Security updates will cease for WordPress versions 4.1 through 4.6

The WordPress Security Team will cease providing updates for WordPress versions 4.1 – 4.6 in July 2025.

Officially only the latest version of WordPress is supported. The Security Team historically has a practice of backporting security fixes, as necessary, as a courtesy to sites on older versions in the expectation the sites will be automatically updated.

Background

Since December 2022 these courtesy backports have been applied when necessary to versions of WordPress back to 4.1. Versions 4.1 – 4.6 have now reached levels of usage where the benefit of providing these updates is outweighed by the significant effort involved in maintaining not only the branches themselves, but also the tooling and infrastructure for performing the backporting, building, testing, and releasing that’s required in order to continue having confidence in backporting to these branches.

Well below 1% of sites are running WordPress 4.1 – 4.6 as of June 2025. Conversely, backporting security updates to older versions of WordPress takes a substantial amount of time and effort that compounds when each new major version is released. The effect of this imbalance means that during a security release the security team spends most of the time preparing backports for a minority of WordPress installations. By dropping support for these older versions, the team can continue to focus on the latest versions of WordPress which are used by the overwhelming majority of WordPress websites.

Process

Versions older than 4.7 will display a non-dismissible notice in the admin dashboard informing users that an update is available. In the final updates for these WordPress versions, these notices will be made more prominent and inform the administrator that their version of WordPress is no longer receiving security updates.

The text strings and translations for these messages already exist in all branches and won’t change.

Trac ticket

Changes to the trunk branch and the affected branches can be tracked in this Core Trac ticket.

Thanks to @desrosj for reviewing this post prior to publishing

First major release of 2025: WordPress 6.8

WordPress 6.8 will be the first major release this year. The Beta 1 version of this release cycle was published earlier today. With this, we’re inviting security researchers to help us make WordPress 6.8 as secure as possible!

As is our tradition, between the release of WordPress 6.8 Beta 1 and the final Release Candidate (RC), we are offering double bounties for valid security vulnerabilities found in the new code. WordPress 6.8 Beta 1 contains over 370 enhancements and 520 bug fixes – more details are in the release post and testing guidelines for key features are here.

Full schedule of the 6.8 release cycle is here, with Release Candidate 3 set to be released on April 8.

Think you have found a security issue? Please reach out via HackerOne and we will take a look.

WordPress 6.6 is coming!

WordPress 6.6 will be the next major release.

With its Beta 1 set to be released on June 4th, 2024, it is about time we start inviting security researchers to look into new bugs!

Any security issue that is found after the release of WordPress 6.6 Beta 1 and before the final RC is out will be eligible for double the bounties. The security issue should be in the new code that is introduced in 6.6.

Full schedule of WordPress 6.6 Beta/RC releases is here. If you believe you have found a valid bug, please reach out to us via HackerOne. Please go through the program policy before submitting a report.

Welcoming 2024 with WordPress 6.5 Beta 1

It’s the start of a new year, and WordPress 6.5 is almost ready – the first major release of 2024!

The Beta 1 is set to be launched tomorrow, February 13, 2024. Like previous major releases, we’re inviting security researchers to try and find security issues between Beta 1 and the final release candidate that target the new code. Valid submissions will be eligible for double the bounties.

Several new features and improvements are planned for WordPress 6.5. As an example, here’s a summary of the improvements we’re going to see in the Editor, where one likely spends most of their time.

Full release schedule is here.

How to report security issues?
The WordPress security team accepts security issues through our HackerOne program. The general eligibility criteria for reports are mentioned in the program policy and must be followed.

As a reminder, reports that highlight issues in the new code will be eligible for double bounties.

Bug bounty for WordPress 6.4 Beta

Think you found a security bug in WordPress 6.4 Beta?

The WordPress Security Team wants to find potential security issues before they land in the final WordPress release. Like last time, we’d love to see researchers focusing more of their attention on new code being introduced in beta releases, so we’re offering to double the bounty for any new vulnerability in Core that is reported after Beta 1 and before the final release candidate (RC).

For example, a bug that would normally be awarded $600 would be doubled to $1200 if reported in the new code between Beta 1 and the final RC.

Release schedule for WordPress 6.4 Beta/RC releases can be found here (Beta 1 is scheduled for today). There’s usually about a month between the first beta and the last release candidate (RC).

How can I report security issues?

The WordPress security team accepts security issues through our HackerOne program. The general eligibility criteria for reports are mentioned in the program policy and must be followed.

Do existing vulnerabilities qualify if I report them during the beta period?

No, the intent of the bonus is to catch security bugs before they make it into a final release, so only vulnerabilities in new code qualify.

Doubling the Bounties for WordPress 6.3 Beta

WordPress 6.3 Beta 1 will be released later today, June 28th. As with the previous release cycles, this time too we’re focused on finding new security issues before they make it to the final release.

WordPress security team is inviting security researchers to find security bugs in WordPress 6.3. We will double the bounties for any new vulnerabilities reported in the new code for WordPress. The submission window will open today with the release of Beta 1 and close before the final release candidate (RC) is out.

We post here whenever a beta or RC release is ready: https://wordpress.org/news/.

Release schedule for WordPress 6.3 beta/RC releases can be found here.

How can I report security issues?

The WordPress security team accepts security issues through our HackerOne program, which can be found here. The general eligibility criteria for reports are mentioned in the program policy and must be followed.

Do existing vulnerabilities qualify if I report them during the beta period?

No, the intent of the bonus is to catch security bugs before they make it into a final release, so only vulnerabilities in new code qualify.

We have more info in this previous announcement.
