diff --git a/WordPressSecurityWhitePaper.html b/WordPressSecurityWhitePaper.html index 0712f64..a3e1f8b 100644 --- a/WordPressSecurityWhitePaper.html +++ b/WordPressSecurityWhitePaper.html @@ -73,7 +73,7 @@

WordPress Security Risks, Process, and History

Automatic Background Updates for Security Releases

Starting with version 3.7, WordPress introduced automated background updates for all minor releases7, such as 3.7.1 and 3.7.2. The WordPress Security Team can identify, fix, and push out automated security enhancements for WordPress without the site owner needing to do anything on their end, and the security update will install automatically.

-

When a security update is pushed for the current stable release of WordPress, the core team will also push security updates for all the releases that are capable of background updates (since WordPress 3.7), so these older but still recent versions of WordPress will receive security enhancements.

+

When a security update is pushed for the current stable release of WordPress, the core team will also push security updates for all the releases that are capable of background updates (since WordPress 3.7). From September 2022, versions >= WordPress 4.130 will receive these updates, which currently represents over XX% of all tracked WordPress installs.

Individual site owners can opt to remove automatic background updates through a simple change in their configuration file, but keeping the functionality is strongly recommended by the core team, as well as running the latest stable release of WordPress.

2013 OWASP Top 10

@@ -205,6 +205,7 @@

Footnotes

  • [27] https://developer.wordpress.org/plugins/http-api/
  • [28] https://wordpress.org/support/wordpress-version/version-2-7/
  • [29] https://developer.wordpress.org/reference/functions/current_user_can/
    • +
  • [30] https://wordpress.org/news/2022/09/dropping-security-updates-for-wordpress-versions-3-7-through-4-0/