Slashdot Mirror

← Back to Stories (view on slashdot.org)

WordPress To Show Warnings on Servers Running Outdated PHP Versions (zdnet.com)

Posted by msmash on from the enough-is-enough dept.

The WordPress open-source content management system (CMS) will show warnings in its backend admin panel if the site runs on top of an outdated PHP version. From a report: The current plan is to have the warnings appear for sites using a PHP version prior to the 5.6.x branch (5.6 or lower). The warnings will contain a link to a WordPress support page with information on how site owners can update their server's underlying PHP version. In instances where site owners are running their WordPress portals on top of tightly-controlled web hosting environments, the web host has the option to change this link with a custom URL pointing at its own support site. [...] Around 66.7 percent of all Internet sites run an unsupported PHP version, according to W3Techs. Almost a quarter of all internet sites run on top of a WordPress CMS.

33 of 52 comments (clear)

  1. Re:Warning : by Anonymous Coward · · Score: 1

    Wordpress and PHP are a cancer on the Internet. Just stop this shit already.

  2. wow. such innovation by Anonymous Coward · · Score: 1

    other similar software already does this on the backend, and have for years. color me impressed with the wordpress team.

  3. The next step by Jeremy+Erwin · · Score: 2

    And if that doesn't work we'll start posting warnings to the front end!

    "Proudly Powered by an pwnable package of PHP"

    1. Re:The next step by Tablizer · · Score: 1

      Cue the obligatory PHP-vs-Python fights in 3...2...1...

      --
      Table-ized A.I.
    2. Re:The next step by infolation · · Score: 1

      Or (maintaining recursive alliteration) 'Pwnable Hypertext Preprocessor'.

    3. Re: The next step by johnsnails · · Score: 1

      Leave my Personal Home Page alone

  4. Joomla already does... by demon+driver · · Score: 3, Insightful

    ... and it already complains about PHP 7.0 being outdated, although that's still the default on current long-time support systems like Debian Stretch or Ubuntu Server 16.04...

    The number of sites I host is not huge, but I've run into problems with some current software like MyBB while in the process of switching as many sites as possible to at least PHP 7.2.

    If many PHP sites still run on outdated PHP versions, it's not necessarily just because the admins were lazy and irresponsible...

    1. Re:Joomla already does... by drinkypoo · · Score: 1

      Using a shitty fucked up language like PHP is lazy and irresponsible in the first place.

      PHP is still here because it's convenient and good enough. Why isn't something better as convenient as PHP? I don't even mean installed base, I just mean as convenient to install and use. And custom repos are acceptable.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Joomla already does... by 93+Escort+Wagon · · Score: 2

      Yeah, I am wondering how this will work on, say, Red Hat, where they back port security fixes but don't bump the version. PHP is in @base, while Wordpress is in @epel - so it may be unlikely the Wordpress package will get updated to remove this new "feature".

      Red Hat / CentOS 7.6 is current, and it offers (a patched version of) PHP 5.4.

      --
      #DeleteChrome
    3. Re:Joomla already does... by fendragon · · Score: 1

      PHP7.0 will continue to get security fixes on Debian Stretch for a year or two, certainly until after the next Debian release comes out.

    4. Re:Joomla already does... by fendragon · · Score: 4, Insightful

      I suspect PHP continues to be popular because of apache2's mod-php. It's just too easy to use that instead of figuring out all the CGI/FCGI options to run Python or other language of choice.

    5. Re:Joomla already does... by Zocalo · · Score: 1

      [Joomla] already complains about PHP 7.0 being outdated, although that's still the default on current long-time support systems like Debian Stretch or Ubuntu Server 16.04.

      Which is still fine for both Joomla and WordPress, because it still hopefully achieves the goal of getting at least some admins to notice there may be an issue and to assure themselves that they are getting any necessary security patches. An incompetent admin will ignore the message regardless, or course, but at least Joomla and WordPress will have led their horses to the water and offered them a drink.

      --
      UNIX? They're not even circumcised! Savages!
    6. Re:Joomla already does... by demon+driver · · Score: 1

      No matter how much truth may be in that, I'll neither re-write every web app I find appropriate for my purpose in another language just because it was done in PHP, nor will I force myself or my customers to stick to web apps written in other languages...

