The recent security Update to WP 5.0.1 also brough an update with Version 4 to 4.9.9.
I got a clients project which where build on swamp land ages ago. Every Update is Hoping nothing will happen.
Now i do think of staying with WordPress 4 for my maintained nightmare project, if they still develop important security updates.
There is also the classic editor Plugin, which isn't working for every case. Got already another Project where an very old unmaintained Plugin get unusable. I do fear even interrupting changes with placing the classic editor. It's a quite big page and i guess my client isn't willing easily to pay a refactoring which needs several weeks on programming. Of course i can test everything on a testing system..
But of course it won't be a comfortable click of a button to update. I will need to go with SVN or GitHub i guess.
The recent security Update to WP 5.0.1 also brough an update with Version 4 to 4.9.9.
I got a clients project which where build on swamp land ages ago. Every Update is Hoping nothing will happen.
Now i do think of staying with WordPress 4 for my maintained nightmare project, if they still develop important security updates.
There is also the classic editor Plugin, which isn't working for every case. Got already another Project where an very old unmaintained Plugin get unusable. I do fear even interrupting changes with placing the classic editor. It's a quite big page and i guess my client isn't willing easily to pay a refactoring which needs several weeks on programming. Of course i can test everything on a testing system..
But of course it won't be a comfortable click of a button to update. I will need to go with SVN or GitHub i guess.
It is not recommended in any way to maintain a website on the 4.9.9 WordPress release to support legacy code that is poorly written. Although some of the security patches may be backported, scriptbots will target your website seeking out known exploits to access user data. According to WordPress:
"The only current officially supported version is WordPress 5.0.1. Previous major releases before this may or may not get security updates as serious exploits are discovered... WordPress will be backported security updates when possible, but there are no guarantee and no timeframe for older releases. There are no fixed period of support nor Long Term Support (LTS) version such as Ubuntu's. None of these are safe to use, except the latest series, which is actively maintained."
Explaining this to your client directly & making clear the security risks is most important. Create a development sandbox on a subdomain & test the WordPress updates for compatibility before you commit the changes to the live production website.
Everything that is so deep in technical debt that you are afraid to touch it needs the debt to be "paid out" and relevant upgrades to be done. If not done at some point the site will just die and there will be nothing to do about it as the upgrade paths might also not be usable any more at that point.
Generally there is no problem with keeping wordpress on older release and install the security updates when they are available, but if it is just a plot to avoid handling technical debt forever (instead of waiting for a nore appropriate time) then the end will be grim.
