The most popular website creation platform is constantly evolving from one release to the next. However, if you want to test an older version of WordPress, or are simply interested in the progression of WordPress, you can still review old release history.
This article will outline major security and version releases within WordPress 4.0, or “Benny,” – which was released on September 4, 2014. You can read more about WordPress 4 on WordPress.org. Continue reading to learn more about the WordPress release history for WordPress 4.
- WordPress 4.1
- WordPress 4.2
- WordPress 4.3
- WordPress 4.4
- WordPress 4.5
- WordPress 4.7
- WordPress 4.8
- WordPress 4.9
Say goodbye to slow loading times and hello to high-performance websites with our new WordPress VPS Hosting plans. Experience 40x faster WordPress page load speeds on purpose-built servers that guarantee 99.99% uptime.
High-Performance VPS Fully-Managed Support Free SSL & Dedicated IP Advanced Server Caching
WordPress 4.1
Security WordPress Update 4.1.2
Why was this update released?
WordPress versions 4.1.1 and earlier were affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team. Three other security issues were also fixed:
- In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
- In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
- Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.
WordPress 4.2
Major Version Release: WordPress 4.2
WordPress 4.2 – nicknamed “Powell” – was available for download on April 23, 2015. The version is named after Bud Powell, a legendary American jazz pianist. Here is a list of the major feature revisions:
- Improved Press This from the Tools Menu – This allows you to add the function to your browser bookmark bar or mobile device home screen so that you can quickly and easily share content such as video, images, or website pages.
- Extended Character Support – Version 4.2 now supports native Chinese, Japanese, and Korean characters, as well as musical and mathematical symbols and hieroglyphs. They have also added emojis!
- Switch themes in the Customizer – You can now directly switch and preview themes from the Customizer.
- Support for more embeds – Links from Tumblr and Kickstarter can now be embedded within the editor.
- Streamlined Plugin Updates – Updates for plugins have been streamlined and simplified.
There were also additions to WordPress 4.2 under the hood. These included:
- utf8mb4 support – Database character encoding changed from utf8 to utf8mb4, which adds support for a whole range of new 4-byte characters.
- JavaScript accessibility – You can now send audible notifications to screen readers in JavaScript with wp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.
- Shared term splitting – Terms shared across multiple taxonomies will be split when one of them is updated.
- Complex query ordering – WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.
Security WordPress Update 4.2.1
Why was this update released?
The WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.
WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.
You can read more from the official WordPress site.
Security WordPress Update 4.2.2
Why was this update released?
This security release addresses two major issues. WordPress states the following:
- “The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.”
- “WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi.”
“The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.”
You can read the official announcement at the WordPress.org site.
Security WordPress Update 4.2.3
Why was this update released?
This security update corrects a cross-site scripting vulnerability, which would allow an anonymous user to exploit a site. The security release also includes a fix for an issue where it was possible for a user with “Subscriber” permissions to create a draft using Quick Draft. This new release also has roughly 20 fixes for bugs previously reported. Information on the bugs and their fixes can be seen here.
Security WordPress Update 4.2.4
Why was this update released?
This security update corrects six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, a fix for a potential timing side-channel attack, and prevents an attacker from locking a post from being edited. The security release also fixes four bugs. You can review the release notes for more information. Information on the bugs and their fixes can be seen here.
WordPress 4.3
Major Version Release: WordPress 4.3
WordPress 4.3 – nicknamed “Billie” after jazz singer Billie Holiday – was available for download in August of 2015. The new features of WordPress 4.3 include:
- Formatting shortcuts available in the post/page editor
- Add menus from the Customizer
- Add favicons (called site icons by WordPress) directly in the WordPress administrator
- Improved interface to create better passwords for yourself and your users
- Comments are turned off by default in pages
Security WordPress Update 4.3.1
Why was this update released?
According to the official WordPress news post, “This release addresses a cross-site scripting vulnerability.“
WordPress 4.4
Major Version Release: WordPress 4.4
WordPress version 4.4 – nicknamed “Clifford” after jazz musician Clifford Brown – was released on December 8, 2015. In this release, the database version was 35700.
Below we highlight features of the 4.4 release. For full information, be sure to check out the WordPress blog and the 4.4 changelogs.
Twenty Sixteen Theme – New to this version is the Twenty Sixteen default theme. This theme is a classic design that is built to look great on any device.
Responsive Images – WordPress ensures that your themes will work across any device by smartly resizing them as needed.
Embedding – As of this version, WordPress has become an oEmbed provider. This allows oEmbed consumers to embed posts directly from WordPress sites. More oEmbed provider support has been added as well.
Under the hood:
REST API infrastructure – WordPress has integrated infrastructure for the REST API directly into the core. This means that developers can extend RESTful APIs on top of WordPress. This is the first part of a multi-stage rollout.
