WordPress Drops Security Support for Legacy Versions in July 2025: What It Means for Your Site

WordPress is ending security support for versions 4.1 through 4.6, leaving many sites exposed to unpatched vulnerabilities. Older PHP and database versions add to the risk, making modernization a crucial step for maintaining performance and security.

The WordPress legacy support numbers don’t lie (and they’re not pretty)

Here’s what makes this particularly interesting: less than 1% of WordPress sites are running these versions. That sounds small until you remember there are roughly 533 million WordPress websites out there. We’re talking about potentially millions of sites that just lost their security lifeline.

But WordPress isn’t stopping there. They’re also implementing something called “maintenance mode” for legacy components. Features like TinyMCE, the Customizer, and even XML-RPC are getting moved to maintenance status, which means no new features and minimal attention from developers.

And if that wasn’t enough to keep you awake at night, over 37% of WordPress sites are running database versions that have reached end of life. That’s MySQL and MariaDB versions that aren’t getting security patches anymore either.

Think about that for a second. There are lots of websites out there running on three different layers of deprecated technology all at once.

Why this matters more than you think

You might be wondering why these changes to WordPress legacy support are happening now. The answer comes down to resources and reality. The WordPress Security Team was spending most of their time creating security patches for less than 1% of installations. That’s like having your entire IT department focused on maintaining one old server while ignoring the rest of your infrastructure.

The shift makes sense from their perspective, but it creates a significant challenge for anyone still running these older versions. Every unpatched vulnerability that gets discovered becomes a permanent weakness in your system.

In 2024, over 1,600 plugins and themes were removed from the WordPress repository for unpatched security issues. That’s roughly four plugins getting kicked out every single day for security problems. Now imagine vulnerabilities surfacing at that same rate in your core WordPress installation, but with no patches coming.

The PHP problem makes everything more challenging

Here’s where things get really messy. Most sites running old WordPress versions are also running vulnerable PHP versions. PHP 7.4 reached end of life on November 28, 2022, but plenty of sites are still using it.

Only 12% of reported WordPress sites run on a PHP version actively supported by The PHP Group. The rest are essentially on a falling plane without a parachute.

The combination of outdated WordPress installations and deprecated server software creates a compounding effect. You’ve got an old WordPress version that won’t get security patches, running on old PHP that won’t get security patches, potentially using an old database that won’t get security patches. It’s like building a house of cards in a windstorm.
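
As an added example, not part of the original post: a Python inventory check for the stacked layers described above. It reads `$wp_version` from each install's `wp-includes/version.php` and flags WordPress branches at or below 4.6 and a PHP version at or below 7.4; the function names, flag strings and sample sites are assumptions, and the database layer is left out because the post names no MySQL or MariaDB versions.

```python
import re
import tempfile
from pathlib import Path

# Page: 4.1-4.6 lose support; older branches assumed unsupported too.
WP_LAST_UNSUPPORTED = (4, 6)
PHP_LAST_EOL = (7, 4)  # page: PHP 7.4 reached end of life 2022-11-28
WP_VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)


def branch(version):
    """'4.5.3' or '4.6-RC1' -> (4, 5) / (4, 6); None if not a version."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(root, php_version):
    """Find WordPress installs under root and flag unsupported layers."""
    php = branch(php_version)
    php_eol = php is not None and php <= PHP_LAST_EOL
    report = []
    for vfile in sorted(Path(root).rglob("wp-includes/version.php")):
        match = WP_VERSION_RE.search(vfile.read_text(errors="replace"))
        wp = match.group(1) if match else None
        wp_branch = branch(wp)
        flags = []
        if wp_branch is None:
            flags.append("wp-version-unknown")  # needs a manual look
        elif wp_branch <= WP_LAST_UNSUPPORTED:
            flags.append("wp-no-security-support")
        if php_eol:
            flags.append("php-end-of-life")
        report.append((vfile.parent.parent.name, wp, flags))
    return report


def demo(php_version="7.4.33"):
    """Constructed sample: three fake installs holding only version.php."""
    samples = {"intranet": "$wp_version = '4.5.3';",
               "shop": "$wp_version = '6.5.2';",
               "legacy-blog": "// constructed: no version assignment"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, line in samples.items():
            inc = Path(tmp) / name / "wp-includes"
            inc.mkdir(parents=True)
            (inc / "version.php").write_text("<?php\n" + line + "\n")
        return audit(tmp, php_version)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `audit()` at the directory that holds your sites and pass the PHP version the server actually runs; an install whose version line cannot be parsed is reported rather than skipped.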

What happens when you do nothing

Let’s talk about what “doing nothing” actually looks like in practice. It’s not just about security vulnerabilities, though those are certainly scary enough. The deeper issue is that your website becomes increasingly isolated from the modern web ecosystem.

Applications running end-of-life versions face growing risks of downtime as their codebases become deprecated and bugs accumulate. Your site might be working fine today, but what happens when a plugin that isn’t compatible with your ancient WordPress version is updated? You end up with critical errors and the need for emergency fixes.

Performance becomes another casualty. New versions of PHP regularly add features and improvements that can reduce development, hosting, or hardware costs. Staying on old versions means missing out on speed improvements that could be making your site faster and your hosting bills smaller.

There’s also the talent problem. Try finding a developer who wants to work on PHP 5.6 code in 2025. Most developers have moved on to modern tools and frameworks. When you need updates or fixes, you’ll be shopping in an increasingly shallow talent pool, often at premium prices.

The enterprise dilemma when WordPress legacy support isn’t available

For large organizations, the situation becomes even more complex. You might have dozens of WordPress sites across different divisions, some of them critical to business operations. The idea of updating them all simultaneously feels overwhelming.

But here’s what enterprise security teams understand: the community distrust towards WordPress.org has led to alternative projects providing backup repositories and update mechanisms. When your primary software source becomes unreliable or unsupported, you need alternatives.

Some organizations are looking at extended lifecycle support services. Companies like Zend provide security updates for end-of-life PHP versions, extending their useful life by years. Similar services exist for MySQL and MariaDB.

The question becomes: do you want to bet your business on third-party security patches for abandoned software, or do you want to modernize your infrastructure?

What your options actually look like

If you’re staring at this situation thinking “great, now what?”, you’ve got several paths forward.

Ryan Sullivan
Chief of Staff
