Since each major-version of WordPress (like 4.0 or 4.4) gets its own series of security updates (currently 4.0.10 or 4.4.2), are the updated newer major-versions significantly more secure than updated older ones? More specifically:

Is 4.4.2 (from 2/2/2016) much more secure than 4.0.10 (also from 2/2/2016)?

And will 4.5 (when it's first released, as 4.5.0) be much more secure than 4.4.2? Or might it be less secure than 4.4.2, since 4.5 won't have had a security update yet?

asked Apr 5, 2016 at 1:37 by tzeldin88
  • 1 @MarkKaplun Do you have any evidence that they would patch, say, two security bugs, but only one in previous releases' security updates? Why would they do that? – NoBugs Commented Apr 13, 2016 at 13:33
  • @NoBugs I didn't say such a thing, but it is obvious it may happen. No one will fix design problems in an older release – Mark Kaplun Commented Apr 13, 2016 at 14:17

3 Answers

WordPress's current security policy is at https://wordpress.org/about/security/:

"While only the latest version of WordPress is officially supported, the Security Team also backports fixes to older versions as a courtesy, to ensure older sites receive critical security fixes via auto-updates."

As of 2024, security updates are backported to WordPress 4.1 and later, as you can see from the version list here. So all those versions should be equally secure.

WordPress 3.7 to 4.0 stopped receiving security updates in 2022.
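An added example, not part of any answer on this page: a small audit that classifies installed WordPress versions by whether their branch is still backported (the 4.1 floor stated above) and whether the site is on its branch's newest point release. The function names, status labels and the sample version list are assumptions for illustration; only 4.0.10 and 4.4.2 come from the question.

```python
import re

# Oldest branch still receiving backported fixes, per the answer above (as of 2024).
BACKPORT_FLOOR = (4, 1)

def parse(version):
    """'4.4' -> (4, 4, 0); '4.0.10' -> (4, 0, 10). Rejects betas, RCs and junk."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"not a WordPress release version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)

def classify(installed, branch_tips, floor=BACKPORT_FLOOR):
    """Classify one installed version against the newest release of each branch."""
    tips = {}
    for tip in branch_tips:
        p = parse(tip)
        tips[p[:2]] = max(p, tips.get(p[:2], p))  # keep the highest per branch
    v = parse(installed)
    branch = v[:2]
    if branch < floor:
        return "unsupported-branch"      # no more backports: change branch
    if branch not in tips:
        return "unknown-branch"          # the supplied version list is incomplete
    if v < tips[branch]:
        return "missing-point-release"   # backported fixes exist but are not installed
    if v > tips[branch]:
        return "ahead-of-list"           # the supplied version list is stale
    return "latest" if branch == max(tips) else "backported-current"

def audit(sites, branch_tips):
    """Map site name -> status; unparseable versions are reported, not raised."""
    report = {}
    for name, version in sites.items():
        try:
            report[name] = classify(version, branch_tips)
        except ValueError:
            report[name] = "unparseable"
    return report

# Constructed sample input: 4.0.10 and 4.4.2 are the versions quoted in the
# question; 4.3.99 is a placeholder. Use the real version list in practice.
SAMPLE_TIPS = ["4.0.10", "4.3.99", "4.4.2"]
SAMPLE_SITES = {"site-a": "4.0.10", "site-b": "4.4.1", "site-c": "4.3.99",
                "site-d": "4.4.2", "site-e": "4.5-beta1"}

if __name__ == "__main__":
    for site, status in audit(SAMPLE_SITES, SAMPLE_TIPS).items():
        print(f"{site}: {status}")
```

Only "unsupported-branch" and "missing-point-release" indicate a site that is lacking fixes already published for it.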

"are the updated newer major-versions significantly more secure than updated older ones?"

This is quite ambiguous. How significant or insignificant security changes might be, it is totally irrelevant. There might or might not be significant security enhancements between minor and major versions or even major versions as such. To really know how significant changes are between versions, you will need to go through change logs, release archives and bug reports.

"Is 4.4.2 (from 2/2/2016) much more secure than 4.0.10 (also from 2/2/2016)"

In all probability, yes. From what I could pick up, there were two security issues in WordPress v4.4.1 which were fixed in v4.4.2 and it was also fixed in v4.0 via v4.0.10. Apart from that, how v4.0 (through its minor versions) kept up with security updates in regards to v4.4, I don't know; this is something you need to backtrace. You need to remember, older versions are not actively maintained, so most updates might not reach older versions. A note from the release archive:

"None of these are safe to use, except the latest in the 4.4 series, which is actively maintained"

"And will 4.5 (when it's first released, as 4.5.0) be much more secure than 4.4.2? Or might it be less secure than 4.4.2, since 4.5 won't have had a security update yet?"

This is impossible to answer correctly. There might be some minor security issues from v4.4.2 which will be fixed in v4.5, but to be sure, you will need to dig through the bug reports. In general, newer versions should be more secure.

I think you are really missing the bigger picture here. Apart from security updates and bug fixes, why does WordPress release major versions? The core developers made a promise to release two major versions per year, each one with at least one new feature which is totally open to ideas from anyone. Apart from that, a new theme gets released once a year which follows the year in which the theme is released. For example, this year's theme is called twentysixteen.

It is true that, with every new feature or major changes to current features, there will be bugs of some sort, which might or might not lead to security issues. There might still be hidden security issues from previous versions yet to be discovered.

TO CONCLUDE

Keeping WordPress up-to-date has many more benefits than just security. Since the release of WordPress 4.0, all major releases after that saw significant changes with a lot of new exciting and very helpful features being introduced (and some not so great, like emojicons).

From a pure security point of view, it is definitely beneficial to stick to the latest stable release as it is the version that is actively being maintained, and therefore should be the most secure version. Any minor release, like version 4.0.10, is not actively maintained, and might have missed other minor security updates in the past.

As a final thought, all of the above is totally irrelevant and a waste of time if your PHP version is as old as the dinosaurs and your theme and/or plugins you are using have loopholes in them the size of the union building. Remember, WordPress, which uses PHP as its language, is just a platform for themes and plugins. It really is of no use building a proper strong foundation (up-to-date WordPress) on a sandy beach (outdated PHP) and then building a house out of straw (bad security themes and plugins) and hoping that your house will withstand floods, tremors or fires (malicious attacks).

Always use the most recent version of WordPress; security fixes are always made to the latest version.

The only time this isn't the case is in that rare situation that an older version of WordPress has a bug, and it's updated in a point release to trigger the auto-updater. This is irrelevant though if you're using the latest version of WordPress.

Tags: Relative security of different releases of WordPress