The WordPress security team’s biggest battle is not against hackers but its own users, millions of which continue to run sites on older versions of the CMS, and who regularly fail to apply updates to the CMS core, plugins, or themes.
Speaking at the DerbyCon cyber-security conference earlier this month, WordPress Security Team lead Aaron Campbell gave the public an insight into how the WordPress team has been addressing this issue for the past years.