What to do when you see this PHP Update Required

First off, ignore that warning! Your PHP version is still secure: Debian provides backported fixes for Stable versions of our OS. WordPress’s stupid dashboard warning is only looking at the version number of PHP, which would make sense if it was 2003 and people downloaded the source code of PHP and compiled it, and then the version number indicated its security.

But it’s 2020 and nobody does that

Now, you install PHP from your OS package manager and that package is managed with security fixes. This is far safer – the PHP developers can be reckless when it comes to security and instead they behave like kids in a candy factory. Their new versions are regularly full of garbage code that is heinously insecure and doesn’t get fixed for ages. So it’s highly insecure to actually go and get the latest version; nobody who knows what they are doing does it like that.

So why is WordPress recommending it so heavily?

Because they have no way to confirm which way you installed PHP, they err on the side of caution. They don’t bother making a full explanation, because they assume their users have no clue about security. The WordPress devs routinely sweep security issues under the mat despite having almost as bad a track record as the PHP devs! But that’s a whole other rant! 🙂

Anyway, it is important you update the PHP version, not for security improvements (as the opposite would be true) but just so that all the plugins you’re using keep working right. Now that WP has bumped that message everywhere, few plugin authors are bothering to test with older versions, so over time your site will get buggy if you don’t update.

How we usually do this

With planning: we update the stage site to PHP 7.3 (the current one tracked by the Debian stable security team) and then you test that your website still works. Custom code (in your theme functions.php or in any out-of-date modules) might break and spew warnings to the PHP error log, which need fixing. Once it’s all happy on stage, and those fixes are on production too, then we can update the version on production safely without risk of breakage.
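To make the "test on stage, then fix what the error log reports" step concrete, here is an added example (not CanTrust's own tooling) that groups PHP error log entries by severity and source file, so you can see which theme or plugin code needs attention before production is switched. The log lines, paths, theme and plugin names are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of a PHP error log from a stage site (paths and plugin names are made up).
sample_log() {
cat <<'EOF'
[12-Mar-2020 10:15:32 UTC] PHP Deprecated:  Function create_function() is deprecated in /var/www/stage/wp-content/themes/mytheme/functions.php on line 42
[12-Mar-2020 10:15:32 UTC] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /var/www/stage/wp-content/plugins/old-gallery/gallery.php on line 118
[12-Mar-2020 10:15:40 UTC] PHP Deprecated:  Function create_function() is deprecated in /var/www/stage/wp-content/themes/mytheme/functions.php on line 42
[12-Mar-2020 10:16:02 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function mysql_connect() in /var/www/stage/wp-content/plugins/old-gallery/db.php:12
Stack trace:
#0 {main}
  thrown in /var/www/stage/wp-content/plugins/old-gallery/db.php on line 12
[12-Mar-2020 10:16:30 UTC] PHP Notice:  Undefined index: page in /var/www/stage/wp-content/themes/mytheme/functions.php on line 77
EOF
}

# Read a PHP error log on stdin; print "count<TAB>severity<TAB>file:line", most frequent first.
summarise_php_log() {
  awk '
    # Only lines that open a new log entry carry the "PHP <severity>:" tag;
    # stack-trace continuation lines are skipped.
    match($0, /\] PHP (Fatal error|Parse error|Warning|Notice|Deprecated):/) {
      sev = substr($0, RSTART + 6, RLENGTH - 7)
      # Location is at the end: " in /path on line N", or " in /path:N" for uncaught errors.
      if (!match($0, / in \/[^ ]+( on line [0-9]+)?$/)) next
      loc = substr($0, RSTART + 4, RLENGTH - 4)
      sub(/ on line /, ":", loc)
      sub(/^.*\/wp-content\//, "", loc)   # show paths relative to wp-content
      seen[sev "\t" loc]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
  ' | sort -t "$(printf '\t')" -k1,1nr -k2
}

sample_log | summarise_php_log
```

On a real stage site, feed it the file your `error_log` setting points at instead of `sample_log`, and rerun it after each round of fixes until the output is empty.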

This is our process at CanTrust Hosting Co-op, as a managed hosting provider.