WordPress 3.2 and PHP support – Security effect

WordPress 3.2 is going to be released very soon, and one of the biggest changes is that it will drop support for PHP 4 and all versions of PHP 5 below 5.2.4.

WordPress.org has provided some informative posts about their reasons for dropping support for these PHP versions.

But how will that affect their user base? And how many users are still running these old versions of PHP? We did some scanning and reached around 90 thousand self-hosted WordPress sites that exposed their PHP version (via the X-Powered-By header).

These are the numbers we found in our analysis (versions with less than 0.2% share are not shown):

0.9% – PHP/4.3
5.1% – PHP/4.4
6.0% – PHP/5.1
0.7% – PHP/5.2.0
0.4% – PHP/5.2.1
0.4% – PHP/5.2.3
8.3% – PHP/5.3
76.4% – PHP/5.2.4+
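As an added example (this is not code from the original post or from Sucuri's scanner), here is how the classification behind the numbers above can be done: parse the PHP version out of an X-Powered-By header value, compare it with the 5.2.4 minimum, and bucket it the way the breakdown does. The header values are constructed samples, not the post's data; the regular expression, function names and bucket labels are my assumptions. Sites that do not send the header (expose_php is off, or the server is not PHP) are counted as unknown rather than guessed, which is the same bias the post's sample has.

```python
import re
from collections import Counter

# Minimum PHP version WordPress 3.2 requires, per the post.
MIN_PHP = (5, 2, 4)

# Constructed sample of X-Powered-By values as a scanner would collect them.
# These are illustrative, not the post's real scan data.
SAMPLE_HEADERS = [
    "PHP/5.2.17",
    "PHP/5.3.6",
    "PHP/4.4.9",
    "PHP/5.1.6",
    "PHP/5.2.0-8+etch16",        # distro suffixes are common
    "PHP/5.2.4-2ubuntu5.10",
    "ASP.NET",                   # not PHP at all
    None,                        # header absent (expose_php = Off)
    "PHP/4.3.11",
    "PHP/5.2.9",
]

# Leading "PHP/" then major.minor and an optional patch; anything after is ignored.
_VERSION_RE = re.compile(r"^PHP/(\d+)\.(\d+)(?:\.(\d+))?")


def parse_php_version(header):
    """Return (major, minor, patch) from an X-Powered-By value, or None."""
    if not header:
        return None
    m = _VERSION_RE.match(header.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def meets_minimum(version, minimum=MIN_PHP):
    """True if a parsed version is at least the required minimum."""
    return version is not None and version >= minimum


def bucket(version):
    """Map a parsed version onto the buckets used in the post's breakdown."""
    if version is None:
        return "unknown"
    if MIN_PHP <= version < (5, 3, 0):
        return "PHP/5.2.4+"
    if version[:2] == (5, 2):
        # 5.2.0 .. 5.2.3 are listed individually in the post
        return "PHP/5.2.%d" % version[2]
    return "PHP/%d.%d" % version[:2]


def summarize(headers):
    """Count each bucket and compute the share of parsed sites below the minimum."""
    parsed = [parse_php_version(h) for h in headers]
    counts = Counter(bucket(v) for v in parsed)
    known = [v for v in parsed if v is not None]
    affected = sum(1 for v in known if not meets_minimum(v))
    share = affected / len(known) if known else 0.0
    return counts, affected, share


if __name__ == "__main__":
    counts, affected, share = summarize(SAMPLE_HEADERS)
    for label, n in sorted(counts.items()):
        print("%-12s %d" % (label, n))
    print("below %s: %d of %d parsed (%.1f%%)"
          % (".".join(map(str, MIN_PHP)), affected,
             sum(counts.values()) - counts["unknown"], 100 * share))
```

The same compare is the check a site owner can run against the version reported by their host: anything that parses below (5, 2, 4) will not get WordPress 3.2 through the automatic updater. Note that the header is self-reported and often removed on hardened servers, so a scan like this measures the sites that advertise their version, not the whole population.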

What does this mean? It means that for 84% of the users, based on our numbers, nothing will happen. They will be able to continue using WordPress happily without major changes.

However, almost 15% of the users may experience problems when upgrading to WordPress 3.2 because of their current environment. They will have to contact their hosting provider, or try to figure out how to update PHP themselves.

One of the great benefits of WordPress is the automatic update functionality. However, our analysis estimates that the move to require PHP 5 could leave roughly 15% of WordPress users with no easy update path. Given the large market share that WordPress owns, that is a very large number of websites that will potentially remain out of date and vulnerable to attacks.

Will we see a higher number of outdated WordPress instances due to the move? It does seem the number will increase, at least until hosting providers step up their game (which I hope they will do soon).

If you’re running WordPress and aren’t sure what version of PHP you’re running, contact your hosting provider. Ask them, and if they’re running anything below 5.2.4, we recommend asking them to upgrade as soon as possible (or consider switching hosts). You can also scan your site here to see which version of PHP you are using: http://sitecheck.sucuri.net.

So what do you think? Good move by WordPress? Bad environment management by hosting providers? Can and will this lead to more hacked sites?

We’d love to hear from you, make sure to leave us a comment.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.