Security Updates to Be Discontinued for WordPress Versions 4.1–4.6

Starting July 2025, the WordPress Security Team will no longer provide updates for WordPress versions 4.1 through 4.6. While official support is limited to the latest WordPress release, the team has long offered backported security fixes to older versions in the hope that the sites will be updated to the latest version. With this change, site owners are strongly encouraged to upgrade to the latest version to maintain security and support.

Why Support for WordPress 4.1–4.6 Is Being Dropped

Since December 2022, the WordPress Security Team has been applying security backports to versions as old as 4.1. Usage of these versions (4.1–4.6) has dropped considerably, and maintaining them is no longer worth the effort. Maintaining these versions isn’t just about fixing code; it also involves keeping special tools, systems, and processes in place to safely backport, build, test, and release updates.

As John Blackbourn stated, “Versions 4.1 – 4.6 have now reached levels of usage where the benefit of providing these updates is outweighed by the significant effort involved in maintaining not only the branches themselves, but also the tooling and infrastructure for performing the backporting, building, testing, and releasing that’s required in order to continue having confidence in backporting to these branches.”

As of now, the number of websites running WordPress 4.1-4.6 is less than 1%. Updating older versions of WordPress with security fixes already takes a lot of time and effort. But as new major versions of WordPress continue to be released, this workload keeps increasing, making the process even more demanding over time.

This leads to a situation where a good amount of the security team’s time is spent supporting a small share of specific WordPress version installations. As highlighted, “Conversely, backporting security updates to older versions of WordPress takes a substantial amount of time and effort that compounds when each new major version is released. The effect of this imbalance means that during a security release the security team spends most of the time preparing backports for a minority of WordPress installations.”

Now, by dropping support for these older versions, the team can focus better, as stated, “By dropping support for these older versions, the team can continue to focus on the latest versions of WordPress which are used by the overwhelming majority of WordPress websites.”

The process will involve WordPress versions below 4.7 showing a non-dismissible dashboard notice stating that security update support has ended and urging admins to update to the latest version.

A Core Trac ticket has also been created to track the changes.
