This maintenance release fixes an issue introduced in WordPress 5.5.2 which makes it impossible to install WordPress on a brand new website that does not have a database connection configured. This release does not affect sites where a database connection is already configured, for example, via one-click installers or an existing wp-config.php file.
5.5.3-alpha Issue
Earlier today — between approximately 15:30 and 16:00 UTC — the auto-update system for WordPress updated some sites from version 5.5.2 to version 5.5.3-alpha. This auto-update was due to an error in the Updates API caused by the 5.5.3 release preparations (see more here). The 5.5.3-alpha version at this point was functionally identical to 5.5.2 as no development work had been started on 5.5.3; however, the following changes may have been made to your site:
The default “Twenty” themes installed as part of the pre-release package.
The “Akismet” plugin installed as part of the pre-release package.
These themes and plugins were not activated and therefore remain non-functional unless you installed them previously. It is safe to delete these features should you prefer not to use them.
If you are not on 5.5.2, or have auto-updates for minor releases disabled, please manually update to the 5.5.3 version by downloading WordPress 5.5.3 or visiting Dashboard → Updates and click “Update Now.”
This security and maintenance release features 14 bug fixes in addition to 10 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.
WordPress 5.5.2 is a short-cycle security and maintenance release. The next major release will be version 5.6.
You can download WordPress 5.5.2 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.
If you have sites that support automatic background updates, they’ve already started the update process.
Security Updates
Ten security issues affect WordPress versions 5.5.1 and earlier. If you haven’t yet updated to 5.5, all WordPress versions since 3.7 have also been updated to fix the following security issues:
Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
Thanks to Erwan LR from WPScan who responsibly disclosed a method that could lead to CSRF.
And a special thanks to @zieladam who was integral in many of the releases and patches during this release.
Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.
For many years, WordPress enthusiasts have filled out an annual survey to share their experiences and feelings about WordPress. Interesting results from this survey have been shared in the annual State of the Word address and/or here on WordPress News.
This survey helps those who build WordPress understand more about how the software is used, and by whom. The survey also helps leaders in the WordPress open source project learn more about our contributors’ experience.
To ensure that your WordPress experience is represented in the 2020 survey results,
You can also take the survey in French, German, Japanese, Russian, and Spanish! The survey will be open for at least 6 weeks, and results will be posted on this blog.
The 2019 survey included some new questions to better understand why people continue to use WordPress as their preferred CMS, as well as a section directed toward WordPress contributors. For the first time in 2019, this survey was translated into 5 different languages: French, German, Japanese, Russian, and Spanish.
The first WordPress Contributor Survey was conducted in 2015, but unfortunately the results were never published. This report includes Contributor Survey results from both 2015 and 2019.
Survey Segments
Major groups in the survey included: WordPress Professionals, WordPress Users, and Others.
The WordPress Professionals group consists of those who: work for a company that designs/develops websites; use WordPress to build websites and/or blogs for others; design or develop themes, plugins, or other custom tools for WordPress sites; or are a designer, developer, or other web professional working with WordPress.
This WordPress Professionals group is further divided into WordPress Company Pros (those who work for a company that designs/develops websites) and WordPress Freelancers/Hobbyists (all other professional types) subgroups.
The WordPress User group consists of those who: own or run a blog that is built with WordPress; own or run a website that is built with WordPress; write for or contribute to a blog/website that is built with WordPress; use WordPress for school as a teacher; use WordPress for school as a student, or are learning to build websites using WordPress.
The Others group consists of those who did not self-identify with any of the options provided for the question, “Which of the following best describes how you use WordPress?”
2019 Survey Results Summary
WordPress remains the platform of choice for future projects among those surveyed. Overwhelmingly, the reasons cited for this are that WordPress is the CMS people already know, and that the community supporting it is valuable. Professionals and users report similar levels of frustration with updates and Gutenberg. Both groups also love the ease of use they find in WordPress.
