WordPress Changelog

New in version 4.3.1

September 16th, 2015
  • This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
  • This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.
  • WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
  • A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
  • Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.
  • Our thanks to those who have practiced responsible disclosure of security issues.
  • WordPress 4.3.1 also fixes twenty-six bugs.

New in version 4.3 (August 18th, 2015)

  • Menus in the Customizer:
  • Create your menu, update it, and assign it, all while live-previewing in the customizer. The streamlined customizer design provides a mobile-friendly and accessible interface. With every release, it becomes easier and faster to make your site just the way you want it.
  • Formatting Shortcuts:
  • Your writing flow just got faster with new formatting shortcuts in WordPress 4.3. Use asterisks to create lists and number signs to make a heading. No more breaking your flow; your text looks great with a * and a #.
  • Site Icons:
  • Site icons represent your site in browser tabs, bookmark menus, and on the home screen of mobile devices. Add your unique site icon in the customizer; it will even stay in place when you switch themes. Make your whole site reflect your brand.
  • Better Passwords:
  • Keep your site more secure with WordPress’ improved approach to passwords. Instead of receiving passwords via email, you’ll get a password reset link. When you add new users to your site or edit a user profile, WordPress will automatically generate a secure password.
  • Other improvements:
  • A smoother admin experience – Refinements to the list view across the admin make your WordPress more accessible and easier to work with on any device.
  • Comments turned off on pages – All new pages that you create will have comments turned off. Keep discussions to your blog, right where they’re supposed to happen.
  • Customize your site quickly – Wherever you are on the front-end, you can click the customize link in the toolbar to swiftly make changes to your site.

New in version 4.2.4 (August 4th, 2015)

  • This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site.
  • It also includes a fix for a potential timing side-channel attack and prevents an attacker from locking a post from being edited.
  • In addition to the security fixes, WordPress 4.2.4 contains fixes for 4 bugs from 4.2.3, including:
  • FIX - WPDB: When checking the encoding of strings against the database, make sure we're only relying on the return value of strings that were sent to the database. #32279
  • FIX - Don't blindly trust the output of glob() to be an array. #33093
  • FIX - Shortcodes: Handle do_shortcode('

New in version 4.3 RC 1 (July 30th, 2015)

  • More than 100 changes

New in version 4.2.3 (July 23rd, 2015)

  • A security release for all previous versions and we strongly encourage you to update your sites immediately.
  • WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team.
  • Fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.
  • WordPress 4.2.3 also contains fixes for 20 bugs from 4.2.

New in version 4.3 Beta 4 (July 23rd, 2015)

  • Fixed several bugs and broken flows in the publish box in the edit screen.
  • Addressed a number of edge cases for word count in the editor.
  • Site icons can now be previewed within the customizer. The feature has been removed from general settings.
  • Various bug fixes. We’ve made more than 60 changes in the last week.

New in version 4.3 Beta 3 (July 16th, 2015)

  • Performance improvements for Menus in the Customizer, as well as bug fixes and visual enhancements.
  • Added Site Icon to the Customizer. The feature is now complete and requires lots of testing. Please help us ensure the site icon feature works well in both Settings and the Customizer.
  • The improvements to Passwords have been added to the installation flow. When installing and setting up WordPress, a strong password will be suggested to site administrators. Please test and let us know if you encounter issues.
  • Improved accessibility of comments and media list tables. If you use a screen reader, please let us know if you encounter any issues.
  • Lots and lots of code documentation improvements.
  • Various other bug fixes. We’ve made more than 140 changes in the last week.

New in version 4.3 Beta 2 (July 9th, 2015)

  • Fixed an issue in beta 1 where an alert appeared when saving or publishing a new post/page for the first time.
  • Customizer improvements including enhanced accessibility, smoother menu creation and location assignment, and the ability to handle nameless menus. Please help us test menus in the Customizer to fix any remaining edge cases!
  • More robust list tables with full content support on small screens and a fallback for the primary column for custom list tables. We’d love to know how these list tables, such as All Posts and Comments, work for you now on small screen devices.
  • The Site Icon feature has been improved so that cropping is skipped if the image is the exact size (512px square) and the media modal now suggests a minimum icon size. Please let us know how the flow feels and if you encounter any glitches!
  • The toolbar now has a direct link to the customizer, along with quick access to themes, widgets, and menus in the dashboard.
  • We enabled utf8mb4 for MySQL extension users, which was previously unintentionally limited to MySQLi users. Please let us know if you run into any issues.
  • Various bug fixes. We’ve made almost 100 changes in the last week.

New in version 4.3 Beta 1 (July 2nd, 2015)

  • Menus can now be managed with the Customizer, which allows you to live preview changes you’re making without changing your site for visitors until you’re ready. We’re especially interested to know if this helps streamline the process of setting up your site (#32576).
  • Take control of another piece of your site with the Site Icon feature. You can now manage your site’s favicon and app icon from the admin area (#16434).
  • We put a lot of work into Better Passwords throughout WordPress. Now, WordPress will limit the life time of password resets, no longer send passwords via email, and generate and suggest secure passwords for you. Try it out and let us know what you think! (#32589)
  • We’ve also added Editor Improvements. Certain text patterns are automatically transformed as you type, including * and - transforming into unordered lists, 1. and 1) for ordered lists, > for blockquotes and one to six number signs (#) for headings (#31441).
  • We’ve improved the list view across the admin dashboard. Now, when you view your posts and pages on small screen devices, columns are not truncated and can be toggled into view (#32395).
  • Developers: There have been a few of changes for you to test as well, including:
  • Taxonomy Roadmap: Terms shared across multiple taxonomies will now be split into separate terms on update to 4.3. Please let us know if you hit any snags (#30261).
  • Added singular.php to the template hierarchy as a fallback for single.php and page.php. (#22314).
  • The old Distraction Free Writing code was removed (#30949).
  • List tables now can (and often should) have a primary column defined. We’re working on a fallback for existing custom list tables but right now they likely have some breakage in the aforementioned responsive view (#25408).

New in version 4.2.2 (May 7th, 2015)

  • Critical security release for all previous versions and we strongly encourage you to update your sites immediately. Version 4.2.2 addresses two security issues:
  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.
  • The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor.
  • In addition to the security fixes, WordPress 4.2.2 contains fixes for 13 bugs from 4.2.1, including:
  • Fixes an emoji loading error in IE9 and IE10
  • Fixes a keyboard shortcut for saving from the Visual editor on Mac
  • Fixes oEmbed for YouTube URLs to always expect https
  • Fixes how WordPress checks for encoding when sending strings to MySQL
  • Fixes a bug with allowing queries to reference tables in the dbname.tablename format
  • Lowers memory usage for a regex checking for UTF-8 encoding
  • Fixes an issue with trying change the wrong index in the wp_signups table on utf8mb4 conversion
  • Improves performance of loop detection in _get_term_children()
  • Fixes a bug where attachment URLs were incorrectly being forced to use https in some contexts

New in version 4.2.1 (April 28th, 2015)

  • A critical security release for all previous versions and we strongly encourage you to update your sites immediately.
  • A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.
  • WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

New in version 4.2 (April 24th, 2015)

  • An easier way to share content:
  • Press ThisClip it, edit it, publish it. Get familiar with the new and improved Press This. From the Tools menu, add Press This to your browser bookmark bar or your mobile device home screen. Once installed you can share your content with lightning speed. Sharing your favorite videos, images, and content has never been this fast or this easy.
  • Extended character support:
  • Character support for emoji, special charactersWriting in WordPress, whatever your language, just got better. WordPress 4.2 supports a host of new characters out-of-the-box, including native Chinese, Japanese, and Korean characters, musical and mathematical symbols, and hieroglyphs.
  • Don’t use any of those characters? You can still have fun — emoji are now available in WordPress! Get creative and decorate your content with 💙, 🐸, 🐒, 🍕, and all the many other emoji.
  • Switch themes in the Customizer:
  • Browse and preview your installed themes from the Customizer. Make sure the theme looks great with your content, before it debuts on your site.
  • Even more embeds:
  • Paste links from Tumblr.com and Kickstarter and watch them magically appear right in the editor. With every release, your publishing and editing experience get closer together.
  • Streamlined plugin updates:
  • Goodbye boring loading screen, hello smooth and simple plugin updates. Click Update Now and watch the magic happen.
  • utf8mb4 support:
  • Database character encoding has changed from utf8 to utf8mb4, which adds support for a whole range of new 4-byte characters.
  • JavaScript accessibility:
  • You can now send audible notifications to screen readers in JavaScript with wp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.
  • Shared term splitting:
  • Terms shared across multiple taxonomies will be split when one of them is updated. Find out more in the Plugin Developer Handbook.
  • Complex query ordering:
  • WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.

