Slashdot Mirror


WordPress To Show Warnings on Servers Running Outdated PHP Versions (zdnet.com)

The WordPress open-source content management system (CMS) will show warnings in its backend admin panel if the site runs on top of an outdated PHP version. From a report: The current plan is to have the warnings appear for sites using a PHP version prior to the 5.6.x branch (5.6 or lower). The warnings will contain a link to a WordPress support page with information on how site owners can update their server's underlying PHP version. In instances where site owners are running their WordPress portals on top of tightly-controlled web hosting environments, the web host has the option to change this link with a custom URL pointing at its own support site. [...] Around 66.7 percent of all Internet sites run an unsupported PHP version, according to W3Techs. Almost a quarter of all internet sites run on top of a WordPress CMS.

10 of 52 comments

  1. The next step by Jeremy Erwin · · Score: 2

    And if that doesn't work we'll start posting warnings to the front end!

    "Proudly Powered by a pwnable package of PHP"

  2. Joomla already does... by demon driver · · Score: 3, Insightful

    ... and it already complains about PHP 7.0 being outdated, although that's still the default on current long-time support systems like Debian Stretch or Ubuntu Server 16.04...

    The number of sites I host is not huge, but I've run into problems with some current software like MyBB while in the process of switching as many sites as possible to at least PHP 7.2.

    If many PHP sites still run on outdated PHP versions, it's not necessarily just because the admins were lazy and irresponsible...

    1. Re:Joomla already does... by 93 Escort Wagon · · Score: 2

      Yeah, I am wondering how this will work on, say, Red Hat, where they backport security fixes but don't bump the version. PHP is in @base, while WordPress is in @epel - so it may be unlikely the WordPress package will get updated to remove this new "feature".

      Red Hat / CentOS 7.6 is current, and it offers (a patched version of) PHP 5.4.

      --
      #DeleteChrome
    2. Re:Joomla already does... by fendragon · · Score: 4, Insightful

      I suspect PHP continues to be popular because of apache2's mod-php. It's just too easy to use that instead of figuring out all the CGI/FCGI options to run Python or other language of choice.

  3. The PHP way by JohnnyBGod · · Score: 2

    I bet the typical "solution" to this problem will be not to update WordPress.

  4. PHP is scripted C by KalvinB · · Score: 3, Insightful

    Hating on PHP is a litmus test for who not to hire.

    PHP lets you write code as good or bad as you are as a developer.

  5. Deflecting blame by Dracos · · Score: 5, Insightful

    Since WP's initial release in 2004, PHP has improved a lot, WordPress has not. WP is the textbook for writing terrible PHP.

    Now WP thinks they can shame hosting providers into upgrading PHP, while their own product is insecure by design? Good luck with that.

  6. Re:I'm already &*)ing tired of this. by laffer1 · · Score: 2

    This. Red Hat and CentOS releases are patched beyond the EOL date from upstream. The version number isn't enough to know if patches have been applied in these extended-support OSes.

  7. Re:Warning : by slazzy · · Score: 2

    What do you recommend for a CMS? I'd love to point my clients in a better direction.

    --
    Website Just Down For Me? Find out
  8. Higher noise floor by WoodstockJeff · · Score: 4, Informative

    One of the things that pops up in regular security audits is that the version of PHP or SQL we use "has bugs", and we should update immediately. When pressed to tell us which bugs make it insecure, we get a list... which does not include any features we use. And when they try to exploit the vulnerability, they find that it doesn't work... since they can't trigger something that isn't there.

    It doesn't mean we do not move forward - just that, if you write good code to begin with, the bugs are not a factor.

    It also means that we do not use ANY outside libraries, because we cannot control how well THEY were written. Hence, no WordPress on any of our servers!