Why it matters what PHP version you are using.

Recently in a facebook group someone posted this image, asking for clarification:

image of text describing how old php 5.2 is, and why a WordPress user should ask their host to update.
This is what’s wrong with web hosting in 2016.

I thought I’d use that as a jumping-off point to talk about “bargain” hosting. This user is on a large (Super-Bowl-ad-budget large) hosting company’s “shared” plan. The irony is that the user would have no way of knowing what version of PHP they are running, were it not for this gently-worded (ahem) encouragement from a plugin developer. This warning didn’t come from the host. It came from a 3rd party plugin developer.

Allow me to be a little more blunt.

But first, a related personal story: some time in 2015, after about 1,000 active users had installed my plugin, I had a user get in touch with me in the support forums saying that they were getting a strange “fatal error” upon activating Better Click To Tweet.

The short and non-technical explanation of the problem my user was having is that the version of PHP they had installed did not include support for a function my plugin needed to function correctly.

The even-shorter explanation: this user used the same large web host as the original picture-sharer above.

For some web hosts, service and security clearly fall outside the scope of expected customer experience.

Here’s the thing: 5.2 has not been officially supported by the PHP development community in YEARS. (since January 06, 2011—to be exact.)

What that means is that any vulnerability discovered in the code has not been patched, since 2011. So, if you are knowingly running version 5.2.x (solve for x) you are implicitly OK with not patching vulnerabilities.

Check out this page for officially supported versions (and note that 5.2 is too old to even make the graph).

literal bug on a computer screen with code.
Who is checking for bugs in your code?
Creative Commons Image Attribution

You read that right. Half of a decade ago developers stopped supporting it, yet some hosts still have it installed on their servers.

If you take your website seriously, you should take your hosting seriously. That means a bare-naked minimum of PHP 5.5, at the time of this writing. Security support for it ends in July of 2016, so you’d be best to go ahead and consider the minimum 5.6.

Some hosts put the onus of updating PHP versions on you, the end user. I think that’s a root problem (pun intended, for my developer readers). Updating PHP versions is a developer task. Any hosting company that has a “one click install” of WordPress can’t expect those users to be comfortable enough to update the scripting language undergirding that one click.

Get in touch with your host. Ask them to update you to an actively supported version of PHP. It should also go without saying, before you update something like that, take a healthy backup of your site (including the database.)

If your host balks at that, it is time for a better host.

WordPress 4.1.2 Security Release

Posted April 21, 2015 by Gary Pendergast. Filed under Releases, Security.

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, andAndrew Nacin of the WordPress security team.

We also fixed three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati,Allan Collins and Marc-Alexandre Montpas.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.

Thanks to everyone who contributed to 4.1.2: Allan Collins, Alex Concha, Andrew Nacin, Andrew Ozz, Ben Bidner, Boone Gorges, Dion Hulse, Dominik Schilling, Drew Jaynes, Gary Pendergast, Helen Hou-Sandí, John Blackbourn, and Mike Adams.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.

Already testing WordPress 4.2? The third release candidate is now available (zip) and it contains these fixes. For more on 4.2, see the RC 1 announcement post.