This affects:
* `validate_plugin_requirements()`
* `validate_theme_requirements()`
Historically, the `Requires PHP` header was introduced in #meta2952 for the Plugin Directory first, so at the time it made sense to have it defined in the same place as `Requires at least`, which only existed in `readme.txt`.
Since parsing of PHP and WordPress requirements was later added to WordPress core, the core should retrieve all the necessary data from the main plugin or theme file and not from `readme.txt`, which only contains the data meant for the Plugin or Theme Directory.
The recommended place for `Requires PHP` and `Requires at least` headers is as follows:
* The plugin's main PHP file
* The theme's `style.css` file
The place for the `Tested up to` header remains in `readme.txt` for the time being, as it's not used by WordPress core.
Follow-up to [44978], [45546], [47573], [47574], [meta5841], [meta9050].
Props afragen, Otto42, joyously, williampatton, audrasjb.
Fixes#48520. See #48515, #meta2952, #meta4514, #meta4621.
Built from https://develop.svn.wordpress.org/trunk@51092
git-svn-id: http://core.svn.wordpress.org/trunk@50701 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fix the enter key in profile form fields moving focus to the application password input instead of submitting the profile update for. Replace the submit button type used for application passwords with `button type="button"` and ensure that the enter key's native behavior isn't overwritten.
props audrasjb, alexstine, promz, sabernhardt.
Fixes#52849.
Built from https://develop.svn.wordpress.org/trunk@51086
git-svn-id: http://core.svn.wordpress.org/trunk@50695 1a063a9b-81f0-0310-95a4-ce76da25c4cd
By the time the tests run, both `wp_is_site_protected_by_basic_auth()` and `rest_url()` functions are available, so there is no need to check for their existence.
Follow-up to [44986], [51057].
Props Clorith, costdev, SergeyBiryukov.
Fixes#52642.
Built from https://develop.svn.wordpress.org/trunk@51066
git-svn-id: http://core.svn.wordpress.org/trunk@50675 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The test to confirm if Authorization headers can be used and recognized by WordPress needs to include a username and password combination that WordPress can compare against during the testing phase. The inclusion of credentials here would unfortunately also invalidate any existing basic auth session for the site, for example if the user had added this as an extra layer of security on their back-end.
This test is now skipped if the `wp_is_site_protected_by_basic_auth()` function detects that basic auth is being used, since the act of using basic auth to access the site confirms that this feature is working as expected in the first place.
Props WebDragon, TimothyBlynJacobs, costdev.
Fixes#52642.
Built from https://develop.svn.wordpress.org/trunk@51057
git-svn-id: http://core.svn.wordpress.org/trunk@50666 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add `$status` parameter to `post_exists()` to allow developers to specify a post type, date and status to ensure they hit the `wp_posts` table's `type_status_date` index when determining if a post exists.
Props apokalyptik, boonebgorges, brettshumaker, DrewAPicture, MikeHansenMe, peterwilsoncc, whyisjake.
Fixes#34012.
Built from https://develop.svn.wordpress.org/trunk@51027
git-svn-id: http://core.svn.wordpress.org/trunk@50636 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The styles for the Privacy settings page were based on the Site Health section. These were duplicated into `edit.css` in #49264. This change merges the selectors from Site Health into the Privacy section, to reduce that duplicate code.
Props xkon, notlaura, clorith.
See #52429.
Built from https://develop.svn.wordpress.org/trunk@51025
git-svn-id: http://core.svn.wordpress.org/trunk@50634 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This provides direct links to install and activate the plugin, if the user has the capabilities to do so, instead of just linking to plugin search results.
It also matches more closely the message about installing the Classic Editor plugin for meta boxes incompatible with the block editor.
Follow-up to [22855], [44280], [45657].
Props tw2113, peterwilsoncc, SergeyBiryukov.
Fixes#52669.
Built from https://develop.svn.wordpress.org/trunk@51011
git-svn-id: http://core.svn.wordpress.org/trunk@50620 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds an option to bulk delete menu items from the core Navigation Menus screen, offering a considerable usability benefit when making significant changes to navigation menus.
Uses the bulk select pattern found in post and media lists for consistency with other core management screens, rather than the rapid delete pattern found in menus in the customizer.
Props wphound, welcher, melchoyce, maxpertici, audrasjb
Fixes#21603.
Built from https://develop.svn.wordpress.org/trunk@51006
git-svn-id: http://core.svn.wordpress.org/trunk@50615 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `update_user_option()` function is a way to update a user meta value after adding a blog’s prefix to the beginning of the meta key. But when the fourth parameter is `true`, the behavior is exactly the same as calling `update_user_meta()` directly.
This replaces all instances of `update_user_option()` when the fourth parameter is `true` in Core with a direct call to `update_user_meta()` to prevent an unnecessary call to `update_user_option()`.
Props johnjamesjacoby, zkancs, obenland, desrosj.
Fixes#43339.
Built from https://develop.svn.wordpress.org/trunk@50981
git-svn-id: http://core.svn.wordpress.org/trunk@50590 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This shows the parent theme name in a child theme's metadata section in the list table, in a similar way it is displayed in the theme details modal on the single site Themes screen.
