X-post: Proposal: Clarifying Core’s Database Support Policy

X-comment from +make.wordpress.org/core: Comment on Proposal: Clarifying Core's Database Support Policy

X-post: The Incident Response Team is looking for new members

X-comment from +make.wordpress.org/community: Comment on The Incident Response Team is looking for new members

Security updates will cease for WordPress versions 4.1 through 4.6

The WordPress Security Team will cease providing updates for WordPress versions 4.1 – 4.6 in July 2025.

Officially only the latest version of WordPress is supported. The Security Team historically has a practice of backporting security fixes, as necessary, as a courtesy to sites on older versions in the expectation the sites will be automatically updated.

Background

Since December 2022 these courtesy backports have been applied when necessary to versions of WordPress back to 4.1. Versions 4.1 – 4.6 have now reached levels of usage where the benefit of providing these updates is outweighed by the significant effort involved in maintaining not only the branches themselves, but also the tooling and infrastructure for performing the backporting, building, testing, and releasing that’s required in order to continue having confidence in backporting to these branches.

Well below 1% of sites are running WordPress 4.1 – 4.6 as of June 2025. Conversely, backporting security updates to older versions of WordPress takes a substantial amount of time and effort that compounds when each new major version is released. The effect of this imbalance means that during a security release the security team spends most of the time preparing backports for a minority of WordPress installations. By dropping support for these older versions, the team can continue to focus on the latest versions of WordPress which are used by the overwhelming majority of WordPress websites.

Process

Versions older than 4.7 will display a non-dismissible notice in the admin dashboard informing users that an update is available. In the final updates for these WordPress versions, these notices will be made more prominent and inform the administrator that their version of WordPress is no longer receiving security updates.

The text strings and translations for these messages already exist in all branches and won’t change.

Trac ticket

Changes to the trunk branch and the affected branches can be tracked in this Core Trac ticket.

Thanks to @desrosj for reviewing this post prior to publishing

X-post: Incident Response Team: Call for Nominations

X-comment from +make.wordpress.org/project: Comment on Incident Response Team: Call for Nominations

X-post: Update on Matrix Migration: Pausing the Transition

X-comment from +make.wordpress.org/project: Comment on Update on Matrix Migration: Pausing the Transition

X-post: Embracing Matrix for Enhanced Communication

X-comment from +make.wordpress.org/project: Comment on Embracing Matrix for Enhanced Communication

X-post: Create Tours for Make P2s

X-comment from +make.wordpress.org/meta: Comment on Create Tours for Make P2s

Dropping security updates for WordPress versions 3.7 through 4.0

The WordPress Security Team will cease providing updates for WordPress versions 3.7 – 4.0 in three months' time, as of December 1, 2022.

Officially WordPress only provides support for the latest version of the software. The Security team historically has a practice of backporting security fixes as a courtesy to sites on older versions in the expectation the sites will be automatically updated.

Until now, these courtesy backports have included all versions of WordPress supporting automatic updates. WordPress versions 3.7 – 4.0 have reached levels of usage, namely less than 1% of total installs, where the benefit of providing these updates is outweighed by the effort involved.

Background

Sites running WordPress 3.7 – 4.0 form a very low percentage of total WordPress installations. Conversely, backporting security updates to older versions of WordPress takes a substantial amount of time; this effect compounds with each new major version released.

The effect of this imbalance is that the Security team spends most of the time preparing backports for a small minority of WordPress installations. By dropping support for these older versions, the newer versions of WordPress will become more secure as more time can be focused on their needs.

The decision on which versions to drop support for was based on the percentage of sites reported on the statistics page.

Process

An out-of-date version of WordPress, in this case versions 4.0.* and older, will display a non-dismissible notice in the dashboard informing users that an update is available. In the final updates for these WordPress versions, these notices will be made more prominent and inform the administrator that their version of WordPress is no longer receiving security updates.

Update notice for sites no longer receiving security updates: "WordPress 6.0.2 is available! Please update now. Important! Your version of WordPress (3.8.39) is no longer supported, you will not receive any security updates for your website. To keep your site secure, please update to the latest version of WordPress".

An additional string will be added to the code base to allow for the future dropping of security support.
These strings will be committed to trunk and backported to each of the earlier versions prior to the release date. This will allow the Polyglot teams to translate them and for the strings to begin appearing in translation packages. Don’t panic: not all of the versions of WordPress containing these strings will be affected any time soon.

X-post: Contributor Teams: Submit WCUS 2022 Table Leads Signup Form by July 29

X-comment from +make.wordpress.org/community: Comment on Contributor Teams: Submit WCUS 2022 Table Leads Signup Form by July 29

X-post: Announcement: Incident Response Training

X-comment from +make.wordpress.org/updates: Comment on Announcement: Incident Response Training