"WordPress’ core team stance on bumping the PHP version requirement is twofold:
1. Too many WP users are still on old versions like 5.2 and 5.3
2. They don’t care about new "features""
If you really do power 20%+ of the websites out there, do you not perhaps have enough influence to influence a change? I could almost buy this reasoning 6-7 years ago. "If we start requiring PHP 5.1... all our users might flock to something else that still only needs 4.3! We better not push things too much".
A large segment of the hosting world caters to the WordPress user (casual and professional) and they will jump to whatever requirements WordPress puts out. Where are they going to go? No one will want to upset this golden goose. WP, make version 5.0 require PHP 7 and be done with it. People will upgrade. They have no real choice - you've killed most any platform that might be a serious competitor for the next several years.
You're absolutely correct. However, according to WP core devs, nothing should ever be done to inconvenience the user. Moving to a new version of PHP when apparently, users who have websites don't even know the name of the language their website is built in, should not be put off by having to upgrade this strange thing.
I can't agree enough though, WP can be a huge driving force in making all hosting providers utilize modern versions of PHP. However, instead of using that weight to make a difference, they're completely content to hold PHP back. All at the expense and detriment of the user, in the name of the user.
"nothing should ever be done to inconvenience the user."
Having sites hacked due to old version of PHP is an inconvenience.
Why not just tell everyone to chmod 777 the entire website too, just so they're not inconvenienced?
Tongue-in-cheek, of course, but there's a balance to be struck between convenience and security, and I think they're somewhat on the wrong side.
I was really mixed on the 'auto-update' WordPress core stuff. While I get it - it keeps some people up to date - it also means my system needs to be left in a state where software can be altered, and that means it can be maliciously altered too.
The "moving to a new version when they don't know the language" argument - I don't buy it. Almost everyone I know who has WordPress installed who is not a techie has a host that manages it, or presses a button on a control panel. Pressing another button, or having the host do some more stuff - neither of these are inconveniences that outweigh the security benefits - not just to that site owner, but the rest of the internet.
> Why not just tell everyone to chmod 777 the entire website
I run a cron job on my hosting server that detects clients that have done that. I alert several a week regarding the state of their security. I'm nearly always told they followed some "WordPress installation guide" they found online and won't be changing it.
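The kind of check a cron job like that would run, written here as an added example rather than the commenter's own script: it walks a client's web root, reports every file or directory that has been made world-writable by a `chmod -R 777`, and can reset the tree to conventional permissions. The 755/644 defaults and the 600 on wp-config.php are this example's assumption, not something the thread specifies, and the sample site it builds is constructed data.

```shell
#!/bin/sh
# Added example, not the commenter's actual cron job: find paths under a web
# root that have been made world-writable (the result of "chmod -R 777"),
# report them, and optionally reset them to conventional permissions.
# The 755/644/600 defaults below are an assumption of this example.

# Print every world-writable file or directory under $1, one per line.
# "-perm -002" matches any path whose "other write" bit is set.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Print the number of world-writable paths under $1 (0 when the tree is clean).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Emit an alert block for one client web root; prints nothing when it is clean.
# Always returns 0 so a cron loop over many clients keeps going.
alert_if_world_writable() {
    root="$1"
    n=$(count_world_writable "$root")
    if [ "$n" -gt 0 ]; then
        printf 'ALERT: %s has %s world-writable path(s):\n' "$root" "$n"
        list_world_writable "$root" | sed 's/^/  /'
    fi
    return 0
}

# Reset a web root to the conventional layout: 755 for directories, 644 for
# files, and 600 for wp-config.php because it holds the database credentials.
harden_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# Build a throwaway WordPress-like tree (constructed sample data) in which an
# "installation guide" has left the uploads directory and a file at 777.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-admin"
    : > "$site/wp-config.php"
    : > "$site/wp-admin/index.php"
    : > "$site/wp-content/uploads/image.png"
    chmod 755 "$site/wp-content" "$site/wp-admin"
    chmod 640 "$site/wp-config.php"
    chmod 644 "$site/wp-admin/index.php"
    chmod 777 "$site/wp-content/uploads" "$site/wp-content/uploads/image.png"
    printf '%s\n' "$site"
}

# Stand-alone use from cron: ./wpperms.sh /var/www/client1 /var/www/client2 ...
# With no arguments, run against the constructed sample tree instead.
if [ "$#" -gt 0 ]; then
    for root in "$@"; do alert_if_world_writable "$root"; done
else
    demo=$(make_sample_site)
    alert_if_world_writable "$demo"
    harden_permissions "$demo"
    printf 'after hardening: %s world-writable path(s)\n' "$(count_world_writable "$demo")"
    rm -rf "$demo"
fi
```

Running it with no arguments prints an alert listing the two offending paths in the sample tree and then "after hardening: 0 world-writable path(s)". In a real deployment the alert output would be mailed to the client rather than printed, and `harden_permissions` would only be invoked once the client agrees, since a blanket reset also removes write access the web server legitimately needs for uploads.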
We (the Roots team) have had this same opinion for years now. I feel that WordPress underestimates the power they have.
Now WordPress does actually work with a lot of the top hosting companies to get their PHP versions upgraded. They do this quietly but they do talk about it from time to time. But they don't go nearly far enough with this outreach program and by still allowing 5.2 and not setting any deprecation timelines it really hurts their efforts.
Interesting to know, but... man... they've got some opportunity with PHP hitting a 7.0 and there not being a WP 5.0 released yet.
Upgrading PHP isn't just about using "new features" - WP doesn't even have to use any new stuff, but still requiring higher versions for security and speed benefits would help move the web forward a lot.
I agree but that is okay. If you have a site where security is irrelevant (or you think you do) then stay on WP 4 and don't upgrade. Let those who need new features and modern security update.
I think it's worse to think you're up to date because your WordPress install is up to date, but you are hashing with md5 and using php 5.2.
Managed WordPress hosts have solved a part of this problem, but the issue is that the vast majority of WordPress sites are on cheap, shared hosting in unmanaged environments. It's currently up to the users to upgrade their sites, which means versions of PHP and WP don't get upgraded...ever.
The only realistic solution would be for hosts to forcibly upgrade customers' sites, which causes significant breakage (even < 1% is thousands and thousands of sites). Is that acceptable? Whose job is it to fix that? Are hosts expected to just eat the churn from customers cancelling?
I'm not agreeing or disagreeing, just sharing the reality of the situation.
> The only realistic solution would be for hosts to forcibly upgrade customers' sites,
They could stop putting new customers on outdated systems, for a start. I routinely still see shared hosting delivering PHP 5.4, in 2015 (last I saw something that jarring).
You want to keep people on old stuff? Quarantine them, and have all new customers going forward on newer stuff, and develop a plan for upgrading. "Guys, yes, you want to keep running PHP 5.3, but for the security of the entire data center, we have to upgrade. You may need to upgrade your WordPress/etc - we'll do what we can to help mitigate problems, but not addressing this means your site is more at risk of becoming hacked".
I’d like to see them handle it similarly to the jQuery 1.x -> 2 fork (feature freeze + bug fixes in perpetuity for the former, all new development and bumped requirements in the latter).
Those of us who have to clean up after it, and those of us who've had to deal with spam and malware-infested wordpress sites interfering with our business.
Much like google/gmail, windows, and other large monopoly-like players, WordPress is a huge impact on a lot of businesses; whether those businesses are using WordPress or not, we still feel the impact (and yes, I am using it for a couple projects as well - chmod 400 on pretty much the whole site unless I'm doing updates).
"Roots has long been a critic of the outdated PHP version requirements in WordPress. They still have 5.2 as the minimum version which has been end of life (EOL) since January 6th 2011."
This is ignoring the fact that distributions provide security updates for older versions. Looks like RHEL5 includes PHP 5.1 and it's possible to get support for it until 2020.
It's even worse. Why can someone just keep trying to log in on a default WP installation? Why can they try to guess usernames? First thing I install is: https://www.wordfence.com
Even still, default login attempts are set at 20. I've had a lot of recent bruteforce attacks, and set that delimiter to 5. On top of that, I try changing the wp-login location with 'rename wp-login'[1], and set it to something like http://www.site.com/hello . Doesn't stop everyone, but helps cut down attempts.
WordPress just needs to break compatibility and launch a new version with different requirements (such as PHP 7+ and MySQL 5.7+) and leave a couple of guys just doing security fixes for legacy versions. Now it's such a weird mix of functions, globals, classes, and it's just terrible to have such a vastly popular product being so poorly written and architected! Abusing MySQL to store vast amounts of metadata in wp_options and other tables when NoSQL databases have been available for years is outrageous!
> when NoSQL databases have been available for years is outrageous!
I work for a shared hoster, we host a ton of WordPress sites.
The problem here is that in shared hosting world MySQL is ubiquitous, along with PHP. It's all you need to get your WordPress blog up and running. Adding a dependency on a NoSQL datastore breaks that simplicity. Also which NoSQL database do you target because not all of them are suitable for running in these types of environments.
Also wp_options is, as the table name suggests, mostly just option settings which are looked up by a known key "option_name" then the json-like blob is read from the "option_value" field and parsed. There's very little or no searching done for values inside that blob so you're adding NoSQL complexity just to store key/value pairs. MySQL is a well known, well understood thing and "just works" for apps like WordPress.
This problem could easily be solved by adapters. You can have a default adapter storing this into MySQL tables, but open it up for databases that are designed to do just that effectively. Oh, well, WordPress doesn't even support PostgreSQL, which alone can do both pretty effectively. There's so much spaghetti code in WordPress that I always have a bad feeling pushing that code to Production (with capital "P").
A lot of people praise WordPress for the great number of plugins and themes, but the reality is that only 1% of those are quality code, forward-compatible, following best practices, secure, and suitable for use and not just getting something out of the door quickly. That's why WordPress needs rethinking and most importantly - some sandboxing of themes at least because you can't even allow a shared hosting to upload custom themes as most of them can hack your entire infrastructure being plain PHP code.
I can't believe that WordPress, being such an archaic product, doesn't support Smarty-based themes, which could be execution-safe.
Wouldn't surprise me, it's had lots of exposure with all the data leaks. I last looked at passwords sometime in 2010 off the back of the infamous "use bcrypt" post.
Just skimmed the WP ticket, what a horrible amount of effort to cover an edge case of people regressing to a 4 years past dead PHP version.