WordPress Ends Security Updates for Versions 4.1 Through 4.6

The WordPress Security Team has announced that as of July 2025, it will no longer release security updates for WordPress versions 4.1 through 4.6. These versions, first released nine or more years ago, now account for less than 1% of all WordPress installations. The move is part of a routine lifecycle management process, as the project focuses resources on the most recent, actively supported version.

Sites still running these outdated versions will become increasingly vulnerable to exploitation, as any newly discovered security flaws will remain unpatched. The WordPress Security Team emphasizes that the only fully supported version is the latest release, and security updates for older branches have been provided as a courtesy. Administrators are strongly advised to upgrade to the current version immediately.

To check their site's version, administrators can log into the WordPress dashboard and look for a notice indicating an outdated installation. The version number is displayed at the bottom of the "At a Glance" section. The Make WordPress Security blog provides further details on the end-of-support process.

This decision affects a small but potentially high-risk group of sites, particularly those that have not been maintained for years. Such sites are often targeted by automated attacks exploiting known vulnerabilities. The WordPress ecosystem, which powers over 40% of the web, regularly phases out support for older versions to encourage updates and improve overall security.

Users running versions 4.1 through 4.6 should plan an upgrade as soon as possible. The process typically involves backing up the site, updating core files, and checking plugin and theme compatibility. For those unable to upgrade immediately, additional security measures such as web application firewalls and strict access controls are recommended as temporary mitigations.