In: , , ,
On: 2014 / 01 / 22 Viewed: times
Shorter URL for this post: http://ozh.in/x2

There's a recurring debate about WordPress and whether they should keep code compatible with PHP 5.2 or drop it and bump the requirements to a newer PHP version. Hey, I have an opinion on this.

What's wrong with PHP 5.2?

Nothing much, except PHP 5.2 was released in November 2006, and was maintained and developed till January 2011. This means that it's now considered an old release, rusty dusty code that's no longer improved, and should a new vulnerability be discovered in the 5.2 branch, it will remain unfixed.

In short: it's *old*. Any PHP library you'll find these days requires 5.3+.

Old but still everywhere ?

According to W3Techs, 33% of websites running PHP are on 5.2. That's a lot, but wait, there's worse.

According to WordPress, more than 50% of WordPress-powered sites are still on 5.2. Earlier this week @dd32 made a pretty graph showing that PHP 5.2′s share is only slowly decreasing.

So what?

Dropping a platform running half of your user base would be crazy, right? For sure. Except I think the numbers are somewhat skewed.

As you may know, my pet project is a self-hosted URL shortener, YOURLS, which was released in its version 1.7 earlier this month. This new version comes with a phone-home feature to report the same kind of stats that WordPress is aggregating from its users, and particularly what PHP version YOURLS is installed on.

Of course, the YOURLS user base is nowhere near as important in volume as WordPress' market, but I think the average user is similar, so YOURLS figures should be relevant in some way.

What I've learned since the release of YOURLS 1.7 came as a surprise: I was expecting a similar share to what WordPress reports, but it turns out only 10% of YOURLS installs are running on PHP 5.2

yourls_php_version

What did I conclude from all this?

1. Old installs vs new installs

WordPress is old, it's been around for 10 years. The typical WordPress user installed WP 4 or 5 years ago, when 5.2 was still the standard.

YOURLS is much younger, it's been around for 4 years, but the project sort of picked up 3 years ago with YOURLS 1.5, released in November 2010. The typical YOURLS user installed YOURLS 1 year ago, when the default hosting setting on most host was PHP 5.3 or more.

I think that's the key of the skewed numbers : simply too many WordPress installs were around when PHP 5.2 was the default, and those users just did not upgrade their hosting. Well, why would they, it just works fine.

That would be exhibit A : newer users are on 5.3+, older are still on 5.2.

2. Deeper digging: who's running PHP 5.2?

Most host, if not all, still offer 5.2, even if you open an account today, but I could not find any which does not support 5.3+. All the major hosts (Dreamhost, Bluehost, Hostgator, etc…) have 5.3 by default.

And if there is a minor host where PHP 5.2 is the best you can have, then what's the point with signing with a smaller and lesser known company if they cannot provider better services than big ones?

Exhibit B: hosts can give you 5.3+

3. WordPress should lead

And that will be exhibit C: WordPress has the power.

WordPress runs on 20% of all websites in the world. That's huge. Moreover, it apparently has 60% of the CMS market, which is also very impressive.

Few organizations in the world have the power to say "we're moving to a newer version of PHP" and have a global impact ; WordPress is one of them.

With such an influence, WordPress should even go a step further and pro-actively announce end of support for PHP version and follow PHP's 3 year release process, instead of simply watching user adoption. PHP 5.3 will be maintained till July 2014, PHP 5.4 will be maintained till March 2015: I think WordPress should announce the same minimal requirement changes.

TL;DR

The day WordPress says "we require PHP 5.3″, the whole web which is still running 5.2 switches to 5.3. Simple as that.

Shorter URL

Want to share or tweet this post? Please use this short URL: http://ozh.in/x2

Metastuff

This entry "Why WordPress should drop PHP 5.2" was posted on 22/01/2014 at 6:04 pm and is tagged with , , ,
Watch this discussion : Comments RSS 2.0.

19 Blablas

  1. 1
    John Blackbourn United Kingdom »
    thought, on 22/Jan/14 at 6:20 pm # :

    I'm sorry Ozh, but you're completely wrong. The user always comes first.

    Why should users give a damn about what version of PHP they're on? Why should they know what PHP is? Why should they be told that they need to update this thing they don't even know anything about? How is this an acceptable thing to present to a user in order to benefit developers only?

    I have yet to hear one single valid argument why WordPress should place such a wholly unnecessary burden on the end user in favour of the developer.

