Making WordPress.org

Opened 5 years ago

Closed 4 years ago

#802 closed enhancement (fixed)

Requirements page should recommend supported and secure PHP and MySQL versions

Reported by: andreafaulds
Owned by:
Milestone:
Priority: normal
Component: General
Keywords:
Cc:

Description

https://wordpress.org/about/requirements/

This page says:

To run WordPress your host just needs a couple of things:

  • PHP version 5.2.4 or greater
  • MySQL version 5.0 or greater

This is quite probably harmful, because naïve users may try to use the minimum requirements. It would be better if it said something like this:

To run WordPress your host just needs a couple of things:

  • PHP version 5.2.4 or greater (5.4 or greater recommended, using older PHP versions may expose your website to security vulnerabilities)
  • MySQL version 5.0 or greater (5.2 or greater recommended, using older MySQL versions may expose your website to security vulnerabilities)

That sound good? This should hopefully discourage new installs of outdated and insecure PHP versions.

Change History (24)

#1 @andreafaulds
5 years ago

That should probably say 5.5 or greater for MySQL. I didn't realise there was no 5.2, I know 5.1's EOL. Oops.

#3 @andreafaulds
5 years ago

  • Summary changed from Requirements page should recommend modern PHP and MySQL versions to Requirements page should recommend supported and secure PHP and MySQL versions

#4 @sc0ttkclark
5 years ago

  • Cc scott@… added
  • Component changed from General to Handbooks
  • Keywords dev-feedback added
  • Type changed from defect to enhancement

I think some change is needed to point out recommendations, and even a link to read more about PHP / MySQL EOL and what it means to a person running a website.

This all seems entirely reasonable. I'll forward this on to additional folks who may be able to make the associated decisions / changes.

This ticket was mentioned in Slack in #meta by sc0ttkclark.
5 years ago

This ticket was mentioned in Slack in #core by sc0ttkclark.
5 years ago

#7 @sc0ttkclark
5 years ago

This could be as simple as this (layout imperfect, text could change, but we could show recommended versions and a link to why).

http://f.cl.ly/items/260z2X0k2X3L0Y2b3i1k/Screen%20Shot%202015-01-28%20at%2010.06.38%20PM.png

Last edited 5 years ago by sc0ttkclark

#8 follow-up: @nacin
5 years ago

Fixed via #835.

#9 @andreafaulds
5 years ago

That's certainly an improvement, thanks!

However, I still think the wording could be improved. It's really important that 5.4+ isn't just "recommended", but marked as less secure (which it is). It's all very well telling people to use suPHP, but if they're running 5.2 their site is potentially vulnerable.

Something like this might be better:

To run WordPress your host just needs a couple of things:

  • PHP version 5.4 or greater
  • MySQL version 5.5 or greater

Note: If you are in a legacy environment where you only have older PHP or MySQL versions, WordPress also works with PHP 5.2.4+ and MySQL 5.0+, but these versions have reached official End Of Life and as such will expose your site to security vulnerabilities.

This reframes it. Rather than it being 5.2+ with 5.4 recommended, it's 5.4+ with 5.2 being an option if you're in a legacy environment, but you're warned about security.

#10 in reply to: ↑ 8 @netweb
5 years ago

  • Keywords dev-feedback removed
  • Resolution set to fixed
  • Status changed from new to closed

This has also now been updated in WordPress Core in #WP31173

@andreafaulds I think things will be staying as they are, as such marking as fixed per #835 above.

#11 @andreafaulds
5 years ago

I don't think it's resolved: the page makes no mention of security. I am tempted to reopen.

#12 follow-up: @sc0ttkclark
5 years ago

Andrea is a representative of the PHP project through her contributions; if she thinks security wording is needed, we should certainly listen to her and find some way to address it.

#13 in reply to: ↑ 12 @andreafaulds
5 years ago

Replying to sc0ttkclark:

Andrea is a representative of the PHP project through her contributions; if she thinks security wording is needed, we should certainly listen to her and find some way to address it.

I wouldn't quite go so far as saying I'm "a representative of the PHP project", er... I mean, I'm not speaking in any official or semi-official capacity or anything.

If you want an expert opinion on PHP security, ask Anthony Ferrara.

#14 @netweb
5 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Cool, welcome Andrea, I'll defer to @Nacin, thoughts?

#15 follow-up: @sc0ttkclark
5 years ago

Sorry Andrea, I was just noting your contributions to PHP itself.

#16 in reply to: ↑ 15 @andreafaulds
5 years ago

Replying to sc0ttkclark:

Sorry Andrea, I was just noting your contributions to PHP itself.

Don't worry about it :)

#17 follow-up: @nacin
5 years ago

While I did note it was "fixed via" another ticket, I didn't outright close this one. I agree that if we're going to mention suExec we should mention more about security here. I'll mull it over.

#18 in reply to: ↑ 17 @andreafaulds
5 years ago

Replying to nacin:

While I did note it was "fixed via" another ticket, I didn't outright close this one. I agree that if we're going to mention suExec we should mention more about security here. I'll mull it over.

If you are to do it, the key thing is that it should be more along the lines of "use 5.4+, although you can use 5.2+ if you absolutely have to and don't mind security and performance issues", rather than "use 5.2+ (optionally, we recommend 5.4+)".

#19 @coffee2code
4 years ago

  • Component changed from Handbooks to General

#20 @dave1010
4 years ago

PHP 5.4 is only getting security updates for a couple of weeks more (until 14 Sep 2015, http://php.net/supported-versions.php) - it really shouldn't be recommended.

At a minimum, the page should have the requirements:

PHP version 5.2.4 or greater (recommended: PHP 5.6 or greater)

And the letter to hosts should say:

PHP 5.6 or greater

Also the H3 saying "Why not the latest, greatest, bleeding edge versions?" makes it look like more recent versions are not recommended, when in fact it's explaining that the latest versions are not required, even though they are recommended.

I suggest this is either removed completely (it looks like most of it is aimed at potential core developers, not end users) or reworded. The last paragraph ("WordPress does work on the latest versions of PHP and MySQL, which are often faster and more stable.") is important for end users though and could be moved from the sidebar to the main column.

This ticket was mentioned in Slack in #core by netweb.
4 years ago

#22 @paulschreiber
4 years ago

It'd be helpful to specifically call out WordPress as being compatible with PHP 7.

#24 @pento
4 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

https://wordpress.org/about/requirements/ has been updated to recommend PHP 5.6, as well as to take on some of the text recommended by folks in this ticket.

I decided not to include a mention of PHP 7, as I think it's a better message that WordPress always supports the latest stable version of PHP. We can absolutely revisit this if we see any significant confusion, though. :-)

Thanks everyone!
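The ticket ends up with two tiers: a hard minimum (PHP 5.2.4 / MySQL 5.0) that WordPress still runs on and a recommended version (PHP 5.6 / MySQL 5.5) below which the branch is End Of Life or about to be. The following is an added example, not code from WordPress or from anyone in this ticket, of a host check that applies exactly that framing: it parses `php -v` output and a MySQL server version string, then rates each as unsupported, eol, legacy or recommended. It assumes Python 3.7+, and only the PHP 5.4 cut-off date (14 Sep 2015, quoted in comment #20) is filled in; the other branches are left for the operator to supply rather than guessed.

```python
import re
from datetime import date

# Thresholds from this ticket: the hard minimums WordPress still runs on
# (original requirements page) and the versions the page ended up
# recommending (comments #9, #20 and #24).
MINIMUM = {"php": (5, 2, 4), "mysql": (5, 0)}
RECOMMENDED = {"php": (5, 6), "mysql": (5, 5)}

# Security-support cut-off by branch. Only the PHP 5.4 date is quoted in the
# ticket (comment #20); fill in the rest from php.net/supported-versions.php
# and the MySQL lifecycle page before relying on this on a real host.
SECURITY_SUPPORT_ENDS = {("php", (5, 4)): date(2015, 9, 14)}

def parse_version(text):
    """Keep only the leading dotted number: '5.5.44-0ubuntu0.14.04.1' -> (5, 5, 44)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))

def parse_php_v(output):
    """Pull the interpreter version out of `php -v` output ('PHP 5.4.45 (cli) ...')."""
    m = re.search(r"^PHP (\S+)", output, re.M)
    if not m:
        raise ValueError("does not look like `php -v` output")
    return parse_version(m.group(1))

def classify(kind, version, today):
    """Rate a version (today as 'YYYY-MM-DD'): 'unsupported' = WordPress will not
    run; 'eol' = runs but the branch gets no security fixes any more; 'legacy' =
    below the recommended version, cut-off not in the table; 'recommended'."""
    if version < MINIMUM[kind]:
        return "unsupported"
    if version >= RECOMMENDED[kind]:
        return "recommended"
    ends = SECURITY_SUPPORT_ENDS.get((kind, version[:2]))
    if ends is not None and date.fromisoformat(today) > ends:
        return "eol"
    return "legacy"

def check_host(php_v_output, mysql_version, today):
    """Report both components the way the requirements page frames them."""
    return {"php": classify("php", parse_php_v(php_v_output), today),
            "mysql": classify("mysql", parse_version(mysql_version), today)}

# Constructed sample inputs (not captured from a real host).
SAMPLE_PHP_V = "PHP 5.4.45 (cli) (built: Sep  4 2015 12:00:00)\nCopyright (c) 1997-2015 The PHP Group\n"
SAMPLE_MYSQL = "5.5.44-0ubuntu0.14.04.1"
print(check_host(SAMPLE_PHP_V, SAMPLE_MYSQL, "2015-10-01"))  # {'php': 'eol', 'mysql': 'recommended'}
```

Run it with the real `php -v` output and the value of `SELECT VERSION()` from the database host to see which tier the site sits in; anything but `recommended` is the case the ticket wanted the requirements page to warn about.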
