Dropping security updates for WordPress versions 3.7 through 4.0

The WordPress Security Team will cease providing security updates for WordPress versions 3.7 – 4.0 in three months' time, as of December 1, 2022.

Officially, WordPress only provides support for the latest version of the software. The Security Team has historically backported security fixes to older versions as a courtesy, in the expectation that sites on those versions will be updated automatically.

Until now, these courtesy backports have covered every version of WordPress that supports automatic updates. Versions 3.7 – 4.0 have now fallen below 1% of total installs, a level of usage at which the benefit of providing these updates is outweighed by the effort involved.

Background

Sites running WordPress 3.7 – 4.0 form a very small percentage of total WordPress installations. Meanwhile, backporting security updates to older versions of WordPress takes a substantial amount of time, and that cost compounds with each new major version released.

The result of this imbalance is that the Security Team spends most of its time preparing backports for a very small minority of WordPress installations. By dropping support for these older versions, more of that time can be focused on the needs of newer versions, making them more secure.

The decision on which versions to drop support for was based on the percentage of sites reported on the statistics page.

Process

An out-of-date version of WordPress, in this case 4.0.* and older, displays a non-dismissible notice in the dashboard informing users that an update is available. In the final updates for these WordPress versions, these notices will be made more prominent and will inform the administrator that their version of WordPress is no longer receiving security updates.

Update notice for sites no longer receiving security updates: "WordPress 6.0.2 is available! Please update now. Important! Your version of WordPress (3.8.39) is no longer supported, you will not receive any security updates for your website. To keep your site secure, please update to the latest version of WordPress".

An additional string will be added to the code base to allow for the future dropping of security support. These strings will be committed to trunk and backported to each of the earlier versions prior to the release date. This will allow the Polyglots team to translate them and for the strings to begin appearing in translation packages. Don't panic: not all of the versions of WordPress containing these strings will be affected any time soon.
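Administrators of more than one site may want to find which installs sit on the affected branches before the December 1 cut-off. The following is an added example written for this page, not WordPress code: it reads the version string WordPress stores in wp-includes/version.php (`$wp_version = '6.0.2';`), maps it to a major.minor branch, and reports every site that is not on a branch still receiving backports (4.1 and newer, per the announcement; 3.7 is treated as the oldest branch that ever received them, since it introduced automatic updates). The site names and version.php contents are constructed sample input.

```python
import re

# Branches 3.7 through 4.0 lose security backports; 4.1 is the oldest
# branch that keeps receiving them (from the announcement above).
FIRST_SUPPORTED = (4, 1)
# 3.7 introduced automatic updates and is the oldest branch that ever
# received courtesy backports (assumption drawn from the text above).
FIRST_AUTOUPDATE = (3, 7)

# WordPress records its version in wp-includes/version.php as
#   $wp_version = '6.0.2';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([0-9][0-9A-Za-z.\-]*)['"]\s*;""")


def parse_version(version_php):
    """Extract the $wp_version string from the contents of version.php, or None."""
    match = VERSION_RE.search(version_php)
    return match.group(1) if match else None


def version_tuple(version):
    """'3.8.39' -> (3, 8, 39); a pre-release suffix such as '-beta1' is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def branch(version):
    """The major.minor branch a version belongs to, e.g. '4.0.38' -> (4, 0)."""
    parts = version_tuple(version)
    return parts[:2] if len(parts) >= 2 else (parts[0], 0)


def support_status(version):
    """Classify a version by whether its branch still receives security backports."""
    b = branch(version)
    if b >= FIRST_SUPPORTED:
        return "receiving backports"
    if b >= FIRST_AUTOUPDATE:
        return "backports end 2022-12-01"
    return "never received backports"


def audit(installs):
    """installs maps a site label to the text of its wp-includes/version.php.

    Returns {site: (version, status)} for every site not on a supported branch.
    A file with no recognisable version line is flagged rather than skipped,
    since an unreadable version is itself worth a look."""
    flagged = {}
    for site, text in installs.items():
        version = parse_version(text)
        if version is None:
            flagged[site] = (None, "version not found")
            continue
        status = support_status(version)
        if status != "receiving backports":
            flagged[site] = (version, status)
    return flagged


# Constructed sample input: minimal version.php files for a handful of sites.
SAMPLE_INSTALLS = {
    "blog.example": "<?php\n$wp_version = '6.0.2';\n",
    "shop.example": "<?php\n$wp_version = '3.8.39';\n",
    "legacy.example": "<?php\n$wp_version = '4.0.38';\n",
    "ancient.example": "<?php\n$wp_version = '3.6.1';\n",
    "edge.example": "<?php\n$wp_version = '4.1.36';\n",
    "broken.example": "<?php\n// version line missing\n",
}

if __name__ == "__main__":
    for site, (version, status) in sorted(audit(SAMPLE_INSTALLS).items()):
        print(f"{site}: {version} ({status})")
```

In a real fleet the dictionary would be filled by reading each site's wp-includes/version.php (over SSH, from a backup, or from a container image); the classification logic is unchanged. Comparing branches as integer tuples rather than strings avoids the usual mistake of treating "4.10" as older than "4.9".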
