Yes, sometimes we backport critical vulnerabilities. Other times we don’t bother. It depends a lot on what’s happening – for example, a vulnerability affecting xmlrpc.php and subscribers isn’t an issue if you don’t allow subscribers on the site!

The rule is – if you don’t understand the security issue, then the simple option is to keep yourself bang up to date and hope for the best. But if it’s a big project you need sysadmins with a good understanding of web security, and you need WP developers who can understand the security issues being raised. If not, hire somebody who does. If your large project needs secure hosting or support we’re developing our support desk offering along with creating a hosting partnership with a client. Alternatively there’s always wordpress.com’s VIP hosting.

Anyway, after getting hacked in 2008, I’ve always upgraded asap on all the sites I manage (on top of other security measures of course . Most of them aren’t terribly complex, so that’s fine. But there’s a much larger project I’m working on that definitely needs a lot of breathing space between major releases. I’ve been discussing (on wp-hackers) the issue of whether older WP versions are maintained with security patches, and it seems like the current plan is to basically support X.Y until X.Y+2 is current, i.e. support the current and previous release.

I just wondered how you’ve managed this on sites you’ve not upgraded quickly. Do you apply security fixes manually?