Props dpik, Mista-Flo, seanchayes, poena, johnbillion, jeremyfelt, bradt, jacklenox, helen, Travel_girl, karmatosed, Presskopp, joyously, SergeyBiryukov.
Fixes#30240.
Built from https://develop.svn.wordpress.org/trunk@50978
git-svn-id: http://core.svn.wordpress.org/trunk@50587 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This reverts the changes to `id_base` from [50953] due to backward compatibility concerns, and instead focuses on the `id` and `class` attributes specifically.
With this change, any backslashes in the `id` or `class` attributes for a namespaced widget class are converted to underscores, making it easier to style the output or target the widget with JavaScript.
Follow-up to [50953].
Fixes#44098.
Built from https://develop.svn.wordpress.org/trunk@50961
git-svn-id: http://core.svn.wordpress.org/trunk@50570 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change fixes a false positive that would appear during scheduled events, by only running the REST test when a user visits the Site Health page, meaning an active session is available.
The test checking if the REST API is available, includes a parameter for `context=edit` to make sure the block editor can function properly. This means a user session with editor capabilities is required for the test to pass, which is not the case during a scheduled event.
Props szaqal21, TimothyBlynJacobs, hermpheus.
Fixes#52112.
Built from https://develop.svn.wordpress.org/trunk@50939
git-svn-id: http://core.svn.wordpress.org/trunk@50548 1a063a9b-81f0-0310-95a4-ce76da25c4cd
There are a few instances where two separate functions are used for both escaping and translating output. This change combines the two functions into the appropriate Core helper function.
Props dimadin, SergeyBiryukov.
Fixes#53153.
Built from https://develop.svn.wordpress.org/trunk@50931
git-svn-id: http://core.svn.wordpress.org/trunk@50540 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This allows third-party plugins to avoid accidentally being overwritten with an update of a plugin of a similar name from the WordPress.org Plugin Directory.
Additionally, introduce the `update_plugins_{$hostname}` filter, which third-party plugins can use to offer updates for a given hostname.
If set, the `Update URI` header field should be a URI and have a unique hostname.
Some examples include:
* `https://wordpress.org/plugins/example-plugin/`
* `https://example.com/my-plugin/`
* `my-custom-plugin-name`
`Update URI: false` also works, and unless there is code handling the `false` hostname, the plugin will never get an update notification.
If the header is present, the WordPress.org API will currently only return updates for the plugin if it matches the following format:
* `https://wordpress.org/plugins/{$slug}/`
* `w.org/plugin/{$slug}`
If the header has any other value, the API will not return a result and will ignore the plugin for update purposes.
Props dd32, DavidAnderson, meloniq, markjaquith, DrewAPicture, mweichert, design_dolphin, filosofo, sean212, nhuja, JeroenReumkens, infolu, dingdang, joyously, earnjam, williampatton, grapplerulrich, markparnell, apedog, afragen, miqrogroove, rmccue, crazycoders, jdgrimes, damonganto, joostdevalk, jorbin, georgestephanis, khromov, GeekStreetWP, jb510, Rarst, juliobox, Ipstenu, mikejolley, Otto42, gMagicScott, TJNowell, GaryJ, knutsp, mordauk, nvartolomei, aspexi, chriscct7, benoitchantre, ryno267, lev0, gregorlove, dougwollison, SergeyBiryukov.
See #14179, #23318, #32101.
Built from https://develop.svn.wordpress.org/trunk@50921
git-svn-id: http://core.svn.wordpress.org/trunk@50530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Replace infinitely autoloading behavior on scroll with a user-controlled load more button. Fix a long standing accessibility issue in the media library. Infinite scroll poses a wide range of problems for accessibility, usability, and performance.
This change modifies the library to load 40 items in the initial view, with a load more button to load the next 40 items and a button to move focus from the load more region to the first of the most recently added items.
The text for communicating the jump target was broadly discussed, agreeing that the text incorporated here would most concisely and clearly convey the purpose of the button, and any further detail is learnable from use.
Props afercia, adamsilverstein, joedolson, audrasjb, francina
Fixes#50105. See #40330.
Built from https://develop.svn.wordpress.org/trunk@50829
git-svn-id: http://core.svn.wordpress.org/trunk@50438 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change introduces the `delete_theme` and `deleted_theme` action hooks, which fire immediately before and after an attempt to delete a theme, respectively.
Props scottconnerly, ptahdunbar, pbiron, vetyst, desrosj.
Fixes#16401.
Built from https://develop.svn.wordpress.org/trunk@50826
git-svn-id: http://core.svn.wordpress.org/trunk@50435 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds additional information to the Media Handling section of the Site Health Info page. When ImageMagick is used as the site’s image editor, a full list of file formats supported will now be shown. This will help site owners debug any issues they encounter as support for newer, more modern image formats is added (such as WebP in [50810]).
Additionally, the version of Imagick installed. This will help site owners debug issues with generating images on the PHP side.
Some variables have also been renamed to more accurately represent what is being stored.
Props Clorith, desrosj.
Fixes#53022.
