Current WP version vs latest. WordPress core upgrades patch security CVEs almost monthly, running 2+ versions behind = active exposure. Top-3 store-breaker (WC02).
At a glance
Current WordPress core version compared against the latest release. WP core ships security CVEs almost monthly; running 2+ versions behind is active exposure.
| What it counts | installed_wp_version vs latest_wp_version (semver). Alerts when the installed minor is more than 2 releases behind. |
| REST API endpoint | GET /wp-json returns wp_version in the metadata. Latest version polled from https://api.wordpress.org/core/version-check/1.7/. |
| VAT / tax / shipping / discounts | Not applicable. |
| Status filter | All sites with REST access. |
| Refunds / cancelled / failed orders | Not applicable. |
| Currency | Not applicable. |
| Channels / sources | Affects the entire WP install. |
| Self-hosted vs managed-Woo | Self-hosted owners apply WP updates manually; many lag 1-3 minor releases. Managed-Woo auto-applies minor / security releases. WordPress.com auto-applies all releases. |
| Time window | RT (polled hourly) |
| Alert trigger | version >2 minor releases behind latest; sentiment_key stack_health |
| Roles | owner, operations |
Calculation
Calculated automatically from your WooCommerce data. See the At a glance summary above for what the metric tracks and the worked example below for a typical reading.Worked example
A self-hosted UK fashion brand. Polled 12 Apr 26.| Check | Value |
|---|---|
| Installed WP version | 6.4.3 |
| Latest WP version | 6.6.1 |
| Releases behind | 2 minors + 1 patch |
| Alert? | YES (2+ minors threshold met) |
- Self-hosted variance is the recurring theme. This brand applies WP core updates monthly during a maintenance window. Two minor versions behind is typical for self-hosted Woo. Managed-Woo (Pressable, WP Engine) auto-applies minor releases within 24-72 hours.
- WordPress core CVEs are common. The 6.4.x branch has shipped 4 security releases since 6.5.0 dropped. The merchant is exposed to all 4 unless they have a WAF (Wordfence, Sucuri) blocking the relevant attack patterns. Patching to 6.6.x closes them.
- Plugin-induced data shape variance: WP version reporting is reliable. Unlike commercial plugins, WP core version reports identically via REST API and via filesystem inspection. False positives on this card are rare.
Sibling cards merchants should reference together
| Card | Why pair it with WP Core Version |
|---|---|
| WC WC Core Version | WooCommerce plugin version; track separately. |
| WC Plugins Outdated | Stack-health peer. |
| WC Plugin Security Breach Alert | The urgent-action subset. |
| WC SSL Status | Stack-health companion. |
Reconciling against the vendor’s own dashboard
Where to look in WordPress Admin: WP Admin → Dashboard → Updates. The “WordPress” section at the top shows the installed version and any available core update. Why our number may differ from WP Admin:| Reason | Direction |
|---|---|
| Time-zone. WP transients cache update info for up to 12 hours. | Ours fresher |
| Self-hosted server uptime. Hourly poll lag if outage. | Self-resolves |
| Plugin-version compatibility. None, WP version is canonical. | n/a |
| Auto-updates. Sites configured for auto-updates may already be on the latest version even if WP Admin shows a brief “update available” between check and apply. | Self-resolves |
| Card | Expected relationship |
|---|---|
website.security_headers | Stale WP core often correlates with weak headers. |
Known limitations / merchant FAQs
Self-hosted vs managed-Woo, why does it matter? Self-hosted owns updates. Managed-Woo applies minor releases automatically. WordPress.com is fully managed. Status-filter selection, why >2 minor releases threshold? A 1-minor lag is normal (some merchants wait 2-4 weeks for stability). 2+ minors lagging means CVE exposure is accumulating; that is the right action threshold. Refund-object accounting? Not applicable. Plugin-induced data shape variance? Some “version masking” security plugins hide WP version from public-facing pages. They do NOT mask the REST API metadata, so this card detects accurately. Multi-currency, does it affect this card? No. Why does Woo and Stripe disagree? Stripe does not track WP version. Today is jumpy, why? Stable; flips on / off with version changes. Sync-lag from self-hosted server slowness? Hourly poll. Brief outages delay detection by 1-2 hours. My WP Admin shows the latest version, why is the alert firing?- Force a “Check again” in
Dashboard → Updates. - Verify the version reported in
wp-load.phpconstant$wp_version. - If genuinely up-to-date, contact support; the WordPress.org API may have stale data.