WordPress development volunteers published a proposal to urge users of potentially vulnerable versions of PHP to upgrade. An alarming number of WordPress users still use PHP versions that no longer receive security updates.
WordPress Addresses 61.6% of Vulnerable Publishers
PHP is the underlying scripting language that WordPress runs on. The most current version is PHP 7.3.7.
PHP is continually updated to make it more efficient and to patch security issues, except for versions that have reached “End of Life” (EOL) status. PHP versions 5.6 and 7.0 reached EOL in December 2018.
Only 38.5% of WordPress sites run on an up-to-date version of PHP.
PHP version 7.1 will reach EOL in December 2019.
According to official WordPress statistics, 45.3% of WordPress publishers are running their sites on PHP versions 5.6 and 7.0.
An additional 16.3% of WordPress publishers are using versions that are even older than 5.6.
That’s a total of 61.6% of WordPress publishers who are using versions of PHP that no longer receive security updates.
NOTE: Those numbers add up to 0.1% over 100%: 38.5% of sites using valid PHP + 61.6% using retired versions of PHP = 100.1%. Those numbers are from WordPress.
29.1% of WordPress publishers still use PHP 5.6. 16.2% use PHP 7.0. Both versions have reached End of Life status.
61.6% of WordPress Publishers are Vulnerable
This means that 61.6% of WordPress users may be vulnerable to hacking events. The WordPress proposal is to get all out-of-date PHP users up to date by using a nag screen. This means reaching all users of WordPress 5.6 and under plus those who are still using version 7.0.
This is the proposed timeline:
“Our suggested roadmap to increase the minimum PHP version is:
1. Display the PHP update widget for PHP 5.6. This will trigger the widget for anyone using PHP 5.6 or below and WordPress 5.1+ in their dashboards warning them of the fact we recommend upgrading the version of PHP.
2. Display the PHP update widget for users of PHP 7.0 and below.
3. Based around support and stats of points 1 and 2, have a discussion about whether the next step should be displaying the PHP update widget for PHP 7.1 or a direct increase of the required minimum version to PHP 7.2.”
WordPress Proposal for Nag Screen Widget
The official WordPress proposal calls for a nag screen to display. The nag screen urges users to upgrade their PHP.
This is a screenshot of a WordPress update widget, also known as a nag screen.
Here’s what the official announcement states:
“I would like to propose we trigger displaying the PHP update widget for users of PHP 5.6 in WordPress.
At the time of writing, the WordPress stats show that:
PHP 5.6 has a usage share of 29.1%
PHP 7.0 has a usage share of 16.2%
PHP 7.1 has a usage share of 13.2%”
The first nag screen may begin showing as soon as August 5, 2019. Subsequent nag screens will be determined at a later date.
Here’s the proposed timeline:
“We suggest to start showing the update recommendation for users of PHP 5.6 or lower starting August 5th, the timeline for showing the warning to PHP 7.0 users will be announced in a followup post, and relies on factors like support load, and adoption rate from the previous increase.”
Read the official WordPress discussion: Proposal for increasing recommended PHP version in WordPress