WPupdatePHP Project Aims to Help WordPress Users Get on Newer Versions of PHP

photo credit: Feediza.com
photo credit: Feediza.com

Developers are anxious for WordPress to bump up the minimum PHP requirement for core, as it’s currently lingering at 5.2, which is no longer among the supported versions of PHP. As of August 2014, PHP 5.3 no longer receives patches for security vulnerabilities.

Recent updates to WordPress.org stats indicate that 16.4% of WordPress sites are still running on PHP 5.2 and 38% on PHP 5.3. According to lead developer Andrew Nacin, bumping the minimum required version is not likely to happen soon, due to the sheer number of sites that would be negatively impacted.

“One-sixth of all sites running PHP 5.2 is still many millions of sites,” he said. “If we move the PHP minimum version too early, we risk stranding millions of installs on older versions of WordPress.” In the meantime, the WordPress project is researching the current state of PHP offerings available at popular hosts and will soon be urging them to update to more recent versions.

WordPress developer Coen Jacobs believes that the effort to contact hosts will not be enough to help everyone. His new WPupdatePHP project was created to educate end users on outdated versions of PHP. The WPupdatePHP library is a tool that developers can bundle into their plugins in order to require users to upgrade to PHP 5.4+ hosting. It is intended for use within new plugins, not for locking users out of existing ones.

If a user does not meet the minimum PHP version requirements when installing the plugin, he will be presented with an admin notice:

Unfortunately, this plugin can not run on PHP versions older than [ specified version ]. Read more information about how you can update.

The idea of the WPupdatePHP project is to enlist end users in putting pressure on hosts to update their versions of PHP. A future version of the library would add the ability for developers to make the PHP version a “soft requirement,” which would still display the notice but won’t stop the user from using the plugin.

“The core WordPress team can’t get every single hosting company to comply,” Jacobs said in a recent post titled Updating PHP is Everyone’s Responsibility. “I admire their intentions, but in reality this is not going to help everybody.”

He predicts a need for the WPupdatePHP library even after WordPress bumps its minimum required PHP version. “PHP 5.4 is actually already nearing its EOL date and we’re still figuring out how to make PHP 5.2 and 5.3 platforms go away,” he said. In mid-September 2015, PHP 5.4 will not longer receive security fixes.

Jacobs believes that the changes that need to happen require more than a one-time campaign where the WordPress project successfully badgers hosts to update to PHP 5.4.

“In six months we’ll have this same issue all over again,” he said. “As soon as webhosting companies have finally finished off their PHP 5.2 and 5.3 environments, we can start this whole campaign all over again to get rid of PHP 5.4. And so on.”

If you are a WordPress developer interested in enlisting your plugin’s users to help push hosts to update PHP versions, check out WPupdatePHP on GitHub.

“The end user is one of our most important, but underestimated, assets in this battle,” Jacobs said. “They have the strongest voice in this all.”

Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let's discuss your ideas.

10 Comments


  1. Why people pay to hosting companies which use 5.2 or 5.3? Can not imagine what “quality” of service is behind it.
    It will be probably same reason, why so many people use outdated version of WP or why buy/use junky bloated themes on their sites. DARKNESS ;)
    This kind of projects are cool initiative and even if it gives some “light” to few companies/people its great.

    Report


    1. I think it’s partly when they originally signed up for the account, 5.2/5.3 weren’t outdated, or not as badly as they are now. However, they have never had anyone upgrade them to a newer version that their hosting provider actually provides, and has as default version for NEW signups. Maintenance issue, not necessarily that they signed up with a “bad host” in the first place.

      Report


      1. But what if the host hasn’t updated package options to their clients since 2002? I recently moved one client off his old host because his “premium” package wouldn’t run WordPress at all. He only had 100Mb of space total, and no databases at all.

        Don’t be so certain that the end user hasn’t done the upgrades, when it’s the hosting company that has lack of clue. I’ve run across three smaller hosting companies in the past year whose servers for shared hosting services are still running end-of-life versions of FreeBSD 6, 7 and 8 on AMD boxes with less than 2Gb of RAM. My concerns about their default still being PHP 5.2 paled under those circumstances.

        The client I rescued had no idea any of that mattered, he’d just been happy paying them every month since 1997. The other one stuck to his guns and stayed with his host, but now even he has noticed some performance problems since I upgraded his site for him (issues I’d pointed out to him before we got underway).

        I think Media Temple skipped over PHP 5.4 and went straight to from 5.3 to 5.5; not aware of anyone else who has done that.

        If you have a lot of people with websites who aren’t tech savvy and don’t want to be, and they are stuck on lazy hosting providers who should know better but don’t make the effort because “everything still works, why rock the boat”, but since they aren’t concerned about security (thereby making things rougher on everyone else) maybe more direct ways of bringing their attention to the problem are needed… like updating the minimum requirements out from under them, forcing them to update or play in a different sandbox.

        I don’t know that there is a good solution, but if a hosting provider hasn’t updated their hardware or OS or software in 5 years, how stable and secure is their operation to begin with?

        Report


  2. Forget WordPress. Look at the big picture.

    There are many old PHP systems, that crash from upgrades.

    I had a 2 month job last year, fixing PHP shopping systems that used register_globals, after an ISP upgraded to PHP 5.4.

    WordPress was fine on these systems.

    Report


    1. WordPress itself will work on any php version greater than the minimum requirements.

      It is indeed those older programs, some of which are no longer maintained, but still used, which holds back the defaults. The truth is that PHP is not very backwards compatible.

      On the whole, getting the existing versions changed has to be an opt in process. But, getting the “defaults” changed for new users is totally feasible. The default should always be the latest version installed on the system, IMHO. And I think more hosts are starting to see that.

      Report


  3. Glad to see this article, as I’ve also been of the opinion lately that as developer’s, we need to be trying to push PHP hosting forward as well.

    Aside from writing code for a specific PHP version that still has support, we can also not let clients use hosts that are on old versions of PHP. Sometimes we don’t like to be too pushy about this, but really it’s for the client’s own benefit, and if you do more than casually mention it, they’ll often listen.

    Great looking project on Github, Coen, I’ll definitely be taking a look at using it on my next project.

    Report


  4. I think this project is a hit in the face for every plugin developer who likes to make his plugin available for as many user as possible. I understand the urgency for the need to update to newer php version asap but this lies more in the hands by wordpress.org. It’s so easy: wordpress can make the requirements from one day to another to php 5.4. I think this is the most powerful instrument to force user to switch to new hosting environments. This is the way to go, otherwise user would not get security updates for a lot of their plugins any longer. The little developer will not focus on two different plugin branches to do so. It’s also much more effective than doing this by thousands of independent developers instead the main company behind wp.

    Report


  5. It seems the easiest way to improve the problem would be to put the woefully outdated https://wordpress.org/hosting/ page to use. Want to be a WordPress.org recommended host? Use the latest recommended version of PHP. If Matt mentions that in a few talks/interviews hosts will be doing whatever they have to in order to get on that list.

    Report

Comments are closed.