The number of professionals who report providing a heavily customized experience to clients has increased substantially, while at the same time the amount of time reported on creating those sites has decreased. Regardless of frustrations felt with various features, this seems to indicate that ease of use has been on the rise.
More details on sentiment, usage, and other interesting topics are available in the report: check it out!
Before you go: take the 2020 Survey!
Knowing why and how people use WordPress helps those who build WordPress to keep your needs and preferences in mind.
The survey will be open for at least 6 weeks, and results will be published on this blog. All data will be anonymized: no email addresses or IP addresses will be associated with published results. To learn more about WordPress.org’s privacy practices, check out the privacy policy.
Like last year, the 2020 survey will be promoted via a banner on WordPress.org, as well as by WordPress enthusiasts. Each of the translated surveys will be promoted through banners on their associated localized-language WordPress.org sites. Please encourage your WordPress pals and social media followers to take the survey too!
To ensure your WordPress experience is represented in the 2020 survey results… don’t delay!
WordPress 5.6 is slated for release on December 8, 2020, and we need your help to get there!
Thank you to all of the contributors that tested the beta 1 development release and provided feedback. Testing for bugs is an important part of polishing each release and a great way to contribute to WordPress.
Some highlights
Since beta 1, 53 bugs have been fixed. Here is a summary of a few changes included in beta 2:
6 additional bugs have been fixed in the block editor (see #26442).
Unified design for search forms and results across the admin (#37353).
Exposed the embed Gutenberg block to Core (#51531).
Updated Twemoji (#51356), React (#51505), and Akismet versions (#51610).
Added accessibility improvements (among other things) to Application Passwords (#51580).
Added indicator to image details for images attached to a site option (#42063).
Developer notes
WordPress 5.6 has lots of refinements to the developer experience as well. To keep up, subscribe to the Make WordPress Core blog and pay special attention to the developers’ notes for updates on those and other changes that could affect your products.
How to Help
If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you!
The current target for final release is December 8, 2020. This is just seven weeks away, so your help is needed to ensure this release is tested properly.
Improvements in the Editor
WordPress 5.6 includes seven Gutenberg plugin releases. Here are a few highlighted enhancements:
Improved support for video positioning in cover blocks.
Enhancements to Block Patterns including translatable strings.
Character counts in the information panel, improved keyboard navigation, and other adjustments to help users find their way better.
Improved UI for drag and drop functionality, as well as block movers.
To see all of the features for each release in detail check out the release posts: 8.6, 8.7, 8.8, 8.9, 9.0, 9.1, and 9.2 (link forthcoming).
Improvements in Core
A new default theme
The default theme is making its annual return with Twenty Twenty-One. This theme features a streamlined and elegant design, which aims to be AAA ready.
Auto-update option for major releases
The much anticipated opt-in for major releases of WordPress Core will ship in this release. With this functionality, you can elect to have major releases of the WordPress software update in the background with no additional fuss for your users.
Increased support for PHP 8
The next major version release of PHP, 8.0.0, is scheduled for release just a few days prior to WordPress 5.6. The WordPress project has a long history of being compatible with new versions of PHP as soon as possible, and this release is no different.
Because PHP 8 is a major version release, changes that break backward compatibility or compatibility for various APIs are allowed. Contributors have been hard at work fixing the known incompatibilities with PHP 8 in WordPress during the 5.6 release cycle.
While all of the detectable issues in WordPress can be fixed, you will need to verify that all of your plugins and themes are also compatible with PHP 8 prior to upgrading. Keep an eye on the Making WordPress Core blog in the coming weeks for more detailed information about what to look for.
Application Passwords for REST API Authentication
Since the REST API was merged into Core, only cookie & nonce based authentication has been available (without the use of a plugin). This authentication method can be a frustrating experience for developers, often limiting how applications can interact with protected endpoints.
With the introduction of Application Password in WordPress 5.6, gone is this frustration and the need to jump through hoops to re-authenticate when cookies expire. But don’t worry, cookie and nonce authentication will remain in WordPress as-is if you’re not ready to change.