New in version 4.1.2 (April 22nd, 2015)

  • A critical security release. WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
  • Fixed three other security issues:
  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

New in version 4.2 RC 1 (April 16th, 2015)

  • Made more than 140 changes since releasing Beta 4 a week and a half ago.

New in version 4.2 Beta 4 (April 4th, 2015)

  • Incrementally improved the experience when accessing the Customizer on mobile. Please test on your mobile devices and let us know if anything seems wonky.
  • Added the ability to make admin notices dismissible. Plugin and theme authors: adding .notice and .is-dismissible as adjacent classes to your notice containers should automatically make them dismissible. Please test.
  • Fixed some reported issues with backward-compatibility issues caused by the modularization of core JS files.
  • Removed the ability to swipe the admin menu open and closed on touch devices due to reports of some issues with built-in history navigation on certain platforms.
  • Improved accessibility of the WordPress admin by replacing skip-to-content links with landmark roles. Screen reader users: please test in any core admin screens.
  • Various bug fixes. We’ve made more than 90 changes in the last week.

New in version 4.2 Beta 3 (March 27th, 2015)

  • Removed Shiny Installs functionality due to concerns about the activation workflow. Please test the remaining “Shiny Updates” functionality from both the Plugins > Add New and Plugins screens to ensure in-line updating still works as well as before.
  • Fixed an issue with the Comments Quick Edit layout breaking on smaller screens. Please test on your mobile devices.
  • Improved accessibility of login screen errors. Screen reader users: please let us know if you encounter any issues.
  • Refined the emoji compatibility script to only load on the front- and back-end if the browser requires it. If you’re using a legacy web browser, please test.
  • Fixed several issues in Press This with inserted images being improperly linked to locations other than the source site. Go ahead, “press” a site with images on the page and tell us if the image links aren’t working as you’d expect.
  • Standardized the time display format in a variety of admin screens, switching to 24-hour notation where a.m. or p.m. are not specified. Please let us know if you notice you notice anything amiss!
  • Various other bug fixes. We’ve made more than 65 changes in the last week.

New in version 4.2 Beta 2 (March 20th, 2015)

  • Added support for entering FTP and SSH credentials when updating plugins in-place. FTP and SSH users, please test!
  • Improved cross-browser support for emoji throughout WordPress. If you’re using an older web browser, please tell us if you have problems using emoji.
  • Further refined Press This authoring with auto-embedded media and better content scanning. We’d love to know how auto-embeds work for you.
  • Added a constructor and improved method consistency in WP_Comment_Query. Developers: if you’re extending WP_Comment_Query, please let us know if you run into any issues.
  • Various bug fixes. We’ve made more than 70 changes in the last week.

New in version 4.2 Beta 1 (March 13th, 2015)

  • Press This has been completely revamped to make sharing content from around the web easier than ever. The new workflow is mobile friendly, and we’d love for you to try it out on all of your devices. Navigate to the Tools screen in your WordPress backend to get started (#31373).
  • Browsing and switching installed themes has been added to the Customizer to make switching faster and more convenient. We’re especially interested to know if this helps streamline the process of setting up your site (#31303).
  • The workflow for updating and installing plugins just got more intuitive with the ability to install or update in-place from the Plugins screens. Try it out and let us know what you think! (#29820)
  • If you felt like emoji were starkly missing from your content toolbox, worry no more. We’ve added emoji support nearly everywhere, even post slugs 👍 (#31242).
  • Taxonomy Roadmap: Terms shared across multiple taxonomies will now be split into separate terms when one of them is updated. Please let us know if you hit any snags (#5809).
  • New wp.a11y.speak() functionality helps your JavaScript talk to screen readers to better inform impaired users what’s happening on-screen. Try it out in your plugin or theme and let us know if you notice any adverse affects (#31368).
  • Named clause support has been added to WP_Query, WP_Comment_Query, and WP_User_Query, allowing specific meta_query clauses to be used with orderby. If you have any complex queries, please test them (#31045, #31265).

New in version 4.1.1 (February 19th, 2015)

  • Fixes 21 bugs in version 4.1.

New in version 4.1 (December 19th, 2014)

  • Our newest default theme, Twenty Fifteen, is a blog-focused theme designed for clarity.
  • Twenty Fifteen has flawless language support, with help from Google’s Noto font family.
  • The straightforward typography is readable on any screen size.
  • Your content always takes center stage, whether viewed on a phone, tablet, laptop, or desktop computer.
  • Just write.
  • Sometimes, you just need to concentrate on putting your thoughts into words. Try turning on distraction-free writing mode. When you start typing, all the distractions will fade away, letting you focus solely on your writing. All your editing tools instantly return when you need them.
  • Choose a language:
  • Right now, WordPress 4.1 is already translated into over forty languages, with more always in progress. You can switch to any translation on the General Settings screen.
  • Log out everywhere:
  • If you’ve ever worried you forgot to sign out from a shared computer, you can now go to your profile and log out everywhere.
  • Vine embeds:
  • Embedding videos from Vine is as simple as pasting a URL onto its own line in a post. See the full list of supported embeds.
  • Plugin recommendations:
  • The plugin installer suggests plugins for you to try. Recommendations are based on the plugins you and other users have installed.
  • Complex Queries:
  • Metadata, date, and term queries now support advanced conditional logic, like nested clauses and multiple operators — A AND ( B OR C ).
  • Customizer API:
  • The customizer now supports conditionally showing panels and sections based on the page being previewed.
  • tags in themes:
  • add_theme_support( 'title-tag' ) tells WordPress to handle the complexities of document titles.
  • Developer Reference:
  • Continued improvements to inline code documentation have made the developer reference more complete than ever.

New in version 4.0.1 (November 21st, 2014)

  • Addresses these eight security issues:
  • Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
  • An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.
  • Version 4.0.1 also fixes 23 bugs with 4.0, and we’ve made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos.

New in version 4.1 Beta 1 (November 15th, 2014)

  • New default theme, Twenty Fifteen. It’s a clean, mobile-first, blog-focused theme designed through simplicity.
  • A new distraction-free writing mode for the editor. It’s enabled by default for beta, and we’d love feedback on it.
  • The ability to automatically install new language packs right from the General Settings screen (available as long as your site’s filesystem is writable).
  • A new inline formatting toolbar for images embedded into posts.
  • There have been a lot of changes for developers to test as well:
  • Improvements to meta, date, comment, and taxonomy queries, including complex (nested, multiple relation) queries; and querying comment types (#12668).
  • A single term shared across multiple taxonomies is now split into two when updated. For more, see this post, #5809, and #30335.
  • A new and better way for themes to handle title tags.
  • Several improvements to the Customizer API, including contextual panels and sections, and JavaScript templates for controls.

New in version 4.0 (September 5th, 2014)

  • Brings you a smoother writing and management experience.
  • Manage your media with style:
  • Explore your uploads in a beautiful, endless grid. A new details preview makes viewing and editing any amount of media in sequence a snap.
  • Working with embeds has never been easier
  • Paste in a YouTube URL on a new line, and watch it magically become an embedded video. Now try it with a tweet. Oh yeah — embedding has become a visual experience. The editor shows a true preview of your embedded content, saving you time and giving you confidence.
  • We’ve expanded the services supported by default, too — you can embed videos from CollegeHumor, playlists from YouTube, and talks from TED. Check out all of the embeds that WordPress supports.
  • Focus on your content:
  • Writing and editing is smoother and more immersive with an editor that expands to fit your content as you write, and keeps the formatting tools available at all times.
  • Add plugins:
  • There are more than 30,000 free and open source plugins in the WordPress plugin directory. WordPress 4.0 makes it easier to find the right one for your needs, with new metrics, improved search, and a more visual browsing experience.

