Aug 6, 2012

Tech News: WordPress ‘Hardens Up’ With Release of Version 3.4.1

WordPress users can now apply maintenance and security fixes by updating to WordPress 3.4.1. The new version was released just two weeks after WordPress 3.4 and already addresses 18 bugs. WordPress 3.4, named “Green” in honor of guitarist Grant Green, included many improvements for users such as theme customization, custom headers and Twitter embeds. It also supports HTML in image captions. WordPress notes that with the new theme customizer, users can experiment with the look of their page without the changes being published automatically to the Web. Additionally, users are able to change colors, backgrounds and custom image headers. According to an official WordPress blog post,[1] WordPress 3.4 also made some under-the-hood improvements, including:
  • Different split in translation POT files for faster translations
  • Code XML-RPC information update accessed via XML-RPC_WordPress_API
  • Improvements in WordPress internationalization and localization
  • WP_Query improvements
Although WordPress says it has been a “very smooth” release with nearly 3 million downloads in two weeks, version 3.4.1 was already a much-needed release. In a blog post on June 27, WordPress listed six of the 18 bugs corrected in version 3.4.1:
  • Fixes an issue where a theme’s page templates sometimes went undetected.
  • Addresses problems with some category permalink structures.
  • Plugins or themes loading JavaScript incorrectly are now better handled.
  • Adds early support for uploading images on iOS 6 devices.
  • Provides a new commonly used technique for plugins to detect a network-wide activation.
  • More compatible with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or prevented emails from being sent.
Along with fixing several security issues, version 3.4.1 further hardens the software. According to Andrew Nacin, core developer for WordPress, “The vulnerabilities included potential information disclosures as well as a bug that affects multisite installs and untrusted users,” adding, “These issues were discovered and fixed by the WordPress security team.” Additional security issues addressed, according to WordPress, include:
  • “CSRF: Additional CSRF protection in the customizer;
  • Information Disclosure: Disclosure of post contents to authors and contributors (private or draft posts);
  • Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information;
  • Hardening: Require a child theme to be activated with its intended parent only.”
If developers find any other bugs in WordPress 3.4, they are asked to write a reproducible bug report and file it on WordPress Trac.
[1] Official WordPress Blog