Site Health Check: handing out false security information about PHP versions

[DavidAnderson]

I have just updated a site to WP 5.2. The site is running on PHP 7.2.18. Going to Tools -> Site Health, it recommends that I update PHP, and says "Newer versions of PHP are both faster and more secure".

The information about security is not well-grounded in cases like this. There's no claim I can find from the PHP group themselves that the latest release in one currently-fully-maintained PHP series, is less secure than the latest release in another currently-fully-maintained series. Developers no doubt all want people to run the latest version possible, and I'm all for that. But inaccurate information reduces credibility.

[johnbillion]

It's a generalisation. It usually holds true in one way or another. For 7.3 specifically:

1. The setcookie() and session_set_cookie_params() functions now allow the samesite flag to be set, which enables applications built on it to be more secure.
2. The min_proto_version and max_proto_version options for TLS streams reduce the chance of unintentional usage of insecure protocols in streams.
3. The improvements to xml_set_external_entity_ref_handler() unifies handling of XML external entities which IMO has a good chance of improving security when external entities are sanitised.

[earnjam]

It’s also in the recommended updates group, because 7.3 is the recommended version for WordPress, and the label assigned to it is performance.

If you are on an unmaintaned version of PHP, then it shows as a critical issue with a label of security.