Built from https://develop.svn.wordpress.org/trunk@50817
git-svn-id: http://core.svn.wordpress.org/trunk@50426 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add support for uploading, editing and saving WebP images when supported by the server.
Add 'image/webp' to supported mime types. Correctly identify WebP images and sizes even when PHP doesn't support WebP. Resize uploaded WebP files (when supported) and use for front end markup.
Props markoheijne, blobfolio, Clorith, joemcgill, atjn, desrosj, spacedmonkey, marylauc, mikeschroder, hellofromtonya, flixos90.
Fixes#35725.
Built from https://develop.svn.wordpress.org/trunk@50810
git-svn-id: http://core.svn.wordpress.org/trunk@50419 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids accidentally overriding some variables in the scope of `activate_plugin()`, e.g. `$silent` or `$network_wide`.
Plugins expecting to have access to `$network_wide` directly on inclusion should receive it as an argument of the activation hook callback instead, on any of these actions:
* `activate_plugin`
* `activate_{$plugin}`
* `activated_plugin`
Follow-up to [28644].
Props Mike_Cowobo, dd32, DrewAPicture, mensmaximus, SergeyBiryukov.
Fixes#31104.
Built from https://develop.svn.wordpress.org/trunk@50787
git-svn-id: http://core.svn.wordpress.org/trunk@50396 1a063a9b-81f0-0310-95a4-ce76da25c4cd
There are several WordPress hooks defined on the server that depend on $post object that isn’t present on the new screens like edit site, edit widgets, or edit navigation. This patch deprecates existing filters and introduces replacements that are context-aware.
Props azaozz, andraganescu, jeremyfelt, nosolosw, youknowriad.
See #52920.
Built from https://develop.svn.wordpress.org/trunk@50776
git-svn-id: http://core.svn.wordpress.org/trunk@50385 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Allow developers to extend the Site Health screen with their own custom navigation tabs and pages.
This implements a new filter, `site_health_navigation_tabs`, which takes an associated array of tab identifiers/slugs, and tab labels, allowing developers to add their own subpage to the Site Health interface as new tabs.
To output a custom page, or add to an existing page, the `site_health_tab_content` action is triggered whenever the `tab` query argument is present and not empty. This action includes the current tab as its argument, which a developer would match against to only output content when relevant.
Props ramiy for initial patch.
Fixes#47225.
Built from https://develop.svn.wordpress.org/trunk@50764
git-svn-id: http://core.svn.wordpress.org/trunk@50373 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, when exporting personal data, if the JSON encoding of the data failed, the invalid JSON was still written to `export.json`. This change captures the JSON encoding failure and adds a notice to the UI.
Props hellofromTonya, jrf, SergeyBiryukov.
Fixes#52892.
Built from https://develop.svn.wordpress.org/trunk@50713
git-svn-id: http://core.svn.wordpress.org/trunk@50322 1a063a9b-81f0-0310-95a4-ce76da25c4cd
After [48390], plugins and themes can be updated with an uploaded ZIP file. Strings were added for comparing the "current" and "uploaded" versions of a plugin or theme, but lacked context for each as to the object being referenced. This change adds a `plugin` or `theme` context to each of these strings for disambiguation.
Props dimadin, SergeyBiryukov.
Fixes#53017.
Built from https://develop.svn.wordpress.org/trunk@50705
git-svn-id: http://core.svn.wordpress.org/trunk@50314 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Variables created within the scope of a function are discarded automatically when PHP leaves the scope of the function, i.e. on `return`, so doing a call to `unset()` straight before a `return` statement is redundant.
Props jrf, ravipatel, rachelbaker, mukesh27.
Fixes#52996.
Built from https://develop.svn.wordpress.org/trunk@50692
git-svn-id: http://core.svn.wordpress.org/trunk@50301 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Reduce severity of failing HTTPS tests from critical to warning. Stop reporting failures if the site is being accessed over HTTPS but `wp_is_https_supported()` indicates a lack of support.
Props annalamprou, AnotherDave, ayeshrajans, bobbingwide, Clorith, dragongate, eatsleepcode, gab81, geoffrey1963, Ipstenu, k3nsai, mmuyskens, nicegamer7, peterwilsoncc, pwallner, SergeyBiryukov, TimothyBlynJacobs, Toru.
Fixes#52783.
Built from https://develop.svn.wordpress.org/trunk@50659
git-svn-id: http://core.svn.wordpress.org/trunk@50271 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids a fatal error on PHP 8 in `wp_privacy_generate_personal_data_export_file()` if the `_export_data_grouped` post meta exists but is not an array.
Additionally, refactor unit tests for the function to:
* Reduce redundant code
* Switch to data provider
* Test on the full HTML output instead of select pieces of the output
* Expand unhappy path coverage
Follow-up to [43012], [44786], [47146], [47278].
Props hellofromTonya, jrf, xknown.
See #51423.
Built from https://develop.svn.wordpress.org/trunk@50613
git-svn-id: http://core.svn.wordpress.org/trunk@50226 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change switches out `sprintf` for `printf` on the "Copy suggested policy text from..." button screen reader text. Also, wrap the actual button text in a `<span aria-hidden="true">` to prevent both the button text and the screen reader text from being spoken.