New in version 4.0 Beta 4 (August 16th, 2014)

  • Further improvements to the editor scrolling experience, especially when it comes to the second column of boxes.
  • Better handling of small screens in the media library modals.
  • A separate bulk selection mode for the media library grid view.
  • Improvements to the installation language selector.
  • Visual tweaks to plugin details and customizer panels.

New in version 3.9.2 (August 7th, 2014)

  • Fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated joint security releases.
  • Contains other security changes:
  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

New in version 4.0 Beta 2 (July 19th, 2014)

  • Further refinements for the the plugin installation and media library experiences.
  • Updated TinyMCE, which now includes better indentation for lists and the restoration of the color picker.
  • Cookies are now tied to a session internally, so if you have trouble logging in, #20276 may be the culprit.
  • Various bug fixes (there were nearly 170 changes since last week).

New in version 4.0 Beta 1 (July 10th, 2014)

  • Previews of embedding via URLs in the visual editor and the “Insert from URL” tab in the media modal. Try pasting a URL (such as a WordPress.tv or YouTube video) onto its own line in the visual editor. (#28195, #15490)
  • The Media Library now has a “grid” view in addition to the existing list view. Clicking on an item takes you into a modal where you can see a larger preview and edit information about that attachment, and you can navigate between items right from the modal without closing it. (#24716)
  • We’re freshening up the plugin install experience. You’ll see some early visual changes as well as more information when searching for plugins and viewing details. (#28785, #27440)
  • Selecting a language when you run the installation process. (#28577)
  • The editor intelligently resizes and its top and bottom bars pin when needed. Browsers don’t like to agree on where to put things like cursors, so if you find a bug here, please also let us know your browser and operating system. (#28328)
  • Made some improvements to how your keyboard and cursor interact with TinyMCE views such as the gallery preview. Much like the editor resizing and scrolling improvements, knowing about your setup is particularly important for bug reports here. (#28595)
  • Widgets in the Customizer are now loaded in a separate panel. (#27406)
  • Also made some changes to some formatting functions, so if you see quotes curling in the wrong direction, please file a bug report.

New in version 3.9.1 (May 9th, 2014)

  • Fixes 34 bugs in 3.9, including numerous fixes for multisite networks, customizing widgets while previewing themes, and the updated visual editor.
  • Made some improvements to the new audio/video playlists feature and made some adjustments to improve performance.

New in version 3.9 (April 17th, 2014)

  • Improved visual editing:
  • The updated visual editor has improved speed, accessibility, and mobile support. You can paste into the visual editor from your word processor without wasting time to clean up messy styling. (Yeah, we’re talking about you, Microsoft Word.)
  • Edit images easily:
  • With quicker access to crop and rotation tools, it’s now much easier to edit your images while editing posts. You can also scale images directly in the editor to find just the right fit.
  • Drag and drop your images:
  • Uploading your images is easier than ever. Just grab them from your desktop and drop them in the editor.
  • Galleries display a beautiful grid of images right in the editor, just like they do in your published post.
  • Images have galleries; now we’ve added simple audio and video playlists, so you can showcase your music and clips.
  • Add, edit, and rearrange your site’s widgets right in the theme customizer. No “save and surprise” — preview your changes live and only save them when you’re ready.
  • The improved header image tool also lets you upload, crop, and manage headers while customizing your theme.
Looking for a new theme should be easy and fun. Lose yourself in the boundless supply of free WordPress.org themes with the beautiful new theme browser.

New in version 3.9 RC 2 (April 15th, 2014)

  • Made about five dozen changes since the first release candidate.
  • Probably the biggest fixes are to live widget previews and the new theme browser, along with some extra TinyMCE compatibility and some RTL fixes.

New in version 3.8.3 (April 15th, 2014)

  • Fixes a small but unfortunate bug in the WordPress 3.8.2 security release.

New in version 3.9 RC 1 (April 9th, 2014)

  • If you’re a plugin author, there are two important changes in particular to be aware of:
  • TinyMCE received a major update, to version 4.0. Any editor plugins written for TinyMCE 3.x might require some updates. (If things broke, we’d like to hear about them so we can make adjustments.) For more, see TinyMCE’s migration guide and API documentation, and the notes on the core development blog.
  • WordPress 3.9 now uses the MySQLi Improved extension for sites running PHP 5.5. Any plugins that made direct calls to mysql_* functions will experience some problems on these sites. For more information, see the notes on the core development blog.

New in version 3.8.2 (April 9th, 2014)

  • This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies.
  • It also contains a fix to prevent a user with the Contributor role from improperly publishing posts.
  • This release also fixes nine bugs and contains three other security hardening changes:
  • Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests
  • Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw
  • Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.

New in version 3.9 Beta 3 (March 31st, 2014)

  • More than 200 changes, including:
  • New features like live widget previews and the new theme installer are now more ready for prime time, so check ‘em out.
  • UI refinements when editing images and when working with media in the editor. We’ve also brought back some of the advanced display settings for images.
  • If you want to test out audio and video playlists, the links will appear in the media manager once you’ve uploaded an audio or video file.
  • For theme developers, we’ve added HTML5 caption support (#26642) to match the new gallery support (#26697).
  • The formatting function that turns straight quotes into smart quotes (among other things) underwent some changes to drastically speed it up, so let us know if you see anything weird.

New in version 3.9 Beta 2 (March 20th, 2014)

  • Rendering of embedded audio and video players directly in the visual editor.
  • Visual and functional improvements to the editor, the media manager, and theme installer.
  • Various bug fixes to TinyMCE, the software behind the visual editor.
  • Lots of fixes to widget management in the theme customizer.

New in version 3.9 Beta 1 (March 12th, 2014)

  • Updated TinyMCE, the software powering the visual editor, to the latest version. Be on the lookout for cleaner markup. Also try the new paste handling — if you paste in a block of text from Microsoft Word, for example, it will no longer come out terrible. (The “Paste from Word” button you probably never noticed has been removed.) It’s possible some plugins that added stuff to the visual editor (like a new toolbar button) no longer work, so we’d like to hear about them (#24067). (And be sure to open a support thread for the plugin author.)
  • Added widget management to live previews (the customizer). Please test editing, adding, and rearranging widgets! (#27112) We’ve also added the ability to upload, crop, and manage header images, without needing to leave the preview. (#21785)
  • Brought 3.8′s beautiful new theme browsing experience to the theme installer. Check it out! (#27055)
  • Galleries now receive a live preview in the editor. Upload some photos and insert a gallery to see this in action. (#26959)
  • You can now drag-and-drop images directly onto the editor to upload them. It can be a bit finicky, so try it and help us work out the kinks. (#19845)
  • Some things got improved around editing images. It’s a lot easier to make changes to an image after you insert it into a post (#24409) and you no longer get kicked to a new window when you need to crop or rotate an image (#21811).
  • New audio/video playlists. Upload a few audio or video files to test these. (#26631)

New in version 3.8.1 (January 24th, 2014)

  • A maintenance releases that addresses 31 bugs in 3.8, including various fixes and improvements for the new dashboard design and new themes admin screen.
  • An issue with taxonomy queries in WP_Query was resolved. And if you’ve been frustrated by submit buttons that won’t do anything when you click on them (or thought you were going crazy, like some of us), we’ve found and fixed this “dead zone” on submit buttons.
  • It also contains a fix for embedding tweets (by placing the URL to the tweet on its own line), which was broken due to a recent Twitter API change.

