WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#36542 closed enhancement (duplicate)

Minimum support to PHP 5.3 from 5.2.9

Reported by: seancjones
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.6
Component: General
Keywords:
Focuses:
Cc:

Description

Overview

This debate has popped up a number of times before. Invariably there is a tension between developers and the core, user-focused mission of WordPress. The concern is that although the number of sites running PHP 5.2 has dropped significantly over the years, now just 8.4%, that is still a staggeringly large number of users.

My untested hypothesis is that many of these users are probably not the quickest to update to the newest version of WordPress. Furthermore, one of the largest reasons to update to WordPress (other than to experience all of the awesome features) is to protect against security vulnerabilities. I believe WordPress 4.6 can only increase its awesomeness if it is able to use the features in PHP 5.3.

I propose PHP 5.3 for its smallest possible incrementation, making it a good test for WordPress system upgrades, and because of select features I will list later in this proposal.

WordPress Core Reasons to Upgrade

Users upgrade for security reasons and to access new features.

Security

PHP 5.2 has been EOL for 5 years. 5.2.9 has 2 pages of known vulnerabilities which a WordPress website can be subjected to. In fact, there were 8 updates after 5.2.9, which addressed security vulnerabilities. WordPress can provide security updates, but if a user/host is so unconcerned with security as to leave a service with so many known exploits running on their website, I do not believe we even want WordPress to be associated with the potential fallout.

New Features

The WordPress community has accomplished something truly incredible in creating the most used CMS in the world. It is insanely user friendly, and gets more user friendly with every release. Many of the new features are JavaScript driven, but PHP is still at the core of WordPress and there continue to be new improvements.

By upgrading to PHP 5.3, many users would not be able to update to the newest version of WordPress. However, are they? And, would upgrading the minimum support to PHP 5.3 be the largest barrier to apathy? I propose that this needs further investigation.

How many users running PHP 5.2.9 are upgrading to the newest version of WordPress? Roughly 1/3 of all users are running WordPress 4.1 or lower. While this isn't strong enough evidence to be fact, I think it's worth exploring further. If I am given a clue as to how I can do that myself, I'm more than happy to, but cross referencing PHP versions with WordPress versions would probably be a more reliable indicator of who would be immediately affected by an update to minimum support of PHP 5.3.

Why 5.3 and not something newer?

The few holdouts who are running 5.2.9 should realistically be able to upgrade to PHP 5.3 without major system upgrades (even if they really should make major system upgrades and/or replace their server which is probably EOL. Just because they should does not mean they will/can). A portion of those will skip straight to a newer version, which is a good thing.

Additionally, this very minor and very careful upgrade path would be a good test for subsequent updates in the future. As a market leader, WordPress has been pushing its weight to get hosts to upgrade, and I think it can afford to do so in this small way and hopefully help push this boulder further uphill.

Features in 5.3

By upgrading the minimum support to 5.3, WordPress would be able to do some truly incredible things:

  1. Prevent future cluttering of the global namespace. PHP 5.2.9 does not support Namespaces. By upgrading, WordPress would be able to introduce namespaces that are not filled with underscores. This may not be possible for current classes, but can certainly be implemented for any new features. Optionally, by implementing class_alias(), another PHP 5.3 feature, one could use old and new namespaces, encouraging new plugins to implement namespaces instead when writing classes.
  2. Introduce anonymous functions. While these can certainly be overused, any developer who has used anonymous functions grinds their teeth when they think about how to implement the same features without them. This is another way to declutter the global scope for rarely-used functions that consist of globals.

Implementation

Implementation would need to be careful and thought out to cause the least amount of disruption to the subset of users who run on PHP 5.2.9 but like to update to the newest version of WordPress.

I propose something along the following lines:

  1. In a minor release of 4.5, issue a dismissible warning to users who upgrade, that the next major version of WordPress will no longer support PHP 5.2.9. Release a corresponding press release so that there is a lot of publicity around it.
  2. Do not introduce updated features in WordPress 4.6. Instead, introduce a very obvious warning on all WordPress pages for logged-in administrators running PHP 5.2.9, that their version of PHP is no longer supported, inviting them to either roll back to an older version of WordPress or to update to PHP 5.3 or greater. While this may inundate support pages, it will not outright break websites.
  3. Begin implementing newer PHP 5.3 features in WordPress 4.7 or WordPress 4.8. That will give a full year of increasing intensity and chances to upgrade before finally enforcing an upgrade. If relatively painless, it can also pave the way for additional upgrades. For example, as servers update their systems they may decide that they need to update to PHP 5.5 or PHP 5.6, making the next update happen more quickly.

Conclusion

Ultimately, with under 10% of users running 5.2.9 (and a significantly larger percentage running 5.3), this is the time to finally upgrade minimum support in WordPress. While upgrading past 5.3 would be wonderful, and my heart of hearts yearns to see it happen, it is far too large of a jump for the CMS that essentially drives the world wide web. I believe this would be a good test, and, if executed carefully, would have a worst case scenario of having some users get worried with no serious impact to most visitors, and a best case scenario of having virtually no issues with the upgrade, following the logic that the people who do not upgrade PHP are less likely to upgrade WordPress as well.

Hopefully I have made a convincing argument and we can safely revive this ancient debate.

Thanks,

Sean
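
Added example (not part of the ticket and not WordPress core code): one way the step-2 warning for administrators on an unsupported PHP version could be wired up. The function name and message text are hypothetical, and the sketch assumes the warning is shown on admin screens only.

```php
<?php
// Illustration added alongside the ticket; not WordPress core code.
// example_php_eol_notice() and the message wording are hypothetical.
// This file has to parse on PHP 5.2 itself, so it uses a named callback
// instead of a closure and declares no namespace.

function example_php_eol_notice() {
	// Nothing to report once the server meets the proposed minimum.
	if ( version_compare( PHP_VERSION, '5.3.0', '>=' ) ) {
		return;
	}

	// Show the warning only to users who are able to act on it.
	if ( ! current_user_can( 'update_core' ) ) {
		return;
	}

	// Escape the whole message, including the interpolated version string.
	$message = sprintf(
		'This site is running PHP %s, which is no longer supported. Update to PHP 5.3 or greater, or roll back to an older version of WordPress.',
		PHP_VERSION
	);

	// No "is-dismissible" class: the step-2 warning is meant to stay visible.
	printf(
		'<div class="notice notice-error"><p>%s</p></div>',
		esc_html( $message )
	);
}
add_action( 'admin_notices', 'example_php_eol_notice' );
```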

Change History (4)

#2 @desmith
3 years ago

Here's a quick summary of the versions supported by Ubuntu LTS and Red Hat Enterprise Linux, probably the two most prominent Linux distributions for servers:

RHEL 5: Shipped with PHP 5.1.6, supported through March 2017
RHEL 6: Shipped with PHP 5.3.3, supported through November 2020
RHEL 7: Shipped with PHP 5.4.16, supported through June 2024
Ubuntu 12.04 LTS: Shipped with PHP 5.3.10, supported through November 2017
Ubuntu 14.04 LTS: Shipped with PHP 5.5.9, supported through November 2019

RHEL 5 doesn't count, as its shipped version of PHP already is too old for WordPress. I wouldn't support going past PHP 5.3 at this time, but at least for larger, enterprise-y users, I think 5.3 would be relatively safe.

Sources: https://access.redhat.com/support/policy/updates/errata, https://wiki.ubuntu.com/LTS, http://www.sasaprolic.com/2013/02/list-of-current-php-version-in-major.html

#3 @seancjones
3 years ago

Note that PHP 5.3 runs on Ubuntu 10.04 and so can be built manually or received from a third-party repo.

Last edited 3 years ago by seancjones

#4 @jorbin
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Closing this as a dupe of #33381

Let's try to keep all the discussion in one place.
