Why it matters what PHP version you are using.

Recently in a Facebook group someone posted this image, asking for clarification:

[Image: text describing how old PHP 5.2 is, and why a WordPress user should ask their host to update. Caption: This is what’s wrong with web hosting in 2016.]

I thought I’d use that as a jumping-off point to talk about “bargain” hosting. This user is on a large (Super-Bowl-ad-budget large) hosting company’s “shared” plan. The irony is that the user would have no way of knowing what version of PHP they are running, were it not for this gently-worded (ahem) encouragement from a plugin developer. This warning didn’t come from the host. It came from a third-party plugin developer.

Allow me to be a little more blunt.

But first, a related personal story: some time in 2015, after about 1,000 active users had installed my plugin, I had a user get in touch with me in the support forums saying that they were getting a strange “fatal error” upon activating Better Click To Tweet.

The short and non-technical explanation of the problem my user was having is that the version of PHP they had installed did not include support for a function my plugin needed to function correctly.

The even-shorter explanation: this user used the same large web host as the original picture-sharer above.

For some web hosts, service and security clearly fall outside the scope of expected customer experience.
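
The fatal error on activation described above can be replaced with a readable message if a plugin checks the runtime before loading anything that needs newer PHP. This is an added example, not code from Better Click To Tweet or from the original post; the plugin name, the `example_guard_*` names, `includes/main.php`, and the choice of `array_replace()` as the required function are assumptions, since the post does not say which function was missing.

```php
<?php
/*
Plugin Name: Example PHP Version Guard
Description: Hypothetical plugin used only to illustrate a runtime check.
*/

// Assumption: minimum version taken from the post's recommendation.
define( 'EXAMPLE_GUARD_MIN_PHP', '5.6' );

// Everything in this file must still parse on PHP 5.2, so it avoids
// closures, short array syntax and namespaces.
function example_guard_problems( $running, $required_functions ) {
	$problems = array();
	if ( version_compare( $running, EXAMPLE_GUARD_MIN_PHP, '<' ) ) {
		$problems[] = sprintf( 'PHP %s is older than the required %s.', $running, EXAMPLE_GUARD_MIN_PHP );
	}
	foreach ( $required_functions as $name ) {
		if ( ! function_exists( $name ) ) {
			$problems[] = sprintf( 'The function %s() is not available.', $name );
		}
	}
	return $problems;
}

function example_guard_required_functions() {
	// Illustrative choice: array_replace() was added in PHP 5.3.
	return array( 'array_replace' );
}

function example_guard_on_activate() {
	$problems = example_guard_problems( PHP_VERSION, example_guard_required_functions() );
	if ( ! empty( $problems ) ) {
		// Stopping here ends the request before WordPress records the plugin as active.
		wp_die(
			esc_html( 'Plugin not activated. ' . implode( ' ', $problems ) . ' Ask your host to move the site to a supported PHP version.' ),
			'Plugin activation error',
			array( 'back_link' => true )
		);
	}
}
register_activation_hook( __FILE__, 'example_guard_on_activate' );

// Load the feature code (hypothetical file) only on a runtime that can run it,
// so an already-active plugin does not take the site down after a PHP downgrade.
$example_guard_main = dirname( __FILE__ ) . '/includes/main.php';
if ( ! example_guard_problems( PHP_VERSION, example_guard_required_functions() ) && is_readable( $example_guard_main ) ) {
	require_once $example_guard_main;
}
```

The guard only helps if the file containing it uses no syntax newer than the oldest PHP it may meet, which is why the feature code lives in a separate file.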

Here’s the thing: 5.2 has not been officially supported by the PHP development community in YEARS (since January 06, 2011, to be exact).

What that means is that any vulnerability discovered in the code since 2011 has not been patched. So, if you are knowingly running version 5.2.x (solve for x), you are implicitly OK with not patching vulnerabilities.

Check out this page for officially supported versions (and note that 5.2 is too old to even make the graph).

[Image: literal bug on a computer screen with code. Caption: Who is checking for bugs in your code?]

You read that right. Half of a decade ago developers stopped supporting it, yet some hosts still have it installed on their servers.

If you take your website seriously, you should take your hosting seriously. That means a bare-naked minimum of PHP 5.5, at the time of this writing. Security support for it ends in July of 2016, so you’d be best to go ahead and consider the minimum 5.6.

Some hosts put the onus of updating PHP versions on you, the end user. I think that’s a root problem (pun intended, for my developer readers). Updating PHP versions is a developer task. Any hosting company that has a “one click install” of WordPress can’t expect those users to be comfortable enough to update the scripting language undergirding that one click.

Get in touch with your host. Ask them to update you to an actively supported version of PHP. It should also go without saying: before you update something like that, take a healthy backup of your site (including the database).

If your host balks at that, it is time for a better host.