WordPress 5.5.2 is now available!
This security and maintenance release features 14 bug fixes in addition to 10 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.
WordPress 5.5.2 is a short-cycle security and maintenance release. The next major release will be version 5.6.
You can download WordPress 5.5.2 from WordPress.org, or visit your Dashboard → Updates and click Update Now.
If you have sites that support automatic background updates, they’ve already started the update process.
Ten security issues affect WordPress versions 5.5.1 and earlier. If you haven’t yet updated to 5.5, all WordPress versions since 3.7 have also been updated to fix the following security issues:
- Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
- Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
- Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
- Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
- Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
- Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
- Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
- Thanks to Erwan LR from WPScan who responsibly disclosed a method that could lead to CSRF.
- And a special thanks to @zieladam who was integral in many of the releases and patches during this release.
Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.
For more information, browse the full list of changes on Trac, or check out the version 5.5.2 HelpHub documentation page.
Thanks and props!
The 5.5.2 release was led by @whyisjake and the following release squad: @audrasjb, @davidbaumwald, @desrosj, @johnbillion, @metalandcoffee, @noisysocks, @planningwrite, @sarahricker and @sergeybiryukov.
In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.5.2 happen:
Aaron Jorbin, Alex Concha, Amit Dudhat, Andrey “Rarst” Savchenko, Andy Fragen, Ayesh Karunaratne, bridgetwillard, Daniel Richards, David Baumwald, Davis Shaver, dd32, Florian TIAR, Hareesh, Hugh Lashbrooke, Ian Dunn, Igor Radovanov, Jake Spurlock, Jb Audras, John Blackbourn, Jonathan Desrosiers, Jon Brown, Joy, Juliette Reinders Folmer, kellybleck, mailnew2ster, Marcus Kazmierczak, Marius L. J., Milan Dinić, Mohammad Jangda, Mukesh Panchal, Paal Joachim Romdahl, Peter Wilson, Regan Khadgi, Robert Anderson, Sergey Biryukov, Sergey Yakimov, Syed Balkhi, szaqal21, Tellyworth, Timi Wahalahti, Timothy Jacobs, Towhidul I. Chowdhury, Vinayak Anivase, and zieladam.
For many years, WordPress enthusiasts have filled out an annual survey to share their experiences and feelings about WordPress. Interesting results from this survey have been shared in the annual State of the Word address and/or here on WordPress News.
This survey helps those who build WordPress understand more about how the software is used, and by whom. The survey also helps leaders in the WordPress open source project learn more about our contributors’ experience.
To ensure that your WordPress experience is represented in the 2020 survey results,
You can also take the survey in French, German, Japanese, Russian, and Spanish! The survey will be open for at least 6 weeks, and results will be posted on this blog.
2019 Survey Results
The 2019 survey included some new questions to better understand why people continue to use WordPress as their preferred CMS, as well as a section directed toward WordPress contributors. For the first time in 2019, this survey was translated into 5 different languages: French, German, Japanese, Russian, and Spanish.
The first WordPress Contributor Survey was conducted in 2015, but unfortunately the results were never published. This report includes Contributor Survey results from both 2015 and 2019.
Major groups in the survey included: WordPress Professionals, WordPress Users, and Others.
The WordPress Professionals group consists of those who: work for a company that designs/develops websites; use WordPress to build websites and/or blogs for others; design or develop themes, plugins, or other custom tools for WordPress sites; or are a designer, developer, or other web professional working with WordPress.
This WordPress Professionals group is further divided into WordPress Company Pros (those who work for a company that designs/develops websites) and WordPress Freelancers/Hobbyists (all other professional types) subgroups.
The WordPress User group consists of those who: own or run a blog that is built with WordPress; own or run a website that is built with WordPress; write for or contribute to a blog/website that is built with WordPress; use WordPress for school as a teacher; use WordPress for school as a student, or are learning to build websites using WordPress.
The Others group consists of those who did not self-identify with any of the options provided for the question, “Which of the following best describes how you use WordPress?”
2019 Survey Results Summary
WordPress remains the platform of choice for future projects among those surveyed. Overwhelmingly, the reasons cited for this are that WordPress is the CMS people already know, and that the community supporting it is valuable. Professionals and users report similar levels of frustration with updates and Gutenberg. Both groups also love the ease of use they find in WordPress.
The number of professionals who report providing a heavily customized experience to clients has increased substantially, while at the same time the amount of time reported on creating those sites has decreased. Regardless of frustrations felt with various features, this seems to indicate that ease of use has been on the rise.
More details on sentiment, usage, and other interesting topics are available in the report: check it out!
Before you go: take the 2020 Survey!
Knowing why and how people use WordPress helps those who build WordPress to keep your needs and preferences in mind.
Like last year, the 2020 survey will be promoted via a banner on WordPress.org, as well as by WordPress enthusiasts. Each of the translated surveys will be promoted through banners on their associated localized-language WordPress.org sites. Please encourage your WordPress pals and social media followers to take the survey too!
To ensure your WordPress experience is represented in the 2020 survey results… don’t delay!
(Also available in French, German, Japanese, Russian, and Spanish!)
WordPress 5.6 beta 2 is now available for testing!
This software is still in development, so we recommend that you run this version on a test site.
You can test the WordPress 5.6 beta in two ways:
WordPress 5.6 is slated for release on December 8, 2020, and we need your help to get there!
Thank you to all of the contributors that tested the beta 1 development release and provided feedback. Testing for bugs is an important part of polishing each release and a great way to contribute to WordPress.
Since beta 1, 53 bugs have been fixed. Here is a summary of a few changes included in beta 2:
- 6 additional bugs have been fixed in the block editor (see #26442).
- Unified design for search forms and results across the admin (#37353).
- Exposed the embed Gutenberg block to Core (#51531).
- Updated Twemoji (#51356), React (#51505), and Akismet versions (#51610).
- Added accessibility improvements (among other things) to Application Passwords (#51580).
- Added indicator to image details for images attached to a site option (#42063).
WordPress 5.6 has lots of refinements to the developer experience as well. To keep up, subscribe to the Make WordPress Core blog and pay special attention to the developers’ notes for updates on those and other changes that could affect your products.
How to Help
If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you!
If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.
WordPress 5.6 Beta 1 is now available for testing!
This software is still in development, so we recommend that you run this version on a test site.
You can test the WordPress 5.6 beta in two ways:
The current target for final release is December 8, 2020. This is just seven weeks away, so your help is needed to ensure this release is tested properly.
Improvements in the Editor
WordPress 5.6 includes seven Gutenberg plugin releases. Here are a few highlighted enhancements:
- Improved support for video positioning in cover blocks.
- Enhancements to Block Patterns including translatable strings.
- Character counts in the information panel, improved keyboard navigation, and other adjustments to help users find their way better.
- Improved UI for drag and drop functionality, as well as block movers.
To see all of the features for each release in detail check out the release posts: 8.6, 8.7, 8.8, 8.9, 9.0, 9.1, and 9.2 (link forthcoming).
Improvements in Core
A new default theme
The default theme is making its annual return with Twenty Twenty-One. This theme features a streamlined and elegant design, which aims to be AAA ready.
Auto-update option for major releases
The much anticipated opt-in for major releases of WordPress Core will ship in this release. With this functionality, you can elect to have major releases of the WordPress software update in the background with no additional fuss for your users.
Increased support for PHP 8
The next major version release of PHP, 8.0.0, is scheduled for release just a few days prior to WordPress 5.6. The WordPress project has a long history of being compatible with new versions of PHP as soon as possible, and this release is no different.
Because PHP 8 is a major version release, changes that break backward compatibility or compatibility for various APIs are allowed. Contributors have been hard at work fixing the known incompatibilities with PHP 8 in WordPress during the 5.6 release cycle.
While all of the detectable issues in WordPress can be fixed, you will need to verify that all of your plugins and themes are also compatible with PHP 8 prior to upgrading. Keep an eye on the Making WordPress Core blog in the coming weeks for more detailed information about what to look for.
Application Passwords for REST API Authentication
Since the REST API was merged into Core, only cookie & nonce based authentication has been available (without the use of a plugin). This authentication method can be a frustrating experience for developers, often limiting how applications can interact with protected endpoints.
With the introduction of Application Passwords in WordPress 5.6, gone is this frustration and the need to jump through hoops to re-authenticate when cookies expire. But don’t worry, cookie and nonce authentication will remain in WordPress as-is if you’re not ready to change.
Application Passwords are user specific, making it easy to grant or revoke access to specific users or applications (individually or wholesale). Because information like “Last Used” is logged, it’s also easy to track down inactive credentials or bad actors from unexpected locations.
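As an added illustration of the credential review described above (not code from WordPress or from this post), the following Python sketch flags application passwords that are inactive, never used, or last used from outside an expected network. It assumes records shaped like the per-user application-passwords REST response in released WordPress 5.6 (`uuid`, `name`, `created`, `last_used`, `last_ip`); the sample records, the `audit` function, the allowed network and the 60-day threshold are all constructed for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (assumed field names, made-up values).
SAMPLE = [
    {"uuid": "00000000-0000-4000-8000-000000000001", "name": "ci-deploy",
     "created": "2020-11-02T09:00:00", "last_used": "2021-03-01T08:15:00",
     "last_ip": "192.0.2.10"},
    {"uuid": "00000000-0000-4000-8000-000000000002", "name": "old-mobile-app",
     "created": "2020-11-05T10:00:00", "last_used": "2020-11-20T10:00:00",
     "last_ip": "192.0.2.44"},
    {"uuid": "00000000-0000-4000-8000-000000000003", "name": "reporting",
     "created": "2020-12-01T10:00:00", "last_used": "2021-02-27T23:40:00",
     "last_ip": "203.0.113.77"},
    {"uuid": "00000000-0000-4000-8000-000000000004", "name": "never-used",
     "created": "2020-12-15T10:00:00", "last_used": None, "last_ip": None},
]


def audit(records, now, allowed_nets, max_idle_days=60):
    """Return {uuid: [findings]} for credentials worth reviewing or revoking."""
    nets = [ip_network(n) for n in allowed_nets]
    cutoff = now - timedelta(days=max_idle_days)
    findings = {}
    for rec in records:
        issues = []
        last_used = rec.get("last_used")
        if last_used is None:
            # Never used: judge idleness from the creation time instead.
            if datetime.fromisoformat(rec["created"]) < cutoff:
                issues.append("never-used")
        elif datetime.fromisoformat(last_used) < cutoff:
            issues.append("inactive")
        ip = rec.get("last_ip")
        # A last-use address outside every expected network needs a look.
        if ip and not any(ip_address(ip) in net for net in nets):
            issues.append("unexpected-ip")
        if issues:
            findings[rec["uuid"]] = issues
    return findings


if __name__ == "__main__":
    now = datetime(2021, 3, 2)
    for uuid, issues in audit(SAMPLE, now, ["192.0.2.0/24"]).items():
        print(uuid, ", ".join(issues))
```

Because each application password has its own UUID, a flagged entry can be revoked on its own without touching the user's main password or other applications.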
With every release, WordPress works hard to improve accessibility. Version 5.6 is no exception and will ship with a number of accessibility fixes and enhancements. Take a look:
- Announce block selection changes manually on Windows.
- Avoid focusing the block selection button on each render.
- Avoid rendering the clipboard textarea inside the button.
- Fix dropdown menu focus loss when using arrow keys with Safari and VoiceOver.
- Fix dragging multiple blocks downwards, which resulted in blocks inserted in wrong position.
- Fix incorrect aria description in the Block List View.
- Add arrow navigation in Preview menu.
- Prevent links from being focusable inside the Disabled component.
How You Can Help
Keep your eyes on the Make WordPress Core blog for 5.6-related developer notes in the coming weeks, breaking down these and other changes in greater detail.
So far, contributors have fixed 188 tickets in WordPress 5.6, including 82 new features and enhancements, and more bug fixes are on the way.
Do some testing!
Testing for bugs is an important part of polishing the release during the beta stage and a great way to contribute.
If you think you’ve found a bug, please post to the Alpha/Beta area in the support forums. We would love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac. That’s also where you can find a list of known bugs.
Props to @webcommsat, @yvettesonneveld, @estelaris, @cguntur, @desrosj, and @marybaum for editing/proofreading this post, and @davidbaumwald for final review.
This month was characterized by some exciting announcements from the WordPress core team! Read on to catch up with all the WordPress news and updates from September.
WordPress 5.5.1 Launch
On September 1, the Core team released WordPress 5.5.1. This maintenance release included several bug fixes for both core and the editor, and many other enhancements. You can update to the latest version directly from your WordPress dashboard or download it directly from WordPress.org. The next major release will be version 5.6.
Want to be involved in the next release? You can help to build WordPress Core by following the Core team blog, and joining the #core channel in the Making WordPress Slack group.
Gutenberg 9.1, 9.0, and 8.9 are out
The core team launched version 9.0 of the Gutenberg plugin on September 16, and version 9.1 on September 30. Version 9.0 features some useful enhancements — like a new look for the navigation screen (with drag and drop support in the list view) and modifications to the query block (including search, filtering by author, and support for tags). Version 9.1 adds improvements to global styles, along with improvements for the UI and several blocks. Version 8.9 of Gutenberg, which came out earlier in September, enables the block-based widgets feature (also known as block areas, and was previously available in the experiments section) by default — replacing the default WordPress widgets to the plugin. You can find out more about the Gutenberg roadmap in the What’s next in Gutenberg blog post.
Want to get involved in building Gutenberg? Follow the Core team blog, contribute to Gutenberg on GitHub, and join the #core-editor channel in the Making WordPress Slack group.
Twenty Twenty One is the WordPress 5.6 default theme
Twenty Twenty One, the brand new default theme for WordPress 5.6, has been announced! Twenty Twenty One is designed to be a blank canvas for the block editor, and will adopt a straightforward, yet refined, design. The theme has a limited color palette: a pastel green background color, two shades of dark grey for text, and a native set of system fonts. Twenty Twenty One will use a modified version of the Seedlet theme as its base. It will have a comprehensive system of nested CSS variables to make child theming easier, a native support for global styles, and full site editing.
Follow the Make/Core blog if you wish to contribute to Twenty Twenty One. There will be weekly meetings every Monday at 15:00 UTC and triage sessions every Friday at 15:00 UTC in the #core-themes Slack channel. Theme development will happen on GitHub.
- WordPress plugin authors can now opt into confirming plugin updates via email. This feature will allow plugin authors to approve any plugin updates over email before release.
- September was the busiest month for online WordCamps so far, with seven events taking place: WordCamp Ogijima Online, WordCamp Colombia Online, WordCamp Asheville, NC USA, WordCamp São Paulo, Brazil, WordCamp Virginia Beach, WordCamp Lima Peru, and WordCamp Philadelphia, PA, USA. You can find live stream recaps of these events on their websites. The camps are also in the process of uploading their videos to WordPress.tv. Check out the WordCamp Schedule to follow upcoming online WordCamps!
- The Themes team has added a delist feature to the themes directory. The feature will allow a theme to be temporarily hidden from search, while still making it available. The team may delist themes if they violate the Theme Directory guidelines.
- The Themes Team has also released its new web fonts Loader project. The webfonts loader will allow theme developers to load web fonts from the user’s site, rather than through a third-party CDN. The project lives in the team’s GitHub repository.
- The Support team is discussing the level of control users should have over their support forum topics. The team is thinking of allowing users to archive their topics and lengthen time-to-edit to remove any semi-sensitive data. In a separate, but related, post, Support team members have started discussing how to curb support requests for commercial products.
- The Mobile team came up with a proposal for dual licensing Gutenberg under GPL 2.0 and MPL (Mozilla Public License) 2.0, so that non-WordPress software developers can potentially use it for their projects.
- Since Facebook and Instagram are deprecating oEmbeds, the Core Team will be removing Facebook and Instagram’s oEmbed endpoints from WordPress core code.
- Following extensive discussion, the Documentation team has tentatively decided to allow external and commercial links in the WordPress documentation. The team aims to publish a formal proposal that will be left open for feedback before finalizing it.
- Members of the Polyglots and Marketing teams are celebrating the International Translation Day for WordPress over the week of September 28 – October 4! Community members can join or organize translation events, or contribute to WordPress core, theme, or plugin translations during this period.
WP Accessibility Day, a 24-hour global online event dedicated to addressing website accessibility in WordPress, is being held on October 2. The event is open to all and has experts from all over the world as speakers.
Have a story that we should include in the next “Month in WordPress” post? Please submit it here.