Props mukesh27, SergeyBiryukov, sabernhardt.
Fixes#52891.
Built from https://develop.svn.wordpress.org/trunk@50585
git-svn-id: http://core.svn.wordpress.org/trunk@50198 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Replace loopback health check URL with a `POST` request to `wp-cron.php` in the WordPress install directory. This more closely represents how WordPress uses loopback requests.
A `POST` request is used to cause `wp-cron.php` to exit prior to running any cron jobs. This allows the test to indicate success quicker and accounts for sites that set the `DISABLE_WP_CRON` constant to avoid running cron jobs on loopback requests.
Props clorith, peterwilsoncc, TimothyBlynJacobs.
Fixes#52547.
Built from https://develop.svn.wordpress.org/trunk@50399
git-svn-id: http://core.svn.wordpress.org/trunk@50010 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds a more descriptive text in scenarios where `post_max_size` and `upload_max_filesize` differ, and `post_max_size` is set to a value of `0`.
In some scenarios, PHP may read `0` as a literal zero size, and not as unlimited, which it also means in other scenarios.
See https://www.php.net/manual/en/ini.core.php#ini.post-max-size for details, as PHP 5.3.4 introduced this behavior for literal zero interpretation when the content type of a request is `application/x-www-form-urlencoded` or is not registered with PHP.
Props Clorith, pixolin, helen, ratneshk.
Fixes#51466.
Built from https://develop.svn.wordpress.org/trunk@50263
git-svn-id: http://core.svn.wordpress.org/trunk@49908 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, date information was unable to be changed when using `media_handle_sideload()`.
Now you can override the date for a media item using `$post_data['post_date']` before using the function.
Props jamesgol, mukesh27, SergeyBiryukov, hellofromTonya, Mista-Flo.
Fixes#50972.
Built from https://develop.svn.wordpress.org/trunk@50258
git-svn-id: http://core.svn.wordpress.org/trunk@49903 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, we used `DIR_TESTDATA` to determine if a test should skip a newly silenced error in `wp_getimagesize()`.
We are now using `WP_RUN_CORE_TESTS` instead for consistency.
Props hellofromTonya, SergeyBiryukov.
See #49889.
Built from https://develop.svn.wordpress.org/trunk@50170
git-svn-id: http://core.svn.wordpress.org/trunk@49849 1a063a9b-81f0-0310-95a4-ce76da25c4cd
As this can cause large, long running queries on sites with many posts, this filter allows the query to be modified, bypassing entirely if needed.
Fixes#51660.
Props geoffguillain, SergeyBiryukov, hareesh-pillai, hellofromTonya, TimothyBlynJacobs, whyisjake.
Built from https://develop.svn.wordpress.org/trunk@50163
git-svn-id: http://core.svn.wordpress.org/trunk@49842 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The Privacy settings pages now use the same design patterns as the Site Health screen. Additionally, each privacy policy guide is now contained in an accordion to make the page easier to navigate when multiple plugins are in use.
Props xkon, hedgefield, garrett-eclipse, hellofromTonya, paaljoachim, joedolson.
Fixes#49264.
Built from https://develop.svn.wordpress.org/trunk@50161
git-svn-id: http://core.svn.wordpress.org/trunk@49840 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds a form option to skip the admin email alert when exporting personal data.
Props xkon, azaozz, TZ-Media, iandunn, desrosj, iprg, allendav, wesselvandenberg, karmatosed, birgire, davidbaumwald, estelaris, paaljoachim, hellofromTonya.
Fixes#43890.
Built from https://develop.svn.wordpress.org/trunk@50159
git-svn-id: http://core.svn.wordpress.org/trunk@49838 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, it was unclear that the displayed password is only being suggested and should be saved by clicking the Reset Password button.
This adds separate Generate Password and Save Password buttons, for clarity.
Props xkon, estelaris, jaymanpandya, hedgefield, audrasjb, erichmond, magicroundabout, lukecavanagh, knutsp, tinodidriksen, nico_martin, markhowellsmead, kara.mcnair, e_baker, pixelverbieger, souri_wpaustria, megabyterose, poena, whyisjake.
Fixes#39638.
Built from https://develop.svn.wordpress.org/trunk@50153
git-svn-id: http://core.svn.wordpress.org/trunk@49832 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, all logic utilizing `getimagesize()` was supressing errors making it difficult to debug usage of the function.
A new `wp_getimagesize()` function has been added to allow the errors to no longer be suppressed when `WP_DEBUG` is enabled.
Props Howdy_McGee, SergeyBiryukov, mukesh27, davidbaumwald, noisysocks, hellofromTonya.
Fixes#49889.
Built from https://develop.svn.wordpress.org/trunk@50146
git-svn-id: http://core.svn.wordpress.org/trunk@49825 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This brings some consistency with other list tables and allows for adding custom column data to columns registered with `manage_export-personal-data_columns` or `manage_erase-personal-data_columns` filters.
Props xkon, garrett-eclipse, birgire, pbiron, hellofromTonya, TimothyBlynJacobs, 7studio, mukesh27, Mista-Flo.