    "It's old" isn't a valid argument. Performance increases are not enough of an argument. If your shitty shared hosting account still runs PHP 5.2, then your site isn't going to perform much better on 5.3, or 5.4, or 5.5.

  2. 2
    Ozh »
    wrote, on 22/Jan/14 at 6:27 pm # :

    John Blackbourn » we're exactly on the same page: users should not care, and 90% don't. They just use what their hosts give. The problem is that host are not pro-active and their being immobile is why 5.2 is still so used. WP should motivate *hosts* to update their PHP.

  3. 3
    Nacin United States »
    thought, on 22/Jan/14 at 6:48 pm # :

    WordPress does work with hosts to get PHP updated. We keep a pretty close eye on defaults and offerings, and even see how much the numbers move when a big host makes a large shift. We casually survey them to see what their reasons are for updating.* The difference is we're not going to put users in the middle of all of this political melee.

    Further reading: On PHP (by me, 2010), On PHP (by Matt, 2007).

    And for as long as PHP upstream shows a lack of respect for shared hosting situations, dropping security support for PHP 5.2 while it was still powering a vast majority of websites, dropping security support for PHP 5.3 while it (and 5.2) are a vast majority of websites, it's really not in our best interest to "play along" at the expense of our users. Tens of millions of users would be affected — and potentially stranded, or certainly wondering why WordPress is putting them in the middle of all of this — all because reasons. It's completely silly. It's also the kind of move WordPress could make that a hosted or alternative blogging solution would love to see happen.

    When 5.3 support is dropped, a few possibilities may occur. One, the hosts will stay on the LTS builds that distros are/will offer. Or two, the hosts will update straight to 5.4. Given that a majority of all websites are running 5.2.17, the last release there, I have my guesses.

    We don't need PHP 5.3. Or 5.4. Or 5.5. Does it have nice features? Sure. They're nice. It's even more performant in many respects. WordPress.com and WordPress.org both run PHP 5.4. But we don't exactly use PHP for its features. Even back in the day, there were some features we only offered for PHP 5 installs, because it was too annoying in PHP 4 (XML, timezones, etc.). But that pull doesn't really exist anymore. Rather, we use it for its portability and ubiquity. WordPress works out of the box with basically anything. And for that, we're going to cater to the lowest common denominator because it's in the best interests of users.

    * They must have their reasons to avoid later versions, given they are more stable and more performant. One thing I've heard again and again is a desire to not break the non-WordPress stuff they're hosting, that doesn't work on later versions of PHP. All I know is it's not WordPress that's holding them back. The rise of WordPress-specific hosts — and WordPress-specific offerings by the big hosts — may be promising indications of a shift to tailoring hosting environments to WordPress.

  4. 4
    Mika E. (Ipstenu) United States »
    said, on 22/Jan/14 at 7:04 pm # :

    If everyone used WP, I'd shitcan 5.2 in a heartbeat. But speaking as one who works for a host (not speaking for DH, mind), I know that people run code that doesn't work well (if at all) on 5.2. A lot of it is home grown, some are other CMS tools. But as much as WP is a lot of the web, it's not all of it, and until it is, we're never going to be able to use it as leverage fully.

    Also there are some flavors of Linux that don't allow for ease of upgrade paths to 5.3 (seriously, I wanna shoot some of 'em) so we have to refactor entire servers just to be able to do it.

    And it sucks.

    I do know that most good hosts are trying to shove 5.2 away, but realistically it's not a fast thing.

  5. 5
    Ryan Duff United States »
    wrote, on 22/Jan/14 at 7:10 pm # :

    Just out of curiosity, and since it's probably a substantial chunk of the install base, do we know which version of PHP wordpress.com is running?

  6. 6
    Ozh »
    said, on 22/Jan/14 at 8:31 pm # :

    Ryan Duff » I approved nacin's comment in the meantime — he gives the answer on that: 5.4

  7. 7
    Mark Jaquith United States »
    said, on 22/Jan/14 at 8:43 pm # :

    I would like to encourage hosts to upgrade people to PHP 5.4 if it can be determined that they're not running any other applications that are known not to work on it. A lot of sites are just running WordPress, and there's no reason those can't be upgraded.

    They could also start regularly exhorting their users to update their PHP version preference if their current setting is PHP 5.2.x. Promise them speed (true). Promise them compatibility with newer applications (true).

    As much as I would like PHP 5.3, it's not the end of the world that we can't use its feature. It's just annoying. I can't think of any feature we can't deliver to WordPress with PHP 5.2. I get the inclination to force the issue. I really do. But there are better ways of moving the needle that don't put users in awkward or confusing situations.

