WordPress’ Security Team announced it will be dropping support for versions 3.7 through 4.0 on December 1, 2022. To give some context for how old these versions are, in 2013, WordPress 3.7 introduced automatic background updates and 3.8 updated the admin with a new design based on the MP6 plugin.
WordPress’ official policy is that the security team only provides support for the most recent version, but as a courtesy has extended backporting security fixes to older versions that are able to receive automatic updates.
“Until now, these courtesy backports have included all versions of WordPress supporting automatic updates,” 10up-sponsored Security Team member Peter Wilson said. “Versions WordPress 3.7 – 4.0 have reached levels of usage, namely less than 1% of total installs, where the benefit of providing these updates is outweighed by the effort involved.”
More than half of all WordPress sites are on the latest version – 6.0+ (54.3%), and security updates will still be available to more than 99% of sites on older versions after this change. Wilson said the decision to drop support for 3.7 through 4.0 was based off the information reported on the statistics page.
“The effect of this imbalance means that the Security team spends most of the time preparing backports for the vast minority of WordPress installations,” Wilson said. “By dropping support for these older versions, the newer versions of WordPress will become more secure as more time can be focused on their needs.”
Over the next three months, versions 4.0 and older will receive their final updates and will also display a non-dismissible notice in the dashboard, advising users to upgrade to the latest version as their sites will no longer receive security updates.