Fixes#44354.
Built from https://develop.svn.wordpress.org/trunk@50145
git-svn-id: http://core.svn.wordpress.org/trunk@49824 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When no events are available in the Events Widget, people have always been shown a message encouraging them to help organize one (see `tmpl-community-events-no-upcoming-events`). Now that it's common for online WordCamps and Learn discussion groups to be pinned to the Events API, it's rare that there are no events in the widget, even if there are no _local_ events. Because of that, users are rarely encouraged to join their local community and help organize.
This commit adds an additional call-to-action message, which is shown when there are only 1 or 2 events available.
Props anyssa, sippis, AmethystAnswers.
Fixes#51664.
Built from https://develop.svn.wordpress.org/trunk@50133
git-svn-id: http://core.svn.wordpress.org/trunk@49812 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Switching a WordPress site from HTTP to HTTPS has historically been a tedious task. While on the surface the Site Address and WordPress Address have to be updated, existing content still remains using HTTP URLs where hard-coded in the database. Furthermore, updating _two_ URLs to migrate to HTTPS is still a fairly unintuitive step which is not clearly explained.
This changeset simplifies migration from HTTP to HTTPS and, where possible, makes it a one-click interaction.
* Automatically replace insecure versions of the Site Address (`home_url()`) with its HTTPS counterpart on the fly if the site has been migrated from HTTP to HTTPS. This is accomplished by introducing a `https_migration_required` option and enabling it when the `home_url()` is accordingly changed.
* A new `wp_replace_insecure_home_url()` function is hooked into various pieces of content to replace URLs accordingly.
* The migration only kicks in when the Site Address (`home_url()`) and WordPress Address (`site_url()`) match, which is the widely common case. Configurations where these differ are often maintained by more advanced users, where this migration routine would be less essential - something to potentially iterate on in the future though.
* The migration does not actually update content in the database. More savvy users that prefer to do that can prevent the migration logic from running by either deleting the `https_migration_required` option or using the new `wp_should_replace_insecure_home_url` filter.
* For fresh sites that do not have any content yet at the point of changing the URLs to HTTPS, the migration will also be skipped since it would not be relevant.
* Expose a primary action in the Site Health recommendation, if HTTPS is already supported by the environment, built on top of the HTTPS detection mechanism from [49904]. When clicked, the default behavior is to update `home_url()` and `site_url()` in one go to their HTTPS counterpart.
* A new `wp_update_urls_to_https()` function takes care of the update routine.
* A new `update_https` meta capability is introduced to control access.
* If the site's URLs are controlled by constants, this update is not automatically possible, so in these scenarios the user is informed about that in the HTTPS status check in Site Health.
* Allow hosting providers to modify the URLs linked to in the HTTPS status check in Site Health, similar to how that is possible for the URLs around updating the PHP version.
* A `WP_UPDATE_HTTPS_URL` environment variable or `wp_update_https_url` filter can be used to provide a custom URL with guidance about updating the site to use HTTPS.
* A `WP_DIRECT_UPDATE_HTTPS_URL` environment variable or `wp_direct_update_https_url` filter can be used to provide a custom URL for the primary CTA to update the site to use HTTPS.
Props flixos90, timothyblynjacobs.
Fixes#51437.
Built from https://develop.svn.wordpress.org/trunk@50131
git-svn-id: http://core.svn.wordpress.org/trunk@49810 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add a feature so Admins can send users a 'password reset' email. This doesn't change the password or force a password change. It only emails the user the password reset link.
The feature appears in several places:
* A "Send Reset Link" button on user profile screen.
* A "Send password reset" option in the user list bulk action dropdown.
* A "Send password reset" quick action when hovering over a username in the user list.
Props Ipstenu, DrewAPicture, eventualo, wonderboymusic, knutsp, ericlewis, afercia, JoshuaWold, johnbillion, paaljoachim, hedgefield.
Fixes#34281.
Built from https://develop.svn.wordpress.org/trunk@50129
git-svn-id: http://core.svn.wordpress.org/trunk@49808 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fix an issue where viewing an autosave created on a post without any previous revisions would throw a PHP notice. Also fixes the revision screen which was broken in these cases and showed a console error.
Props iseulde.
Fixes#31249.
Built from https://develop.svn.wordpress.org/trunk@50128
git-svn-id: http://core.svn.wordpress.org/trunk@49807 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, "You are using a development version" message could be displayed if the user has configured core updates to receive Beta or RC versions, but the update has not happened yet.
This brings some consistency with displaying a similar message in `core_upgrade_preamble()` on WordPress Updates screen.
Follow-up to [49708], [49736].
Props afragen, pbiron, azaozz, audrasjb, SergeyBiryukov.
Fixes#51976.
Built from https://develop.svn.wordpress.org/trunk@50121
git-svn-id: http://core.svn.wordpress.org/trunk@49800 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `WP_AUTO_UPDATE_CORE` constant now supports `development` and `branch-development` values.
This makes it possible for sites to opt-in to updating to nightly builds without having to install a plugin.
Follow-up to [49245], [49292].