New in version 3.8 (December 13th, 2013)

  • Named “Parker” in honor of Charlie Parker, bebop innovator
  • Introducing a modern new design:
  • WordPress has gotten a facelift. 3.8 brings a fresh new look to the entire admin dashboard. Gone are overbearing gradients and dozens of shades of grey — bring on a bigger, bolder, more colorful design!
  • about-modern-wordpress
  • Modern aesthetic - The new WordPress dashboard has a fresh, uncluttered design that embraces clarity and simplicity.
  • Clean typography - The Open Sans typeface provides simple, friendly text that is optimized for both desktop and mobile viewing. It’s even open source, just like WordPress.
  • Refined contrast - We think beautiful design should never sacrifice legibility. With superior contrast and large, comfortable type, the new design is easy to read and a pleasure to navigate.
  • WordPress on every device:
  • We all access the internet in different ways. Smartphone, tablet, notebook, desktop — no matter what you use, WordPress will adapt and you’ll feel right at home.
  • High definition at high speed:
  • WordPress is sharper than ever with new vector-based icons that scale to your screen. By ditching pixels, pages load significantly faster, too.
  • Admin color schemes to match your personality
  • WordPress just got a colorful new update. We’ve included eight new admin color schemes so you can pick the one that suits you best.
  • Color schemes can be previewed and changed from your Profile page.
  • Refined theme management:
  • The new themes screen lets you survey your themes at a glance. Or want more information? Click to discover more. Then sit back and use your keyboard’s navigation arrows to flip through every theme you’ve got.
  • Smoother widget experience:
  • Drag-drag-drag. Scroll-scroll-scroll. Widget management can be complicated. With the new design, we’ve worked to streamline the widgets screen.
  • Have a large monitor? Multiple widget areas stack side-by-side to use the available space. Using a tablet? Just tap a widget to add it.
  • Twenty Fourteen, a sleek new magazine theme
  • The new Twenty Fourteen theme displayed on a laptop. tablet and phone
  • Turn your blog into a magazine:
  • Create a beautiful magazine-style site with WordPress and Twenty Fourteen. Choose a grid or a slider to display featured content on your homepage. Customize your site with three widget areas or change your layout with two page templates.
  • With a striking design that does not compromise our trademark simplicity, Twenty Fourteen is our most intrepid default theme yet.

New in version 3.8 Beta 1 (November 22nd, 2013)

  • The new admin design, especially the responsive aspect of it. Try it out on different devices and browsers, see how it goes, especially the more complex pages like widgets or seldom-looked-at-places like Press This. Color schemes, which you can change on your profile, have also been spruced up.
  • The dashboard homepage has been refreshed, poke and prod it.
  • Choosing themes under Appearance is completely different, try to break it however possible.
  • There’s a new default theme, Twenty Fourteen.
  • Over 250 issues closed already.

New in version 3.7.1 (November 8th, 2013)

  • This maintenance release addresses 11 bugs in WordPress 3.7, including:
  • Images with captions no longer appear broken in the visual editor.
  • Allow some sites running on old or poorly configured servers to continue to check for updates from WordPress.org.
  • Avoid fatal errors with certain plugins that were incorrectly calling some WordPress functions too early.
  • Fix hierarchical sorting in get_pages(), exclusions in wp_list_categories(), and in_category() when called with empty values.
  • Fix a warning that may occur in certain setups while performing a search, and a few other notices.

New in version 3.7 (October 28th, 2013)

  • This release features some of the most important architectural updates we’ve made to date. Here are the big ones:
  • Updates while you sleep: With WordPress 3.7, you don’t have to lift a finger to apply maintenance and security updates. Most sites are now able to automatically apply these updates in the background. The update process also has been made even more reliable and secure, with dozens of new checks and safeguards.
  • Stronger password recommendations: Your password is your site’s first line of defense. It’s best to create passwords that are complex, long, and unique. To that end, our password meter has been updated in WordPress 3.7 to recognize common mistakes that can weaken your password: dates, names, keyboard patterns (123456789), and even pop culture references.
  • Better global support: Localized versions of WordPress will receive faster and more complete translations. WordPress 3.7 adds support for automatically installing the right language files and keeping them up to date, a boon for the many millions who use WordPress in a language other than English.
  • For developers there are lots of options around how to control the new updates feature, including allowing it to handle major upgrades as well as minor ones, more sophisticated date query support, and multisite improvements.

New in version 3.7 RC 1 (October 23rd, 2013)

  • Automatic background updates for security and minor releases will update every 12 hours or so to the latest development version, and then email you the results.

New in version 3.7 Beta 1 (September 30th, 2013)

  • If you’re running WordPress in another language, we’ll automatically download any available translations for official WordPress importers and the default themes. (More to come here.)
  • Our password meter got a whole lot better, thanks to Dropbox’s zxcvbn library. Again, subtle but effective. Strong passwords are very important!
  • Search results are now ordered by relevance, rather than just by date. When your keywords match post titles and not just content, they’ll be pushed to the top.
  • Developers should check out the new advanced date queries in WP_Query.

New in version 3.6.1 (September 12th, 2013)

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website.

New in version 3.6 (August 2nd, 2013)

  • Highlights:
  • Includes a beautiful new blog-centric theme, bullet-proof autosave and post locking, a revamped revision browser, native support for audio and video embeds, and improved integrations with Spotify, Rdio, and SoundCloud.
  • User Features:
  • The new Twenty Thirteen theme inspired by modern art puts focus on your content with a colorful, single-column design made for media-rich blogging.
  • Revamped Revisions save every change and the new interface allows you to scroll easily through changes to see line-by-line who changed what and when.
  • Post Locking and Augmented Autosave will especially be a boon to sites where more than a single author is working on a post. Each author now has their own autosave stream, which stores things locally as well as on the server (so much harder to lose something) and there’s an interface for taking over editing of a post, as demonstrated beautifully by our bearded buddies in the video above.
  • Built-in HTML5 media player for native audio and video embeds with no reliance on external services.
  • The Menu Editor is now much easier to understand and use.
  • Developer features:
  • A new audio/video API gives you access to metadata like ID3 tags.
  • You can now choose HTML5 markup for things like comment and search forms, and comment lists.
  • Better filters for how revisions work, so you can store a different amount of history for different post types.
  • Tons more listed on the Codex, and of course you can always browse the over 700 closed tickets.

New in version 3.6 RC 2 (July 30th, 2013)

  • Revisions so smooth
  • We autosave your changes
  • Data loss begone!

New in version 3.5.2 (June 22nd, 2013)

  • This is the second maintenance release of 3.5, fixing 12 bugs.
  • This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
  • The WordPress security team resolved seven security issues, and this release also contains some additional security hardening.
  • The security fixes included:
  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  • Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki.
  • Prevention of a denial of service attack, affecting sites using password-protected posts.
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
  • Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
  • Avoid disclosing a full file path when a upload fails. Reported by Jakub Galczyk.

New in version 3.6 Beta 3 (May 11th, 2013)

  • Contains about a hundred changes, including improvements to the image Post Format flow (yay, drag-and-drop image upload!)
  • A more polished revision comparison screen
  • A more quote-like quote format for Twenty Thirteen.
  • Now has oEmbed support for the popular music-streaming services Rdio and Spotify.

New in version 3.6 Beta 2 (April 30th, 2013)

  • Contains a modified approach for format choosing and switching.
  • Made the Post Formats UI hide-able via Screen Options, and set a reasonable default based on what your theme supports.
  • A lot of bug fixes and polishing tweaks.

New in version 3.6 Beta 1 (April 5th, 2013)

  • Post Formats: Post Formats now have their own UI, and theme authors have access to templating functions to access the structured data.
  • Twenty Thirteen: We’re shipping this year’s default theme in our first release of the year. Twenty Thirteen is an opinionated, color-rich, blog-centric theme that makes full use of the new Post Formats support.
  • Audio/Video: You can embed audio and video files into your posts without relying on a plugin or a third party media hosting service.
  • Autosave: Posts are now autosaved locally. If your browser crashes, your computer dies, or the server goes offline as you’re saving, you won’t lose the your post.
  • Post Locking: See when someone is currently editing a post, and kick them out of it if they fall asleep at the keyboard.
  • Nav Menus: Nav menus have been simplified with an accordion-based UI, and a separate tab for bulk-assigning menus to locations.
  • Revisions: The all-new revisions UI features avatars, a slider that “scrubs” through history, and two-slider range comparisons.

New in version 3.5.1 (January 25th, 2013)

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
  • Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
  • A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

New in version 3.5 (December 12th, 2012)

  • The most dramatic new change you’ll notice is a completely re-imagined flow for uploading photos and creating galleries. Media has long been a friction point and we’ve listened hard and given a lot of thought into crafting this new system.
  • Includes a new default theme, Twenty Twelve, which has a very clean mobile-first responsive design and works fantastic as a base for a CMS site.
  • Refreshed the styles of the dashboard, updating everything to be Retina-ready with beautiful high resolution graphics, a new color picker, and streamlining a couple of fewer-used sections of the admin.