    7. Re:Joomla already does... by demon+driver · · Score: 1

      [Joomla] already complains about PHP 7.0 being outdated, although that's still the default on current long-time support systems like Debian Stretch or Ubuntu Server 16.04.

      Which is still fine for both Joomla and WordPress, because it still hopefully achieves the goal of getting at least some admins to notice there may be an issue and to assure themselves that they are getting any necessary security patches. An incompetent admin will ignore the message regardless, or course, but at least Joomla and WordPress will have led their horses to the water and offered them a drink.

      Yes, but then there are those admins running hosting services on always up-to-date LTS platforms who have to deal with customers (running Joomla & Co.) who complain about outdated PHP versions...

    8. Re:Joomla already does... by Zocalo · · Score: 1

      Sure, but if you're in that boat then you presumably have a *lot* of instances and Joomla and WordPress are both open source, no? You could always create a patch to remove the prompt. I used to create custom versions of some RPMs from SRPMs for deployment to a data processing cluster and relatively minor tweaks like this were pretty easy to do with a quick edit of the source files - for most of them I wrote a shell script do all the work for me. Alternatively, if you're VM base and if the prompt is in editable file, then you could just edit the necessary file on the master server image that you are using to virtualise your hosted servers.

      --
      UNIX? They're not even circumcised! Savages!
    9. Re:Joomla already does... by drinkypoo · · Score: 1

      I recently speculated that it was because mod_perl is a pita. I wanted to use Perl rather than PHP but gave up for that reason and now I run Drupal.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:Joomla already does... by UnknownSoldier · · Score: 1

      Thanks for taking the time to reply.

      Ad hominem fallacies aside (*) that doesn't change the fact that some programming languages are total shit.

      What is THE purpose of a programming language? To communicate with a machine. You can communicate in an obtuse way, verbose way, in a precise way, in an ambiguous way, etc. There is a range of QUALITY. There is poor communication and there is good communication.

      The reality is that ALL programming languages suck -- some just more then others. One of the properties of a good programming language is that it is consistent. i.e. See PHP is a fractal of bad design

      > Sometimes I think you just hate any language that's actually useful ...

      IF I was idealist I wouldn't use any programming language -- but that is not realistic. I'm a pragmatist -- things need to get implemented in the Real World TM. However, that doesn't mean I'm going to just blindly accept and ignore the problems of a language.

      > ... extremely useful JavaScript ..

      Let's talk about Javaschit.

      Is it useful? Yes! It has become the new BASIC of the millennium. It is ubiquitous.

      I'm NOT against useful languages -- I'm against the BAD DESIGN and IMPLEMENTATION of them.

      Do you know how many man years are wasted tracking down bugs simply due to misspelling??? All because the language designer was too fucking lazy to make the KLUDGE "use strict"; the DEFAULT. It's as if NOTHING was learnt from the experience of BASIC. Gee, if only the computer could tell us about misspelled variable names, oh wait, they can! Good engineering is about FAIL EARLY. Javascript was never designed with that mindset -- it was literally hacked together in 10 days. And 20+ years later we are STILL paying the price.

      On the other end of the spectrum we have over-engineered shit like Boost where a simple to Read and Write ~25 lines implementation of CRC32 turns into 1,100+ lines of Crap++. WHEN was the last time you _actually_ needed to modify a CRC implementation??? If you need a stronger hash than CRC32 then, chances are, you are probably using a DIFFERENT hash such as FNV, SHA1, etc. due to a) performance, or b) more cryptographically secure (i.e. less collisions.) reasons. The Boost guys have become so obsessed over one little tree that they COMPLETELY missed the entire fucking forest.

      Let's talk about C. It was a stupid decision to default every function as returning int. Why wasn't the return type mandatory? Having to run a "lint" program is a SYMPTOM. So why wasn't the CAUSES addressed?

      Let's talk about C++. We are STILL waiting for modules -- something that has been standard in Pascal for 35+ years! Why aren't error messages _standardized_ ?? One of the few things MS Visual C++ does right -- is to provide an unique error code. This makes it easier to search for solutions. Go figure!

