WordPress to Warn on Outdated PHP Versions

In an effort to improve the security of websites, WordPress will display a warning starting in April 2019 when encountering outdated PHP versions.

In December last year, the free and open-source content management system (CMS) announced that 85% of websites running WordPress 5.0 were already using PHP 5.6 or above. 

In light of that, PHP 5.6 will become the minimum PHP version requirement for WordPress websites, and site administrators running outdated PHP versions will be notified of the change.

“To help you check if you’re prepared for this change, WordPress 5.1 will show you a warning and help you upgrade your version of PHP, if necessary,” WordPress says.

The notification will also include a link (in the form of a button) to a new support page with information on how to update PHP. 

WordPress would still provide security updates and bug fixes for sites that choose to stay on PHP 5.5 or below. However, these sites won’t be able to upgrade to the latest major WordPress version without switching to a supported version of PHP first.  

WordPress 5.1, which is scheduled for release on February 21, also implements the first phase of Health Check, a project aimed at improving the stability and performance of the entire WordPress ecosystem. 

“For the first time, WordPress will catch and pause the problem code, so you can log in to your Dashboard and see what the problem is. Before, you’d have to FTP in to your files or get in touch with your host,” WordPress explains. 

The CMS will also include a mechanism to detect fatal errors that could result from updating the PHP version, and even recover from them in certain designated areas of WordPress. 

Although the update process is straightforward and popular plugins and themes are typically maintained well, some extensions might not be compatible with the latest PHP versions yet, which could result in the WordPress site being broken after the update.

WordPress, however, will recognize when a fatal error occurs, identify the plugin or theme responsible for it, and pause that extension, while giving admins details about the error in the admin backend. Extensions can be resumed once the issue has been fixed.

WordPress 5.1 will also warn admins when attempting to install plugins that require a higher PHP version than the one currently active. Furthermore, the CMS will disable the button for installing those plugins (the same applies for WordPress version compatibility). In the future, plugin updates will also be restricted (themes will be impacted as well). 
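The compatibility gate described above can be approximated offline before changing PHP versions. This is an added example, not WordPress core code or code from the article; it assumes plugins declare their requirement in the `Requires PHP` field of `readme.txt`, and the plugin slugs and readme contents are constructed samples.

```php
<?php
// Added example: offline audit of plugin PHP requirements (not WordPress core code).
// The script itself needs PHP 7.1+ to run because it uses nullable types.
const WP_MIN_PHP = '5.6'; // minimum PHP version named in the article

/** Return the "Requires PHP" value from readme.txt text, or null if not declared. */
function requires_php(string $readme): ?string {
    // Header fields sit at the top of readme.txt; scan only the first 30 lines.
    $head = implode("\n", array_slice(preg_split('/\R/', $readme), 0, 30));
    if (preg_match('/^[ \t]*Requires PHP:[ \t]*(\d+(?:\.\d+){0,2})[ \t]*$/mi', $head, $m)) {
        return $m[1];
    }
    return null;
}

/** 'ok', 'blocked' (needs newer PHP than active), or 'unknown' (nothing declared). */
function classify(?string $required, string $activePhp): string {
    if ($required === null) {
        return 'unknown'; // no declared requirement: test before switching PHP
    }
    return version_compare($activePhp, $required, '>=') ? 'ok' : 'blocked';
}

/** Map each plugin slug to its classification for the given PHP version. */
function audit(array $readmes, string $activePhp): array {
    $report = [];
    foreach ($readmes as $slug => $readme) {
        $report[$slug] = classify(requires_php($readme), $activePhp);
    }
    return $report;
}

// Constructed sample readme headers (hypothetical plugins).
$readmes = [
    'sample-gallery' => "=== Sample Gallery ===\nRequires at least: 4.9\nRequires PHP: 7.0\nStable tag: 1.2\n",
    'sample-forms'   => "=== Sample Forms ===\nRequires at least: 4.7\nRequires PHP: 5.6\nStable tag: 3.0.1\n",
    'sample-legacy'  => "=== Sample Legacy ===\nRequires at least: 3.5\nStable tag: 0.9\n",
];

// Compare a site below the minimum with one that meets it (constructed versions).
foreach (['5.5.38', '5.6.40'] as $active) {
    $belowMin = version_compare($active, WP_MIN_PHP, '<');
    echo "PHP $active" . ($belowMin ? ' (below WordPress minimum ' . WP_MIN_PHP . ')' : '') . "\n";
    foreach (audit($readmes, $active) as $slug => $status) {
        echo "  $slug: $status\n";
    }
}
```

Plugins reported as `unknown` declare no requirement at all, so they are the ones to test on a staging copy before the production PHP version is changed.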

At the moment, WordPress plans to warn admins if the PHP version is below 5.6, but that could change soon. The lowest PHP version still receiving security updates is currently 7.1 and WordPress could bump the minimum required PHP version to 7 by the end of the year. 

“PHP 5.6 is the intended version to bump WordPress requirements to, and from then the threshold for the PHP notice will increase granularly, with the goal to over time catch up with the actual PHP version progress,” WordPress’ Felix Arntz explains. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