New in version 3.5 RC3 (December 4th, 2012)

  • Final UI improvements for the new media manager, based on lots of great feedback.
  • Show more information about uploading errors when they occur.
  • When inserting an image into a post, don’t forget the alternative text.
  • Fixes for the new admin button styles.
  • Improvements for mobile devices, Internet Explorer, and right-to-left languages.
  • Fix cookies for subdomain installs when multisite is installed in a subdirectory.
  • Fix ms-files.php rewriting for very old multisite installs.

New in version 3.5 Beta 3 (November 13th, 2012)

  • The Add Media dialog is complete.
  • Also updated to jQuery UI 1.9.1, SimplePie 1.3.1, and TinyMCE 3.5.7.

New in version 3.5 Beta 2 (October 13th, 2012)

  • New workflow for working with image galleries, including drag-and-drop reordering and quick caption editing.
  • New user interface for setting static front pages for the Reading Settings screen.
  • New image editing API.

New in version 3.5 Beta 1 (September 28th, 2012)

  • Appearance: A simplified welcome screen. A new color picker. And the all-HiDPI (retina) dashboard.
  • Accessibility: Keyboard navigation and screen reader support have both been improved.
  • Plugins: You can browse and install plugins you’ve marked as favorites on WordPress.org, directly from your dashboard.
  • Mobile: It’ll be easier to link up your WordPress install with our mobile apps, as XML-RPC is now enabled by default.
  • Links: We’ve hidden the Link Manager for new installs.
  • External libraries updated: TinyMCE 3.5.6. SimplePie 1.3. jQuery 1.8.2. jQuery UI 1.9 (and it’s not even released yet). We’ve also added Backbone 0.9.2 and Underscore 1.3.3, and you can use protocol-relative links when enqueueing scripts and styles. (#16560)
  • WP Query: You can now ask to receive posts in the order specified by post__in. (#13729)
  • XML-RPC: New user management, profile editing, and post revision methods. We’ve also removed AtomPub. (#18428, #21397, #21866)
  • Multisite: switch_to_blog() is now used in more places, is faster, and more reliable. Also: You can now use multisite in a subdirectory, and uploaded files no longer go through ms-files (for new installs). (#21434, #19796, #19235)
  • TinyMCE: We’ve added API support for “views” which you can use to offer previews and interaction of elements from the visual editor. (#21812)
  • Posts API: Major performance improvements when working with hierarchies of pages and post ancestors. Also, you can now “turn on” native custom columns for taxonomies on edit post screens. (#11399, #21309, #21240)
  • Comments API: Search for comments of a particular status, or with a meta query (same as with WP_Query). (#21101, #21003)
  • oEmbed: We’ve added support for a few oEmbed providers, and we now handle SSL links. (#15734, #21635, #16996, #20102)

New in version 3.4.2 (September 7th, 2012)

  • Fix some issues with older browsers in the administration area.
  • Fix an issue where a theme may not preview correctly, or its screenshot may not be displayed.
  • Improve plugin compatibility with the visual editor.
  • Address pagination problems with some category permalink structures.
  • Avoid errors with both oEmbed providers and trackbacks.
  • Prevent improperly sized header images from being uploaded.
  • Also fixes a few security issues and contains some security hardening. The vulnerabilities included potential privilege escalation and a bug that affects multisite installs with untrusted users. These issues were discovered and fixed by the WordPress security team.

New in version 3.4.1 (June 28th, 2012)

  • Fixes an issue where a theme’s page templates were sometimes not detected.
  • Addresses problems with some category permalink structures.
  • Better handling for plugins or themes loading JavaScript incorrectly.
  • Adds early support for uploading images on iOS 6 devices.
  • Allows for a technique commonly used by plugins to detect a network-wide activation.
  • Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.
  • Fixes a few security issues and contains some security hardening. The vulnerabilities included potential information disclosure as well as an bug that affects multisite installs with untrusted users.

New in version 3.4 (June 14th, 2012)

  • Includes significant improvements to theme customization, custom headers, Twitter embeds, and image captions.
  • For Users:
  • The biggest change in 3.4 is the theme customizer which allows you to play around with various looks and settings for your current theme or one you’re thinking about switching to without publishing those changes to the whole world. For themes that support it, you can change colors, backgrounds, and of course custom image headers. We have more planned for the customizer down the road.
  • Throughout the rest of the admin you’ll notice tweaks to make your everyday life easier. For example, if you have lots of themes we’ve made it quicker to browse them all at once without paging. We’ve made it possible to use images from your media library to populate custom headers, and for you to choose the height and width of your header images.
  • Expanded the embed support to include tweets: just put a Twitter permalink on its own line in the post editor and we’ll turn it into a beautiful embedded Tweet. And finally, image captions have been improved to allow HTML, like links, in them.
  • For Developers:
  • There are hundreds of under-the-hood improvements in this release, notably in the XML-RPC, themes, and custom header APIs, and significant performance improvements in WP_Query and the translation system. The Codex has a pretty good summary of the developer features, and you can always dive into Trac directly.

New in version 3.4 RC 3 (June 12th, 2012)

  • Fixed a few lingering issues with the new live preview feature, as well as with custom headers and backgrounds.

New in version 3.4 Beta 4 (May 3rd, 2012)

  • Less bugs, more polish

New in version 3.4 Beta 3 (April 21st, 2012)

  • Nearly 90 changes have been made since Beta 2.

New in version 3.3.2 (April 21st, 2012)

  • A security update for all previous versions.
  • Three external libraries included in WordPress received security updates:
  • Plupload (version 1.5.4), which WordPress uses for uploading media.
  • SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
  • SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

New in version 3.4 Beta 2 (April 12th, 2012)

  • Committed more than 60 bug fixes and feature adjustments based on testing and feedback.

New in version 3.4 Beta 1 (April 5th, 2012)

  • New:
  • Theme Customizer with Previewer
  • Flexible Custom Header Sizes
  • Selecting Custom Header and Background Images from Media Library
  • Better experience searching for and choosing a theme
  • And some of the under-the-hood changes:
  • New XML-RPC API for external and mobile applications
  • New API for registering theme support for custom headers and backgrounds
  • Performance improvements to WP_Query by splitting the query (Please test!)
  • Internationalization improvements (improved performance and locale support)
  • Performance and API improvements when working with lists of installed themes
  • Support for installing child themes from the WordPress Themes Directory

New in version 3.3.1 (January 4th, 2012)

  • Fixes 15 issues with WordPress 3.3, as well as a fix for a cross-site scripting vulnerability that affected version 3.3.

New in version 3.3 (December 13th, 2011)

  • For Users - Experienced users will appreciate the new drag-and-drop uploader, hover menus for the navigation, the new toolbar, improved co-editing support, and the new Tumblr importer. We’ve also been thinking a ton about what the WordPress experience is like for people completely new to the software. Version 3.3 has significant improvements there with pointer tips for new features included in each update, a friendly welcome message for first-time users, and revamped help tabs throughout the interface. Finally we’ve improved the dashboard experience on the iPad and other tablets with better touch support.
  • For Developers - There is a ton of candy for developers as well. I’d recommend starting your exploration with the new editor API, new jQuery version, better ways to hook into the help screens, more performant post-slug-only permalinks, and of course the entire list of improvements on the Codex and in Trac.

New in version 3.3 Beta 4 (November 25th, 2011)

  • Fixed a bunch of bugs
  • Cleaned up the UI
  • Added real text in some of the screens that still had placeholder text in Beta 3 (post-update screen, the Dashboard welcome area, new feature pointers), and generally tightened things up.

New in version 3.3 Beta 2 (October 20th, 2011)

  • Updated the Blue theme
  • Fixed IE7 and RTL support
  • Improved flyout menu styling and fixed several glitches
  • Finished the Pointers implementation
  • Landed the dashboard Welcome box for new installs
  • Improved contextual help styling
  • Tweaked the admin bar a little more
  • Fixed a bunch of bugs

New in version 3.3 Beta 1 (October 11th, 2011)

  • Media uploader
  • Improved admin bar
  • Fly out admin menus

New in version 3.2.1 (July 13th, 2011)

  • A maintenance release fixes a server incompatibility related to JSON that’s unfortunately affected some of you, as well as a few other fixes in the new dashboard design and the Twenty Eleven theme.

