Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
PHP Security IT

WordPress To Show Warnings on Servers Running Outdated PHP Versions (zdnet.com) 52

The WordPress open-source content management system (CMS) will show warnings in its backend admin panel if the site runs on top of an outdated PHP version. From a report: The current plan is to have the warnings appear for sites using a PHP version prior to the 5.6.x branch (5.6 or lower). The warnings will contain a link to a WordPress support page with information on how site owners can update their server's underlying PHP version. In instances where site owners are running their WordPress portals on top of tightly-controlled web hosting environments, the web host has the option to change this link with a custom URL pointing at its own support site. [...] Around 66.7 percent of all Internet sites run an unsupported PHP version, according to W3Techs. Almost a quarter of all internet sites run on top of a WordPress CMS.
This discussion has been archived. No new comments can be posted.

WordPress To Show Warnings on Servers Running Outdated PHP Versions

Comments Filter:
  • by Anonymous Coward

    other similar software already does this on the backend, and have for years. color me impressed with the wordpress team.

  • by Jeremy Erwin ( 2054 ) on Tuesday January 15, 2019 @01:18PM (#57966806) Journal

    And if that doesn't work we'll start posting warnings to the front end!

    "Proudly Powered by an pwnable package of PHP"

  • by demon driver ( 1046738 ) on Tuesday January 15, 2019 @01:21PM (#57966836) Journal

    ... and it already complains about PHP 7.0 being outdated, although that's still the default on current long-time support systems like Debian Stretch or Ubuntu Server 16.04...

    The number of sites I host is not huge, but I've run into problems with some current software like MyBB while in the process of switching as many sites as possible to at least PHP 7.2.

    If many PHP sites still run on outdated PHP versions, it's not necessarily just because the admins were lazy and irresponsible...

    • Using a shitty fucked up language like PHP is lazy and irresponsible in the first place.

      • Using a shitty fucked up language like PHP is lazy and irresponsible in the first place.

        PHP is still here because it's convenient and good enough. Why isn't something better as convenient as PHP? I don't even mean installed base, I just mean as convenient to install and use. And custom repos are acceptable.

      • No matter how much truth may be in that, I'll neither re-write every web app I find appropriate for my purpose in another language just because it was done in PHP, nor will I force myself or my customers to stick to web apps written in other languages...

    • Yeah, I am wondering how this will work on, say, Red Hat, where they back port security fixes but don't bump the version. PHP is in @base, while Wordpress is in @epel - so it may be unlikely the Wordpress package will get updated to remove this new "feature".

      Red Hat / CentOS 7.6 is current, and it offers (a patched version of) PHP 5.4.

    • PHP7.0 will continue to get security fixes on Debian Stretch for a year or two, certainly until after the next Debian release comes out.
    • by Zocalo ( 252965 )

      [Joomla] already complains about PHP 7.0 being outdated, although that's still the default on current long-time support systems like Debian Stretch or Ubuntu Server 16.04.

      Which is still fine for both Joomla and WordPress, because it still hopefully achieves the goal of getting at least some admins to notice there may be an issue and to assure themselves that they are getting any necessary security patches. An incompetent admin will ignore the message regardless, or course, but at least Joomla and WordPre

      • [Joomla] already complains about PHP 7.0 being outdated, although that's still the default on current long-time support systems like Debian Stretch or Ubuntu Server 16.04.

        Which is still fine for both Joomla and WordPress, because it still hopefully achieves the goal of getting at least some admins to notice there may be an issue and to assure themselves that they are getting any necessary security patches. An incompetent admin will ignore the message regardless, or course, but at least Joomla and WordPress will have led their horses to the water and offered them a drink.

        Yes, but then there are those admins running hosting services on always up-to-date LTS platforms who have to deal with customers (running Joomla & Co.) who complain about outdated PHP versions...

        • by Zocalo ( 252965 )
          Sure, but if you're in that boat then you presumably have a *lot* of instances and Joomla and WordPress are both open source, no? You could always create a patch to remove the prompt. I used to create custom versions of some RPMs from SRPMs for deployment to a data processing cluster and relatively minor tweaks like this were pretty easy to do with a quick edit of the source files - for most of them I wrote a shell script do all the work for me. Alternatively, if you're VM base and if the prompt is in ed
  • by JohnnyBGod ( 1088549 ) on Tuesday January 15, 2019 @01:23PM (#57966864)

    I bet the typical "solution" to this problem will be not to update WordPress.

  • 7.0 is current on most every stable release. Running Raspian Stretch, 7.0 is my best version. Loading a Buster image is costing too much space, and I'm not ready to put the 32GB chip in there just to satisfy some nerdy desire to align with the most current PHP version. This isn't the 90s, and PHP-Nuke isn't a thing so much. Let it go. And forcing me to third-party repos isn't necessarily an improvement to security.

    Buster seems ready to freeze in a few months. WordPress should kindly let this go, also. There

    • CentOS 6 is still on php 5.3.

      • by laffer1 ( 701823 )

        This. Redhat and centos releases are patched beyond the EOL date from upstream. The version number isn't enough to know if patches have been applied in these extended support OS.


  • Doesn't that cover all of them?
  • Deflecting blame (Score:5, Insightful)

    by Dracos ( 107777 ) on Tuesday January 15, 2019 @01:57PM (#57967172)

    Since WP's initial release in 2004, PHP has improved a lot, WordPress has not. WP is the textbook for writing terrible PHP.

    Now WP thinks they can shame hosting providers into upgrading PHP, while their own product is insecure by design? Good luck with that.

    • by trawg ( 308495 )

      While calling it "insecure by design" is arguably true, I think it's worth noting that it's not (really) through ignorance or apathy or anything - WP has made a conscious design decision to trade off security for usability.

      I am assuming you're referring to WP's (soft[1]) requirement for the website to be writeable by the web user. For the uninitiated with WordPress, this leads to a lot of problems when (usually) third party plugins/themes are exploited and people can write their own code to the disk, leadin

  • What about redhat / centos php?? will it flag it?

  • Joomla has been doing this for awhile.

    It's a nice help for getting clients to see the need for upgrading the PHP version.

  • ... is to hold a printout of it's Datamodell in front of your webcam when logged in to the Dashboard. WordPress then usually just blushes ashamed, wordlessly crawls into a corner and doesn't bug you for the rest of the day.

    Works every time.

  • Higher noise floor (Score:5, Informative)

    by WoodstockJeff ( 568111 ) on Tuesday January 15, 2019 @03:49PM (#57968166) Homepage

    One of the things that pops up in regular security audits is that the version of PHP or SQL we use "has bugs", and we should update immediately. When pressed to tell us which bugs make it insecure, we get a list... which does not include any features we use. And when they try to exploit the vulnerability, they find that it doesn't work... since they can't trigger something that isn't there.

    It doesn't mean we do not move forward - just that, if you write good code to begin with, the bugs are not a factor.

    It also means that we do not use ANY outside libraries, because we cannot control how well THEY were written. Hence, no Wordpress on any of our servers!

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...