Whipping your hosting into shape

In this post, I explain why Yoast SEO warns people whose website runs on an older, unsupported version of PHP to upgrade their PHP version. We’re doing this mainly to improve the security and speed of those websites.

This post is long, but I’ll explain:

  • what the problem is;
  • why we want to fix it;
  • why we burden the user with it;
  • and how web hosts can work with us.

PHP? Versions? What are you talking about?

WordPress, like Yoast SEO, is built in large part in a programming language called PHP. This language, like WordPress itself, has gradually improved over time. Web developers all over the world are enjoying the new features that newer versions of PHP have brought. More importantly, everyone all over the world enjoys the increased security these new versions bring. Unfortunately, WordPress developers do not get to join in.

Compared to WordPress, PHP has a rather aggressive update path. PHP 5.6 will receive security patches for just under two more years, but nothing else, and no other PHP 5 version receives security updates. PHP 7 is the future (and boy is it nice and fast).

Ever since July 2011, the minimum PHP required for WordPress is PHP version 5.2. Here at Yoast, we think it’s time for WordPress to move that requirement up to PHP 5.6.

Why do you care so much?

At Yoast we care about a lot of things, but two things in a very particular order: user happiness first, developer happiness second. A user is happy when he or she has a fast, easy to install, secure content management system like WordPress to build a site in. A developer is happy when he or she can use a modern language and modern tooling to build software with.

Security

The single most important reason for us to want to increase the minimum requirement is security: PHP versions 5.2 through to 5.5, while still actively in use on millions of sites, no longer get security updates. Some Linux distributions and web hosts still backport security fixes from newer PHP versions to older versions, but that’s not something we, as a community, should rely on.

This security concern is not a theoretical concern. We have seen time and time again that the number one reason sites get hacked is because of outdated software. The last release of PHP 5.2 is 6 years old, and several major security issues have been found in it since. WordPress has automatic updates for security updates built-in for exactly this reason. Why would we push people to update WordPress and its plugins regularly, but let the PHP version fall behind?

Speed

Another big issue is speed. WordPress is sometimes said to be slow, but it actually doesn’t have to be slow at all. If it’s running on old versions of PHP, however, it most certainly is slow. PHP 5.2 is more than 100% slower than PHP 5.6, and a whopping 400% slower than PHP 7 (source). If you’re getting a bad reputation because you’re allowing old stuff to stay around, maybe we shouldn’t allow the old stuff to stay around so much?

Modern programming language

PHP 5.2, which was released November 2nd 2006, is no longer a modern language. This makes developers unhappy because they’re missing many of the cool features every other modern language has.

As WordPress is gaining popularity, something else is happening because of this: more and more developers are turning their back on WordPress because it’s moving too slowly. Developing themes or plugins for WordPress, where PHP 5.2 is required, is a hassle and thus not as much fun. This is becoming a problem: we’re literally losing good developers. Those developers could benefit the entire community, but we’re missing out because we’re not getting with the times. Over time, losing developers means other products will move faster, and WordPress will lose marketshare.

Why isn’t WordPress simply upping the requirements to PHP 5.6?

There is a long and ongoing discussion in the WordPress community about upping the requirements for PHP to 5.6. The problem is that, for a user, upgrading their PHP version is non-trivial in a lot of cases. It’s not something we want to burden a user with. So we’ve been waiting and waiting for web hosts to do their work. We’ve been waiting, literally, for years. Unfortunately, it turns out, not all web hosts are created equal. Not all of them proactively upgrade their customers to newer PHP versions.

As I type this, the WordPress stats page says 5.6% of websites are using PHP 5.2, 15.6% are using PHP 5.3, 23% are using PHP 5.4 and 15.4% are using PHP 5.5. That means almost 60% of WordPress installs are running on an unsupported version of PHP. So much for web hosts doing their work.

Because web hosts are not upgrading PHP, we have decided to start pushing this from within plugins.

Why don’t web hosts update PHP?

When you’ve seen all the above, you’re probably wondering why web hosts don’t proactively update their customers’ PHP versions. Well, the good news is: lots of them do. If you’re on one of those hosts, and you’re running PHP 5.6 or higher: good on you! Other hosts, though, seem to be intent on doing as little as possible while still keeping the customer.

We’ve heard all sorts of reasons from hosts to not want to upgrade PHP. The only one we understand to a certain extent is that they don’t want to break your site. Some software running on the same server as your site may not support newer PHP versions, probably because that software needs to be upgraded too. But in all honesty: you shouldn’t have to worry about that. We think a host should upgrade your PHP for you.

What is Yoast going to do?

Combined, all of the above reasons make us very intent on moving WordPress forward. Unfortunately, we don’t have the power to decide on minimum requirements. So we’ve decided to throw our weight behind this in a different way.

As of Yoast SEO 4.5 we will start showing a notice on the WordPress dashboard to administrators of sites running on PHP 5.2. This notice will be big, ugly, and non-dismissible. In this notice we will explain why the administrator should upgrade the PHP version of the site.

If a web host integrates with our project, which we’ve called WHIP, the host can add some information about how to upgrade right within the notice. See the GitHub repo for info about how to integrate.

The notice will also encourage people to contact their host if they don’t know how to upgrade their PHP. Yes, this could be painful for some hosts. This notice is deliberately intended to make them work.
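A plugin-side version gate of the kind described above, as an added example; it is not code from Yoast SEO or the WHIP package. The `example_*` function and filter names and the `EXAMPLE_MIN_PHP` constant are hypothetical, while `add_action`, `apply_filters`, `current_user_can`, `esc_html` and the `admin_notices` hook are standard WordPress core APIs.

```php
<?php
/*
 * Added example, not Yoast's or WHIP's code. All example_* names are hypothetical.
 * This file must itself parse on PHP 5.2: no closures, namespaces or [] arrays,
 * otherwise the outdated site fails with a parse error before any notice is shown.
 */

// Raise this step by step (5.3, then 5.4, ...) to widen the warning.
if ( ! defined( 'EXAMPLE_MIN_PHP' ) ) {
	define( 'EXAMPLE_MIN_PHP', '5.3' );
}

/** True when $running is older than $minimum (e.g. "5.2.17" against "5.3"). */
function example_php_is_outdated( $running, $minimum ) {
	return version_compare( $running, $minimum, '<' );
}

/** Builds the notice text; $host_help is optional upgrade guidance from the web host. */
function example_php_notice_text( $running, $minimum, $host_help ) {
	$text = sprintf(
		'This site runs PHP %s, which no longer receives security updates. Please upgrade to PHP %s or higher.',
		$running,
		$minimum
	);
	if ( '' === $host_help ) {
		$host_help = 'If you do not know how to upgrade, contact your web host.';
	}
	return $text . ' ' . $host_help;
}

/** Prints the notice for administrators only. */
function example_php_render_notice() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	// Hypothetical filter name: lets a host plug in its own upgrade instructions.
	$host_help = (string) apply_filters( 'example_php_host_help', '' );
	// No "is-dismissible" class: the notice stays until PHP is upgraded.
	echo '<div class="notice notice-error"><p>'
		. esc_html( example_php_notice_text( PHP_VERSION, EXAMPLE_MIN_PHP, $host_help ) )
		. '</p></div>';
}

// Register only inside WordPress and only when the running PHP is too old.
if ( function_exists( 'add_action' ) && example_php_is_outdated( PHP_VERSION, EXAMPLE_MIN_PHP ) ) {
	add_action( 'admin_notices', 'example_php_render_notice' );
}
```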

As a last resort, if a user’s host does not cooperate, we recommend that the user switch to better hosting. Here, you’ll find hosts we recommend.

Does this stop with PHP 5.2?

This most probably does not stop with PHP 5.2. We will release it and watch closely what’s happening. If it works, we will start pushing the same notice for PHP 5.3 a few weeks later, and so on. We fully intend to see if we can get the minimum version up to 5.6.

I’m a theme / plugin developer, can I join?

You can of course join this endeavour! Our WHIP package is open source and very easy to implement. Put it in your code following the instructions on the repository and you too will be part of this move forward! Of course your feedback is highly appreciated on that repository too.

For developers that want to integrate WHIP into their plugin, we will make it possible to link to the WordPress.org hosting page. Those hosts are all PHP7 ready too.

Why are you telling us now?

We’re telling you all this now because we fully hope that we have to show this notice to as few people as possible. Upgrade your PHP versions. If you’re a host, integrate with our messaging system and start proactively upgrading your customers’ PHP versions. With 6.5 million active installs of Yoast SEO, you’re bound to have a lot of customers that are going to start asking for help. You might as well get started.

27 Responses to Whipping your hosting into shape

  1. Vicky
    Vicky  • 7 years ago

    Great article; however, I am using HostGator and am currently satisfied with that, as it has very low downtime.

  2. Kim
    Kim  • 7 years ago

    Great initiative for all of us plugin authors to follow.

    We’re educating our users actively on PHP version now through support, our change log and documentation.

    We’ve dropped 5.2 a while ago. Let’s see if we can drop 5.4 in the next 12 months? Maybe a little ambitious!

  3. Susan Langer
    Susan Langer  • 7 years ago

    I have self-hosted a WP blog for three years now, but gave up on Yoast over a year ago because I wrote a lot of poetry and, because the word length isn’t 300 or more, I always got marked off on my SEO by Yoast. Sadly, I went with another plugin because “they” didn’t seem to throw it constantly in my face. I realize it is really a problem with Google Analytics, but wondered if you knew any way around this problem and if you had addressed it yourself in your plugin? Please let me know because I would love to switch back.

  4. Jos van Calsteren
    Jos van Calsteren  • 7 years ago

    A warning. My website is built with Avada version 5.0.2 and one.com is my host. One.com supports PHP 5.6, 7.0 and 7.1. Based on Joost’s article I activated PHP 7.1 (it was on 5.6) at one.com. Then the only thing my website still did was show the home page. Everything else was gone! I went back to PHP 5.6 and now everything works again. Phew. So think and verify before you act.

    • Joost de Valk

      We’re very OK with 5.6. But I would never want to have an outdated version of Avada running.

    • Andrewik
      Andrewik  • 7 years ago

      Why do you use an outdated version of Avada? There could be security vulnerabilities or other issues that you expose your website to.

  5. Derek
    Derek  • 7 years ago

    I’m on Cloudways and I remember that weeks ago I had no PHP7 version available to upgrade. So I created a new server and PHP7 was available, so I upgraded all my blogs. I just sent them a link to your blog post to see if they will at some point force their customers to upgrade or do it automatically. Strange how I had to create a new server to see the new PHP version, because 5.6 was the only option available on my old server.

  6. Philips Ekuma
    Philips Ekuma  • 7 years ago

    I’m glad you came up with this idea. I’m a web host and the minimum PHP version running on our server is 5.6. I’m itching to up it to 7 but that *will* definitely break client websites.

    Like you pointed out, not all web hosts are lazy. In most cases, it is the developers who are unwilling to upgrade their software to a modern PHP version, hence the inability of web hosts to just upgrade without breaking things.

  7. Kevin
    Kevin  • 7 years ago

    I finally upgraded to PHP 7 this morning, thanks to this extra push from the Yoast team. I ran a plugin to advise of any potential conflicts, replaced the plugins that were flagged as incompatible (there were only two and easily replaced with ones that turned out to be better), and then pushed the upgrade.

    Quite simple, actually. Glad I did it!

  8. Luke Cavanagh
    Luke Cavanagh  • 7 years ago

    Thanks for pushing for more hosts to go with PHP 7 as default.

    https://bluehost.blog/wordpress/php-7-now-available-7895/

  9. Arun
    Arun  • 7 years ago

    Joining the bandwagon! Long pending whip lash. Good start…yoast team!

  10. Garth Koyle
    Garth Koyle  • 7 years ago

    @EventEspresso we went through this more than 2.5 years ago and it went remarkably smoothly. We do reserve an old version of our plugins for people to use who can’t upgrade their PHP version. And we’ve had only a handful of refunds due to PHP requirements.

    Don’t fear using your position to advocate for improvements from customers’ hosts to make their sites faster, more secure and more modern.

    Here is our announcement where we raised our PHP requirements and dropped support for php 5.2 (August 2014): https://eventespresso.com/2014/08/raising-php-requirements-event-espresso-4/

  11. Ischool
    Ischool  • 7 years ago

    I hope this works and you’ll start doing this for other components such as apache/litespeed or mysql and php plugins. This is a really great idea and I’m counting on other plugin devs to implement this too.

    Btw. Is yoast 100% compatible with php 7.1?

  12. Paul Simard
    Paul Simard  • 7 years ago

    WordPress is made of two parts: PHP and MySQL. You should consider reminding hosts to keep MySQL up to date as well for mostly the same reasons: security, stability and new features. Half a fixed car is still a broken car.

  13. Luke Watts
    Luke Watts  • 7 years ago

    People, just give up on WordPress EVER being a CMS that lives in the modern age of ANY coding best practices let alone to do with PHP versions.

    WordPress values backward compatibility over being secure and using modern best practices. That’s a travesty in today’s web, and it’s dangerous! I’ll never use WordPress again since all the problems with REST API.

    Automattic should be sued for the damage they’ve done to some businesses through their insecure untested releases over the last few years. WordPress is a terrible CMS!

    And if you call yourself a PHP developer and your only platform is WordPress, you’re not a PHP Developer, you’re a WordPress developer. They’re not in the same category.

    • Joost de Valk

      @Luke Watts: I disagree. Check the code for WordPress SEO on GitHub, see how it’s evolving, and tell me again that the team here developing that are not very good PHP developers. You shouldn’t make such generalising statements.

    • Luke Cavanagh
      Luke Cavanagh  • 7 years ago

      The WordPress Foundation is behind WordPress.org and not Automattic.
      http://wordpressfoundation.org/

      WordPress is not a terrible CMS.
      https://wordpress.org/showcase/

  14. Yves
    Yves  • 7 years ago

    At one.com they are even already on PHP version 7.1

  15. Stephen Goodyear
    Stephen Goodyear  • 7 years ago

    I upgraded to PHP7 several weeks ago via my cPanel. I take it it is as easy as that? Or have I missed something?

    • Luke Cavanagh
      Luke Cavanagh  • 7 years ago

      Nope that is all you need to do, change PHP version in cPanel or add in the PHP handler in the site .htaccess file.

  16. Slava Abakumov
    Slava Abakumov  • 7 years ago

    “big, ugly, and non-dismissible” – that’s a WordPress plugin guidelines violation.

    Have you confirmed this with the Plugin Review Team?

    • Joost de Valk

      Nope, it’s not. It’s an error that auto resolves (when you fix your PHP version). The plugin team has not just OKed this, they’re very much on board with pushing people to better PHP versions.

  17. Alat Pemadam Murah
    Alat Pemadam Murah  • 7 years ago

    Thank you for sharing. Perfect

  18. Bruce
    Bruce  • 7 years ago

    You will have to be careful on this. Many people run CentOS as their OS of choice and it’s pretty far behind. The latest PHP version for 7.x is 5.4. I wish they would upgrade the repositories more often, but I doubt they are going to change and you may cut out a good amount of users by requiring certain versions to be compatible with your plugin.

    • Joost de Valk

      We shouldn’t be careful, those people should be. We’re not starting with 5.4 for a reason though, we’re starting with 5.2.

  19. Collins Agbonghama
    Collins Agbonghama  • 7 years ago

    Brilliant move from team Yoast. As a plugin developer myself, I will sure be joining you guys on this fight.

  20. Gijs Hovens
    Gijs Hovens  • 7 years ago

    As a WordPress hosting company we see it as our duty to guide our users along any update path. Good communication, some time to solve any issues and a good fallback method go a long way to ensure a smooth transition to a newer PHP version.

    The measures above have allowed us to enforce a minimum PHP version of 5.6 for all our users without any major issues.

    We encourage other hosts to try the same.