Application Passwords are user specific, making it easy to grant or revoke access to specific users or applications (individually or wholesale). Because information like “Last Used” is logged, it’s also easy to track down inactive credentials or bad actors from unexpected locations.
Better accessibility
With every release, WordPress works hard to improve accessibility. Version 5.6 is no exception and will ship with a number of accessibility fixes and enhancements. Take a look:
Announce block selection changes manually on windows.
Avoid focusing the block selection button on each render.
Avoid rendering the clipboard textarea inside the button
Fix dropdown menu focus loss when using arrow keys with Safari and Voiceover
Fix dragging multiple blocks downwards, which resulted in blocks inserted in wrong position.
Fix incorrect aria description in the Block List View.
Add arrow navigation in Preview menu.
Prevent links from being focusable inside the Disabled component.
Testing for bugs is an important part of polishing the release during the beta stage and a great way to contribute.
If you think you’ve found a bug, please post to the Alpha/Beta area in the support forums. We would love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac. That’s also where you can find a list of known bugs.
This month was characterized by some exciting announcements from the WordPress core team! Read on to catch up with all the WordPress news and updates from September.
WordPress 5.5.1 Launch
On September 1, the Core team released WordPress 5.5.1. This maintenance release included several bug fixes for both core and the editor, and many other enhancements. You can update to the latest version directly from your WordPress dashboard or download it directly from WordPress.org. The next major release will be version 5.6.
The core team launched version 9.0 of the Gutenberg plugin on September 16, and version 9.1 on September 30. Version 9.0 features some useful enhancements — like a new look for the navigation screen (with drag and drop support in the list view) and modifications to the query block (including search, filtering by author, and support for tags). Version 9.1 adds improvements to global styles, along with improvements for the UI and several blocks. Version 8.9 of Gutenberg, which came out earlier in September, enables the block-based widgets feature (also known as block areas, and was previously available in the experiments section) by default — replacing the default WordPress widgets to the plugin. You can find out more about the Gutenberg roadmap in the What’s next in Gutenberg blog post.
Twenty Twenty One is the WordPress 5.6 default theme
Twenty Twenty One, the brand new default theme for WordPress 5.6, has been announced! Twenty Twenty One is designed to be a blank canvas for the block editor, and will adopt a straightforward, yet refined, design. The theme has a limited color palette: a pastel green background color, two shades of dark grey for text, and a native set of system fonts. Twenty Twenty One will use a modified version of the Seedlet theme as its base. It will have a comprehensive system of nested CSS variables to make child theming easier, a native support for global styles, and full site editing.
Follow the Make/Core blog if you wish to contribute to Twenty Twenty One. There will be weekly meetings every Monday at 15:00 UTC and triage sessions every Friday at 15:00 UTC in the #core-themes Slack channel. Theme development will happen on GitHub.
The Themes team has added a delist feature to the themes directory. The feature will allow a theme to be temporarily hidden from search, while still making it available. The team may delist themes if they violate the Theme Directory guidelines.
The Themes Team has also released its new web fonts Loader project. The webfonts loader will allow theme developers to load web fonts from the user’s site, rather than through a third-party CDN. The project lives in the team’s GitHub repository.
Members of the Polyglots and Marketing teams are celebrating the International Translation Day for WordPress over the week of September 28 – October 4! Community members can join or organize translation events, or contribute to WordPress core, theme, or plugin translations during this period.
This maintenance release features 34 bug fixes, 5 enhancements, and 5 bug fixes for the block editor. These bugs affect WordPress version 5.5, so you’ll want to upgrade.
You can download WordPress 5.5.1 directly, or visit the Dashboard → Updates screen and click Update Now. If your sites support automatic background updates, they’ve already started the update process.
WordPress 5.5.1 is a short-cycle maintenance release. The next major release will be version 5.6.
August was special for WordPress lovers, as one of the most anticipated releases, WordPress 5.5, was launched. The month also saw several updates from various contributor teams, including the soft-launch of the Learn WordPress project and updates to Gutenberg. Read on to find out about the latest updates from the WordPress world.
