WordPress To Show Warnings on Servers Running Outdated PHP Versions (zdnet.com)
The WordPress open-source content management system (CMS) will show warnings in its backend admin panel if the site runs on top of an outdated PHP version. From a report: The current plan is to have the warnings appear for sites using a PHP version prior to the 5.6.x branch (5.6 or lower). The warnings will contain a link to a WordPress support page with information on how site owners can update their server's underlying PHP version. In instances where site owners are running their WordPress portals on top of tightly-controlled web hosting environments, the web host has the option to change this link with a custom URL pointing at its own support site. [...] Around 66.7 percent of all Internet sites run an unsupported PHP version, according to W3Techs. Almost a quarter of all internet sites run on top of a WordPress CMS.
Re: (Score:1)
WordPress and PHP are a cancer on the Internet. Just stop this shit already.
PHP is scripted C (Score:4, Insightful)
Hating on PHP is a litmus test for who not to hire.
PHP lets you write code as good or bad as you are as a developer.
Re: (Score:1)
Defending PHP vs everything else that does it better without the 0-days is a litmus test for who not to hire. Learn a real language or don't, but stop lying.
Re: (Score:3)
Re: (Score:2)
That is useful information. Thank you.
Re: (Score:1)
WordPress itself is bad. It allows people who don't know a single thing about security to operate a website that inevitably becomes a spam magnet and malware/phishing site once the user doesn't monitor it for a few days.
In all seriousness, people who hate on PHP are very likely racist jackasses in real life and we would be better off without them developing anything. If a specific language is popular for a specific reason, it's because it's the most practical use case for that language. Hence PHP is the ideal
wow. such innovation (Score:1)
Other similar software already does this on the backend, and has for years. Color me impressed with the WordPress team.
The next step (Score:3)
And if that doesn't work we'll start posting warnings to the front end!
"Proudly Powered by a pwnable package of PHP"
Re: (Score:1)
Cue the obligatory PHP-vs-Python fights in 3...2...1...
Re: (Score:2)
Re: The next step (Score:2)
Joomla already does... (Score:4, Insightful)
... and it already complains about PHP 7.0 being outdated, although that's still the default on current long-time support systems like Debian Stretch or Ubuntu Server 16.04...
The number of sites I host is not huge, but I've run into problems with some current software like MyBB while in the process of switching as many sites as possible to at least PHP 7.2.
If many PHP sites still run on outdated PHP versions, it's not necessarily just because the admins were lazy and irresponsible...
Re: (Score:1)
Using a shitty fucked up language like PHP is lazy and irresponsible in the first place.
Re: (Score:2)
Using a shitty fucked up language like PHP is lazy and irresponsible in the first place.
PHP is still here because it's convenient and good enough. Why isn't something better as convenient as PHP? I don't even mean installed base, I just mean as convenient to install and use. And custom repos are acceptable.
Re:Joomla already does... (Score:5, Insightful)
Re: (Score:2)
I recently speculated that it was because mod_perl is a PITA. I wanted to use Perl rather than PHP but gave up for that reason and now I run Drupal.
Re: (Score:2)
No matter how much truth may be in that, I'll neither re-write every web app I find appropriate for my purpose in another language just because it was done in PHP, nor will I force myself or my customers to stick to web apps written in other languages...
Re: (Score:2)
Thanks for taking the time to reply.
Ad hominem fallacies aside (*) that doesn't change the fact that some programming languages are total shit.
What is THE purpose of a programming language? To communicate with a machine. You can communicate in an obtuse way, verbose way, in a precise way, in an ambiguous way, etc. There is a range of QUALITY. There is poor communication and there is good communication.
The reality is that ALL programming languages suck -- some just more than others. One of the properties
Re: (Score:3)
Yeah, I am wondering how this will work on, say, Red Hat, where they backport security fixes but don't bump the version. PHP is in @base, while WordPress is in @epel - so it may be unlikely the WordPress package will get updated to remove this new "feature".
Red Hat / CentOS 7.6 is current, and it offers (a patched version of) PHP 5.4.
Re: (Score:2)
Re: (Score:2)
Which is still fine for both Joomla and WordPress, because it still hopefully achieves the goal of getting at least some admins to notice there may be an issue and to assure themselves that they are getting any necessary security patches. An incompetent admin will ignore the message regardless, of course, but at least Joomla and WordPre
Re: (Score:2)
Which is still fine for both Joomla and WordPress, because it still hopefully achieves the goal of getting at least some admins to notice there may be an issue and to assure themselves that they are getting any necessary security patches. An incompetent admin will ignore the message regardless, of course, but at least Joomla and WordPress will have led their horses to the water and offered them a drink.
Yes, but then there are those admins running hosting services on always up-to-date LTS platforms who have to deal with customers (running Joomla & Co.) who complain about outdated PHP versions...
Re: (Score:2)
The PHP way (Score:3)
I bet the typical "solution" to this problem will be not to update WordPress.
I'm already &*)ing tired of this. (Score:2)
7.0 is current on most every stable release. Running Raspbian Stretch, 7.0 is my best version. Loading a Buster image is costing too much space, and I'm not ready to put the 32GB chip in there just to satisfy some nerdy desire to align with the most current PHP version. This isn't the 90s, and PHP-Nuke isn't a thing so much. Let it go. And forcing me to third-party repos isn't necessarily an improvement to security.
Buster seems ready to freeze in a few months. WordPress should kindly let this go, also. There
Re: (Score:2)
CentOS 6 is still on PHP 5.3.
Re: (Score:3)
This. Red Hat and CentOS releases are patched beyond the EOL date from upstream. The version number isn't enough to know if patches have been applied in these extended support OSes.
.......outdated PHP versions.... (Score:2, Troll)
Doesn't that cover all of them?
Deflecting blame (Score:5, Insightful)
Since WP's initial release in 2004, PHP has improved a lot, WordPress has not. WP is the textbook for writing terrible PHP.
Now WP thinks they can shame hosting providers into upgrading PHP, while their own product is insecure by design? Good luck with that.
Re: (Score:2)
While calling it "insecure by design" is arguably true, I think it's worth noting that it's not (really) through ignorance or apathy or anything - WP has made a conscious design decision to trade off security for usability.
I am assuming you're referring to WP's (soft[1]) requirement for the website to be writeable by the web user. For the uninitiated with WordPress, this leads to a lot of problems when (usually) third party plugins/themes are exploited and people can write their own code to the disk, leadin
What about Red Hat / CentOS PHP? Will it flag it? (Score:2)
What about Red Hat / CentOS PHP? Will it flag it?
So, like Joomla (Score:2)
Joomla has been doing this for a while.
It's a nice help for getting clients to see the need for upgrading the PHP version.
The way to make WordPress shut up ... (Score:2)
... is to hold a printout of its data model in front of your webcam when logged in to the Dashboard. WordPress then usually just blushes ashamed, wordlessly crawls into a corner and doesn't bug you for the rest of the day.
Works every time.
Higher noise floor (Score:5, Informative)
One of the things that pops up in regular security audits is that the version of PHP or SQL we use "has bugs", and we should update immediately. When pressed to tell us which bugs make it insecure, we get a list... which does not include any features we use. And when they try to exploit the vulnerability, they find that it doesn't work... since they can't trigger something that isn't there.
It doesn't mean we do not move forward - just that, if you write good code to begin with, the bugs are not a factor.
It also means that we do not use ANY outside libraries, because we cannot control how well THEY were written. Hence, no WordPress on any of our servers!