Props xkon, knutsp, afragen, audrasjb, dd32.
Fixes#51978.
Built from https://develop.svn.wordpress.org/trunk@50082
git-svn-id: http://core.svn.wordpress.org/trunk@49782 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Following up on [49904], this changeset focuses mainly on improving the guidance about the current state of HTTPS in Site Health.
* Correct the existing copy to indicate that both the Site Address and the WordPress Address need to be changed to fully switch to HTTPS.
* Link to the respective input fields via anchor links rather than to the overall General Settings screen.
* Show different copy if the site is using HTTPS for the WordPress Address (for example to have only the administration panel in HTTPS), but not for the Site Address.
* Inform the user about potential problems even when the site is already using HTTPS, for example if the SSL certificate was no longer valid.
* Always rely on fresh information for determining HTTPS support issues in Site Health, and therefore change the `https_status` test to become asynchronous.
* Rename the new private `wp_is_owned_html_output()` function to a more appropriate `wp_is_local_html_output()`.
Props adamsilverstein, flixos90, johnjamesjacoby, timothyblynjacobs.
See #47577.
Built from https://develop.svn.wordpress.org/trunk@50072
git-svn-id: http://core.svn.wordpress.org/trunk@49773 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The function `wp_text_diff` generated an invalid table structure if the $args parameter contained any values. This patch corrects the structure generated by `wp_text_diff` and related usages so that the column count matches the data generated. Additionally, this patch passes arguments to the Revisions screen so that the screen has column headings that reflect the content in each column. Improves the accessibility and usability of the Revisions table.
Props joedolson, mehulkaklotar, afercia, adamsilverstein, zodiac1978, jeremyfelt
Fixes#25473
Built from https://develop.svn.wordpress.org/trunk@50034
git-svn-id: http://core.svn.wordpress.org/trunk@49735 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Italicized text can be difficult to read for some people with dyslexia or related forms of reading disorders. This removes italics on a number of larger blocks onpm run grunt rpf text in the admin. This has been a task 5.3; this commit closes the task. Further instances of italicized text should be addressed individually.
Props afercia, xkon, audrasjb
Fixes#47327
Built from https://develop.svn.wordpress.org/trunk@50032
git-svn-id: http://core.svn.wordpress.org/trunk@49733 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This is part of a larger project in cleaning up core's admin CSS. This collapses all colors used in the CSS to one of 12 blues, greens, reds, and yellows, 13 grays, pure black, and pure white. The colors are perceptually uniform from light to dark, half of each range has a 4.5 or higher contrast against white, the other half has a 4.5 or higher contrast against black.
Standardizing on this set of colors will help contributors make consistent, accessible design decisions. The full color palette can be seen here: https://codepen.io/ryelle/full/WNGVEjw
Props notlaura, danfarrow, kburgoine, drw158, audrasjb, Joen, hedgefield, ibdz, melchoyce.
See #49999.
Built from https://develop.svn.wordpress.org/trunk@50025
git-svn-id: http://core.svn.wordpress.org/trunk@49726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Since WordPress 2.5 and 2.6, `post_content` and `post_excerpt` have both had export-specific filters: `the_content_export`, and `the_excerpt_export`, respectively. `post_title`, however, has used `the_title_rss`, which behaves differently in two important ways:
- It strips HTML tags from the string.
- It HTML-encodes the title string.
These behaviours are not ideal for exports, since it changes the post title, resulting in data loss in export files, and incorrect post duplicate matching on import. This changes replaces the usage of `the_title_rss` with a new filter, `the_title_export`. The new filter is intended to be used in the same as `the_content_export` and `the_excerpt_export`.
Props jmdodd, audrasjb.
Fixes#52250.
Built from https://develop.svn.wordpress.org/trunk@50011
git-svn-id: http://core.svn.wordpress.org/trunk@49712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
To be able to disable jQuery Migrate as step 3 of updating the jQuery version shipped with WordPress, all `JQMIGRATE` warnings in the browser console will have to be addressed.
This includes many minor adjustments to a wide array of core files.
Follow-up to:
* Step 1: Disabling jQuery Migrate 1.4.1 in WordPress 5.5: [48323], [48324]
* Step 2: Updating jQuery to 3.5.1 and adding jQuery Migrate 3.3.x in WordPress 5.6: [49101], [49338], [49615], [49649]
Props Clorith, azaozz.
See #51812.
Built from https://develop.svn.wordpress.org/trunk@50001
git-svn-id: http://core.svn.wordpress.org/trunk@49702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This joyous marriage means that users will no longer find a selected top bulk action on a list table unexpectedly being applied instead of their selected bottom bulk action. The top and bottom controls for changing user roles are equally wedded forever too.
Props clayray, subrataemfluence, garrett-eclipse, pbiron, hareesh-pillai
Fixes#46872
Built from https://develop.svn.wordpress.org/trunk@49944
git-svn-id: http://core.svn.wordpress.org/trunk@49643 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [49154] the async Site Health tests were changed to use the REST API instead of admin-ajax. An unintended side effect of this change was that the loopback tests which tried to ping the site's `admin_url()` were no longer authenticated because admin-cookies aren't provided to the REST API.
