Recent WordPress releases, including the 4.9.1 update, have put more emphasis on security than for a long time. This comes from a renewed commitment by the team to hardening the platform. In its release post, WordPress stated that the 4.9.1 update fixes four security issues that affected WordPress 4.9 and earlier versions.
Major security issues fixed in WordPress 4.9.1:
i. Using a properly generated hash for the newbloguser key: the key used to confirm a new user on a site was previously a determinable value. A properly generated key cannot be predicted or recomputed, which makes it much harder for an attacker to add a new user to your WordPress database and use that account to take over your website.
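The difference between a determinable key and a properly generated one, as an added example that is not WordPress core code. It assumes, for illustration only, that the old key was a short digest derived from the user ID; the function names are this example's own. The point it makes is that a key derived from public or guessable data can be recovered offline, while a key drawn from the CSPRNG cannot.

```php
<?php
// Added example, not WordPress core code.
// Assumption for illustration: the pre-4.9.1 key is modelled as a short,
// deterministic digest of the user ID. The real fix replaces it with a
// random key; here that is random_bytes() from PHP's CSPRNG.

declare(strict_types=1);

/** Determinable key: anyone who knows (or enumerates) the user ID can recompute it. */
function weak_newuser_key(int $user_id): string
{
    return substr(md5((string) $user_id), 0, 5);
}

/** Properly generated key: 128 bits from the CSPRNG, hex-encoded (32 chars). */
function strong_newuser_key(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Attacker model for the weak scheme: given a key seen in a confirmation link,
 * try user IDs in order until one reproduces it. Returns the matching user ID
 * (equal to the number of guesses needed) or null if none matched.
 */
function recover_user_id_from_weak_key(string $observed_key, int $max_user_id): ?int
{
    for ($id = 1; $id <= $max_user_id; $id++) {
        if (hash_equals($observed_key, weak_newuser_key($id))) {
            return $id;
        }
    }
    return null;
}

/** Verifying a presented key against the stored one: constant-time compare, never ==. */
function key_matches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// Constructed scenario: the victim account has ID 4242.
$victim_id = 4242;
$weak      = weak_newuser_key($victim_id);
$guesses   = recover_user_id_from_weak_key($weak, 10000);
printf("weak key %s recovered after %d guesses\n", $weak, $guesses);
// Even without the derivation, a 5-hex-char key has only 16^5 possible values.
printf("weak key space: %d values\n", 16 ** 5);

$strong = strong_newuser_key();
printf("strong key %s: %d random bits, nothing to derive it from\n", $strong, 8 * 16);
var_dump(key_matches($strong, $strong));     // bool(true)
var_dump(key_matches($strong, 'deadbeef'));  // bool(false)
```

The comparison uses hash_equals() so that a verifier does not leak how many leading characters of the stored key matched; with a 32-hex-character random key the search space is 2^128, so neither offline derivation nor online guessing is practical.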
ii. Escaping language attributes on HTML elements: where a language attribute contained an unsafe string, the value is now filtered and its quotes are escaped correctly, so it can no longer break out of the attribute and inject markup or event handlers.
iii. Escaping attributes of enclosures in RSS and Atom feeds: enclosures are the mechanism RSS and Atom feeds use to attach media files to a feed item. The attributes of these enclosure tags were previously written out without escaping. With WordPress 4.9.1 they are properly escaped.
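Both of the escaping fixes above come down to the same rule: a value placed inside an attribute must have its quotes and angle brackets encoded. The following is an added example in plain PHP, not WordPress core code, showing an unescaped rendering beside an escaped one for an html lang attribute and for an RSS enclosure; the hostile inputs are constructed, and the helper names are this example's own (in a WordPress context the equivalents are esc_attr() and esc_url()).

```php
<?php
// Added example, not WordPress core code. Shows attribute-context escaping for
// the two places fixed in 4.9.1: <html lang="..."> and <enclosure ... />.

declare(strict_types=1);

/** Attribute-context escaping: encode & < > " ' so the value stays inside its quotes. */
function esc_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Enclosure URLs must be http(s); anything else is dropped, then attribute-escaped. */
function esc_enclosure_url(string $url): string
{
    if (preg_match('#^https?://#i', $url) !== 1) {
        return '';
    }
    return esc_attribute($url);
}

/** Unsafe: the lang value is interpolated raw (the pre-fix behaviour, modelled). */
function render_html_lang_unsafe(string $lang): string
{
    return '<html lang="' . $lang . '">';
}

function render_html_lang_safe(string $lang): string
{
    return '<html lang="' . esc_attribute($lang) . '">';
}

/** Unsafe: url, length and type all land in attributes without escaping. */
function render_enclosure_unsafe(string $url, string $length, string $type): string
{
    return "<enclosure url=\"$url\" length=\"$length\" type=\"$type\" />";
}

function render_enclosure_safe(string $url, string $length, string $type): string
{
    // length is numeric by contract: coerce it instead of trusting the string.
    $len = (string) max(0, (int) $length);
    return '<enclosure url="' . esc_enclosure_url($url)
        . '" length="' . $len
        . '" type="' . esc_attribute($type) . '" />';
}

// Constructed hostile inputs: each tries to close the attribute it sits in.
$lang = 'en" onmouseover="alert(document.domain)';
$url  = 'https://example.com/a.mp3" onload="alert(1)';
$type = 'audio/mpeg"><script>alert(1)</script><x a="';

echo render_html_lang_unsafe($lang), "\n";
// <html lang="en" onmouseover="alert(document.domain)">
echo render_html_lang_safe($lang), "\n";
// <html lang="en&quot; onmouseover=&quot;alert(document.domain)">
echo render_enclosure_unsafe($url, '1234', $type), "\n";
echo render_enclosure_safe($url, '1234', $type), "\n";
// <enclosure url="https://example.com/a.mp3&quot; onload=&quot;alert(1)" length="1234"
//  type="audio/mpeg&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;x a=&quot;" />
```

The escaped output still contains the attacker's text, but only as character data inside the attribute value; a browser or feed reader parses one attribute with an odd value rather than a second attribute or a new element. Numeric entities such as &quot; and &#039; are valid in both HTML and XML, so the same escaper serves the feed and the page.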
iv. Preventing users without the unfiltered_html capability from uploading JavaScript files: another improvement against script attacks by lower-privileged users. Uploading a JavaScript file through the media library is a quiet way of getting script onto a WordPress website; from 4.9.1 only users who hold unfiltered_html (by default administrators and editors on a single site, and only super admins on Multisite) can upload .js files.
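The check behind that fix is an allowlist of upload types that shrinks for users who lack unfiltered_html. What follows is an added example in plain PHP, not WordPress core code: the mime table is a constructed subset, the function names are this example's own, and the capability is passed in as a boolean rather than looked up. In a real plugin the same logic is attached through the upload_mimes filter.

```php
<?php
// Added example, not WordPress core code. Models an upload allowlist keyed on
// whether the user may post unfiltered HTML, in the spirit of the 4.9.1 change.

declare(strict_types=1);

/** Constructed subset of a mime table, keyed "ext1|ext2" => mime type. */
function base_mime_types(): array
{
    return [
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'pdf'          => 'application/pdf',
        'htm|html'     => 'text/html',
        'js'           => 'application/javascript',
    ];
}

/**
 * Types a user may upload. Types a browser will execute as markup or script
 * are removed unless the user is trusted to post unfiltered HTML anyway.
 */
function allowed_mime_types(bool $can_unfiltered_html): array
{
    $types = base_mime_types();
    if (!$can_unfiltered_html) {
        unset($types['htm|html'], $types['js']);
    }
    return $types;
}

/**
 * Map a filename to its allowed mime type, or null if the upload is rejected.
 * Only the final extension is considered, case-insensitively. A name like
 * "photo.js.png" therefore resolves as png: the extension check must be paired
 * with content sniffing on the server, which is outside this example.
 */
function check_upload(string $filename, bool $can_unfiltered_html): ?string
{
    $ext = strtolower((string) pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '') {
        return null;
    }
    foreach (allowed_mime_types($can_unfiltered_html) as $ext_pattern => $mime) {
        if (in_array($ext, explode('|', $ext_pattern), true)) {
            return $mime;
        }
    }
    return null;
}

// Constructed filenames; first column is a user without unfiltered_html,
// second is a user with it.
foreach (['report.pdf', 'tracker.js', 'TRACKER.JS', 'page.html', 'logo.png', 'noext'] as $name) {
    printf(
        "%-12s restricted: %-22s trusted: %s\n",
        $name,
        check_upload($name, false) ?? 'REJECTED',
        check_upload($name, true) ?? 'REJECTED'
    );
}
// tracker.js, TRACKER.JS and page.html print REJECTED in the restricted column
// and their mime type in the trusted column; report.pdf and logo.png pass in
// both; noext is rejected in both.
```

Keying the decision on unfiltered_html rather than on a role name is deliberate: it is the capability that already says "this user may publish raw HTML and script", so anyone who can do that through the editor gains nothing new from a .js upload, and anyone who cannot should not get it through the media library either.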
Other bugs resolved in WordPress 4.9.1:
Apart from the four security fixes, there were eleven other bug fixes. Among them:
- Theme and plugin file editors could not be used because of a caching issue: the WordPress development team reported that the list of files fetched from a theme was cached, so files did not show up immediately after appearing in the filesystem. This was fixed in 4.9.1.
- JS errors when using certain languages: after the MediaElement upgrade, JavaScript errors appeared when certain languages were in use. A member of the WordPress core development team noted that it affects JavaScript-heavy screens such as the Customizer and the widgets page.
- Wrong logic when extracting from the .htaccess file: the extract_from_markers() function reads the WordPress-managed block out of .htaccess so that basic server settings can be rendered from it. Its logic had been wrong for some time and was corrected in 4.9.1.
- A problem translating the Codex URL in theme-editor.php.
- Editing files with the theme editor on a Windows server: WordPress 4.9 introduced a new Ajax-based editor that calls a new function, wp_edit_theme_plugin_file(), to write the file. This function failed on Windows servers because of differences in the file system layout. Fixed in 4.9.1.
- An issue with the flatten_dirlist() function: introduced in 4.9, it did not cope with folder names made up of numbers; in such cases the name was replaced with 0, the folder became unwritable, and the plugin update failed.
- Parsing certain DB_HOST values: the new method wpdb::parse_db_host(), introduced in 4.9, mis-parsed some values containing a colon because it assumed an IPv6 address would always contain more than one colon. Fixed in 4.9.1.
- Upgrading the wp_blog_versions table in WordPress Multisite: fixed within three weeks of being reported. Kudos to the WordPress team.
- A JS error when only one theme is installed: this caused no noticeable problem for end users, but has been fixed.
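The DB_HOST parsing item above is easy to get wrong because one string carries up to three things: a host, an optional port and an optional Unix socket path, and a bare IPv6 literal is full of colons. As an added example that is not wpdb::parse_db_host() itself, here is a parser in plain PHP that splits the socket off first (a socket path always starts with "/"), then treats a bracketed address as unambiguous, and only then applies the colon-count heuristic. The function name and the sample values are this example's own.

```php
<?php
// Added example, not WordPress core code. Parses DB_HOST-style values into
// [host, port, socket, is_ipv6], or null when the value is malformed.

declare(strict_types=1);

function parse_db_host_value(string $host): ?array
{
    $port    = null;
    $socket  = null;

    // A socket is an absolute path, so everything from ":/" onward is the socket.
    $socket_pos = strpos($host, ':/');
    if ($socket_pos !== false) {
        $socket = substr($host, $socket_pos + 1);
        $host   = substr($host, 0, $socket_pos);
    }

    // Bracketed form is unambiguous: [addr] or [addr]:port.
    if ($host !== '' && $host[0] === '[') {
        if (preg_match('#^\[([0-9a-fA-F:.]+)\](?::(\d+))?$#', $host, $m) !== 1) {
            return null;
        }
        $port = (isset($m[2]) && $m[2] !== '') ? (int) $m[2] : null;
        return [$m[1], $port, $socket, true];
    }

    // Unbracketed: two or more colons can only be an IPv6 literal without a port.
    if (substr_count($host, ':') > 1) {
        if (preg_match('#^[0-9a-fA-F:.]+$#', $host) !== 1) {
            return null;
        }
        return [$host, null, $socket, true];
    }

    // Otherwise: hostname or IPv4, optionally followed by :port.
    if (preg_match('#^([^:/]*)(?::(\d+))?$#', $host, $m) !== 1) {
        return null;
    }
    $port = (isset($m[2]) && $m[2] !== '') ? (int) $m[2] : null;
    return [$m[1], $port, $socket, false];
}

// Constructed sample values with the expected result for each.
$cases = [
    'localhost',                              // ["localhost", null, null, false]
    'db.internal:3307',                       // ["db.internal", 3307, null, false]
    'localhost:/var/run/mysqld/mysqld.sock',  // ["localhost", null, "/var/run/mysqld/mysqld.sock", false]
    '::1',                                    // ["::1", null, null, true]
    '[::1]:3306',                             // ["::1", 3306, null, true]
    '[2001:db8::10]',                         // ["2001:db8::10", null, null, true]
    'localhost:abc',                          // null (port is not numeric)
];
foreach ($cases as $value) {
    echo str_pad($value, 40), ' => ', json_encode(parse_db_host_value($value)), "\n";
}
```

Ordering matters: if the colon count were checked before the socket was removed, a value such as "127.0.0.1:/tmp/my:sql.sock" would be mistaken for IPv6, and if the port regex were applied to an unbracketed IPv6 literal the last hextet would be taken as the port. Returning null on a value that does not fit any form is safer than guessing, since a half-parsed host silently connects somewhere other than intended.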
As you can see, several of these issues were introduced by the WordPress 4.9 update itself and will not have had any long-term effect. The security fixes, however, apply to every version before 4.9.1, so it is strongly advised that you update your WordPress website now.