
Opened 21 months ago

Closed 21 months ago

Last modified 19 months ago

#47219 closed defect (bug) (invalid)

Site Health Check: handing out false security information about PHP versions

Reported by: DavidAnderson
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.2
Component: Site Health
Keywords: site-health
Focuses:
Cc:

Description

I have just updated a site to WP 5.2. The site is running on PHP 7.2.18. Going to Tools -> Site Health, it recommends that I update PHP, and says "Newer versions of PHP are both faster and more secure".

The information about security is not well-grounded in cases like this. There's no claim I can find from the PHP group themselves that the latest release in one currently-fully-maintained PHP series, is less secure than the latest release in another currently-fully-maintained series. Developers no doubt all want people to run the latest version possible, and I'm all for that. But inaccurate information reduces credibility.

Change History (4)

#1 @johnbillion
21 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

It's a generalisation. It usually holds true in one way or another. For 7.3 specifically:

  1. The setcookie() and session_set_cookie_params() functions now allow the samesite flag to be set, which enables applications built on it to be more secure.
  2. The min_proto_version and max_proto_version options for TLS streams reduce the chance of unintentional usage of insecure protocols in streams.
  3. The improvements to xml_set_external_entity_ref_handler() unify handling of XML external entities, which IMO has a good chance of improving security when external entities are sanitised.
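
As an added example (not code from the ticket or from WordPress core), here is how items 1 and 2 above are used in practice: helper functions that set cookies with the SameSite attribute and pin a TLS stream to TLS 1.2, both of which need the PHP 7.3 APIs. The function names are assumptions, and the block assumes PHP 7.3 or newer.

```php
<?php
// Added example (not from the ticket): hardening helpers built on the
// PHP 7.3 additions named in comment #1. Function names are assumptions.
declare(strict_types=1);

// 1. SameSite cookies: since 7.3, setcookie() accepts an $options array
//    whose 'samesite' key becomes the SameSite attribute of Set-Cookie.
function set_hardened_cookie(string $name, string $value, int $ttl): bool
{
    if (PHP_VERSION_ID < 70300) {
        // Older releases have no supported way to emit SameSite; fail loudly
        // rather than silently sending a cookie without the attribute.
        throw new RuntimeException('PHP >= 7.3 required for the samesite cookie option');
    }
    return setcookie($name, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
}

// The same option is available for the PHP session cookie itself via the
// array form of session_set_cookie_params(), also new in 7.3.
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// 2. TLS streams: without min_proto_version the stream negotiates whatever
//    the OpenSSL build allows. Pinning the floor to TLS 1.2 rules out a
//    negotiated fallback to TLS 1.0/1.1. Constant and option are 7.3+.
function open_tls12_socket(string $host, int $port = 443)
{
    $ctx = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'min_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_2,
        ],
    ]);
    $fp = stream_socket_client("tls://{$host}:{$port}", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("TLS connect failed: {$errstr} ({$errno})");
    }
    return $fp; // a stream resource; the caller closes it with fclose()
}
```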

#2 @SergeyBiryukov
21 months ago

  • Keywords site-health added

#3 @earnjam
21 months ago

It’s also in the recommended updates group, because 7.3 is the recommended version for WordPress, and the label assigned to it is performance.

If you are on an unmaintained version of PHP, then it shows as a critical issue with a label of security.

#4 @spacedmonkey
19 months ago

  • Component changed from Administration to Site Health