1. Kurt Schlatzer

    Ultimately, it’s not the WordPress Team who is responsible for the security of users’ websites. The users are. The team’s resources are better spent focused on making the current releases as secure as possible in the face of increasing, more complex threats.

    Stop coddling users who don’t keep up with upgrades.

    There’s no defendable excuse.


  2. Scott Hartley

    This is a good move if you’re going to be running an obsolete version of the software you know you run the risk of being vulnerable to exploits. You don’t complain to Microsoft that your Windows XP PC has been hacked when they stopped supporting it years ago.

    It’s a waste of the teams time to continuously support an obsolete version of WordPress.


  3. cfoellmann

    I think there should be timeframe (eg 2 years) and all versions released within that timeframe get a patch.
    Also an option to update to another version than the most current might help users


  4. Cavalary

    One of the few remaining good things of WP, that you know you’ll get security updates, and JUST security updates, no feature changes, and be able to stick to the version you’re comfortable with, for whatever reason. Get rid of this and… Not that it’d be unexpected, with the way it’s been going for years now.
    Also, never EVER force updates automatically. And yes, people do also complain about MS ending support, and forcing updates.
    Now LTS versions could be a compromise, but it’d still be way worse than what we have now, and they’d have to be selected very carefully, have one before each significant change, so if there were 2 or more major versions in a row that were major in name only, without significant changes, you could perhaps only continue to support the last, but that’s about it. And again, even then it’d be worse that now.
    And overall, I still say that for most purposes I’d much rather have just that when it comes to software, a version I decided suited me at some point and is kept stable and secure, with devs focusing on polishing and hardening more than on the next thing all the time. And do believe that many, likely most, who just want to get something done, use software for a particular purpose (even personal purpose, I mean, not just business environments, where stability really is key), would prefer the same.


    • Aaron D. Campbell

      This seems to be cross-posted from the comments on make/core, so I figured I’d cross-post my reply as well.

      The problem is that we don’t have the people power to continue to support all the currently supported versions (16!), and since we want the software to keep moving forward and improving, that number will continue to grow. If we don’t change the versions we support and reduce the load in that way, we still have to solve the problem in some other way.

      A team of people hired by some person or company to handle backports for these older versions would be another potential way to solve the problem I suppose, but I can’t think of any person or company that would want to invest that kind of money into keeping up old versions of WordPress (that doesn’t mean they don’t exist, but I can’t think of any).


      • Jake Spurlock

        Yeah, was kind of interesting to dig into a little bit of research around this. There are agencies that have developed LTS versions of Drupal and Magento, but using that software comes with support fees to pay for the active development of these older pieces of software.

        I think that for the most part, people that are staked to older versions of WordPress are doing it intentionally and if auto-updates were introduced would bypass them.

        Doing major before the auto-updater was terrifying, and I know that I overwrote my wp-content folder when I was getting started a million years ago… 😬


  5. Ryan Hellyer

    This isn’t the first time this issue has come up. WordPress 2.0 was meant to be a long term stable version, but support for that ended up being dropped before it was even officially stated until. At that time, it appeared (to me) that there would be no backported security fixes available in future at all.

    If the team wants to continue providing this backwards compatibility, then perhaps it should just be stipulated that it’s only for one or two point releases backwards. If someone can’t upgrade in six months, then they probably never will. You can’t keep backporting fixes eternally; it’s an ever growing number of versions to support.


Comments are closed.

%d bloggers like this: