Security: Cease support for WordPress 4.1 through 4.6.

johnbillion · johnbillion · commit 7c245ce79972 · 2025-06-23T18:26:45.000Z
Props desrosj, sirlouen, johnbillion. See #63595 git-svn-id: https://develop.svn.wordpress.org/trunk@60341 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/.github/workflows/reusable-phpunit-tests-v1.yml b/.github/workflows/reusable-phpunit-tests-v1.yml
@@ -3,7 +3,7 @@
 #
 # A reusable workflow that runs the PHPUnit test suite with the specified configuration.
 #
-# This workflow is used by branches 4.1 through 5.1.
+# This workflow is used by branches 4.7 through 5.1.
 ##
 name: Run PHPUnit tests
 
diff --git a/.github/workflows/test-old-branches.yml b/.github/workflows/test-old-branches.yml
@@ -47,7 +47,7 @@ jobs:
         branch: [
             '6.8', '6.7', '6.6', '6.5', '6.4', '6.3', '6.2', '6.1','6.0',
             '5.9', '5.8', '5.7', '5.6', '5.5', '5.4', '5.3', '5.2', '5.1', '5.0',
-            '4.9', '4.8', '4.7', '4.6', '4.5', '4.4', '4.3', '4.2', '4.1'
+            '4.9', '4.8', '4.7'
         ]
         include:
           # PHP Compatibility testing was introduced in 5.5.
diff --git a/.github/workflows/upgrade-testing.yml b/.github/workflows/upgrade-testing.yml
@@ -172,67 +172,12 @@ jobs:
       new-version: ${{ inputs.new-version && inputs.new-version || 'latest' }}
       multisite: ${{ matrix.multisite }}
 
-  # Tests 4.x releases where the WordPress database version changed on the oldest and newest supported versions of PHP 7.
-  #
-  # The oldest version of WordPress receiving security updates should always be tested.
-  upgrade-tests-wp-4x-php-7x-mysql:
-    name: ${{ matrix.wp }} to ${{ inputs.new-version && inputs.new-version || 'latest' }}
-    uses: ./.github/workflows/reusable-upgrade-testing.yml
-    if: ${{ github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ 'ubuntu-24.04' ]
-        php: [ '7.2', '7.4' ]
-        db-type: [ 'mysql' ]
-        db-version: [ '5.7', '8.4' ]
-        wp: [ '4.1', '4.2', '4.3', '4.4', '4.5', '4.6', '4.7' ]
-        multisite: [ false, true ]
-
-        exclude:
-          # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218.
-          - php: '7.2'
-            db-version: '8.4'
-    with:
-      os: ${{ matrix.os }}
-      php: ${{ matrix.php }}
-      db-type: ${{ matrix.db-type }}
-      db-version: ${{ matrix.db-version }}
-      wp: ${{ matrix.wp }}
-      new-version: ${{ inputs.new-version && inputs.new-version || 'latest' }}
-      multisite: ${{ matrix.multisite }}
-
-  # Tests 4.x releases where the WordPress database version changed on the oldest and newest supported versions of PHP 8.
-  #
-  # The oldest version of WordPress receiving security updates should always be tested.
+  # The oldest version of WordPress receiving security updates should always be tested against
+  # the widest possible list of PHP/MySQL combinations.
   #
-  # WordPress 4.6-4.9 are excluded from PHP 8+ testing because of the following fatal errors:
+  # WordPress 4.7 is excluded from PHP 8+ testing because of the following fatal errors:
   # - Use of __autoload().
   # - array/string offset with curly braces.
-  upgrade-tests-wp-4x-php-8x-mysql:
-    name: ${{ matrix.wp }} to ${{ inputs.new-version && inputs.new-version || 'latest' }}
-    uses: ./.github/workflows/reusable-upgrade-testing.yml
-    if: ${{ github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ 'ubuntu-24.04' ]
-        php: [ '8.0', '8.4' ]
-        db-type: [ 'mysql' ]
-        db-version: [ '5.7', '8.4' ]
-        wp: [ '4.1', '4.2', '4.3', '4.4', '4.5' ]
-        multisite: [ false, true ]
-    with:
-      os: ${{ matrix.os }}
-      php: ${{ matrix.php }}
-      db-type: ${{ matrix.db-type }}
-      db-version: ${{ matrix.db-version }}
-      wp: ${{ matrix.wp }}
-      new-version: ${{ inputs.new-version && inputs.new-version || 'latest' }}
-      multisite: ${{ matrix.multisite }}
-
-  # The oldest version of WordPress receiving security updates should always be tested against
-  # the full list of PHP/MySQL combinations.
   upgrade-tests-oldest-wp-mysql:
     name: ${{ matrix.wp }} to ${{ inputs.new-version && inputs.new-version || 'latest' }}
     uses: ./.github/workflows/reusable-upgrade-testing.yml
@@ -241,10 +186,10 @@ jobs:
       fail-fast: false
       matrix:
         os: [ 'ubuntu-24.04' ]
-        php: [ '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
+        php: [ '7.2', '7.3', '7.4' ]
         db-type: [ 'mysql' ]
         db-version: [ '5.7', '8.0', '8.4', '9.3' ]
-        wp: [ '4.1' ]
+        wp: [ '4.7' ]
         multisite: [ false, true ]
 
         exclude:
@@ -273,7 +218,7 @@ jobs:
     permissions:
       actions: read
       contents: read
-    needs: [ upgrade-tests-recent-releases, upgrade-tests-wp-6x-mysql, upgrade-tests-wp-5x-php-7x-mysql, upgrade-tests-wp-5x-php-8x-mysql, upgrade-tests-wp-4x-php-7x-mysql, upgrade-tests-wp-4x-php-8x-mysql, upgrade-tests-oldest-wp-mysql ]
+    needs: [ upgrade-tests-recent-releases, upgrade-tests-wp-6x-mysql, upgrade-tests-wp-5x-php-7x-mysql, upgrade-tests-wp-5x-php-8x-mysql, upgrade-tests-oldest-wp-mysql ]
     if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event_name != 'pull_request' && always() }}
     with:
       calling_status: ${{ contains( needs.*.result, 'cancelled' ) && 'cancelled' || contains( needs.*.result, 'failure' ) && 'failure' || 'success' }}
diff --git a/.version-support-mysql.json b/.version-support-mysql.json
@@ -182,47 +182,5 @@
 		"5.5",
 		"5.1",
 		"5.0"
-	],
-	"4-6": [
-		"5.7",
-		"5.6",
-		"5.5",
-		"5.1",
-		"5.0"
-	],
-	"4-5": [
-		"5.7",
-		"5.6",
-		"5.5",
-		"5.1",
-		"5.0"
-	],
-	"4-4": [
-		"5.7",
-		"5.6",
-		"5.5",
-		"5.1",
-		"5.0"
-	],
-	"4-3": [
-		"5.7",
-		"5.6",
-		"5.5",
-		"5.1",
-		"5.0"
-	],
-	"4-2": [
-		"5.7",
-		"5.6",
-		"5.5",
-		"5.1",
-		"5.0"
-	],
-	"4-1": [
-		"5.7",
-		"5.6",
-		"5.5",
-		"5.1",
-		"5.0"
 	]
 }
diff --git a/.version-support-php.json b/.version-support-php.json
@@ -219,50 +219,5 @@
 		"5.6",
 		"7.0",
 		"7.1"
-	],
-	"4-6": [
-		"5.2",
-		"5.3",
-		"5.4",
-		"5.5",
-		"5.6",
-		"7.0"
-	],
-	"4-5": [
-		"5.2",
-		"5.3",
-		"5.4",
-		"5.5",
-		"5.6",
-		"7.0"
-	],
-	"4-4": [
-		"5.2",
-		"5.3",
-		"5.4",
-		"5.5",
-		"5.6",
-		"7.0"
-	],
-	"4-3": [
-		"5.2",
-		"5.3",
-		"5.4",
-		"5.5",
-		"5.6"
-	],
-	"4-2": [
-		"5.2",
-		"5.3",
-		"5.4",
-		"5.5",
-		"5.6"
-	],
-	"4-1": [
-		"5.2",
-		"5.3",
-		"5.4",
-		"5.5",
-		"5.6"
 	]
 }
diff --git a/SECURITY.md b/SECURITY.md
@@ -32,13 +32,7 @@ Full details of the WordPress Security Policy and the list of covered projects a
 | 4.9.x   | Yes       |
 | 4.8.x   | Yes       |
 | 4.7.x   | Yes       |
-| 4.6.x   | Yes       |
-| 4.5.x   | Yes       |
-| 4.4.x   | Yes       |
-| 4.3.x   | Yes       |
-| 4.2.x   | Yes       |
-| 4.1.x   | Yes       |
-| < 4.1.0 | No        |
+| < 4.7.0 | No        |
 
 ## Reporting a Vulnerability
 

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`#`
`4`	`4`	`# A reusable workflow that runs the PHPUnit test suite with the specified configuration.`
`5`	`5`	`#`
`6`		`-# This workflow is used by branches 4.1 through 5.1.`
	`6`	`+# This workflow is used by branches 4.7 through 5.1.`
`7`	`7`	`##`
`8`	`8`	`name: Run PHPUnit tests`
`9`	`9`
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ jobs:`
`47`	`47`	`branch: [`
`48`	`48`	`'6.8', '6.7', '6.6', '6.5', '6.4', '6.3', '6.2', '6.1','6.0',`
`49`	`49`	`'5.9', '5.8', '5.7', '5.6', '5.5', '5.4', '5.3', '5.2', '5.1', '5.0',`
`50`		`- '4.9', '4.8', '4.7', '4.6', '4.5', '4.4', '4.3', '4.2', '4.1'`
	`50`	`+ '4.9', '4.8', '4.7'`
`51`	`51`	`]`
`52`	`52`	`include:`
`53`	`53`	`# PHP Compatibility testing was introduced in 5.5.`