WordPress 4.9.1 Debuts with Updates to Improve Security | eWeek

WordPress 4.9.1 Debuts with Updates to Harden Security

wordpress 4.7.3
Nov 30, 2017
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

The open-source WordPress blogging and content management system (CMS) 4.9.1 update was released on Nov. 29, providing users with security and bug fix improvements.

WordPress is one of the most widely deployed CMS technologies on the internet today, powering 25 percent or more of all websites, according to some estimates. The security enhancements included in the 4.9.1 update have not been identified with a CVE (Common Vulnerabilities and Exposures) identifier and are considered to be improvements for security resiliency.

“WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack,” WordPress developer John Blackbourn wrote in a blog post.


Among the security hardening improvements that have landed in the WordPress 4.9.1 update is the use of a properly generated hash for the newbloguser key function which is used to create new users. The code commit for the change indicates that previously a determinate substring was being used for the newbloguser key, which is not as secure.


Additional attributes added to strengthen WordPress 4.9.1 include the proper use of code escaping to the language attributes used on html elements. WordPress developers have also taken steps in the 4.9.1 update to ensure RSS feed attribute enclosures are correctly escaped as well. The process of “escaping” user data is a well-known code security best practice.

“To escape is to take the data you may already have and help secure it prior to rendering it for the end user,” WordPress explains in is code documentation.

WordPress is also improving security by removing the ability to upload JavaScript files for users who do not have the capability to run what is known as “unfiltered_html”. According to WordPress, unfiltered_html allows users to post HTML or even JavaScript code in WordPress pages, posts, comments and widgets. 

“Enabling this option for untrusted users may result in their posting malicious or poorly formatted code,” WordPress warns in its code documentation for roles and capabilities.


WordPress 4.9

The WordPress 4.9.1 release is the first incremental update to WordPress 4.9, which became generally available on Nov. 16. The WordPress 4.9 release is codenamed Tipton, after Jazz musician and band leader Billy Tipton.

WordPress 4.9 added a number of new features including enhancements to the site customzizer that enables administrators to schedule when site design changes should go live. The WordPress 4.9 update was the second major release of WordPress in 2017, following the 4.8 update that was released on June 8.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.