      I am extremely vocal about shitty engineering practices because I'm tired of having to deal with other people's retarded designs and waste MY timing tracking down WTF is wrong with their broken, inconsistent, implementations.

      If nothing is ever said about WHY said designs are crap then nothing will ever change.

      I am only one voice out of many saying WHY PHP sucks (When even diehard PHP users say PHP needs to die you know there is a problem.)

      People who use PHP are either ignorant, stupid, lazy or some combination of them. But that should come as no surprise -- it was designed for non-programmers. Gee and is there ANY wonder it has problems when any decent prog

  5. The PHP way by JohnnyBGod · · Score: 2

    I bet the typical "solution" to this problem will be not to update WordPress.

  6. PHP is scripted C by KalvinB · · Score: 3, Insightful

    Hating on PHP is a litmus test for who not to hire.

    PHP lets you write code as good or bad as you are as a developer.

    --
    Work Safe Porn
    1. Re:PHP is scripted C by Anonymous Coward · · Score: 1

      Defending PHP vs everything else that does it better without the 0-days is a litmus test for who not to hire. Learn a real language or don't, but stop lying.

  7. I'm already &*)ing tired of this. by rickb928 · · Score: 1

    7.0 is current on most every stable release. Running Raspian Stretch, 7.0 is my best version. Loading a Buster image is costing too much space, and I'm not ready to put the 32GB chip in there just to satisfy some nerdy desire to align with the most current PHP version. This isn't the 90s, and PHP-Nuke isn't a thing so much. Let it go. And forcing me to third-party repos isn't necessarily an improvement to security.

    Buster seems ready to freeze in a few months. WordPress should kindly let this go, also. There are greater threats. It's interesting that PHP updates and everyone loses their mind UPGRADE ALL THE PHP NOW!

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:I'm already &*)ing tired of this. by whoever57 · · Score: 1

      CentOS 6 is still on php 5.3.

      --
      The real "Libtards" are the Libertarians!
    2. Re:I'm already &*)ing tired of this. by laffer1 · · Score: 2

      This. Redhat and centos releases are patched beyond the EOL date from upstream. The version number isn't enough to know if patches have been applied in these extended support OS.

      --
      MidnightBSD: The BSD for Everyone
  8. .......outdated PHP versions.... by OutOnARock · · Score: 1, Troll


    Doesn't that cover all of them?

  9. Deflecting blame by Dracos · · Score: 5, Insightful

    Since WP's initial release in 2004, PHP has improved a lot, WordPress has not. WP is the textbook for writing terrible PHP.

    Now WP thinks they can shame hosting providers into upgrading PHP, while their own product is insecure by design? Good luck with that.

    1. Re:Deflecting blame by trawg · · Score: 1

      While calling it "insecure by design" is arguably true, I think it's worth noting that it's not (really) through ignorance or apathy or anything - WP has made a conscious design decision to trade off security for usability.

      I am assuming you're referring to WP's (soft[1]) requirement for the website to be writeable by the web user. For the uninitiated with WordPress, this leads to a lot of problems when (usually) third party plugins/themes are exploited and people can write their own code to the disk, leading to sites being compromised with malware of all sorts, or simply filling them with spam, or any number of other malicious things.

      They've made this trade off because it greatly simplifies the use of WordPress as a tool by the non-technical, in no small part due to its popularity. Arguably this is a Bad Thing because it encourages users to install their own themes/plugins/code without vetting it carefully, leading to more exploits, etc - but when used carefully and deployed with some small amount of training, it allows many users to quickly and easily deploy and manage websites.

      One interesting thing though is that it also allows them to remotely and automatically update WordPress installs. I haven't seen hard data on this but I would say purely anecdotally this has cut down on the number of exploited sites.

      I can't comment on the terribleness of the rest of the code; I tinker with it a bit and generally find it fairly easy to figure out what is going on. I would love to see the writing-to-disk requirement removed but it would change the whole thing in major ways. I have a few WordPress sites that I run with no disk writing permissions; I have a separate httpd running on a different port as a user with write permissions, so that I can maintain it easily via the website but public access all happens on an account with no write access. I lose automatic updates but I feel safer :)

      [1] I say 'soft' because you can run a WordPress site quite happily with no disk writing access; you just need to manually perform any actions that require disk access (updating core, installing themes/plugins, modifying .htaccess if on Apache, etc). This limits the impact of many exploits.

  10. What about redhat / centos php?? will it flag it? by Joe_Dragon · · Score: 1

    What about redhat / centos php?? will it flag it?

  11. So, like Joomla by cascadingstylesheet · · Score: 1

    Joomla has been doing this for awhile.

    It's a nice help for getting clients to see the need for upgrading the PHP version.

  12. The way to make WordPress shut up ... by Qbertino · · Score: 1

    ... is to hold a printout of it's Datamodell in front of your webcam when logged in to the Dashboard. WordPress then usually just blushes ashamed, wordlessly crawls into a corner and doesn't bug you for the rest of the day.

    Works every time.

    --
    We suffer more in our imagination than in reality. - Seneca
  13. Re:Warning : by slazzy · · Score: 2

    What do you recommend for a CMS? I'd love to point my clients in a better direction.

    --
    Website Just Down For Me? Find out
  14. Higher noise floor by WoodstockJeff · · Score: 4, Informative

    One of the things that pops up in regular security audits is that the version of PHP or SQL we use "has bugs", and we should update immediately. When pressed to tell us which bugs make it insecure, we get a list... which does not include any features we use. And when they try to exploit the vulnerability, they find that it doesn't work... since they can't trigger something that isn't there.

    It doesn't mean we do not move forward - just that, if you write good code to begin with, the bugs are not a factor.

    It also means that we do not use ANY outside libraries, because we cannot control how well THEY were written. Hence, no Wordpress on any of our servers!

  15. Re:Warning : by Anonymous Coward · · Score: 1

    Wordpress itself is bad. It allows people who don't know a single thing about security operate a website that inevitably becomes a spam magnet and malware/phishing site once the user doesn't monitor it for a few days.

    In all seriousness, people who hate on PHP are very likely racist jackasses in real life and we would be better off without them developing anything. If a specific language is popular for a specific reason, it's because it's the most practical use case for that language. Hence PHP is the ideal language for server-sided scripting. Not NPM. Not Java. Not Python or Ruby. Most of the shit developed with Python or Ruby is even easier broken just by updating the OS.

    Javascript remains the de-facto language used by the web-clients. It's a pity that during the development of the two (PHP and Javascript) that something like JSON was part of the core spec, and instead both embraced XML which was overtly convoluted, yet worked if both ends knew what they were doing.

    What we have today are piles of shitty frameworks (eg Symphony) and javascript libraries (eg jQuery being the most notorious) that hide the security issues from the end developer, and instead require duplicating efforts 4 or more times, once in PHP, one in Javascript, once in YML, a second time in the javascript helper tool. And for what? Big, Ugly, Bloated "responsive" websites that break if you if so much as breathe on them.

    I don't appreciate all the updates to PHP, because they have this shitty habit of depreciating things that do not need to be depreciated. They just arbitrarily change things and don't put in any translation layers. Take for example Wordpress was still using the MySQL functions instead of MySQLi or any other DBAL as recently as 2017, and sure enough broke a shit-tonne of shitty wordpress plugins. They only made the switch after PHP deferred removal of MySQL to 7.0, which they were going to remove it in 5.6.

    Yet, there is no reason to remove that function series at all, they want to remove it keep the OOP nerds happy. Another thing that changed for no damn reason was all the functions that involve regex. I won't even get into it, but in converting sites from 5.4 and earlier to 7.0 compatible, the mysql functions and the regex functions are the biggest issues. Another one is how php access system functions, completely broken, but that's a good thing.

    You should not have php accessing system functions unless it's a system script. Accessing them from the web is plain stupid.

  16. Re: Warning : by rhodium_mir · · Score: 1

    That is useful information. Thank you.

    --
    You can't spell "oneiromancy" without "roman".