In this post, I explain why Yoast SEO warns people whose website runs on an older, unsupported, version of PHP to upgrade their PHP version. We’re doing this mainly to improve the security and speed of those websites.
This post is long, but I’ll explain:
- what the problem is;
- why we want to fix it;
- why we burden the user with it;
- and how web hosts can work with us.
PHP? Versions? What are you talking about?
WordPress, (like Yoast SEO), is built in large part in a programming language called PHP. This language, as WordPress itself, has gradually improved over time. Web developers all over the world are enjoying the new features that newer versions of PHP have brought. Also, more importantly, everyone all over the world enjoys the increased security these new versions bring. Unfortunately, WordPress developers do not get to join in.
Compared to WordPress, PHP has a rather aggressive update path. PHP 5.6 will receive security patches for just under two more years, but nothing else, and no other PHP 5 version receives security updates. PHP 7 is the future (and boy is it nice and fast).
Ever since July 2011, the minimum PHP required for WordPress is PHP version 5.2. Here at Yoast, we think it’s time for WordPress to move that requirement up to PHP 5.6.
Why do you care so much?
At Yoast we care about a lot of things, but two things in a very particular order: user happiness first, developer happiness second. A user is happy when he or she has a fast, easy to install, secure content management system like WordPress to build a site in. A developer is happy when he or she can use a modern language and modern tooling to build software with.
The single most important reason for us to want to increase the minimum requirement is security: PHP versions 5.2 through to 5.5, while still actively in use on millions of sites, no longer get security updates. Some Linux branches and web hosts still backport security fixes from newer PHP versions to older versions, but that’s not something we, as a community, should rely on.
This security concern is not a theoretical concern. We have seen time and time again that the number one reason sites get hacked is because of outdated software. The last release of PHP 5.2 is 6 years old, and several major security issues have been found in it since. WordPress has automatic updates for security updates built-in for exactly this reason. Why would we push people to update WordPress and its plugins regularly, but let the PHP version fall behind?
Another big issue is speed. WordPress is sometimes said to be slow, but it actually doesn’t have to be slow at all. If it’s running on old versions of PHP however it is, most certainly, slow. PHP 5.2 is more than 100% slower than PHP 5.6, and a whopping 400% slower than PHP 7 (source). If you’re getting a bad reputation because you’re allowing old stuff to stay around, maybe we shouldn’t allow the old stuff to stay around so much?
Modern programming language
PHP 5.2, which was released November 2nd 2006, is no longer a modern language. This makes developers unhappy because they’re missing many of the cool features every other modern language has.
As WordPress is gaining popularity, something else is happening because of this: more and more developers are turning their back on WordPress because it’s moving too slowly. Developing themes or plugins for WordPress, where PHP 5.2 is required, is a hassle and thus not as much fun. This is becoming a problem: we’re literally losing good developers. Those developers could benefit the entire community, but we’re missing out because we’re not getting with the times. Over time, losing developers means other products will move faster, and WordPress will lose marketshare.
Why isn’t WordPress simply upping the requirements to PHP 5.6?
There is a long and ongoing discussion in the WordPress community about upping the requirements for PHP to 5.6. The problem lies therein, that for a user, upgrading their PHP version is non-trivial in a lot of cases. It’s not something we want to burden a user with. So we’ve been waiting and waiting for web hosts to do their work. We’ve been waiting, literally, for years. Unfortunately, it turns out, not all web hosts are created equal. Not all of them pro-actively upgrade their customers to newer PHP versions.
As I type this, the WordPress stats page says 5.6% of websites is using PHP 5.2, 15.6% is using PHP 5.3, 23% is using PHP 5.4 and 15.4% is using PHP 5.5. That means almost 60% of WordPress installs is running on an unsupported version of PHP. So much for web hosts doing their work.
Because web hosts are not upgrading PHP, we have decided to start pushing this from within plugins.
Why don’t web hosts update PHP?
When you’ve seen all the above, you’re probably wondering why web hosts don’t pro-actively update their customers PHP versions. Well the good news is: lots of them do. If you’re on one of those hosts, and you’re running PHP 5.6 or higher: good on you! Other hosts though, seem to be intent on doing as little as possible while still keeping the customer.
We’ve heard all sorts of reasons from hosts to not want to upgrade PHP. The only one we understand to a certain extent is that they don’t want to break your site. Some software running on the same server as your site may not support newer PHP versions, probably because that software needs to be upgraded too. But in all honesty: you shouldn’t have to worry about that. We think a host should upgrade your PHP for you.
What is Yoast going to do?
Combined, all of the above reasons make us very intent on moving WordPress forward. Unfortunately, we don’t have the power to decide on minimum requirements. So we’ve decided to throw our weight behind this in a different way.
As of Yoast SEO 4.5 we will start showing a notice on the WordPress dashboard to administrators of sites running on PHP 5.2. This notice will be big, ugly, and non-dismissible. In this notice we will explain why the administrator should upgrade the PHP version of the site.
If a web host integrates with our project, which we’ve called WHIP, the host can add some information about how to upgrade right within the notice. See the Github repo for info about how to integrate.
The notice will also encourage people to contact their host if they don’t know how to upgrade their PHP. Yes, this could be painful for some hosts. This notice is deliberately intended to make them work.
As a last resort, if a users host does not cooperate, we recommend the user to change to better hosting. We will provide a link to a page we’re building right now here at Yoast, with hosts that we’ve vetted. When we say we’ve vetted them, we mean it: we have verified that Yoast SEO works well on their servers and that they put new customers on modern PHP versions. The page isn’t ready yet, but it’ll be cool and we will not be using affiliate links on that page. This isn’t about money.
Does this stop with PHP 5.2?
This most probably does not stop with PHP 5.2. We will release it and watch closely what’s happening. If it works, we will start pushing the same notice for PHP 5.3 a few weeks later, and so on. We fully intend to see if we can get the minimum version up to 5.6.
I’m a theme / plugin developer, can I join?
You can of course join this endeavour! Our WHIP package is open source and very easy to implement. Put it in your code following the instructions on the repository and you too will be part of this move forward! Of course your feedback is highly appreciated on that repository too.
Why are you telling us now?
We’re telling you all this now because we fully hope that we have to show this notice to as few people as possible. Upgrade your PHP versions. If you’re a host, integrate with our messaging system and start proactively upgrading your customers PHP versions. With 6.5 million active installs of Yoast SEO, you’re bound to have a lot of customers that are going to start asking for help. You might as well get started.