WordPress to show warnings on servers running outdated PHP versions

WordPress PHP minimum requirement to change to PHP 5.6 in April and PHP 7.0 in December.

WordPress warning shown to users running an oudated PHP version

Image: Felix Arntz, WordPress.org

The WordPress open-source content management system (CMS) will show warnings in its backend admin panel if the site runs on top of an outdated PHP version.

The current plan is to have the warnings appear for sites using a PHP version prior to the 5.6.x branch (<=5.6).

The warnings will contain a link to a WordPress support page with information on how site owners can update their server's underlying PHP version.

In instances where site owners are running their WordPress portals on top of tightly-controlled web hosting environments, the web host has the option to change this link with a custom URL pointing at its own support site.

The warning will ship and start appearing with WordPress 5.1, scheduled for release early this spring.

The decision to start showing this warning was taken in December 2018, after the release of the WordPress 5.0 branch. Upgrade statistics compiled days after the WP 5.0 release revealed that 85 percent of WordPress 5.0 users were running their sites on PHP versions of 5.6 and later, hence only a small subset of the active WordPress community will see these warnings in the first place.

We said "active WordPress community" because there are still millions of sites running old WordPress versions, many of them abandoned or forgotten.

The short-term plan is to migrate as many active users to more recent versions of PHP as possible so that the WordPress team can drop support for older PHP versions altogether.

The WordPress team would like to officially modify the WordPress CMS minimum PHP version requirement from PHP 5.2 (the current) to PHP 5.6 by April 2019. A similar minimum requirement version bump is also planned for MySQL, with MySQL 5.5 becoming the new minimum requirement.

The long-term plan is to have PHP 7.0 become the minimum PHP version needed to run a WordPress site by December 2019.

Yesterday's announcement from the WordPress team came as a surprise for the WordPress community. The minimum PHP version needed to run a WordPress site hasn't been modified for years.

The reason why the WordPress team wants to push site owners to update their underlying PHP servers is because the PHP team has recently dropped support for security fixes for the PHP 5.6.x and PHP 7.0.x branches. These older PHP servers are now vulnerable to attacks and mass-exploitation, as several security researchers have told ZDNet last fall.

Around 66.7 percent of all Internet sites run an unsupported PHP version, according to W3Techs. Almost a quarter of all internet sites run on top of a WordPress CMS. The WordPress team is the first major CMS project to announce a concerted plan to migrate users towards currently-supported PHP versions.

"The threshold for the PHP notice will increase granularly, with the goal to over time catch up with the actual PHP version progress," said Felix Arntz, a member of the WordPress open-source CMS team.

More cybersecurity news: