Should Security Fixes Continue to Be Backported to very old versions of WordPress?

Almost six years ago, WordPress 3.7 was released, and one of the major features was the new automated installation process for security and maintenance releases. Since then, this process has been used by millions of sites to stay safe and secure by receiving regular security updates. In the six years since, WordPress 3.7, as an example, has received 29 security and maintenance releases.

For the Core Security team, that means when security updates need to be released, we have to carry the testing and release process not just through the current version of WordPress: we have to test the changes, create code patches, and then release to every major version all the way back to 3.7. With 5.3 around the corner, that puts us at over fifteen major versions of WordPress to support long term.

WordPress 3.7 represents 0.1% of all WordPress sites.

There is a great deal of work in supporting this small userbase. It takes a large amount of time and energy and hurts the team’s ability to work effectively.

Looking for Feedback

We would like to find a solution to this problem and are looking for ideas on how the security team can support fewer versions of WordPress while keeping users secure against hackers and other rogue agents. Please share your thoughts in the comments!