    Resolved bbceg

    (@bbceg)


    I run several Ubuntu LTS servers (presently all on 18.04) which mostly host WordPress websites. The maximum (Ubuntu-supported) version of PHP on these servers is 7.2. However my understanding is that Ubuntu will patch this version of PHP with the latest security fixes until 18.04 is EOL (October 2022 I believe).

    If this understanding is correct then the warning in the dashboard about having an insecure version of PHP would seem to be inaccurate. I’m not really expecting the messaging to be changed if this is the case, though it would help to reassure anyone logging into a WordPress website on one of my servers.

    Of course if my understanding is not correct I will need to press ahead with an upgrade to Ondrej’s packages or update the entire distro on each server.

    I appreciate there may be other reasons to upgrade to 7.4 (the current minimum supported version for WordPress) and perhaps these trump the security issues, but I like to keep the server configuration as simple and robust as possible, and sticking with the packages for my specific distro seems a good way to do that. I try to avoid upgrading too often to keep the stability and reduce the amount of work involved, and this generally means skipping an LTS release. Naturally this means the PHP version isn’t always up to par.

    I’ve deviated a little from the original point but would appreciate any thoughts on any of the above.

Viewing 5 replies - 1 through 5 (of 5 total)
    Moderator James Huff

    (@macmanx)

    PHP 7.2 reached end of life 6 months ago, meaning it will no longer receive security updates from PHP itself: https://www.php.net/eol.php

    Some distros and hosting providers do provide their own third-party security fixes, but as these are not from PHP itself, there is no way to know specifically if they are secure.

    The check can only make sure you’re on the latest version of a still in-service PHP branch. As of today, that’s 7.3.28, 7.4.20, and 8.0.7.

    Thread Starter bbceg

    (@bbceg)

    Thanks for the swift response, @macmanx; that makes sense. I suppose it might have been an option to allow hosts / website owners to accept their version of PHP, even if via a filter.

    As mentioned above, there would seem to be good reasons to stay with a distro’s packages and in my specific case I would feel confident that the Ubuntu team will keep the currently maintained PHP version secure.

    I can see there is a filter ‘wp_is_php_version_acceptable’ but this is only available to make the check more strict. With the above in mind do you think it would make sense to remove this restriction?
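As an added example (not code from this thread, and not WordPress core's own code), the must-use plugin below shows the one direction the `wp_is_php_version_acceptable` filter does allow: tightening the dashboard check. Core only runs this filter after WordPress.org's check has already passed the running version, so a callback can turn a pass into a fail but cannot mark an out-of-support branch such as 7.2 as acceptable. The minimum-version constant, the function name and the plugin header are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Stricter PHP version check (added example)
 *
 * Hypothetical must-use plugin, not code from the forum thread or from
 * WordPress core. Drop it into wp-content/mu-plugins/ and it runs on every
 * request without activation.
 *
 * WordPress applies 'wp_is_php_version_acceptable' only after WordPress.org
 * has already judged the running PHP version acceptable, so a callback here
 * can only make the check stricter (show the dashboard warning earlier);
 * it cannot silence a warning for a branch that is already out of support.
 */

// Assumption for this example: the site owner wants every server to run at
// least this branch, even where WordPress.org would still accept an older one.
const EXAMPLE_MIN_PHP = '8.0.0';

/**
 * Return false when the running PHP is older than EXAMPLE_MIN_PHP, which
 * triggers the "insecure PHP version" notice for administrators.
 *
 * @param bool   $is_acceptable Verdict from WordPress.org (true when this filter runs).
 * @param string $version       PHP version WordPress tested, e.g. "7.4.20".
 * @return bool
 */
function example_require_minimum_php( $is_acceptable, $version ) {
    if ( ! $is_acceptable ) {
        // Never loosen a verdict that is already a fail.
        return false;
    }
    // version_compare() understands PHP-style versions such as "7.4.20".
    return version_compare( $version, EXAMPLE_MIN_PHP, '>=' );
}

// Priority 10, two accepted arguments ($is_acceptable and $version).
add_filter( 'wp_is_php_version_acceptable', 'example_require_minimum_php', 10, 2 );
```

With this in place, a server on 7.4.20 shows the warning even though WordPress.org still accepts 7.4; a server on 7.2 shows it regardless, because the filter never runs for a version that already failed. Note that WordPress caches the WordPress.org response (the check is not re-run on every page load), so a change to the constant may take effect only after the cached result expires.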

    Moderator James Huff

    (@macmanx)

    No, the PHP version check won’t be going away.

    There are still far too many people on insecure versions of PHP: https://www.ads-software.com/about/stats/

    Thread Starter bbceg

    (@bbceg)

    I wasn’t looking for the check to go away, merely a way to accept responsibility for the environment and override the behaviour. I can see how this is probably not very progressive so will bow out and find a new way forward.

    Moderator James Huff

    (@macmanx)

    Yeah, there currently is no filter like that to hide or disable the check.

    Overall, we recommend staying on the latest and most secure version of PHP, regardless of available third-party security patches for older versions.

The topic ‘PHP version security warning perhaps overzealous in certain situations?’ is closed to new replies.