WordPress Drops Security Support for Older Installations

WordPress has announced, with three months' warning, that it is halting all security updates for older installations, versions 3.7 through 4.0. The affected installations will display a permanent notice that cannot be dismissed.

Out of Date WordPress Installations

WordPress versions 3.7 – 4.0 will no longer receive security updates beginning on December 1, 2022.

Anyone still running these out-of-date versions of WordPress will be putting their sites at risk of being hacked once the final date of support has passed.
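For site operators who manage several installations, the practical question is which of them fall inside the 3.7 through 4.0 range named in the announcement. The following script is an added example, not code from the article or from WordPress: it reads the `$wp_version` assignment from a copy of `wp-includes/version.php` (the file WordPress core uses to record its own version), compares the major.minor part against the dropped range, and reports whether security support for that install has ended as of December 1, 2022. The sample file contents are constructed for the example.

```python
import re
from datetime import date

# Range named in the WordPress announcement, inclusive on both ends.
DROPPED_MIN = (3, 7)
DROPPED_MAX = (4, 0)
# Date after which the 3.7 - 4.0 branches receive no further security backports.
CUTOFF = date(2022, 12, 1)

# Matches the assignment WordPress core keeps in wp-includes/version.php,
# e.g.  $wp_version = '4.0.38';
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9][0-9.]*)['\"]")


def parse_wp_version(version_php: str) -> str:
    """Return the version string from the contents of wp-includes/version.php."""
    match = _VERSION_RE.search(version_php)
    if not match:
        raise ValueError("no $wp_version assignment found in version.php")
    return match.group(1)


def version_tuple(version: str) -> tuple:
    """Turn '4.0.38' into (4, 0, 38) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def support_status(version: str, today: date = CUTOFF) -> str:
    """Classify a core version against the dropped range.

    'unsupported'           -> inside 3.7 - 4.0 and the cutoff date has passed
    'support-ending'        -> inside 3.7 - 4.0 but before the cutoff date
    'outside-dropped-range' -> not covered by this announcement
    """
    major_minor = version_tuple(version)[:2]
    if DROPPED_MIN <= major_minor <= DROPPED_MAX:
        return "unsupported" if today >= CUTOFF else "support-ending"
    return "outside-dropped-range"


def audit_sites(sites: dict, today: date = CUTOFF) -> dict:
    """Map each site name to (version, status) given its version.php contents.

    `sites` is {site_name: contents_of_version_php}; the caller is expected to
    have collected those file contents from the hosts it administers.
    """
    report = {}
    for name, version_php in sites.items():
        version = parse_wp_version(version_php)
        report[name] = (version, support_status(version, today))
    return report


# Constructed sample inputs: three hypothetical sites and the relevant line
# from each one's wp-includes/version.php.
SAMPLE_SITES = {
    "legacy-blog":   "<?php\n$wp_version = '3.9.40';\n$wp_db_version = 27916;\n",
    "archive-site":  "<?php\n$wp_version = '4.0.38';\n",
    "current-site":  "<?php\n$wp_version = '6.0.2';\n",
}

if __name__ == "__main__":
    for site, (version, status) in audit_sites(SAMPLE_SITES).items():
        print(f"{site:14} {version:8} {status}")
```

Comparing `(major, minor)` tuples rather than strings matters here: a string comparison would rank `"4.0.38"` above `"4.0.4"` and `"3.10"` below `"3.7"`, which is exactly the kind of mistake that lets an affected install slip through an inventory check.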

The reason given for dropping security support is that the WordPress core development team can better focus on updating the latest versions without the burden of keeping older versions up to date.

According to the WordPress announcement:

“Officially WordPress only provides support for the latest version of the software.

The Security team historically has a practice of backporting security fixes as a courtesy to sites on older versions in the expectation the sites will be automatically updated.

Until now, these courtesy backports have included all versions of WordPress supporting automatic updates.

Versions WordPress 3.7 – 4.0 have reached levels of usage, namely less than 1% of total installs, where the benefit of providing these updates is outweighed by the effort involved.

…By dropping support for these older versions, the newer versions of WordPress will become more secure as more time can be focused on their needs.”

Which Version Should Publishers Update To?

WordPress is advising publishers to update to the very latest installation, currently at version 6.0.2.


That said, WordPress will still be providing security support for version 4.01, which was released in 2015.

This means that publishers using older versions of WordPress could upgrade to 4.01 in order to not introduce instability to their websites because of older themes, plugins or PHP versions that may be in use.

But doing so is not recommended by WordPress because while security updates are backported to older versions, hardening updates are not backported to older versions.

Security updates are patches designed to block specific critical vulnerabilities.

Hardening is updating the code to make it more secure.

Some believe that requiring users of older versions of WordPress to jump straight to the most up-to-date version is risky, because it could leave them with a non-functional website.

One commenter posted:

“Skipping through 8 years of new releases in one go is a risky operation, and by only offering that option, it’s likely to disincentivize lots of site owners from doing it. The thought process is going to be ‘Shall I press the button and see if 8 years of updates avoids breaking anything, or shall I just hope for the best leaving it on the current version which has worked thus far?’”

Permanent Notification

WordPress posted that installations from versions 4.0 and older will receive a notification within the WordPress installation that alerts publishers that their version is obsolete and that security updates have ceased, with an encouragement to update to the latest version.

Screenshot of Permanent Notification

Number of Old Versions Still in Use

According to WordPress statistics, the number of older versions that are affected by this decision constitute less than 1% of total installations.


This change should therefore not affect the vast majority of WordPress publishers.


Citation

Read the Official Announcement

Dropping security updates for WordPress versions 3.7 through 4.0

Featured image by Shutterstock/Luis Molinero

Screenshot by Author