WordPress 5.5 Launch
The team launched WordPress 5.5 on August 11. The major release comes with a host of features like automatic updates for plugins and themes, enabling updates over uploaded ZIP files, a block directory, XML sitemaps, block patterns, inline image editing, and lazy-loading images, to name a few. WordPress 5.5 is now available in 50 languages too! You can update to the latest version directly from your WordPress dashboard or download it directly from WordPress.org. Subsequent to the 5.5 release, the 5.5.1 release candidate came out on August 28, which will be followed by its official launch of the minor release on September 1.
The core team launched Gutenberg 8.7 and 8.8. Version 8.7 saw many improvements to the Post Block suite, along with other changes like adding a block example to the Buttons block, consistently autosaving edits, and updating the group block description. Version 8.8 offers updates to Global Styles, the Post Block suite, and Template management. The release significantly improves the back-compatibility of the new Widget Screen, and also includes other important accessibility and mobile improvements to user interfaces like the Toolbar, navigation menus, and Popovers. For full details on the latest versions of these Gutenberg releases, visit these posts about 8.7 and 8.8.
Learn WordPress is a brand new cross-team initiative led by the WordPress Community team, with support from the training team, the TV team, and the meta team. This platform is a learning repository on learn.wordpress.org, where WordPress learning content will be made available. Video workshops published on the site will be followed up by supplementary discussion groups based on workshop content. The first of these discussion groups have been scheduled, and you can join an upcoming discussion on the dedicated meetup group. The community team invites members to contribute to the project. You can apply to present a workshop, assist with reviewing submitted workshops, and add ideas for workshops that you would like to see on the site. You can also apply to be a discussion group leader to organize discussions directly through the learn.wordpress.org platform. We are also creating a dedicated Learn WordPress working group and have posted a call for volunteers. Meetup organizers can use Learn WordPress content for their meetup events (without applying as a discussion group leader). Simply ask your meetup group to watch one of the workshops in the weeks leading up to your scheduled event, and then host a discussion group for that content as your event.
The community team has decided to cancel in-person flagship WordPress events in 2021. While new applications for flagship events in 2021 will not be accepted, organizers of existing flagship events (such as WordCamp US, Europe, and Asia) will have the option to move their event online.
The WordPress documentation team is continuing its discussion on modifying the external linking policy. The conversation is taking place on a shared Google doc. Feel free to add comments if you have any thoughts on the topic.
The maiden edition of do_action India online was held from August 15 to 23. The event, which was held online with collaboration tools, had 94 participants who built fully functional websites for five NGOs from across the country. You can read more about 2020 do_action events on the WordPress Foundation blog.
WordCamp Minneapolis/St. Paul was held successfully on August 21. The event, which sold over 1400 tickets, had 18 speakers and 12 sponsors.
The Polyglots team has completed the translation handbook structure organization. The handbook now has clear guides for translators, PTEs/GTEs, global mentors, and Plugin/Theme authors.
Have a story that we should include in the next “Month in WordPress” post? Please submit it here.
Here it is! Named “Eckstine” in honor of Billy Eckstine, this latest and greatest version of WordPress is available for download or update in your dashboard.
Welcome to WordPress 5.5.
In WordPress 5.5, your site gets new power in three major areas: speed, search, and security.
Speed
Posts and pages feel faster, thanks to lazy-loaded images.
Images give your story a lot of impact, but they can sometimes make your site seem slow.
In WordPress 5.5, images wait to load until they’re just about to scroll into view. The technical term is ‘lazy loading.’
On mobile, lazy loading can also keep browsers from loading files meant for other devices. That can save your readers money on data — and help preserve battery life.
Search
Say hello to your new sitemap.
WordPress sites work well with search engines.
Now, by default, WordPress 5.5 includes an XML sitemap that helps search engines discover your most important pages from the very minute you go live.
So more people will find your site sooner, giving you more time to engage, retain and convert them to subscribers, customers or whatever fits your definition of success.
