The WordPress Security Team won’t be providing updates for WordPress versions 3.7 through 4.0 as of December 1, 2022. The team stated that backporting security fixes to older versions is taking too much time and that versions 3.7 through 4.0 account for less than 1% of total installs.

By dropping support for old versions, the security team will be able to focus on the latest releases to provide security solutions.

The WordPress Security Team announced that they won’t be providing updates for WordPress versions 3.7 through 4.0 as of December 1, 2022. WordPress 3.7, dubbed Basie, was released in October 2013 and introduced automatic background updates for security and minor releases. The team backports security fixes for websites running older versions, with the expectation that those sites will be updated automatically.

Less than 1%

Until now, the courtesy backports covered every version that supports automatic updates. However, websites using versions between 3.7 and 4.0 now make up less than 1% of total installs, and the WordPress Security Team decided that the benefit of providing these updates is no longer worth the effort involved.

The team stated that backporting a security update to older versions is a time-consuming process and that this effect compounds with each major release. As a result, the team is spending most of its time preparing backports for a minority of WordPress installations instead of working on new projects. Dropping support for old versions used by few users will allow the team to focus on newer versions of WordPress and on the needs of their users.

WordPress versions 4.0 and older will include a non-dismissible notice in their dashboard to urge users to install the update. The WordPress Security Team said,

« An out of date version of WordPress, in this case versions 4.0.* and older, will display a non-dismissible notice in the dashboard informing users an update is available. In the final updates for these WordPress versions, these notices will be made more prominent and inform the administrator their version of WordPress is no longer receiving security updates. An additional string will be added to the code base to allow for the future dropping of security support. These strings will be committed to trunk and backported to each of the earlier versions prior to the release date. This will allow the Polyglot teams to translate them and for the strings to begin appearing in translation packages. »