Term meta – Metadata support for terms has now been added, just like posts.
Comment query improvements – To increase performance, cache handling has been added to comment queries.
Term, comment, and network objects – New objects were created to interact with terms, comments, and networks.
Security WordPress Update 4.4.1
Why was this update released?
According to the official WordPress news post, this release addresses a cross-site scripting vulnerability.
Security WordPress Update 4.4.2
Why was this update released?
The official WordPress.org post indicated that this was a security and maintenance release. There were two security issues addressed and 17 bugs from version 4.4 and 4.4.1. Please see list of changes for a comprehensive view of what was changed.
WordPress 4.5
Security WordPress Update 4.5.1
Why was this update released?
This maintenance release addresses 12 identified bugs in WordPress. For more detailed information, see the full version information listed here.
WordPress 4.7
Major Version Release: WordPress 4.7
WordPress 4.7 included many new features such as a brand new twenty seventeen theme, additional theme customizing tools, better PDF support, changes to REST API, expanded language options for users, increased functionality for the Customizer, and many more. WordPress also reports that “Over 447 bugs, 165 enhancements, 8 feature requests, and 15 blessed tasks have been marked as fixed in WordPress 4.7.“
Additional information:
Security WordPress Update 4.7.1
Why was this update released?
This security and maintenance release corrected the following issues as per official WordPress release information:
- Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was reported to PHPMailer by Dawid Golunski and Paul Buonopane.
- The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
- Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
- Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
- Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
- A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
- Weak cryptographic security for multisite activation key. Reported by Jack.
Additionally, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the release notes or consult the list of changes.
Security WordPress Update 4.7.2
Why was this update released?
WordPress has released version 4.7.2. This release addresses three main security issues:
- The user interface for assigning taxonomy terms in Press This – users without permission are seeing it
- SQL injection in the WP_Query table – The wp_query table is vulnerable when passing unsafe data.
- Cross-site scripting (XSS) – vulnerability was discovered in the posts list table
For more specific information concerning the security fixes, please go to the WordPress 4.7.2 Security Release page.
Security WordPress Update 4.7.3
Why was this update released?
WordPress has released version 4.7.3. This release addresses six main security issues (source):
- Cross-site scripting (XSS) via media file metadata.
- Control characters can trick redirect URL validation.
- Unintended files can be deleted by administrators using the plugin deletion functionality.
- Cross-site scripting (XSS) via video URL in YouTube embeds.
- Cross-site scripting (XSS) via taxonomy term names.
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
Security WordPress Update 4.7.5
Why was this update released?
WordPress has released a security and maintenance version (4.7.5) that addresses the following issues:
- Insufficient redirect validation in the HTTP class
- Improper handling of post metadata values in the XML-RPC API
- Lack of capability checks for post metadata in the XML-RPC API
- A Cross Site Request Forgery (CRSF) vulnerability in the file system credentials dialog
- A cross-site scripting (XSS) vulnerability uploading very large files
- A cross-site scripting (XSS) vulnerability when using the Customizer
WordPress 4.7.5 also includes 3 maintenance fixes for the 4.7 releases.
WordPress 4.8
Major Version Release: WordPress 4.8
WordPress 4.8 includes many new widget features such as the Image, Video, Audio, and Rich Text Widgets. You can read more about them on the official WordPress blog post.
Security WordPress Update 4.8.3
Why was this update released?
WordPress 4.8.3 is a security release. Here is a summary of the updates:
- Addresses issues of unsafe queries and potential SQL injection using $wpdb->prepare()
- Increased security for WordPress core to prevent vulnerabilities
- Behavior change for the esc_sql() function
WordPress 4.9
Major Version Release: WordPress 4.9
WordPress version 4.9 was named “Tipton” after the jazz musician and bandleader Billy Tipton. The updates included changes to the customizer workflow, code error checking, widgets, theme switching, and developer improvements. Here’s a quick summary list of the updates in version 4.9:
Customizer Workflow Improvements
- Draft and schedule Site design customizations
- Design preview links
- Design locking to prevent accidental changes
- Prompt to save changes after unattended time periods
Coding Enhancements
- Syntax highlighting and error checking
- Sandbox to help avoid errors when working with themes and plugin code
- Warning when directly editing themes or plugins
Widget Updates
- Add a gallery via widget
- Add Media button widget
Site Building Improvements
- Persistent menu and widget placement when switching themes
- Find and Preview Themes
- Better menu instructions
The new Gutenberg Editor
The new editor makes the page and post building experience effortless. The “blocks” structure allows you to easily complete tasks that use to take shortcodes or custom HTML.
WordPress is constantly evolving! Stay up to date with the latest WordPress news and releases to keep your website modern and secure!