The WordPress security team announced yesterday that they have decided to stop providing security updates for WordPress versions 3.7 through 4.0 as of December 1, 2022.
Officially, WordPress only offers support for the latest version of the software. The security team has historically provided security updates as a goodwill gesture to sites with older versions, with the expectation that the sites would be updated automatically. So far, these backports have covered all versions of WordPress that support automatic updates. WordPress versions 3.7-4.0 currently account for less than 1% of total installs.
Sites running WordPress 3.7-4.0 make up a very small percentage of all WordPress installations. Backporting security updates to older versions of WordPress, on the other hand, takes a long time, and the effort grows with each new major version.
As a result, the security team spends most of their time preparing backports for the majority of WordPress installations. By dropping support for these older versions, newer versions of WordPress become more secure, as more time can be spent on their needs. The decision on which versions to stop supporting was based on the percentage of sites listed on the statistics page.
Older versions of WordPress will display an alert in the dashboard informing administrators that an update is available. In the latest updates to these WordPress versions (4.0.* and older), these notifications will be more prominent and will inform administrators that the WordPress version will no longer receive security updates.