New in version 3.2 (July 5th, 2011)

  • Refreshed dashboard design.
  • Faster and lighter.
  • Distraction-free writing or zen mode.
  • New Twenty Eleven theme.

New in version 3.2 RC3 (June 30th, 2011)

  • Contains all of the fixes in 3.1.4; few minor RTL, JavaScript, and user interface fixes; and ensures graceful failures if 3.2 is run on PHP4.

New in version 3.2 RC2 (June 25th, 2011)

  • Handled a number of issues since RC1, including additional Twenty Eleven tweaks, a new theme support option for defaulting to randomized headers, and various RTL fixes.

New in version 3.2 RC1 (June 14th, 2011)

  • More than 350 tickets closed

New in version 3.2 Beta 2 (May 26th, 2011)

  • Google Chrome Frame is now supported in the admin, if you have it installed. This is especially useful for IE 6 users (remember, IE 6 is otherwise deprecated for the admin).
  • The admin is less ugly in IE 7.
  • The blue admin color scheme has caught up to the grey one, and is ready for testing.

New in version 3.1.3 (May 26th, 2011)

  • Various security hardening by Alexander Concha.
  • Taxonomy query hardening by John Lamansky.
  • Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
  • Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
  • Improves file upload security on hosts with dangerous security settings.
  • Cleans up old WordPress import files if the import does not finish.
  • Introduce “clickjacking” protection in modern browsers on admin and login pages.

New in version 3.2 Beta 1 (May 12th, 2011)

  • Performance improvements like you wouldn’t believe. What’s that mean? Things are faster!
  • Distraction-free Writing. The visual editor’s full-screen composing experience has gotten a major overhaul, and is now available from HTML mode, too. More than ever, WordPress allows you to focus on what matters most — your content.
  • Admin UI Refresh. The last major redesign of the WordPress admin was in 2008. This isn’t a major redesign, just a little facelift to keep us feeling young. WordPress turns 8 later this month, you know.
  • New Default Theme. Introducing Twenty Eleven, based on the popular Duster theme. Rotating header images, post format support, and more.
  • Browse Happy. WordPress is made to work with modern browsers. If you visit your Dashboard using an outdated web browser, we’ll let you know there’s a newer version available.
  • Admin Bar. We’ve added more links to the admin bar to make it even more useful.

New in version 3.1.2 (April 26th, 2011)

  • A security release for all previous WordPress versions.
  • This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts.
  • The issue was discovered by a member of our security team, WordPress developer Andrew Nacin, with Benjamin Balter.
  • The developers suggest you update to 3.1.2 promptly, especially if you allow users to register as contributors or if you have untrusted users. This release also fixes a few bugs that missed the boat for version 3.1.1.

New in version 3.1 (February 24th, 2011)

  • WordPress 3.1 “Reinhardt” is named in honor of the jazz guitarist Django Reinhardt.
  • This release features a lightning fast redesigned linking workflow which makes it easy to link to your existing posts and pages, an admin bar so you’re never more than a click away from your most-used dashboard pages, a streamlined writing interface that hides many of the seldom-used panels by default to create a simpler and less intimidating writing experience for new bloggers (visit Screen Options in the top right to get old panels back), and a refreshed blue admin scheme available for selection under your personal options.
  • There’s a bucket of candy for developers as well, including our new Post Formats support which makes it easy for themes to create portable tumblelogs with different styling for different types of posts, new CMS capabilities like archive pages for custom content types, a new Network Admin, an overhaul of the import and export system, and the ability to perform advanced taxonomy and custom fields queries.

New in version 3.1 RC 4 (February 8th, 2011)

  • includes the security fixes and enhancements included in 3.0.5 and addresses about two dozen additional bugs.
  • Includes fixes for:
  • Deleting a user and reassigning their posts to another user.
  • Marking multiple users or sites as spam in multisite.
  • PHP4 compatibility.

New in version 3.0.5 (February 8th, 2011)

  • This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update.
  • Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.
  • One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.
  • Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in previous release.

New in version 3.1 RC 3 (January 24th, 2011)

  • The biggest change is the removal of AJAX list tables, which had been an effort to move all of our list-style screens to full AJAX for pagination, searches, and column sorts, and to consolidate the list-style screens into a single API that plugins could leverage. Unfortunately, with more testing came realizations that there were too many major bugs and usability issues with how the functionality was implemented, so we’ve spent the last week rolling back the most important portions of the feature.
  • For users: AJAX has been entirely disabled for the list tables. We hope to bring this back again, in a form that is properly and fully implemented, in a future release. Column sorting remains, but everything else has returned to its 3.0 state.
  • For developers: The entire list table API is now marked private. If you attempt to leverage new components of the API, you are pretty much guaranteeing that your plugins will break in a future release, so please don’t do that. :-) We hope to enable all the fun new goodies for public use in a future release.
  • This is the only way it could be prevented any regressions in functionality and usability from WordPress 3.0 to 3.1. That’s right, users and plugin authors can still do everything you used to be able to do (and a little bit more).
  • Because of the code churn between RC2 and RC3, this release candidate needs a lot of testing. Every list screen needs testing. In particular, the comment moderation screen needs testing, especially with keyboard shortcuts (if you didn’t know about those, now’s your chance to try them out).
  • Other fixes in RC3 include:
  • Properly display the author dropdown in Quick Edit
  • Various important fixes to numerous taxonomy query variables
  • Fixes to the theme deletion process
  • Fixes to pages used for posts
  • IIS and Multisite: Avoid resetting web.config on permalink save
  • Properly validate post formats and their rewrite rules

New in version 3.1 RC 2 (January 3rd, 2011)

  • The security fixes included in WordPress 3.0.4
  • Fix issues related to handling a static front page
  • Fixes and enhancements for the pagination buttons
  • Fix searching for partial usernames
  • Properly reactivate plugins after editing them
  • Always show the current author in the author dropdown when editing a post
  • Fixes for attachment taxonomies
  • Fix node removal for the admin bar
  • Fix the custom post type show_in_menu argument
  • Various fixes for right-to-left languages
  • and a few dozen more changes

New in version 3.0.4 (December 30th, 2010)

  • A very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. The release is rated as “critical.”

New in version 3.0.3 (December 9th, 2010)

  • Fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts.
  • These issues only affect sites that have remote publishing enabled.
  • Remote publishing is disabled by default, but you may have enabled it to use a remote publishing client such as one of the WordPress mobile apps. You can check these settings on the “Settings → Writing” screen.

New in version 3.0.2 (December 1st, 2010)

  • Fixes a moderate security issue that could allow a malicious Author-level user to gain further access to the site, addresses a handful of bugs, and provides some additional security enhancements.

New in version 3.0.1 (July 30th, 2010)

  • Fixed 55 tickets total. A break down of ticket status by component can be found in Trac.
  • Added unregister_nav_menu(), for child themes.

New in version 3.0 (June 18th, 2010)

  • Major new features in this release include a sexy new default theme called Twenty Ten. Theme developers have new APIs that allow them to easily implement custom backgrounds, headers, shortlinks, menus (no more file editing), post types, and taxonomies. (Twenty Ten theme shows all of that off.)
  • Developers and network admins will appreciate the long-awaited merge of MU and WordPress, creating the new multi-site functionality which makes it possible to run one blog or ten million from the same installation.
  • As a user, you will love the new lighter interface, the contextual help on every screen, the 1,217 bug fixes and feature enhancements, bulk updates so you can upgrade 15 plugins at once with a single click.

New in version 3.0 RC 1 (May 28th, 2010)

  • Custom menus are finished!
  • Multi-site is all set.
  • The look of the WordPress admin has been lightened up a little bit, so you can focus more on your content.
  • There are a ton of changes, so plugin authors, please test your plugins now, so that if there is a compatibility issue, we can figure it out before the final release.
  • Plugin and theme *users* are also encouraged to test things out. If you find problems, let your plugin/theme authors know so they can figure out the cause.

