A Plea For Plugin Developers to Stop Supporting Legacy PHP Versions

Iain Poulson has published a thoughtful request on the Delicious Brains blog asking WordPress plugin developers to stop supporting legacy PHP versions. He covers some of the benefits of developing with newer versions of PHP, what Delicious Brains is doing with its plugins, and using the Requires Minimum PHP Version header in readme.txt.

While we wait for the Trac discussion to roll on and the WordPress development wheels to turn we can take action ourselves in our plugins to stop them working on installs that don’t meet our requirements.

We do this in our own plugins where it is strictly necessary (WP Offload S3 relies on the Amazon Web Services S3 SDK, which requires PHP 5.3.3+ and we will move to PHP 5.5 in the future), and the more plugins that do this out of choice will help move the needle further.

Iain Poulson
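
One way a plugin can stop itself from working on an install that does not meet its PHP requirement, as the quote above describes. This is an added example, not code from Delicious Brains or WP Offload S3; the `myplugin_` names, the 5.6 floor and the `includes/bootstrap.php` path are assumptions.

```php
<?php
/**
 * Plugin Name: Example Plugin (hypothetical)
 *
 * Added example. Keep THIS file parseable by PHP 5.2: no namespaces,
 * closures or short array syntax, otherwise an old interpreter dies with
 * a parse error before the version check below can run.
 */

define( 'MYPLUGIN_MIN_PHP', '5.6' ); // assumed floor; pick your own

/** True when the running interpreter meets the plugin's minimum. */
function myplugin_php_ok( $running, $required ) {
	return version_compare( $running, $required, '>=' );
}

/** Admin notice explaining why the plugin did not load. */
function myplugin_php_notice() {
	if ( ! current_user_can( 'activate_plugins' ) ) {
		return; // only show it to users who can act on it
	}
	printf(
		'<div class="notice notice-error"><p>%s</p></div>',
		esc_html( sprintf(
			'Example Plugin needs PHP %1$s or newer; this site runs PHP %2$s. Ask your host to upgrade.',
			MYPLUGIN_MIN_PHP,
			PHP_VERSION
		) )
	);
}

/** Switch the plugin off so it is not left half-loaded. */
function myplugin_self_deactivate() {
	deactivate_plugins( plugin_basename( __FILE__ ) );
}

if ( ! myplugin_php_ok( PHP_VERSION, MYPLUGIN_MIN_PHP ) ) {
	add_action( 'admin_notices', 'myplugin_php_notice' );
	add_action( 'admin_init', 'myplugin_self_deactivate' );
	return; // stop here: the modern code below is never included
}

// Code using newer PHP syntax lives in a separate file, included only once the check passes.
require_once dirname( __FILE__ ) . '/includes/bootstrap.php';
```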

Poulson mentions the ServeHappy project in his post and it's worth a mention here as well. The ServeHappy project was launched earlier this year by a group of volunteers.

Its main goal is to reduce the number of WordPress installs running on unsupported PHP versions through education, awareness, and tools to help users update their site's PHP versions.

This project is in need of contributors. If you're interested, join the #core-php channel on WordPress Slack. The team has meetings every Monday at 11:00 AM EDT. You can also follow the #core-php tag on the Make WordPress.org Core site where links to chat logs and meeting summaries are published.


29 responses to “A Plea For Plugin Developers to Stop Supporting Legacy PHP Versions”

  1. Its main goal is to reduce the number of WordPress installs running on unsupported PHP versions through education, awareness, and tools to help users update their site’s PHP versions.

    The biggest motivator for hosts would be if WP would quit acting like it’s a tiny little OSS project and simply say “In X months/with the release of version Y we will no longer support PHP less than 5.6. As PHP versions become unsupported, we will deprecate support for those versions after 12 months.”

    But no… they will utterly change how end users have to edit content but god forbid they upset hosts….

  2. Apple essentially killed Flash.

    They decided it was a crappy technology and wouldn’t support it.

    What happened? Since supporting Apple devices was worth it, people stopped using Flash.

    WordPress could do the same for old versions of PHP.

    At Soflyy occasionally our customers encounter problems with our plugins not supporting extremely old versions of PHP.

    A simple email to the customer saying “Upgrade to a supported version of PHP: http://php.net/supported-versions.php. If your web hosting provider set up your account with a version of PHP this old, they are not a reputable web hosting provider. You should switch to a modern web host before your websites are hacked.” is fine. I’ve sent countless emails like this, and I can’t recall anyone ever complaining that we don’t support their insecure and ancient version of PHP.

  3. This kind of thing is totally stupid. It is the site owner’s site, and I am not going to go on a crusade just because some guy (however smart he might be) wants to feel important by telling the world what to do.

    Right now we support 5.3, and it will make very little difference to us if we force users to go 7.X. From our POV there is no ROI for us in such a move. We did force users into 5.3 a long time ago, but the advantage of namespaces for sharing code between a few projects was obvious and we decided to say “#$%^ the luddites”, but even going all the way to 7.2 there is just not enough difference for us from a software development POV to care to handle the support calls.

    Site owners usually have good reasons not to upgrade….. it costs real money to test the site again, and just calling “shiny shiny” is not a good reason for them to do anything if their site performs exactly as they want. I have a friend who uses Windows XP and is very happy. Who is that Ian to decide for him that he should use Windows 10?

    (us === https://wordpress.org/plugins/category-posts/ if anyone just has to know)

    • Ah, there are security reasons to not be using such old versions of PHP, as well as not using Windows XP. That’s the nature of the digital world, like it or not. Telling people it’s OK to remain on insecure platforms is not the right thing to do.

      • This is just irrelevant. WP sites are being hacked from bad PHP code in plugins and themes, not because of bugs in PHP. Even if those kinds of bugs can be used to hack a site, for the script kiddies it is much easier to exploit the insecure plugins, of which there are many.

      • @jeffc for you and for me, it is not about shiny, but how do you explain the need to the non-technical site owner? The only way is FUD, but the site owner himself has probably already experienced how upgrades can ruin his productivity… failures after Chrome, Windows, iOS and WordPress plugin updates, and he knows this is not a risk-free effort, so you will need a very good FUD which is much better than “it is EOL”.

    • @Mark K

      I would patiently explain to them that their site is running on an insecure version of php, and any security measures that I or any other developer may attempt to harden their site from malicious players is just p!$$!ng in the wind.

      That if they insist on running an insecure site they are very likely going to be breached at some point and this could be a very very costly mistake.

      I would also ask them to find another developer because I do not want anything to do with the potential risk. If they are breached and their site gets a bad reputation I don’t want to be anywhere near it.

      • @jeffc +1 for you personally not interested to work with ancient tech, but let me ask you something else.

        Did anyone suggest to you to ditch Intel CPUs because of Spectre, and if anyone had done so, would you actually follow their advice?
        Or a different take, did you fully delete your FB account including WhatsApp and Instagram?

        Security and privacy are not binary states. You are rarely in either of the edges of it, and it is always a judgment call as to if it is worth to invest your time to improve them. I will not spend more than 5 minutes to talk about the real danger of using old PHP – technical debt, but not even one second more as my time is the clients money and he has the full right to spend it in the way he wants.

    • @Mark K

      Also regarding your reply to Tim.

      It’s not an either or.

      So what if most of the hacks are due to them running insecure or outdated plugins.

      That doesn’t invalidate the insecurity from using old unpatched PHP versions. PHP versions that don’t include modern password hashing for example.

      Security is always in-depth.

      Run the latest secure stable supported stack, secure and harden at a server level, security at an application level, security at a behavioural level.

      Do you really want to be working with clients that don’t understand that? If things go wrong, who is the sh@+ gonna blow back on?

  4. It seems less a plea to stop supporting ‘legacy versions’ and more to stop supporting 5.2. Kind of. The initial part of that post is all about 5.2 and how only 0.64% of those on WordPress 4.9 (the latter is important as it goes up to around 2% if you include all versions).

    He then doesn’t recommend a specific version to move to but does talk about PHP 7 a lot. Moving to PHP 7 would, of course, prevent your plugin from working for about 90% of users.

    So, I’m a bit confused. What is the recommendation for plugin developers here?

  5. Supporting old versions of PHP is a pain when developing plugins with a large codebase. And it benefits developers more than users, in terms of functionality.

    I’d suggest WP disables updates for plugins that have a required PHP version greater than the hosting version. That makes the site still work with old versions of the plugins.

  6. Every single WordPress installation we host is on PHP 7.1. Our clients have the option to switch to 5.4 but not only are they encouraged not to do that, we also help them adjust their WP installations for PHP7 free of charge. In the short run it may seem like a waste of time and money but having a faster, more stable and more secure hosting environment is totally worth it. :)

  7. I think the bigger argument is getting WordPress itself to move its version floor. As derivative works, Plugins should not mandate a higher version of PHP than the root work.

    If you look at the WordPress’ current Requirements page, they support all the way down to PHP v5.2.4

    At 5.0, WordPress itself should simply cut off any and all PHP versions that have reached End-of-Life. And then, as each subsequent version of PHP reaches EoL status, cut them off in the next version released ~6 months later.

    Plugin authors can maybe help push it along and increase end-user awareness by having a function that tests the PHP version and if it is less than 7.0, display a message in the Admin area to that effect. I believe the WordPress marketing team either has or has been working on a site section about the advantages of upgrading PHP versions, so it can point to that site.

    • Yes, that sounds perfectly reasonable… it’s incredible that WordPress, the largest CMS on the planet, is effectively helping an insecure version of PHP survive in the wild.

      It is completely irresponsible.

  8. As the largest CMS on the planet, WordPress should lead the charge in forcing the use of supported PHP versions.

    Use of new PHP versions benefits the users first, and whoever said that a PHP upgrade benefits developers only has no idea what he is talking about. Newer PHP versions are faster (faster PHP, more pages can be served with the same hardware, and users don’t need to upgrade to faster hosting), and PHP 7.x is a lot faster than PHP 5.x. New versions of PHP are more secure (in this day and age, that should be a high priority for everyone), and they will stay secure as long as they are in development. When PHP reaches EOL, no more patches for security issues are coming, and no one really knows what kinds of security-related issues PHP 5.2, 5.3 and 5.4 have right now; they have been unsupported for years.

    On Dev4Press, I have set PHP 5.5 as the lowest PHP version I will use to test my plugins with, and I will fix any bugs related to PHP 5.5 or newer only. Most of my plugins work with PHP 5.3 and PHP 5.4, and I know that some users still use these PHP versions, and my plugin might continue to work for years for them, but I am not going to test or fix issues with PHP older than 5.5.

    A similar thing can be done with WordPress at first. Stop testing with PHP 5.2 and 5.3. Considering how slow WordPress development is, I don’t expect to see a lot of code changes in the next major versions that will immediately break on PHP 5.2 or PHP 5.3. But, spread the word, increase the minimum required PHP version, and I am sure it will have an effect: hosting companies that have stuck to old PHP until now will be forced to deal with it, or lose users that use WordPress.

  9. And one more thing, WordPress can’t work on PHP 5.2 anyway: there are some features that require PHP 5.3 and they are part of the WordPress core, including SimplePIE used for all RSS feed stuff in WordPress. That library doesn’t work with PHP 5.2. I remember that there are a few more libraries that have a similar limitation.

    So, all this ‘we support PHP 5.2’ is a nonsense, and WordPress core should move on and take the lead in the newer PHP adoption. PHP 5.5 or 5.6 should be set as the minimum requirement, and revisit the PHP versions support once a year.

  10. While I totally agree that WP should be helping to lead the charge here, I don’t think plugin/theme developers should throw up their hands and say “not my job”.
    As plugin & theme developers, we ARE making a difference. In one year, the percentage of sites running PHP 5.2-5.5 went from 60% of all WordPress sites down to 35%. That’s a pretty incredible difference in a single year.
    Now, imagine what would happen if core WP actually joined the effort :)

  11. Wait, there are people running sites on anything below 5.5!?

    I have not put a site on anything lower than 7.1 in the last 6 months, and will not do so either. Our latest server doesn’t even support 7.0 or lower. At all.

    Tbh, if WP stopped upgrading on hosts with PHP lower than 5.6, I think we’d see a shift super fast. Imagine hundreds of customers complaining about not being able to upgrade their WP installs…

