WordPress 3.2 and PHP support – Security effect

July 4, 2011 by David Dede

WordPress 3.2 is going to be released very soon, and one of the biggest changes is that it will drop support for PHP4 and all versions of PHP5 below 5.2.4.

WordPress.org has provided some informative posts about their reasons for dropping support for these PHP versions.

But how will that affect their user base? And how many users are still using these old versions of PHP? We did some scanning and reached around 90 thousand self-hosted WordPress sites that had their PHP version displayed (via the Powered By header).

These are the numbers we found in our analysis (versions with less than 0.2% are not displayed):

0.9% – PHP/4.3
5.1% – PHP/4.4
6.0% – PHP/5.1
0.7% – PHP/5.2.0
0.4% – PHP/5.2.1
0.4% – PHP/5.2.3
8.3% – PHP/5.3
76.4% – PHP/5.2.4+

What does this mean? It means that for 84% of the users, based on our numbers, nothing will happen. They will be able to continue using WordPress happily without major changes.

However, almost 15% of the users may experience problems when upgrading to WordPress 3.2 because of their current environment. They will have to contact their hosting, or try to figure out how to update PHP manually.
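The classification behind numbers like these can be sketched as follows. This is an added example, not code from the original post or from Sucuri's scanner: it assumes the version arrives in the form PHP sends in its `X-Powered-By` response header (`PHP/x.y.z`), and the function names and sample values are constructed for illustration.

```python
import re
from collections import Counter

MIN_PHP = (5, 2, 4)  # minimum PHP version the post gives for WordPress 3.2

# Matches "PHP/5.2.17", "PHP/5.2.6-1+lenny9" and patch-less "PHP/5.2".
_PHP_RE = re.compile(r"PHP/(\d+)\.(\d+)(?:\.(\d+))?")

def classify(header_value):
    """Return 'ok', 'too_old' or 'unknown' for one X-Powered-By value."""
    m = _PHP_RE.search(header_value or "")
    if not m:
        return "unknown"  # header not sent, or not a PHP banner
    major, minor = int(m.group(1)), int(m.group(2))
    patch = m.group(3)
    if patch is None:
        # "PHP/5.2" alone cannot be placed on either side of 5.2.4.
        if (major, minor) == MIN_PHP[:2]:
            return "unknown"
        return "ok" if (major, minor) > MIN_PHP[:2] else "too_old"
    return "ok" if (major, minor, int(patch)) >= MIN_PHP else "too_old"

def tally(header_values):
    """Percentage of each class (one decimal) over all values given."""
    counts = Counter(classify(v) for v in header_values)
    total = len(header_values)
    if total == 0:
        return {"ok": 0.0, "too_old": 0.0, "unknown": 0.0}
    return {k: round(100.0 * counts[k] / total, 1)
            for k in ("ok", "too_old", "unknown")}

# Constructed sample values, not data from the post's scan.
SAMPLE = [
    "PHP/5.2.17", "PHP/5.3.6", "PHP/5.2.10",
    "PHP/5.2.6-1+lenny9",  # distribution suffix after the patch level
    "PHP/4.4.9", "PHP/5.1.6", "PHP/5.2.3",
    "PHP/5.2",             # no patch level reported
    "ASP.NET",             # not PHP
    None,                  # header not sent at all
]

if __name__ == "__main__":
    for value in SAMPLE:
        print(value, "->", classify(value))
    print(tally(SAMPLE))
```

Sites that suppress the header or report only `major.minor` land in the `unknown` bucket, so the percentages describe only the sites that disclose a full version, as in the post's sample.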

One of the great benefits of WordPress is its automatic update functionality. However, our analysis estimates that the move to require PHP 5 could leave roughly 15% of WordPress users with no easy update path. Given the large market share that WordPress holds, this means a very large number of websites could remain out of date and vulnerable to attacks.

Will we see a higher number of outdated WordPress instances due to the move? It does seem the number will increase, at least until hosting providers step up their game (which I hope they will do soon).

If you’re running WordPress and aren’t sure what version of PHP you’re running, contact your hosting provider. Ask them, and if they’re running anything below 5.2.4, we recommend asking them to upgrade as soon as possible (or consider switching hosts). You can also scan your site here to see which version of PHP you are using: http://sitecheck.sucuri.net.

So what do you think? Good move by WordPress? Bad environment management by hosting providers? Can and will this lead to more hacked sites?

We’d love to hear from you, so make sure to leave us a comment.

Categories: Security Advisory, WordPress Security

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Michael Martin

    July 4, 2011

    I think it’s a good move. They have supported PHP4 for an extremely long time, talked well in advance about the plan/reasons to drop it, and will no doubt make it clear enough to users that they need to upgrade.

    And it’s not a complex process either. Most webhosts running PHP4 are running PHP5 too, but they didn’t update their customers automatically. A lot of people just don’t realize this, and they need something like WP to tell them that it’s time they go flip the switch.

  2. Indi Samarajiva

    July 7, 2011

    Don’t they have to update WordPress to the newest PHP at some point? Like people moving away from IE6?

    My only wish is that updating would be invisible, like Google Chrome or, like, Facebook. Stuff should just stay updated. Farhad Manjoo talked about how much human time is wasted doing updates ( http://www.slate.com/id/2295816 ) and you’re talking about how un-updated sites end up serving time and energy wasting spam.

    Idle servers do the devil’s work.

  3. myblogtrainer

    July 24, 2011

    Just installed a fresh WordPress 3.2 with the theme twentyeleven and got this error under Sucuri Sitecheck/Website Details:
    Wordpress theme: http://mydomain.com/wp-content/themes/twentyeleven/

    Error! WordPress internal path: /mypath/mypath/myusername/wordpress/wp-content/themes/twentyeleven/index.php

    Also checked it with other professional wordpress-sites… always the same… I can see their path and username (=half of the login)!
    So what can I do to avoid this error in your sitecheck and hide my wordpress path and username?

  4. Breze

    November 17, 2011

    Resourceful info, I am a fan of WordPress. This blog is very important for me. Thanks

  5. lsmonline1

    November 19, 2011

    I am absolutely amazed at how terrific the stuff is on this site. I have saved this webpage and I truly intend on visiting the site in the upcoming days. Keep up the excellent work
    LSM Silk Mills