New in version 3.0 Beta 1 (April 6th, 2010)

  • The custom menus system (Appearance > Menus) is not quite finished. In Beta 2, the layout will be different and a bunch of the functionality will be improved, but we didn’t want to hold things up for this one screen. You can play with making custom menus, and report bugs if you find them, but this is not how the final screen will look/work, so don’t get attached to it.
  • The merge! Yes, WordPress and WordPress MU have merged. This does not mean that you can suddenly start adding a bunch of new blogs from within your regular WordPress Dashboard. If you’re interested in testing the Super Admin stuff associated with multiple sites, you’ll need some simple directions to get started.
  • Fiddling with a few small things in the UI, as we were focused on getting the more function-oriented code finished first. For example, we’re getting a new icon for the Super Admin section.
  • New default theme, Twenty Ten, including the custom background and header options.
  • Custom Post Type functionality has been beefed up. It’s really easy to add new types, so do that and see how it looks!
  • WordPress MU users should test the multiple sites functionality to make sure nothing broke during the merge.

New in version 2.9.2 (February 15th, 2010)

  • There is a problem where logged in users can peek at trashed posts belonging to other authors. If you have untrusted users signed up on your blog and sensitive posts in the trash, you should upgrade to 2.9.2.

New in version 2.9.1 (January 5th, 2010)

  • Addresses a handful of minor issues as well as a rather annoying problem where scheduled posts and pingbacks are not processed correctly due to incompatibilities with some hosts.

New in version 2.9.1 RC 1 (December 30th, 2009)

  • Contains a few more fixes, bringing the number of fixed tickets up to 23.

New in version 2.9.1 Beta 1 (December 28th, 2009)

  • The recent 2.9 release triggered a bug in certain versions of PHP’s curl extension. With these versions of curl, scheduled posts and pingbacks are not processed correctly. This version fixes this problem as well as a handful of other.

New in version 2.9 (December 19th, 2009)

  • The coolest new stuff from a user point of view is:
  • Global undo/”trash” feature, which means that if you accidentally delete a post or comment you can bring it back from the grave (i.e., the Trash). This also eliminates those annoying “are you sure” messages we used to have on every delete.
  • Built-in image editor allows you to crop, edit, rotate, flip, and scale your images to show them who’s boss. This is the first wave of our many planned media-handling improvements.
  • Batch plugin update and compatibility checking, which means you can update 10 plugins at once, versus having to do multiple clicks for each one, and we’re using the new compatibility data from the plugins directory to give you a better idea of whether your plugins are compatible with new releases of WordPress. This should take the fear and hassle out of upgrading.
  • Easier video embeds that allow you to just paste a URL on its own line and have it magically turn it into the proper embed code, with Oembed support for YouTube, Daily Motion, Blip.tv, Flickr, Hulu, Viddler, Qik, Revision3, Scribd, Google Video, Photobucket, PollDaddy, and WordPress.tv (and more in the next release).
  • 2.9 provides the smoothest ride yet because of a number of improvements under the hood and more subtle improvements you’ll begin to appreciate once you’ve been around the block a few times. Here’s just a sampling:
  • We now have rel=canonical support for better SEO.
  • There is automatic database optimization support, which you can enable in your wp-config.php file by adding define('WP_ALLOW_REPAIR', true);.
  • Themes can register “post thumbnails” which allow them to attach an image to the post, especially useful for magazine-style themes.
  • A new commentmeta table that allows arbitrary key/value pairs to be attached to comments, just like posts, so you can now expand greatly what you can do in the comment framework.
  • Custom post types have been upgraded with better API support so you can juggle more types than just post, page, and attachment. (More of this planned for 3.0.)
  • You can set custom theme directories, so a plugin can register a theme to be bundled with it or you can have multiple shared theme directories on your server.
  • We’ve upgraded TinyMCE WYSIWYG editing and Simplepie.
  • Sidebars can now have descriptions so it’s more obvious what and where they do what they do.
  • Specify category templates not just by ID, like before, but by slug, which will make it easier for theme developers to do custom things with categories — like post types!
  • Registration and profiles are now extensible to allow you to collect things more easily, like a user’s Twitter account or any other fields you can imagine.
  • The XML-RPC API has been extended to allow changing the user registration option. We fixed some Atom API attachment issues.
  • Create custom galleries with the new include and exclude attributes that allow you to pull attachments from any post, not just the current one.
  • When you’re editing files in the theme and plugin editors it remembers your location and takes you back to that line after you save. (Thank goodness!!!)
  • The Press This bookmarklet has been improved and is faster than ever; give it a try for on-the-fly blogging from wherever you are on the internet.
  • Custom taxonomies are now included in the WXR export file and imported correctly.
  • Better hooks and filters for excerpts, smilies, HTTP requests, user profiles, author links, taxonomies, SSL support, tag clouds, query_posts and WP_Query

New in version 2.8.6 (November 18th, 2009)

  • Fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.
  • The first problem is an XSS vulnerability in Press This. The second problem is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations.

New in version 2.8.5 (October 21st, 2009)

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where php code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

New in version 2.8.4 (August 13th, 2009)

  • Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
  • We fixed this problem last night and have been testing the fixes and looking for other problems since then.

New in version 2.8.2 (July 21st, 2009)

  • WordPress 2.8.2 fixes an XSS vulnerability.
  • Comment author URLs were not fully sanitized when displayed in the admin.
  • This could be exploited to redirect you away from the admin to another site.

New in version 2.8 (June 12th, 2009)