This commit adjusts the loopback test to use the front-end `site_url` which checks that cron will function properly. A follow-up ticket will focus on tests that will cover the file editor checks.
Props Clorith.
Fixes#52097.
See #48105.
Built from https://develop.svn.wordpress.org/trunk@49917
git-svn-id: http://core.svn.wordpress.org/trunk@49616 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This allows for more flexibility when determining which version of a post is the latest one, and makes it possible to implement import logic involving updating and adding revisions to existing posts or pages.
Props jmdodd.
Fixes#52180.
Built from https://develop.svn.wordpress.org/trunk@49910
git-svn-id: http://core.svn.wordpress.org/trunk@49609 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset modifies the Site Health panel for HTTPS to provide more accurate recommendations based on whether the environment is already set up for HTTPS.
* Introduces `wp_is_using_https()` to check whether the site is configured to use HTTPS (via its Site Address and WordPress Address).
* Introduces `wp_is_https_supported()` to check whether the environment supports HTTPS. This relies on a cron job which periodically checks support using a loopback request.
Props Clorith, flixos90, miinasikk, westonruter.
Fixes#47577.
Built from https://develop.svn.wordpress.org/trunk@49904
git-svn-id: http://core.svn.wordpress.org/trunk@49603 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Whether App Passwords are being used is a global featurel, not a per-network feature. This fixes issues on Multi Network installs if App Passwords are used on a different network from where they were created.
Props spacedmonkey.
Fixes#51939.
See [49752].
Built from https://develop.svn.wordpress.org/trunk@49764
git-svn-id: http://core.svn.wordpress.org/trunk@49487 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Application Passwords uses Basic Authentication to transfer authentication details. If the site is already using Basic Auth, for instance to implement a private staging environment, then the REST API will treat this as an authentication attempt and would end up generating an error for any REST API request.
Now, Application Password authentication will only be attempted if Application Passwords is in use by a site. This is flagged by setting an option whenever an Application Password is created. An upgrade routine is added to set this option if any App Passwords already exist.
Lastly, creating an Application Password will be prevented if the site appears to already be using Basic Authentication.
Props chexwarrior, georgestephanis, adamsilverstein, helen, Clorith, marybaum, TimothyBlynJacobs.
Fixes#51939.
Built from https://develop.svn.wordpress.org/trunk@49752
git-svn-id: http://core.svn.wordpress.org/trunk@49475 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `date_i18n` function is now used when formatting the dates in PHP instead of `gmdate` which doesn't handle localization properly.
Additionally, we now use a translation to get the date format to use instead of pulling from the `date_format` option which is only supposed to affect the front-end.
Lastly, when passing the date format to the Backbone JS template, we now use `wp_json_encode()` to format the value for JavaScript. This ensures that backslashes are properly preserved which are used by some locales to escape date formatting control characters.
Props pedromendonca, TimothyBlynJacobs, ocean90, hellofromtonya, SergeyBiryukov, antpb.
Fixes#51918.
See [35811].
Built from https://develop.svn.wordpress.org/trunk@49746
git-svn-id: http://core.svn.wordpress.org/trunk@49469 1a063a9b-81f0-0310-95a4-ce76da25c4cd
r49212 greatly improved the performance of `get_dirsize()`, but also changed the structure of the data stored in the `dirsize_cache` transient. It stored relative paths instead of absolute ones, and also removed the unnecessary `size` array.
That difference in data structures led to a fatal error in the following environment:
* PHP 8
* Multisite
* A custom `WP_CONTENT_DIR` which is not a child of WP's `ABSPATH` folder (e.g., [https://roots.io/bedrock/ Bedrock])
* The `upload_space_check_disabled` option set to `0`
After upgrading to WP 5.6, the `dirsize_cache` transient still had data in the old format. When `wp-admin.php/index.php` was visited, `get_space_used()` received an `array` instead of an `int`, and tried to divide it by another `int`. PHP 7 would silently cast the arguments to match data types, but [https://wiki.php.net/rfc/arithmetic_operator_type_checks PHP 8 throws a fatal error]:
`Uncaught TypeError: Unsupported operand types: array / int`
`recurse_dirsize()` was using `ABSPATH` to convert the absolute paths to relative ones, but some upload locations are not located under `ABSPATH`. In those cases, `$directory` and `$cache_path` were identical, and that triggered the early return of the old `array`, instead of the expected `int`.
In order to avoid that, this commit restores the absolute paths, but without the `size` array. It also adds a type check when returning cached values. Using absolute paths without `size` has the result of overwriting the old data, so that it matches the new format. The type check and upgrade routine are additional safety measures.
Props peterwilsoncc, janthiel, helen, hellofromtonya, francina, pbiron.
Fixes#51913. See #19879.
Built from https://develop.svn.wordpress.org/trunk@49744
git-svn-id: http://core.svn.wordpress.org/trunk@49467 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This brings some consistency with the same check in `core_upgrade_preamble()` and avoids a PHP warning if `$cur->version` is not set.
Additionally, remove the check for `$cur->url` property, unused since [8595].
Follow-up to [49708], [49709].