Security
Auto-updates for Plugins and Themes
Now you can set plugins and themes to update automatically — or not! — in the WordPress admin. So you always know your site is running the latest code available.
You can also turn auto-updates on or off for each plugin or theme you have installed — all on the same screens you’ve always used.
Update by uploading ZIP files
If updating plugins and themes manually is your thing, now that’s easier too — just upload a ZIP file.
Highlights from the block editor
Once again, the latest WordPress release packs a long list of exciting new features for the block editor. For example:
Block patterns
New block patterns make it simple and fun to create complex, beautiful layouts, using combinations of text and media that you can mix and match to fit your story.
You will also find block patterns in a wide variety of plugins and themes, with more added all the time. Pick any of them from a single place — just click and go!
The new block directory
Now it’s easier than ever to find the block you need. The new block directory is built right into the block editor, so you can install new block types to your site without ever leaving the editor.
Inline image editing
Crop, rotate, and zoom your photos right from the image block. If you spend a lot of time on images, this could save you hours!
And so much more.
The highlights above are a tiny fraction of the new block editor features you’ve just installed. Open the block editor and enjoy!
Accessibility
Every release adds improvements to the accessible publishing experience, and that remains true for WordPress 5.5.
Now you can copy links in media screens and modal dialogs with a button, instead of trying to highlight a line of text.
You can also move meta boxes with the keyboard, and edit images in WordPress with your assistive device, as it can read you the instructions in the image editor.
For developers
5.5 also brings a big box of changes just for developers.
Server-side registered blocks in the REST API
The addition of block types endpoints means that JavaScript apps (like the block editor) can retrieve definitions for any blocks registered on the server.
Defining environments
WordPress now has a standardized way to define a site’s environment type (staging, production, etc). Retrieve that type with wp_get_environment_type() and execute only the appropriate code.
Dashicons
The Dashicons library has received its final update in 5.5. It adds 39 block editor icons along with 26 others.
Passing data to template files
The template loading functions (get_header(), get_template_part(), etc.) have a new $args argument. So now you can pass an entire array’s worth of data to those templates.
More changes for developers
The PHPMailer library just got a major update, going from version 5.2.27 to 6.1.6.
Now get more fine-grained control of redirect_guess_404_permalink().
Sites that use PHP’s OPcache will see more reliable cache invalidation, thanks to the new wp_opcache_invalidate() function during updates (including to plugins and themes).
Custom post types associated with the category taxonomy can now opt-in to supporting the default term.
Default terms can now be specified for custom taxonomies in register_taxonomy().
The REST API now officially supports specifying default metadata values through register_meta().
You will find updated versions of these bundled libraries: SimplePie, Twemoji, Masonry, imagesLoaded, getID3, Moment.js, and clipboard.js.
Marketing/Comms Coordinator: Mary Baum (@marybaum)
Joining the squad throughout the release cycle were 805 generous volunteer contributors who collectively worked on over 523 tickets on Trac and over 1660 pull requests on GitHub.
Put on a Billy Eckstine playlist, click that update button (or download it directly), and check the profiles of the fine folks that helped:
Many thanks to all of the community volunteers who contribute in the support forums. They answer questions from people across the world, whether they are using WordPress for the first time or since the first release. These releases are more successful for their efforts!
Finally, thanks to all the community translators who worked on WordPress 5.5. Their efforts bring WordPress fully translated to 46 languages at release time, with more on the way.
Thank you to all of the contributors who tested the Beta releases and gave feedback. Testing for bugs is a critical part of polishing every release and a great way to contribute to WordPress.
Plugin and Theme Developers
Please test your plugins and themes against WordPress 5.5 and update the Tested up to version in the readme file to 5.5. If you find compatibility problems, please be sure to post to the support forums, so those can be figured out before the final release.
For a more detailed breakdown of the changes included in WordPress 5.5, check out the WordPress 5.5 beta 1 post. The WordPress 5.5 Field Guide is also out! It’s your source for details on all the major changes.
If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, fill one on WordPress Trac, where you can also find a list of known bugs.