As an example of how many times would you have updated within a year:
If you were on the latest version of WordPress on 5th of September 2013 which was version 3.6 then by the 5th of September 2014 you would have updated 11 times.
|#||Version||Date||Days Since Previous Update||Update Type||Comments|
|1.||3.6||1 August 2013||–||Feature Release|
|2.||3.6.1||11 September 2013||41 days||Maintenance and Security Release||fixes 13 bugs in version 3.6 – security release for all previous WordPress versions and we strongly encourage you to update your sites immediately.|
|3.||3.7||24 October 2013||43 days||Feature Release|
|4.||3.7.1||29 October 2013||5 days||Maintenance Release||addresses 11 bugs in WordPress 3.7|
|5.||3.8||12 December 2013||44 days||Feature Release||3.8 brings a fresh new look to the entire admin dashboard. WordPress is sharper than ever with new vector-based icons that scale to your screen. By ditching pixels, pages load significantly faster, too.|
|6.||3.8.1||23 January 2014||42 days||Maintenance Release||addresses 31 bugs in 3.8|
|7.||3.8.2||8 April 2014||75 days||Security Release||This is an important security release for all previous versions and we strongly encourage you to update your sites immediately.|
|8.||3.8.3||14 April 2014||6 days||Maintenance Release||fix a small but unfortunate bug in the WordPress 3.8.2 security release|
|9.||3.9||16 April 2014||2 days||Feature Release||Improved visual editing, Edit images easily, Drag and drop your images, Gallery previews etc.|
|10.||3.9.1||8 May 2014||22 days||Maintenance Release||fixes 34 bugs in 3.9|
|11.||3.9.2||6 August 2014||90 days||Security Release||This release fixes a possible denial of service issue in PHP’s XML processing amongst other fixes|
|12.||4.0||4 September 2014||29 days||Feature Release||brings you a smoother writing and management experience. Example: an editor that expands to fit your content as you write, and keeps the formatting tools available at all times|
|13.||4.0.1||20 November 2014||77 days||Critical Security Release||WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This issue does not affect version 4.0, but version 4.0.1 does address eight other security issues.|
|14.||4.1||17 December 2014||27 days||Feature Release||Distraction-free writing mode, vine embeds, new Twenty Fifteen theme and more.|
|15.||4.1.1||18 February 2015||63 days||Maintenance Release||fixes 21 bugs in version 4.1|
|16.||4.1.2||21 April 2015||62 days||Critical Security Release||Fixes a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. Fixes three other security issues.|
|17.||4.2||23 April 2015||2 days||Feature Release||Browse and preview your installed themes from the Customizer. Emoji and Press This improvements and more.|
|18.||4.2.1||27 April 2015||4 days||Critical Security Release||Fixes a cross-site scripting vulnerability, which could enable commenters to compromise a site.|
|19.||4.2.2||7 May 2015||10 days||Maintenance and Security Release||Various cross-site scripting vulnerability fixes.|
|20.||4.2.3||23 July 2015||77 days||Maintenance and Security Release||Fixes some big cross-site scripting vulnerabilities and also contains fixes for 20 bugs from 4.2|
|21.||4.2.4||4 August 2015||12 days||Maintenance and Security Release||This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site.|
It is true that since WordPress 3.7, automatic maintenance and security updates are possible on many hosting platforms. But as part of our proactive stance to improve security and reliability we advise a different approach, one we take with our own sites. We believe that security trumps convenience. But we do also believe in timely updates of those maintenance and security updates. Through our maintenance package we first update your site on a staging server to ensure the update ran smoothly and nothing breaks while updating. Occasionally there is a plugin incompatibility with an update or other code in your theme becomes incompatible with an update. We then take up to an hour to try to resolve this issue and if we can’t then we halt the update and inform you.
3.6.1 Additional Notes: Security release for all previous WordPress versions and we strongly encourage you to update your sites immediately. It addresses three issues fixed by the WordPress security team:
- Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
- Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
- Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
Additionally, security restrictions have been adjusted around file uploads to mitigate the potential for cross-site scripting.
3.7.1 Additional Notes: Bug fixes
- Images with captions no longer appear broken in the visual editor.
- Allow some sites running on old or poorly configured servers to continue to check for updates from WordPress.org.
- Avoid fatal errors with certain plugins that were incorrectly calling some WordPress functions too early.
- Fix hierarchical sorting in get_pages(), exclusions in wp_list_categories(), and in_category() when called with empty values.
- Fix a warning that may occur in certain setups while performing a search, and a few other notices.
3.8.2 Additional Notes: This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies.
- Fixes nine bugs
4.0.1 Additional Notes: This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
- Three cross-site scripting issues that a contributor or author could use to compromise a site.
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
- An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding).
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
Version 4.0.1 also fixes 23 bugs with 4.0, and we’ve made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos.