WordPress drops security support for older installs

WordPress has issued a three-month warning that it is ending all security updates for older installations, versions 3.7 to 4.0. Affected installations will display a permanent notice that cannot be dismissed.

Outdated WordPress installations

WordPress versions 3.7 to 4.0 will no longer receive security updates starting December 1, 2022.

Anyone still running these outdated versions after the final support date will be on software that receives no security fixes at all, leaving their sites exposed to any vulnerability discovered from then on.

The reason given for dropping security support is so that the core WordPress development team can better focus on updating to the latest versions without having to maintain older versions.

According to the WordPress announcement:

“Officially, WordPress only supports the latest version of the software.

It has historically been the practice of the security team to backport security patches as a courtesy to sites on older versions in the hope that the sites will be automatically updated.

So far, these courtesy backports have included all versions of WordPress that support automatic updates.

WordPress versions 3.7 to 4.0 have reached usage levels, namely less than 1% of total installs, where the benefit of providing these updates is outweighed by the effort involved.

… By removing support for these older versions, new versions of WordPress will become more secure because more time can be spent on their needs.”

Which version should publishers update to?

WordPress advises publishers to update to the latest release, currently version 6.0.2.

That said, WordPress will still backport security fixes to version 4.1, which was released in December 2014.

This means that publishers on the affected versions could move only as far as 4.1 to avoid the instability that old themes, plugins or PHP versions might cause on a much newer release.

But WordPress does not recommend this, because only security fixes are backported to older versions; hardening changes are not.

Security updates are targeted patches that close specific, known vulnerabilities.

Hardening changes are broader improvements to the code, such as safer defaults and additional checks, that reduce the attack surface rather than fix a single reported flaw. A site on 4.1 keeps receiving the former but never gets the latter.
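The following is an added example, not code from WordPress or from the announcement, showing how a site operator could check an installation against the policy described above: it reads `$wp_version` out of `wp-includes/version.php` and classifies the install as current, still receiving courtesy backports only, losing support on December 1, 2022, or already unsupported. The cutoff date and the 3.7 to 4.0 range come from the announcement; the latest release is assumed to be 6.0.2 as stated above, the fact that automatic updates began with 3.7 is taken from the announcement's wording, and the sample `version.php` text is constructed for the demo.

```python
"""Classify a WordPress install against the 2022 backport policy.

Added example, not WordPress project code. Assumptions: latest release 6.0.2,
cutoff 2022-12-01, 3.7 = first release with automatic updates, sample
version.php is constructed here rather than read from a real install.
"""
import re
from datetime import date

CUTOFF = date(2022, 12, 1)        # courtesy backports for 3.7-4.0 stop here
FIRST_AUTO_UPDATE = (3, 7)        # background updates arrived in 3.7
LAST_DROPPED = (4, 0)             # 3.7.x through 4.0.x lose backports
LATEST_ASSUMED = "6.0.2"          # assumption: current release when written

# wp-includes/version.php contains a line like: $wp_version = '6.0.2';
_WP_VERSION_RE = re.compile(r"^\$wp_version\s*=\s*'([^']+)';", re.M)


def parse_version(text):
    """Turn '6.0.2' or '4.0.1' into a tuple of ints that compares correctly.

    A pre-release suffix such as '6.1-RC1' is dropped; a bare major like '5'
    is padded to '5.0' so major/minor comparisons always have two parts.
    """
    numeric = text.split("-")[0]
    parts = tuple(int(p) for p in numeric.split("."))
    if len(parts) < 2:
        parts += (0,)
    return parts


def wp_version_from_php(php_source):
    """Extract the $wp_version string from the contents of version.php."""
    match = _WP_VERSION_RE.search(php_source)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def support_status(version, latest=LATEST_ASSUMED, today=None):
    """Return one of: 'current', 'backports-only', 'losing-support', 'unsupported'.

    'backports-only' means security fixes are still backported but hardening
    changes are not, which is the situation of every release below the latest
    that is newer than 4.0.
    """
    today = today or date.today()
    major_minor = parse_version(version)[:2]
    if major_minor < FIRST_AUTO_UPDATE:
        return "unsupported"          # never received courtesy backports
    if major_minor <= LAST_DROPPED:
        return "unsupported" if today >= CUTOFF else "losing-support"
    if parse_version(version) < parse_version(latest):
        return "backports-only"
    return "current"


# Constructed sample of wp-includes/version.php (not from a real install).
SAMPLE_VERSION_PHP = """<?php
/**
 * Holds the WordPress version information.
 */
$wp_version = '4.0.1';
$wp_db_version = 29630;
"""


def check_sample(today=date(2022, 9, 1)):
    """Run the classification on the constructed sample; returns (version, status)."""
    version = wp_version_from_php(SAMPLE_VERSION_PHP)
    return version, support_status(version, today=today)


if __name__ == "__main__":
    ver, status = check_sample()
    print(f"WordPress {ver}: {status}")
```

On a real server the file to read is `wp-includes/version.php` under the document root; the script only needs read access to that one file, so it can run as an unprivileged user and needs no database connection.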

Some believe that asking users of older versions of WordPress to update to the newer version can be seen as risky, as it could result in a non-functional website.

A commenter posted:

“Skipping 8 years of new releases at once is a risky operation, and offering only this option may discourage many site owners from doing so. The thought process is going to be ‘Should I push the button and see if 8 years of updates avoid breaking anything, or should I just hope for the best by leaving it on the current version which has worked until now?’”

Persistent notification

WordPress has stated that installations on version 4.0 and earlier will show a notice in the WordPress dashboard alerting publishers that their version is outdated and no longer receives security updates, with an encouragement to update to the latest version.

[Screenshot: the persistent notification shown in the WordPress dashboard]

Number of older versions still in use

According to WordPress statistics, the number of older versions affected by this decision constitutes less than 1% of total installs.

This change should therefore not affect the vast majority of WordPress publishers.


Read the official announcement

Removal of security updates for WordPress versions 3.7 to 4.0

Featured image by Shutterstock/Luis Molinero

Screenshot by author
