WordPress To Drop Security Updates for Versions 3.7 Through 4.0 by December, 2022

WordPress’ Security Team announced it will be dropping support for versions 3.7 through 4.0 on December 1, 2022. To give some context for how old these versions are, in 2013, WordPress 3.7 introduced automatic background updates and 3.8 updated the admin with a new design based on the MP6 plugin.

WordPress’ official policy is that the security team only provides support for the most recent version, but as a courtesy the team has backported security fixes to older versions that are able to receive automatic updates.

“Until now, these courtesy backports have included all versions of WordPress supporting automatic updates,” 10up-sponsored Security Team member Peter Wilson said. “Versions WordPress 3.7 – 4.0 have reached levels of usage, namely less than 1% of total installs, where the benefit of providing these updates is outweighed by the effort involved.”

More than half of all WordPress sites are on the latest version – 6.0+ (54.3%), and security updates will still be available to more than 99% of sites on older versions after this change. Wilson said the decision to drop support for 3.7 through 4.0 was based on the information reported on the statistics page.

WordPress version stats – 9/7/2022

“The effect of this imbalance means that the Security team spends most of the time preparing backports for the vast minority of WordPress installations,” Wilson said. “By dropping support for these older versions, the newer versions of WordPress will become more secure as more time can be focused on their needs.”

Over the next three months, versions 4.0 and older will receive their final updates and will also display a non-dismissible notice in the dashboard, advising users to upgrade to the latest version as their sites will no longer receive security updates.


3 responses to “WordPress To Drop Security Updates for Versions 3.7 Through 4.0 by December, 2022”

  1. Finally.

    People need to update things. Yes they might break, hence you do not update on the live site until you have tried things out on a test site (or local version).
    I had to update a client this morning from 4.0 to 6.0.2.

    Yes, I had to remove a few plugins and replace them with newer ones that do the same thing but they are recently updated.

    I have zero sympathy for anyone’s site that gets hacked because you have plugins/themes/core that haven’t been updated since I was a teenager (I turned 44 a week ago).
    If you hire someone to maintain your website and they give you whatever excuse to not do it right away…then fire them. If they are paid to do updates but use the automatic updates feature…..fire them.

    There is absolutely no excuse to have an old out of date WP, Drupal, Joomla or whatever else………

    Obviously if the person you hired is in Sydney, Australia (05:54) even though I, in Eastern Time (Toronto, Canada), am at 15:54…yes I would understand why they would not do the updates right away at 6 minutes before 6am.

  2. Smart move. It’s in everyone’s interest to stay current with their versions. I once cleaned a hacked site that was using WP v2.x. I’m pretty sure the ghost of Elvis was living in a hidden directory under wp-includes.
