[wp-trac] [WordPress Trac] #36542: Minimum support to PHP 5.3 from 5.2.9

WordPress Trac noreply at wordpress.org
Fri Apr 15 18:53:37 UTC 2016 

#36542: Minimum support to PHP 5.3 from 5.2.9
-------------------------+-----------------------------
 Reporter:  seancjones   |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  General      |    Version:  trunk
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 == Overview ==

 This debate has popped up a number of times before. Invariably there is a
 tension between developers and the core, user-focused mission of
 WordPress. The concern is that although the number of sites running PHP
 5.2 have dropped significantly over the years, now just 8.4%, that is
 still a staggeringly large number of users.

 My untested hypothesis is that many of these users are probably not the
 quickest to update to the newest version of WordPress. Furthermore, one of
 the largest reasons to update to WordPress (other than to experience all
 of the awesome features) is to protect against security vulnerabilities. I
 believe WordPress 4.6 can only increase its awesomeness if it is able to
 use the features in PHP 5.3.

 I propose PHP 5.3 for its smallest possible incrementation, making it a
 good test for a WordPress system upgrades, and because of select features
 I will list later in this proposal.

 == WordPress Core Reasons to Upgrade ==

 Users upgrade for security reasons and to access new features.


 ==== Security ====
 PHP 5.2 has been EOL for 5 years. 5.2.9 has [https://www.cvedetails.com
 /vulnerability-list/vendor_id-74/product_id-128/version_id-81705/PHP-
 PHP-5.2.9.html 2 pages of known vulnerabilities] which a WordPress website
 can be subjected to. In fact, there were 8 updates after 5.2.9, which
 addressed security vulnerabilities. WordPress can provide security
 updates, but if a user/host is so unconcerned with security as to leave a
 service with so many known exploits running on their website, I do not
 believe we even want WordPress to be associated with the potential
 fallout.

 ==== New Features ====
 The WordPress community has accomplished something truly incredible in
 creating the most used CMS in the world. It is insanely user friendly, and
 gets more user friendly with every release. Much of the new features are
 JavaScript driven, but PHP is still at the core of WordPress and there
 continue to be new improvements.

 By upgrading to PHP 5.3, many users would not be able to update to the
 newest version of WordPress. However, are they? And, would upgrading the
 minimum support to PHP 5.3 be the largest barrier to apathy? I propose
 that this needs further investigation.

 How many users running PHP 5.2.9 are upgrading to the newest version of
 WordPress? Roughly 1/3 of all users are running Wordpress 4.1 or lower.
 While this isn't strong enough evidence to be fact, I think it's worth
 exploring further. If I am given a clue as to how I can do that myself,
 I'm more than happy to, but cross referencing PHP versions with WordPress
 versions would probably be a more reliable indicator of who would be
 immediately affected by an update to minimum support of PHP 5.3.

 == Why 5.3 and not something newer? ==

 The few holdouts who are running 5.2.9 should realistically be able to
 upgrade to PHP 5.3 without major system upgrades (even if they really
 should make major system upgrades and/or replace their server which is
 probably EOL. Just because they should does not mean they will/can). A
 portion of those will skip straight to a newer version, which is a good
 thing.

 Additionally, this very minor and very careful upgrade path would be a
 good test for subsequent updates in the future. As a market leader,
 WordPress has been pushing its weight to get hosts to upgrade, and I think
 it can afford to do so in this small way and hopefully help push this
 boulder further uphill.

 == Features in 5.3 ==

 By upgrading the minimum support to 5.3, WordPress would be able to do
 some truly incredible things:

 1. Prevent future cluttering of the global namespace. PHP 5.2.9 does not
 support Namespaces. By upgrading, WordPress would be able to introduce
 namespaces that are not filled with underscores. This may not be possible
 for current classes, but can certainly be implemented for any new
 features. Optionally, by implementing `class_alias()`, another PHP 5.3
 feature, one could use old and new namespaces, encouraging new plugins to
 implement namespaces instead when writing classes.

 2. Introduce anonymous functions. While these can certainly be overused,
 any developer who has used anonymous functions grinds their teeth when
 they think about how to implement the same features without them. This is
 another way to declutter the global scope for rarely-used functions that
 consist of globals.

 == Implementation ==

 Implementation would need to be careful and thought out to cause the least
 amount of disruption to the subset of users who run on PHP 5.2.9 but like
 to update to the newest version of WordPress.

 I propose something along the following lines:

 1. In a minor release of 4.5, issue a dismissable warning to users who
 upgrade, that the next major version of WordPress will no longer support
 PHP 5.2.9. Release a corresponding press release so that there is a lot of
 publicity around it.

 2. Do not introduce updated features in WordPress 4.6. Instead, introduce
 a very obvious warning on all WordPress pages for logged-in administrators
 running PHP 5.2.9, that their version of PHP is no longer supported,
 inviting them to either roll back to an older version of WordPress or to
 update to PHP 5.3 or greater. While this may inundate support pages, it
 will not outright break websites.

 3. Begin implementing newer PHP 5.3 features in WordPress 4.7 or WordPress
 4.8. That will give a full year of increasing intensity and chances to
 upgrade before finally enforcing an upgrade. If relatively painless, it
 can also pave the way for additional upgrades. For example, as servers
 update their systems they may decide that they need to update to PHP 5.5
 or PHP 5.6, making the next update happen more quickly.

 == Conclusion ==

 Ultimately, with under 10% of users running 5.2.9 (and a significantly
 larger percentage running 5.3), this is the time to finally upgrade
 minimum support in WordPress. While upgrading past 5.3 would be wonderful,
 and my heart of hearts yearns to see it happen, it is far too large of a
 jump for the CMS that essentially drives the world wide web. I believe
 this would be a good test, and, if executed carefully, would have a worst
 case scenario of having some users get worried with no serious impact to
 most visitors, and a best case scenario of having virtually no issues with
 the upgrade, following the logic that the people who do not upgrade PHP
 are less likely to upgrade WordPress as well.

 Hopefully I have made a convincing argument and we can safely revive this
 ancient debate.

 Thanks,

 Sean

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36542>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list