  • Highlights:
  • New drag-and-drop widgets admin interface and new widgets API
  • Syntax highlighting and function lookup built into plugin and theme editors
  • Browse the theme directory and install themes from the admin
  • Allow the dashboard widgets to be arranged in up to four columns
  • Allow configuring the number of items to show on management pages with an option in Screen Options
  • Support timezones and automatic daylight savings time adjustment
  • Support IIS 7.0 URL Rewrite Module
  • Faster loading of admin pages via script compression and concatenation
  • New Features:
  • User Features:
  • New Theme Installer routines
  • Add CodePress syntax highlighting to Theme and Plugin editors
  • Add Documentation(function) lookup to Theme and Plugin editors
  • Use "Custom Header" for menu text and revise Default theme to reflect change
  • Separate Comments into a separate postbox, from Discussion postbox, on the Edit Post screen
  • Make tags accessible without Javascript on the edit screen
  • Don't ask for confirmation when marking a comment as spam
  • Don't notify post author of own comments
  • Fix comment paging for static front page
  • Allow the dashboard widgets to be arranged in up to four columns as set via the Screen Options tab
  • Make titles into links in Dashboard Right Now module (this was in 2.7.1)
  • Improved Admin icons (grey-to-transparent shadows)
  • Update Blue Admin Color Scheme
  • Press This improvements UI, quoting fixes, plus ability for Contributors to use Press This
  • Add a Cancel Upload button and a Delete link to Administration > Media > Add New
  • Add column "Rating" in Administration > Links > Edit
  • Improve installer to help people entering wrong email addresses
  • Improved Widget user interface
  • Allow editing of all plugin files (Ticket 6732)
  • Improved Plugin search (this was in 2.7.1) on Administration > Plugins > Add New
  • Per Page option for plugins
  • Move "Install a plugin in .zip format" to new Upload tab under Administration > Plugins > Add New
  • Show absolute date instead of relative date for scheduled posts
  • Fix tags suggest for post quick edit and bulk edit
  • Permalink editor changes and fix for pages
  • Autosave post/page when pressing Control/Command+S
  • Add toggle all button to the Gallery tab in the uploader
  • Support more than one gallery on the same page
  • Add per page option to Screen Options for comments, posts, pages, media, categories, and tags
  • Overhaul of LiveJournal importer (also add define WP_IMPORTING)
  • Import category descriptions for Administration > Tools > Import > WordPress
  • Show Tools menu for all users so they can access Turbo
  • Check for new version when visiting Administration > Tools > Upgrade
  • In upgrade process, provide better explanation for database upgrade message
  • Fix most popular link category list
  • Add description field for Tags in Administration > Posts > Tags
  • WAI-ARIA landmark roles to added to WordPress Default theme
  • "Choose a city in the same timezone as you" for Timezone in Administration > Settings > General
  • Remove My Hacks option from Administration > Settings > Miscellaneous
  • Hide email addresses from low privilege users on Administration > Comments
  • Allow case-insensitive logins
  • Login and Registration pages noindex followed
  • Give login screen proper iPhone viewport
  • Enforce unique email addresses in Add/Edit users
  • Make user_nicenames unique during registration
  • Add "Send this password to the new user by email" option to Administration > Users > Add New
  • Don't set user's Website url to http:// in Administration > Users > Add New
  • Add password strength meter to Add User and Edit User
  • Hide things that need to be available to screen readers via offscreen positioning
  • Use invisible class for hiding labels and legends
  • Use a semantic class name for text targeted to screen readers
  • Development, Themes, Plugins:
  • Improved database performance
  • Drop post_category column from wp_posts table, and link_category column from wp_links schemas
  • Fix delete statements to ensure data integrity when innodb and foreign keys are used
  • Enforce consistent ID types to allow for foreign keys to be defined between tables
  • Add Sticky to list of post states
  • Add a filter to the post states list
  • Introduction and widespread use of transient and related filters
  • Add filters so AIM, Yahoo, and Jabber IM labels, in user profile, can be changed
  • Add hook "after_db_upgrade"
  • Add hooks for the Users, Categories, Link Categories, Tags and Comments table columns
  • HTTP API updates and fixes
  • Add support for blocking all outbound HTTP requests
  • Updated List of HTTP status codes (Ticket 9297)
  • Use SimplePie for widget and dashboard feeds
  • Switch to pomo lib. Support gettext contexts. Deprecate long form functions
  • TinyMCE
  • Use Jcrop 0.9.8 for cropping
  • Update pclzip to 2.8
  • Update PHPMailer to 2.0.4
  • Update SWFUpload to
  • Improved performance for script loading
  • Improved archive and calendar queries
  • Cron spawning improvements
  • Timezone enhancements for PHP 5
  • Add WP_Widget class and move native widgets into WP_Widget
  • Allow other taxonomies (e.g. post categories) to be used with wp_tag_cloud (Changeset 10554)
  • Add echo argument to wp_tag_cloud()
  • Allow a plugin to control how many posts are displayed on edit pages
  • Add "style" and "html" arguments to wp_list_authors (Ticket 4420)
  • Add "exclude_tree" argument to wp_list_categories and make exclude behave like exclude_tree when hierarchical is specified--this was actually a 2.7.1 change (Ticket 8614)
  • New Template Tag, the_modified_author (Ticket 9154)
  • Enhanced support for custom taxonomies
  • Put page title before blog name in admin title (Ticket 9028)
  • Use https://api.wordpress.org/secret-key/1.1/ for the WordPress.org secret-key service
  • Various phpDoc updates
  • Refactor filters to avoid potential XSS attacks
  • XMLRPC improvements
  • Improved mysql2date coding
  • Make authentication more pluggable
  • Switch to using the ID when calling get_avatar internally to support caching plugins
  • Allow plugins to provide a canonical redirect_url even if WordPress does not provide its own
  • Drafts have post_date populated now, so look for a zeroed out post_date_gmt to determine non-scheduled nature
  • Fixes to query_posts (obey post_type, drop orderby=category, use group by for meta key queries, remove meta_value from selected fields)
  • New orderby=none parameter for use with query_posts
  • Allow a plugin to filter the classes applied in wp_list_pages()
  • Functions (get_adjacent_post_rel_link() and adjacent_post_rel_link()) to display relational links for adjacent posts in the head (Ticket 8703)
  • Add the sticky post grey background to the default theme
  • Proxy support
  • Let a plugin filter the expanded capabilities returned by map_meta_cap
  • Allow the update period to be filtered in RSS/RDF feeds
  • Store field types in wpdb object
  • Add tag description functions tag_description and term_description
  • Add page class to get_body_class()
  • Deprecate get_catname()
  • Use comments_open() and pings_open() in WordPress Default and Classic themes
  • Add wp_trim_excerpt() filter
  • Consolidate plugin/theme/core upgrade/install functions
  • Add page-id-x class to body for pages
  • Return empty list in wp_list_bookmarks() if requested bookmark category does not exist
  • Allow menu reordering via plugin
  • Add hook for updating user profile
  • Add redirect argument to wp_loginout
  • Add wp_lostpassword_url (Ticket 9932)
  • Add get_the_author_meta() and the_author_meta() functions
  • Deprecate the_author_ID, the_author_login, the_author_firstname, the_author_lastname, the_author_nickname, the_author_email, the_author_url, the_author_aim, the_author_yim, the_author_mns, the_author_description and all their "get_*()" functions. (The full list at wp-includes/deprecated.php)
  • Let plugins use screen layout columns
  • Add labels to titles and text inputs
  • Add hook for adding info to plugin update message
  • Don't do core version check from front page loads
  • Allow a plugin to vary the comment cookie lifetime (or even remove the cookies altogether)
  • Allow plugin to replace just the default help while preserving the contextual help
  • New escaping naming convention Ticket 9650
  • Deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security (ref. Development Updates)
  • Deprecate sanitize_url() and clean_url() in favor of esc_url_raw() and esc_url() (ref. Development Updates)
  • Add number/offset arguments to get_pages() (same parameters can be used for wp_list_pages()
  • Make login more pluggable
  • Add the_widget() function to output a generic widget anywhere in a template (Ticket 9701)
  • Allow plugins to override tz support enable/disable
  • Fix combining category and tag queries
  • Support IIS 7.0 URL Rewrite Module
  • Recognize Expression Web 2 as IIS
  • Allow multiple search form templates
  • Introduce sanitize_html_class() and use it to give categories, tags, users etc meaningful classnames where possible but fallback to the id if necessary (Ticket 8446)
  • Allow a different role to be set for users when they are created in a call to wp_insert_user()
  • Improve Filesystem method choice for 'direct'; introduce FS_METHOD constant
  • Add a hook in print_footer_scripts as in print_head_scripts
  • Add a comment_moderation_headers filter
  • Move upload_dir filter to before directory is created, so plugins can have a better effect
  • Pass name to sidebar, footer, and header get actions
  • Upgrader improvements, including move curl to last position and fockopen to 2nd position due to higher compatibility
  • Updated Trac
  • Advanced Features:
  • JS script loader Improvements:
  • jQuery 1.3.2
  • Improvements to the script loader: allows plugins to queue scripts for the front end head and footer, adds hooks for server side caching of compressed scripts, adds support for ENFORCE_GZIP constant (deflate is used by default since it's faster)
  • Load the minified versions of the scripts by default, define('SCRIPT_DEBUG', true); can be used to load the development versions
  • Remove events from categories chechboxes in quick edit to speed up page unload
  • Make simple form validation and ajax-add new categories compatible with jQuery 1.3.1
  • Load farbtastic.js has to be loaded in the head
  • Note: see Lester Chan's Loading Javascript in Footer blog and Andrew Ozz's Script Loader Updates blog
  • New Widgets API:
  • WP_Widget is a class that abstracts away much of the complexity involved in writing a widget, especially multi-widgets.
  • Basically, you extend WP_Widget with your own class that provides a constructor and three methods -- widget(), form(), and update().
  • widget() - outputs the actual content of the widget.
  • update() - processes options to be saved.
  • form() - outputs the options form.
  • A widget is registered by passing the name of the widget class to register_widget().
  • All widgets written with WP_Widget are multiple instance capable.
  • Options
  • Options for old single-instance widgets ported to WP_Widget will be upgraded to the new multi-option storage format, which is simply a multi-dimensional array keyed by instance ID.
  • Options for widgets using the old multi-instance pattern should work as is.
  • If your widget has custom option storage needs, you can provide your own get_settings() and save_settings() methods.
  • The WP_Widget source can be viewed here (read the phpdoc for moreinfo on usage): http://core.trac.wordpress.org/browser/trunk/wp-includes/widgets.php
  • You can see examples of how to use it here: http://core.trac.wordpress.org/browser/trunk/wp-includes/default-widgets.php
  • If you author any widgets, try porting them to WP_Widget and give your feedback on what can be improved an Trac Ticket 8441.
  • Props to the MultiWidget class, on which WP_Widget is based: http://blog.firetree.net/2008/11/30/wordpress-multi-widget/
  • The above extracted from Ryan Boren's wp-hackers post.
  • Menu reordering via plugin:
  • Example plugin demonstrates menus with Dashboard, Posts, and Comments in the first menu group. The remaining menus follow in their usual order.
  • When filtering the order array, any menus that are not mentioned in the array will be sorted after ones that are mentioned.
  • Unmentioned menus are sorted in their usual order, relative to other unmentioned menus.
  • Information extracted from Ryan Boren's comments on Trac Ticket 9652