  8. 8
    Dan Cameron United States »
    commented, on 22/Jan/14 at 10:58 pm # :

    Let's just make it our responsibility instead of WordPress'. Took me a while to come to this conclusion after talking to @nacin and @dd32 about a cross-reference metrics but a users potential PHP upgrade problems (explained above) should be supported the author; since I can explain to my customers why the upgrade is necessary, versus WordPress trying to explain to millions why their sites are broken.

    That said, WordPress should continue to increase the PHP requirements when the time permits but that argument should be had with the core commit'rs, who can rationalize the tradeoffs.

    Something that WP could do now is have plugin and theme version requirements, maybe a readme check on activation with unique error linking to a codex about upgrading PHP/MySQL. The information could also prevent plugins/themes from being downloaded/installed when adding a new theme/plugin from the admin…and to play into WP trying to push better adoption of current PHP would be for some Automattic plugins and possibly the 2015 Theme to set higher requirements.

  9. 9
    Dan Cameron United States »
    thought, on 23/Jan/14 at 12:31 am # :

    I created a Trac ticket with a working patch for basic requirements check during plugin activation.
    https://core.trac.wordpress.org/ticket/26909

    Maybe this will be a start to something much better.

  10. 10
    Otto United States »
    thought, on 23/Jan/14 at 3:51 am # :

    Users shouldn't be brought into the middle of that conversation. WordPress works fine on 5.2 and there is nothing specific that would be improved by 5.3 or any later version.

    It's better to work with the hosting services to get them to upgrade rather than to make the userbase into some kind of "leverage" to force their hand.

  11. 11
    Ozh France »
    commented, on 23/Jan/14 at 10:36 am # :

    Another reason why WordPress should lead a PHP 5.2 drop movement: as they have huge data to crunch, other large organizations are just checking WordPress' stats to ponder about 5.2 support. Example: Google itself, https://github.com/google/google-api-php-client#why-do-you-still-support-52

  12. 12
    Knut Sparhell Norway »
    replied, on 23/Jan/14 at 8:19 pm # :

    Would you say "I have this Fabulous Theme, brand new 2014 edition, that still only requires WordPress 2.5. Fabulous works fine on WordPress 2.5 and there is nothing specific that would be improved by WordPress 3.0 or any later version."?

    WordPress still has the same humble attitude towards what PHP platform it requires as when WordPress was a small outsider.

    WordPress leads the web, and is the leading PHP based application. PHP 5.2 is dead, and if found vulnerable, it will not be fixed.

    The responsible thing, towards users, would be to announce minimum 5.3 in a year, and minimum 5.4 in two years, for new installs at least. Things will then start happening.

  13. 13
    Christian Foellmann Germany »
    commented, on 17/Feb/14 at 7:53 pm # :

    I do not want to cook this up again. Just a quick question:

    Is there any data on how many of the wp.org plugins require PHP 5.3+?

    Even if core does not drop 5.2 a few plugins require PHP 5.3 for whatever reason. Feature or "just" coding style.

  14. 14
    Rahul Bansal India »
    commented, on 15/Apr/14 at 10:51 am # :

    I think the day we find something like heartbleed in PHP 5.2 (which is not supported anymore), everybody will jump to PHP 5.3!

    I agree with @Knut on this. WordPress minimum should not include any outdated and unsupported software.

    The day WordPress drops support for PHP 5.2, we will start using namespaces in all our theme and plugins. Ofcourse, we can live without namespaces but we have to skip libraries which requires PHP 5.3 minimum!

    And WordPress id dominant force. I remember when WordPress dropped support for PHP 4, webhosting companies jumped to get PHP 5.

  15. 15
    Franky Belgium »
    wrote, on 03/Jun/14 at 8:02 pm # :

    I'm developing a WP plugin that talks to facebook. The new facebook API requires PHP 5.4, so on many servers this will be an issue.
    PHP 5.2 is old, outdated and has security issues. PHP 5.3 will be EOL in 2 months.
    We update our Windows, our linux servers and/or our kernels. So why not PHP? Anyone running LAMP or WAMP installations should keep up with security updates, no excuses. Dan Cameron made a nice patch to get things going.
    Just a thought: who will be blamed if your site is compromised just because of an old PHP version?

  16. 16
    Chris Howard Australia »
    wrote, on 15/Jun/14 at 6:28 am # :

    Of the WP 50% of sites still running 5.2, how many are abandoned? How many never upgrade (if it ain't broke!)

