WordPress has announced a three-month warning period, indicating that it will cease all security updates for older installations, specifically versions 3.7 through 4.0. Users of these versions will see a permanent notice that cannot be dismissed.
Outdated WordPress Installations
Starting December 1, 2022, WordPress versions 3.7 through 4.0 will no longer receive security updates. This cessation of support means that sites using these outdated versions will be at increased risk of hacking after the deadline.
The primary reason for discontinuing security support is to allow the WordPress core development team to focus on updating the latest versions without the added burden of maintaining older versions.
Official WordPress Announcement
According to the WordPress announcement:
“Officially, WordPress only provides support for the latest version of the software. The Security team historically has a practice of backporting security fixes as a courtesy to sites on older versions in the expectation the sites will be automatically updated. Until now, these courtesy backports have included all versions of WordPress supporting automatic updates. Versions 3.7 through 4.0 have reached levels of usage, namely less than 1% of total installs, where the benefit of providing these updates is outweighed by the effort involved. … By dropping support for these older versions, the newer versions of WordPress will become more secure as more time can be focused on their needs.”
Recommended Updates for Publishers
WordPress advises publishers to update to the latest version, which is currently 6.0.2. However, security support will still be provided for version 4.01, released in 2015. This means that publishers on older versions could upgrade only as far as 4.01 to avoid the potential instability caused by outdated themes, plugins, or PHP versions. Nonetheless, WordPress does not recommend this, because hardening improvements are not backported to older branches, even though security patches are.
Security updates are patches for specific critical vulnerabilities, while hardening means changing the code itself so that it is more resistant to attack in general. Some believe that jumping from a very old version straight to the most recent one could be risky and might leave a site non-functional.
One commenter stated:
“Skipping through 8 years of new releases in one go is a risky operation, and by only offering that option, it’s likely to disincentivize lots of site owners from doing it. The thought process is going to be ‘Shall I press the button and see if 8 years of updates avoids breaking anything, or shall I just hope for the best leaving it on the current version which has worked thus far?’”
Permanent Notification
WordPress has indicated that installations from version 4.0 and older will receive a permanent notification within the WordPress installation. This notice will alert publishers that their version is obsolete and security updates have stopped, encouraging them to update to the latest version.
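A site owner who never opens the dashboard will never see that notice, so an inventory check from the filesystem is useful. The following Python is an added example, not code from the article or from WordPress itself: it reads the `$wp_version` string that core stores in wp-includes/version.php and reports which installs fall in the 3.7 through 4.0 range the announcement covers. The install paths and version strings are constructed samples.

```python
import re
from typing import Optional

# Branches the announcement names: 3.7 through 4.0 inclusive lose security
# backports on 2022-12-01. Anything older never had them (auto-updates began in 3.7).
EOL_LOW = (3, 7)
EOL_HIGH = (4, 0)

# Core WordPress records its version in wp-includes/version.php as $wp_version = '...';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'\s*;")

def parse_version(text: str) -> tuple:
    """'4.0.38' -> (4, 0, 38); pre-release suffixes such as '-RC1' are dropped."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))

def read_wp_version(version_php: str) -> Optional[str]:
    """Return the $wp_version string from version.php contents, or None if absent."""
    match = VERSION_RE.search(version_php)
    return match.group(1) if match else None

def classify(version: str) -> str:
    """Status of one release relative to the branches being dropped."""
    major_minor = parse_version(version)[:2]
    if major_minor < EOL_LOW:
        return "never-backported"
    if major_minor <= EOL_HIGH:
        return "eol-2022-12-01"
    return "still-backported"

def audit_installs(installs: dict) -> dict:
    """Map each install path to a status, given the contents of its version.php."""
    report = {}
    for path, contents in installs.items():
        version = read_wp_version(contents)
        report[path] = classify(version) if version else "unknown-version"
    return report

# Constructed sample: version.php contents from four hypothetical installs.
SAMPLE_INSTALLS = {
    "/var/www/legacy-shop": "<?php\n$wp_version = '3.9.40';\n",
    "/var/www/brochure": "<?php\n$wp_version = '4.0.38';\n",
    "/var/www/blog": "<?php\n$wp_version = '4.1.35';\n",
    "/var/www/main": "<?php\n$wp_version = '6.0.2';\n",
}

if __name__ == "__main__":
    for path, status in sorted(audit_installs(SAMPLE_INSTALLS).items()):
        print(f"{path}: {status}")
```

In practice the contents would be read from each install's wp-includes/version.php; comparing the major and minor components as integers avoids the string-ordering mistake where "4.0" sorts before "3.7".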
Number of Outdated Versions in Use
According to WordPress statistics, the versions affected by this decision make up less than 1% of total installations. Therefore, this change is unlikely to affect the majority of WordPress users.
Citation
For further details, refer to the official announcement regarding the cessation of security updates for WordPress versions 3.7 through 4.0.