Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#47219 closed defect (bug) (invalid)

Site Health Check: handing out false security information about PHP versions

Reported by: davidanderson's profile DavidAnderson Owned by:
Milestone: Priority: normal
Severity: normal Version: 5.2
Component: Site Health Keywords: site-health
Focuses: Cc:


I have just updated a site to WP 5.2. The site is running on PHP 7.2.18. Going to Tools -> Site Health, it recommends that I update PHP, and says "Newer versions of PHP are both faster and more secure".

The information about security is not well-grounded in cases like this. There's no claim I can find from the PHP group themselves that the latest release in one currently-fully-maintained PHP series, is less secure than the latest release in another currently-fully-maintained series. Developers no doubt all want people to run the latest version possible, and I'm all for that. But inaccurate information reduces credibility.

Change History (4)

#1 @johnbillion
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

It's a generalisation. It usually holds true in one way or another. For 7.3 specifically:

  1. The setcookie() and session_set_cookie_params() functions now allow the samesite flag to be set, which enables applications built on it to be more secure.
  2. The min_proto_version and max_proto_version options for TLS streams reduce the chance of unintentional usage of insecure protocols in streams.
  3. The improvements to xml_set_external_entity_ref_handler() unifies handling of XML external entities which IMO has a good chance of improving security when external entities are sanitised.

#2 @SergeyBiryukov
5 years ago

  • Keywords site-health added

#3 @earnjam
5 years ago

It’s also in the recommended updates group, because 7.3 is the recommended version for WordPress, and the label assigned to it is performance.

If you are on an unmaintaned version of PHP, then it shows as a critical issue with a label of security.

#4 @spacedmonkey
4 years ago

  • Component changed from Administration to Site Health
Note: See TracTickets for help on using tickets.