There are two changes to the way WordPress communicates with
In versions prior to WordPress 3.7, data that WordPress sends to (and receives from) api.wordpress.org is serialized using PHP’s native serialization functions. PHP-serialization has two main problems:
- Security: It has the potential to lead to security exploits via PHP object injection.
- Portability: It’s hard to unserialize these strings in other languages besides PHP.
In WordPress 3.7, most API calls have now changed so they send and receive JSON encoded data instead. The three major ones are:
- Core update checks
- Plugin update checks
- Theme update checks
The following calls have also changed, but you’re probably not so interested in these:
- Importers list
- Credits list
- Browse Happy (the browser version check)
How might this affect plugin or theme developers?
In general this won’t affect developers at all. If your plugin or theme just consumes the API then you don’t have to make any changes. The API calls that send and receive JSON encoded data have all had their version numbers bumped from 1.0 to 1.1 (for example, api.wordpress.org/plugins/update-check/1.1/). If you are consuming the version 1.0 endpoints you’ll continue to get PHP-serialized data. If you want JSON encoded data, you can switch to using the version 1.1 endpoints.
There is one situation that developers may need to account for. If your plugin or theme hooks into the update API requests in order to remove certain plugins or themes from the update checks, your code may need updating.
A common method for removing a plugin or theme from the update checks is to hook into http_request_args, unserialize the data being sent to the API, remove the given theme or plugin from the data, and serialize it again. This will no longer work in WordPress 3.7 and your code will need to be updated so it decodes and encodes the data as JSON instead.
An example of a plugin which has been updated to handle JSON encoding along with fallback support for PHP-serialization (depending on the version number in the API call) can be seen here: https://github.com/cftp/external-update-api/compare/f4d58e2…281a0ef
Note that there are two API calls which have not yet changed to using JSON encoding:
These two calls will most likely be updated to use JSON encoding in WordPress 3.8.
As part of the hardening process of this release, WordPress 3.7 will only communicate with api.wordpress.org using SSL (HTTPS) when the server supports it. This is an especially important security enhancement, given that automatic background updates are now a part of WordPress. Indeed, automatic background updates are disabled if the server cannot communicate securely with the
How might this affect plugin or theme developers?
Again, this won’t affect developers in general. If your plugin or theme hooks into API calls you may need to update your code so it handles calls to https://api.wordpress.org/ in addition to
JSON encoding and support for SSL means the WordPress.org APIs are in a much better position going forward.
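The http_request_args filter described above, written to handle both the JSON (1.1) and PHP-serialized (1.0) payloads and both URL schemes, as an added example that is not WordPress core code or the linked plugin's code. The function name, the 'plugins' body key and the plugins/active payload shape are assumptions, and the allowed_classes option needs PHP 7.0 or later.

```php
<?php
// Added example: hypothetical helper, not WordPress core or the linked plugin's code.
// Assumption: the plugin list travels in $args['body']['plugins'] and holds
// 'plugins' (file => data) and 'active' (list of files).
function example_exclude_from_update_check( array $args, $url, $plugin_file ) {
    // Accept both schemes: 3.7 uses https:// whenever the server supports SSL.
    if ( ! preg_match( '#^https?://api\.wordpress\.org/plugins/update-check/(1\.[01])/#', $url, $m ) ) {
        return $args; // Not a plugin update check.
    }
    if ( empty( $args['body']['plugins'] ) || ! is_string( $args['body']['plugins'] ) ) {
        return $args;
    }
    $is_json = ( '1.1' === $m[1] );
    if ( $is_json ) {
        $data = json_decode( $args['body']['plugins'], true );
    } else {
        // 1.0 fallback: refuse to instantiate any class except stdClass (PHP 7.0+),
        // so a tampered payload cannot trigger object injection here.
        $raw  = @unserialize( $args['body']['plugins'], array( 'allowed_classes' => array( 'stdClass' ) ) );
        $data = json_decode( json_encode( $raw ), true ); // Normalise objects to arrays.
    }
    if ( ! is_array( $data ) || ! isset( $data['plugins'] ) ) {
        return $args; // Unexpected payload: pass it through untouched.
    }
    unset( $data['plugins'][ $plugin_file ] );
    if ( isset( $data['active'] ) && is_array( $data['active'] ) ) {
        $data['active'] = array_values( array_diff( $data['active'], array( $plugin_file ) ) );
    }
    // Re-encode in the same format the endpoint version expects.
    $args['body']['plugins'] = $is_json ? json_encode( $data ) : serialize( (object) $data );
    return $args;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register the filter for this plugin's own file.
    add_filter( 'http_request_args', function ( $args, $url ) {
        return example_exclude_from_update_check( $args, $url, plugin_basename( __FILE__ ) );
    }, 5, 2 );
} else {
    // Outside WordPress: run against a constructed sample request.
    $sample = array( 'body' => array( 'plugins' => json_encode( array(
        'plugins' => array(
            'private/private.php' => array( 'Version' => '1.0' ),
            'akismet/akismet.php' => array( 'Version' => '2.5' ),
        ),
        'active'  => array( 'private/private.php', 'akismet/akismet.php' ),
    ) ) ) );
    $out = example_exclude_from_update_check( $sample, 'https://api.wordpress.org/plugins/update-check/1.1/', 'private/private.php' );
    echo $out['body']['plugins'], "\n";
}
```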