• Resolved Nikolay Nikolov

    (@nnikolov)


    Hello.
    I noticed that the Wordfence scan is saying that not having the latest major WordPress core version is a critical issue, when in fact it is a non-issue, since, as you know, WordPress releases separate minor security versions for older major versions. For example, WP 4.9.9 is as secure as 5.0.3 right now.
    Just a suggestion to consider.
    Thanks.
    Regards.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi @nnikolov,

    Thank you for the suggestion! Older major versions of WordPress (such as 4.*) are still getting security updates which makes them as secure as 5.*.

    I’ll send a message to the team to see what they think about it.

    Dave

    Thread Starter Nikolay Nikolov

    (@nnikolov)

    Thanks Dave.

    Hi again,

    So I have an update: it does look like the team has thought about this (internal ref: #FB4041).

    There are quite a few people who would like to remain on WordPress 4.x, so it makes a lot of sense to consider this as a notice, rather than a warning or critical issue.

    Dave

    Thread Starter Nikolay Nikolov

    (@nnikolov)

    Thanks for the update.
    However you decide is fine for me. But it will make the scan a little smarter, in my opinion. I noticed, for example, that the Sucuri site scan shows the version 4.9.9 as green and not a problem at all. So they know it is secure, but Wordfence thinks it is a critical issue. Not a good look 😉

    Thread Starter Nikolay Nikolov

    (@nnikolov)

    Actually, I am not entirely sure that WordPress will always push security updates to older major versions. They say they will do it on one page, but on another they say they may or may not do it.

    When a security update is pushed for the current stable release of WordPress, the core team will also push security updates for all the releases that are capable of background updates (since WordPress 3.7), so these older but still recent versions of WordPress will receive security enhancements.

    https://wordpress.org/about/security/

    The only current officially supported version is WordPress 5.0.3. Previous major releases before this may or may not get security updates as serious exploits are discovered.

    https://codex.wordpress.org/Supported_Versions

    It’s definitely something we will need to bring up with WordPress directly!

    Thanks for the page links, that’ll come in handy when we decide to move such updates into Warnings or Info instead of critical issues.

    Dave

  • The topic ‘Not having the latest major WP version should not be a problem’ is closed to new replies.