    Considered in context with Exhibit A and B, there's probably squillions of WP sites that are sitting on old servers that hosts have had no reason to upgrade.

    So, of your 50% of WP sites on 5.2 (it's now down to 42.6), you will find a much smaller percentage of those are actually content and code maintained.

    Consider, around 38% are still on WP versions between 3.0 and 3.4. They are not affected by WP4 going to 5.3. They aren't updaters.

    Around 34% are on a 3.7 or greater.

    Those 34% are the ones who would more likely to be impacted by a switch to 5.3, as they are ones who are keeping their WP up-to-date (ish). But are massive percentage would also new installs and very likely to be hosted on 5.3 anyway.

    However, they are also much more likely to be on PHP 5.3, and, as folks who like to stay up to date, won't be as concerned if they are told they have to use at PHP 5.3

    I reckon you'd be lucky to find 5% of WP users affected by forcing the WP4 to be PHP 5.3 min.

  17. 17
    Otto United States »
    said, on 15/Jun/14 at 2:28 pm # :

    Chris: It actually doesn't work that way. A site that nobody visits doesn't check .org for updates, and is thus not reflected in the stats. The stats only show information about active sites.

    And it is no more likely for a 3.7+ site to be running 5.3 than anything else. The user chooses the version of WordPress, but usually the host chooses the version of PHP. Version choice of PHP isn't generally something under the user's control, or even in their knowledge. Which is why it's a better idea to work with hosts and convince them to update rather than make it something the users care about.

  18. 18
    Chris Howard Australia »
    commented, on 16/Jun/14 at 3:37 am # :

    Hey, thanks for that clarification, Otto.

    I don't think it changes the gist tho. A PHP 5.3 requirement will only affect those who upgrade to WP4 (or 3.10 or whatever it will be). And most sites don't seem to upgrade.

    Only 13% of sites have installed or upgraded to 3.9. Many of those will be new installs on new hosts on 5.3+. Many more are people who like to keep their site up with the latest specs.

    So if we could work out what percentage of those 3.9s are on 5.2, we'd get a much more reliable indicator of the likely impact of a 5.3 requirement. and I reckon that will be a very small percent.

    Automattic should give a very public 6 to 12 month warning of intent to drop 5.2 support in WP4+. Just as MS did with dropping XP support. That should be sufficient to encourage sluggish hosts to move up if they want to retain WP clients.

  19. 19
    Otto United States »
    thought, on 16/Jun/14 at 3:55 am # :

    Chris:

    A PHP 5.3 requirement will indeed affect new users, if they are trying to install on a non-PHP-5.3 host. As the various lead developers have stated in the comments above, limiting our userbase doesn't make a whole lot of sense, and realistically, there's no actual reason to go there at this time. Newer PHPs are more stable and performant, sure, but they not actually essential to the continued development of the WordPress codebase right now. Maybe in the future, when there is a feature where we actually need a newer PHP, then it would make sense to raise the stakes.

    Secondly, Automattic does not control the development of WordPress. I think only about half of the core committers are Automattic folks? Something around that anyway. Regardless, the WordPress project decides that sort of thing itself, it's not an Automattic decision.

    Third, and most importantly, as you yourself noted, that needle is already moving. In six months it's gone down a good 9-10%. So, why force the issue? Working with hosts behind the scenes and encouraging and helping them gives better results than laying down an ultimatum for something that, again, we don't even really need to happen immediately.

    Yes, we all want newer PHP versions. But we don't need to be jerks about it. Encourage hosts to update their systems. Encourage users to choose the "new" version when they have such a choice. Get everybody moving in the same direction by convincing them of the rightness of the arguments. Don't put a gun to their heads. Metaphorically speaking, of course. :)

Leave a Reply

Comment Guidelines or Die

  • HTML: You can use these tags: <a href=""> <em> <i> <b> <strong> <blockquote>
  • Posting code: Post raw code (no <> &lt; etc) within appropriate tags : [php][/php], [css][/css], [html][/html], [js][/js], [sql][/sql], [xml][/xml], or generic [code][code]
  • Gravatars: Curious about the little images next to each commenter's name ? Go to Gravatar.
  • Spam: Various spam plugins on patrol. I'll put pins in a Voodoo doll if you spam me.
  • I will mark as Spam test comments, all comments with SEO names (ie "My Cool Online Shop" instead of "Joe") or containing forum-like signatures.

Read more ?