WordPress to Warn on Outdated PHP Versions

In an effort to improve the security of websites, WordPress will display a warning starting in April 2019 when encountering outdated PHP versions.

In December last year, the free and open-source content management system (CMS) announced that 85% of websites running WordPress 5.0 were already using PHP 5.6 or above. 

In light of that, PHP 5.6 will become the minimum PHP version requirement for WordPress websites, and site administrators running outdated PHP versions will receive notices to that effect.

“To help you check if you’re prepared for this change, WordPress 5.1 will show you a warning and help you upgrade your version of PHP, if necessary,” WordPress says.

The notification will also include a link (in the form of a button) to a new support page with information on how to update PHP. 

WordPress would still provide security updates and bug fixes for sites that choose to stay on PHP 5.5 or below. However, these sites won’t be able to upgrade to the latest major WordPress version without switching to a supported version of PHP first.  

WordPress 5.1, which is scheduled for release on February 21, also implements the first phase of Health Check, a project aimed at improving the stability and performance of the entire WordPress ecosystem. 

“For the first time, WordPress will catch and pause the problem code, so you can log in to your Dashboard and see what the problem is. Before, you’d have to FTP in to your files or get in touch with your host,” WordPress explains. 

The CMS will also include a mechanism to detect fatal errors that could result from updating the PHP version, and even recover from them in certain designated areas of WordPress. 

Although the update process is straightforward and popular plugins and themes are typically maintained well, some extensions might not be compatible with the latest PHP versions yet, which could result in the WordPress site being broken after the update.

WordPress, however, will recognize when a fatal error occurs, identify the plugin or theme responsible for it, and pause that extension, while giving admins information about it in the admin backend. Extensions can be resumed once the issue has been fixed.

WordPress 5.1 will also warn admins when attempting to install plugins that require a higher PHP version than the one currently active. Furthermore, the CMS will disable the button for installing those plugins (the same applies for WordPress version compatibility). In the future, plugin updates will also be restricted (themes will be impacted as well). 

At the moment, WordPress plans to warn admins if the PHP version is below 5.6, but that could change soon. The lowest PHP version still receiving security updates is currently 7.1 and WordPress could bump the minimum required PHP version to 7 by the end of the year.

“PHP 5.6 is the intended version to bump WordPress requirements to, and from then the threshold for the PHP notice will increase granularly, with the goal to over time catch up with the actual PHP version progress,” WordPress’ Felix Arntz explains. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
