Developers are anxious for WordPress to bump up the minimum PHP requirement for core, as it’s currently lingering at 5.2, which is no longer among the supported versions of PHP. As of August 2014, PHP 5.3 no longer receives patches for security vulnerabilities.
Recent updates to WordPress.org stats indicate that 16.4% of WordPress sites are still running on PHP 5.2 and 38% on PHP 5.3. According to lead developer Andrew Nacin, bumping the minimum required version is not likely to happen soon, due to the sheer number of sites that would be negatively impacted.
“One-sixth of all sites running PHP 5.2 is still many millions of sites,” he said. “If we move the PHP minimum version too early, we risk stranding millions of installs on older versions of WordPress.” In the meantime, the WordPress project is researching the current state of PHP offerings available at popular hosts and will soon be urging them to update to more recent versions.
WordPress developer Coen Jacobs believes that the effort to contact hosts will not be enough to help everyone. His new WPupdatePHP project was created to educate end users on outdated versions of PHP. The WPupdatePHP library is a tool that developers can bundle into their plugins in order to require users to upgrade to PHP 5.4+ hosting. It is intended for use within new plugins, not for locking users out of existing ones.
If a user does not meet the minimum PHP version requirements when installing the plugin, he will be presented with an admin notice:
Unfortunately, this plugin can not run on PHP versions older than [ specified version ]. Read more information about how you can update.
The idea of the WPupdatePHP project is to enlist end users in putting pressure on hosts to update their versions of PHP. A future version of the library would add the ability for developers to make the PHP version a “soft requirement,” which would still display the notice but won’t stop the user from using the plugin.
“The core WordPress team can’t get every single hosting company to comply,” Jacobs said in a recent post titled Updating PHP is Everyone’s Responsibility. “I admire their intentions, but in reality this is not going to help everybody.”
He predicts a need for the WPupdatePHP library even after WordPress bumps its minimum required PHP version. “PHP 5.4 is actually already nearing its EOL date and we’re still figuring out how to make PHP 5.2 and 5.3 platforms go away,” he said. In mid-September 2015, PHP 5.4 will not longer receive security fixes.
Jacobs believes that the changes that need to happen require more than a one-time campaign where the WordPress project successfully badgers hosts to update to PHP 5.4.
“In six months we’ll have this same issue all over again,” he said. “As soon as webhosting companies have finally finished off their PHP 5.2 and 5.3 environments, we can start this whole campaign all over again to get rid of PHP 5.4. And so on.”
If you are a WordPress developer interested in enlisting your plugin’s users to help push hosts to update PHP versions, check out WPupdatePHP on GitHub.
“The end user is one of our most important, but underestimated, assets in this battle,” Jacobs said. “They have the strongest voice in this all.”