosts with dangerous security settings.
- Cleans up old WordPress import files if the import does not finish.
- Introduce “clickjacking” protection in modern browsers on admin and login pages.
Consult the change log for more details.
Download WordPress 3.1.3 or update automatically from the Dashboard → Updates menu in your site’s admin area.
WordPress 3.2 Beta 2 also available
In other news, our development of WordPress 3.2 continues right on schedule. We released Beta 1 thirteen days ago, and today we’re putting out Beta 2 for your testing pleasure.
This is still beta software, so we don’t recommend that you use it on production sites. But if you’re a plugin developer, a theme developer, or a site administrator, you should be running this on your test environments and reporting any bugs you find. If you’re a WordPress user who wants to open your presents early, take advantage of WordPress’ famous 5-minute install and spin up a secondary test site. Let us know what you think!
The plan is to start putting out release candidates in early June, and to release WordPress 3.2 by the end of the month. The more you help us iron out issues during the beta period, the more likely we are to hit those dates. To misappropriate and mangle a quote from Mahatma Gandhi: “Be the punctuality you want to see in the WordPress.” In other words, test now!
Here are some of the things that changed since Beta 1:
- Google Chrome Frame is now supported in the admin, if you have it installed. This is especially useful for IE 6 users (remember, IE 6 is otherwise deprecated for the admin).
- The admin is less ugly in IE 7.
- The blue admin color scheme has caught up to the grey one, and is ready for testing.
- We are now bundling jQuery 1.6.1. You should test any JS that uses jQuery. WordPress JavaScript guru Andrew Ozz has a post with more info.
WordPress 3.0.2
Nov 30th
WordPress 3.0.2 is available and is a mandatory security update for all previous WordPress versions. Haiku has become traditional:
Fixed on day zero
One-click update makes you safe
This used to be hard
This maintenance release fixes a moderate security issue that could allow a malicious Author-level user to gain further access to the site, addresses a handful of bugs, and provides some additional security enhancements. Big thanks to Vladimir Kolesnikov for detailed and responsible disclosure of the security issue!
Download 3.0.2 or update automatically from the Dashboard > Updates menu in your site’s admin area. You should update immediately even if you do not have untrusted users.
PHP 4 and MySQL 4 End of Life Announcement
Jul 23rd
Our approach with WordPress has always been to make it run on common server configurations. We want users to have flexibility when choosing a host for their precious content. Because of this strategy, WordPress runs pretty much anywhere. Web hosting platforms, however, change over time, and we occasionally are able to reevaluate some of the requirements for running WordPress. Now is one of those times. You probably guessed it from the title — we’re finally ready to announce the end of support for PHP 4 and MySQL 4!
First up, the announcement that developers really care about. WordPress 3.1, due in late 2010, will be the last version of WordPress to support PHP 4.
For WordPress 3.2, due in the first half of 2011, we will be raising the minimum required PHP version to 5.2. Why 5.2? Because that’s what the vast majority of WordPress users are using, and it offers substantial improvements over earlier PHP 5 releases. It is also the minimum PHP version that the Drupal and Joomla projects will be supporting in their next versions, both due out this year.
The numbers are now, finally, strongly in favor of this move. Only around 11 percent of WordPress installs are running on a PHP version below 5.2. Many of them are on hosts who support PHP 5.2 — users merely need to change a setting in their hosting control panel to activate it. We believe that percentage will only go down over the rest of the year as hosting providers realize that to support the newest versions of WordPress (or Drupal, or Joomla), they’re going to have to pull the trigger.
In less exciting news, we are also going to be dropping support for MySQL 4 after WordPress 3.1. Fewer than 6 percent of WordPress users are running MySQL 4. The new required MySQL version for WordPress 3.2 will be 5.0.15.
WordPress users will not be able to upgrade to WordPress 3.2 if their hosting environment does not meet these requirements (the built-in updater will prevent it). In order to determine which versions your host provides, we’ve created the Health Check plugin. You can download it manually, or use this handy plugin installation tool I whipped up. Right now, Health Check will only tell you if you’re ready for WordPress 3.2. In a future release it will provide all sorts of useful information about your server and your WordPress install, so hang on to it!
In summary: WordPress 3.1, due in late 2010, will be the last version of WordPress to support PHP 4 and MySQL 4. WordPress 3.2, due in the first half of 2011, will require PHP 5.2 or higher, and MySQL 5.0.15 or higher. Install the Health Check plugin to see if you’re ready!
Plugin Compatibility Beta
Oct 28th
The number one reason people give us for not upgrading to the latest version of WordPress is fear that their plugins won’t be compatible. As part of our continuing efforts to make WordPress core, plugin, and theme upgrades as painless as possible, Michael Adams developed and launched a beta of a new “Compatibility” feature in the plugin directory, powered by your votes. When viewing a plugin in the directory, select a WordPress version and a plugin version from the drop-downs. If there has been feedback about this WordPress / plugin version combination, we’ll show you what percentage of responses marked that combination as compatible vs how many marked it as incompatible.

If you log in, you’ll be able to help us gather this information! Just select a WordPress version / plugin version combination and click the “Works” or the “Broken” button. Please note that this shouldn’t be used to report minor issues with a plugin. You should mark a plugin as “Broken” only if its core functionality is truly broken when run on the specified WordPress version.

Right now we’re just in information gathering mode. So get out there and vote! Don’t just vote on broken plugins… cast a “Works” vote for every plugin that works on the version of WordPress you are using. This can help improve the signal-to-noise ratio in our data and prevent a few mistaken “Broken” votes from weighing too heavily.
For developers, we’re now including this data in our API. The plugin_information action now returns a “compatibility” member with the multidimensional array format:
array( {WP version} => array( {plugin version} => array( {% of reporters who say it works}, {# responses} ) ) )
If the API knows which version of WordPress you are using (for example, if you are making this query using the plugins_api() function from within WordPress), the API will only return compatibility information for your version of WordPress.
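One way to consume the "compatibility" array before applying an upgrade, as an added example (not WordPress core or plugin directory code). The function names, the vote and percentage thresholds, and the sample plugin slugs and numbers are assumptions made for illustration.

```php
<?php
// Added example: not WordPress core or plugin-directory code.
// $compat follows the format described above:
//   array( WP version => array( plugin version => array( % works, # responses ) ) )
// Inside WordPress it would be the "compatibility" member of a
// plugin_information response; here it is a constructed sample.

/**
 * Classify one WordPress / plugin version pair.
 * $min_votes and $min_percent are hypothetical thresholds, not API values.
 */
function compat_verdict( array $compat, $wp_version, $plugin_version, $min_votes = 5, $min_percent = 80 ) {
    if ( ! isset( $compat[ $wp_version ][ $plugin_version ] ) ) {
        return 'no-data';
    }
    $entry = $compat[ $wp_version ][ $plugin_version ];
    if ( ! is_array( $entry ) || count( $entry ) < 2 ) {
        return 'no-data'; // malformed entry: treat as unknown
    }
    list( $percent, $votes ) = array_values( $entry );
    if ( (int) $votes < $min_votes ) {
        // A single mistaken "Broken" vote should not block an upgrade.
        return 'insufficient-votes';
    }
    return ( (float) $percent >= $min_percent ) ? 'works' : 'broken';
}

/** Verdict for every installed plugin before upgrading to $target_wp. */
function pre_upgrade_report( array $installed, array $compat_by_slug, $target_wp ) {
    $report = array();
    foreach ( $installed as $slug => $plugin_version ) {
        $compat = isset( $compat_by_slug[ $slug ] ) ? $compat_by_slug[ $slug ] : array();
        $report[ $slug ] = compat_verdict( $compat, $target_wp, $plugin_version );
    }
    return $report;
}

// Constructed sample data (plugin slugs and numbers are made up).
$compat_by_slug = array(
    'example-gallery' => array( '3.2' => array( '1.4' => array( 96, 52 ) ) ),
    'example-cache'   => array( '3.2' => array( '2.0' => array( 0, 1 ) ) ),     // one "Broken" vote
    'example-forms'   => array( '3.1.3' => array( '0.9' => array( 40, 30 ) ) ), // no 3.2 data
);
$installed = array( 'example-gallery' => '1.4', 'example-cache' => '2.0', 'example-forms' => '0.9' );

print_r( pre_upgrade_report( $installed, $compat_by_slug, '3.2' ) );
```

With the sample data, the report marks example-gallery as works, example-cache as insufficient-votes, and example-forms as no-data.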
Eventually, we’d like to gather this compatibility feedback from within WordPress, allowing you to vote directly from your plugins admin screen. The ultimate goal is to use this information to inform you of plugin incompatibilities with a new version of WordPress during the upgrade process. For that to be useful we need a large set of high quality compatibility data. Start voting!
The WordPress 2.0.x Legacy Branch is Deprecated
Jul 29th
The WordPress team had initially committed to maintaining the WordPress 2.0.x legacy branch until 2010. Unfortunately, we bit off more than we could chew—the 2.0.x branch is now retired and deprecated, a few months shy of 2010.
Many of the security improvements to the new versions of WordPress in the last couple of years were complete reworks of how various systems were handled. Porting those changes to the 2.0.x branch would have been a monumental task and could have introduced instability or new bugs. We had to make hard decisions between stability and merging in the latest security enhancements. Additionally, far fewer people stayed on the 2.0.x branch than we anticipated. I take that as a testament to the new features in WordPress and perhaps even more the features offered by plugins, many of which don’t support older versions of WordPress!
I’m disappointed that we weren’t able to keep the branch maintained until 2010, but since one of the big reasons for that failure was the massive scope of our security improvements for the newer versions of WordPress, 2.0.x doesn’t die in vain!