Props pbiron, afragen, audrasjb.
Fixes#51892.
Built from https://develop.svn.wordpress.org/trunk@49736
git-svn-id: http://core.svn.wordpress.org/trunk@49459 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This enables, for example, the previous post status to be used by this hook without the need to first capture it on an earlier hook.
This also fixes the value of the `$fire_after_hooks` parameter in `get_default_post_to_edit()` so the `wp_after_insert_post` action correctly fires just once on the new post screen.
Props Collizo4sky, peterwilsoncc, hellofromTonya, TimothyBlynJacobs, SergeyBiryukov
Fixes#45114
Built from https://develop.svn.wordpress.org/trunk@49731
git-svn-id: http://core.svn.wordpress.org/trunk@49454 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Application Passwords introduced a new Rewrite Rule to handle the Authorization header on certain systems.
This bumps the database version and updates the file so the change is applied to sites upon upgrading to 5.6.
Follow-up to [49534].
Props pbiron, TimothyBlynJacobs, SergeyBiryukov.
Fixes#51723.
Built from https://develop.svn.wordpress.org/trunk@49632
git-svn-id: http://core.svn.wordpress.org/trunk@49370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds clearer messages about what your current settings mean for updates, uses a more compact link-based action instead of a checkbox to change the setting, and respects constants and filters.
Props audrasjb, karmatosed, helen, azaozz, hedgefield, marybaum.
Fixes#51742.
Built from https://develop.svn.wordpress.org/trunk@49587
git-svn-id: http://core.svn.wordpress.org/trunk@49325 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Its presence may conflict with `WP_Post::__get()`, which should generally fill the non-existent `post_category` property, but is not triggered if the column exists in the database.
Follow-up to [10895].
Props leogermani, davidbaumwald, hellofromTonya.
Fixes#51288.
Built from https://develop.svn.wordpress.org/trunk@49572
git-svn-id: http://core.svn.wordpress.org/trunk@49310 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Deleting all visible items on the last page of the media library previously left a blank page with no media items available. Using `wp_count_attachements` instead of `found_posts` solves the problem.
Props donsony, karmatosed, desrosj, mista-flo, justinahinon.
Fixes#39968.
Built from https://develop.svn.wordpress.org/trunk@49567
git-svn-id: http://core.svn.wordpress.org/trunk@49305 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Add a label to the readonly password input.
- Handle focus loss after revoking app passwords.
- Handle focus loss after dismissing notices.
- Mark app name as `aria-required`.
- Use `aria-label` for detailed revoke button text instead of `title`.
- Use `-1` for `tabindex` instead of `0`.
Props alexstine, afercia, sabernhardt, audrasjb, joedolson, TimothyBlynJacobs.
Fixes#51580.
Built from https://develop.svn.wordpress.org/trunk@49549
git-svn-id: http://core.svn.wordpress.org/trunk@49287 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This switches to using `wp_parse_args()` instead of a combination of `array_merge()` and `array_intersect_key()` when ensuring that all expected default keys are present in the update information for a plugin.
This prevents non-default data returned by 3rd-party plugins from being unintentionally stripped out.
Props peterwilsoncc, chriscct7.
Fixes#51609.
Built from https://develop.svn.wordpress.org/trunk@49477
git-svn-id: http://core.svn.wordpress.org/trunk@49236 1a063a9b-81f0-0310-95a4-ce76da25c4cd
App Passwords rely on the Authorization header to transport the Basic Auth credentials. For Apache web servers, WordPress automatically includes a RewriteRule to populate the value for servers running in CGI or FastCGI that wouldn't ordinarily populate the value.
This tests if the header is being filled with the expected values. For Apache users, we direct the user to visit the Permalinks settings to flush their permalinks. For all other users, we direct them to a help document on developer.wordpress.org.
Props Clorith, marybaum, TimothyBlynJacobs.
Fixes#51638.
Built from https://develop.svn.wordpress.org/trunk@49334
git-svn-id: http://core.svn.wordpress.org/trunk@49095 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Make form inputs stacked instead of inline.
- Provide a visible label for the app name.
- Add screen reader text to dismiss button.
- Make "Revoke" button label more descriptive.
- Use aria-disabled instead of disabled to avoid focus loss.
- Display password in a readonly input to assist copy and paste.
- Remove large sections of italic text.
- Use `.form-wrap` and `.form-field` to give consistent form styling.
- Improve labeling and placeholder text.
Props alexstine, georgestephanis, afercia, TimothyBlynJacobs.
Fixes#51580.
Built from https://develop.svn.wordpress.org/trunk@49294
git-svn-id: http://core.svn.wordpress.org/trunk@49056 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates `core_auto_updates_settings()` to account for the new `beta` and `rc` values for the `WP_AUTO_UPDATE_CORE` constant.
Additionally, recognize these new values as acceptable in Site Health tests.
Follow-up to [48804], [49245], [49254].
Fixes#51319. See #50907.
Built from https://develop.svn.wordpress.org/trunk@49292
git-svn-id: http://core.svn.wordpress.org/trunk@49054 1a063a9b-81f0-0310-95a4-ce76da25c4cd