As we have done couple of times in the past, we’ve decided to increase our minimum supported PHP version to PHP 7.2.
It’s with some trepidation that we’ve decided to make this change. It’s a big change, but our Shield telemetry data indicates that it should only impact ~1.7% of websites running Shield.
Currently 0.94% and 0.76% of sites reporting telemetry to us are running PHP 7.0 and PHP 7.1, respectively.
While the percentage of sites running PHP 7.0/7.1 is small, we do appreciate that it represents a decent number of sites. However, choices being made by other plugin developers are forcing our hand.
We’ll try to explain the problem we’re facing, below…
The Challenge Of Multiple WordPress Plugins With Duplicate PHP Libraries
A wonderful advantage of opensource software is the availability of high quality, re-useable PHP libraries. It allows software developers, such as ourselves, to make use of software written by somebody else, knowing that it’s reliable and of high quality.
It means we can use the library for our purposes without having to reinvent the wheel, freeing us up to focus our development efforts where it’s needed most.
Let’s look at an example: Logging.
ShieldPRO has aN Activity Log feature feature where we monitor activity and actions taken on a WordPress site and log it to a database for future analysis by the admin.
We want to focus our development efforts on capturing the data, hooking into WordPress events etc., and less on how we actually log the data itself. To help us in this, we use a well-established PHP logging library: Monolog.
But we’re not pioneers in this regard. Other developers recognise the quality of this PHP library and so they use it in their plugins, too.
This means that if you run Shield Security alongside one of those other plugins that also use the Monolog library, you’ll actually have 2 copies of the Monolog PHP library installed on your WordPress site.
This isn’t a problem. Most of the time.
The Monolog library is available in 3 main versions:
- Version 1.x: requires PHP 5.3+
- Version 2.x: requires PHP 7.2+
- Version 3.x: requires PHP 8.1+
As you can imagine, if you have 2 sets of the library installed on your site, and they’re different versions, you could potentially run into trouble.
Shield uses Monolog version 1.x. This is so that we can support as many of our customers as possible, as we list Shield as supporting PHP 7.0 and up. Looking at the list above, this means that we must use the oldest version of Monolog (1.x).
Without getting too deeply into the mechanics of how PHP Autoloading works, it’s possible for us (Shield) to extend Monolog 1.x and for this to cause a fatal error on your site, when it also has Monolog 2.x installed (somewhere inside another plugin).
And this is actually happening for our customers. A lot. And it’s increasing.
We’d love for other developers to recognise this as an issue and see that Monolog v1 is likely sufficient for their requirements, but they’re either “too big” or too stubborn, to care.
We hear rationale such as “we should be using the latest version of the software as possible”. This makes some sense, and I agree with it, but it doesn’t fully explain why v1.x couldn’t still be used.
We’d also rather use a more recent version of the software, but we also have to consider the impact on other plugins.
This situation forces us to make a difficult choice between 2 options:
- switching Shield to use the later version of Monolog (v2.x) (and force an upgrade of our minimum requirements); or
- dig our heels in and attempt to build a complex technical solution to work around the issue
Option 2 is possible, but it’s costly to implement and will likely lead to other problems entirely.
And, considering that less that 2% of our clients are currently operating on below PHP 7.2, we’ve decided to take Options 1 and increase our minimum requirements.
What Does Increasing Minimum PHP Requirements Mean For You?
It simply means that if your WordPress website isn’t running PHP 7.2 or higher, then you won’t be able to upgrade your Shield Security beyond version 16.
To discover what version of PHP your site is currently running, you can take a look at Shield’s debug page:
Shield > Tools > Debug Info > System Info > PHP
Here are some reasons why it’s better to keep your PHP up-to-date:
We’re big proponents of keeping server software up-to-date wherever possible. When you have an uptodate and secure hosting stack, you have a more secure WordPress site. All versions of PHP that are v7.4 and below are basically EOL (End of Life) and no longer receive security-related patches.
Yes, some hosts backport patches, but certainly not the majority of them.
Every major version of PHP see an overall performance increase. Many WordPress admins spend an inordinate amount of time optimising their WordPress site performance, where they could probably benefit quite quickly by simply upgrading their PHP.
With each major iteration of PHP, there are improvements in the language itself and the tools available to develop with it. We hope that by increasing our minimum PHP version, we’ll be able to take further advantage of these.
How Can You Upgrade Your PHP Version?
The place to begin is open up a discussion with your webhost. They probably have mechanisms and processes in place to help you with this.
You should always, always, always, have a backup of your site and ready to restore should you run into any issues.
To get a bit more advice on this, please see one of our older Ask Paulie Anything Episodes where we discuss this in more detail.
When Will Shield Security Move to PHP 7.2?
From version 17.0 we’ll be switching Shield Security to PHP 7.2. This won’t be released for another few weeks (mid-late-November)
Question or Comments
This is a big change and we appreciate that it can cause some stress. We don’t want to stress you with this, so we’re here to help with any questions or comments you have. Let us know in the comments below if you have any questions about this change.
Works exactly has expected. No problems whatsoever. Thank you.
Peace of mind and unobtrusive software
Like having Agent Coulson and a quinjet full of agents protecting your site
The more I’ve learnt about WordPress security the more I’ve been tempted to retreat to an underground bunker wearing a tinfoil hat. Like its Marvel namesake this plugin is a bunch of kick ass enforcers working as a team. It offers advice on what settings you should use and which…
Simple and effective
My clients and I have been very pleased with how easy this has been to set up, customize, and deploy.
Hey there beautiful! Do you like what you've read here? :)
If this cool feature is something you'd like, but you haven't gone PRO yet, click here to get started today. (no risk, with a 14-day satisfaction guarantee!)
You'll get all PRO features, including Malware Scanning, WP Config Protection, Plugin FileGuard, import/export, customer support, and so much more. Not only that, you'll get that warm, fuzzy feeling that comes from supporting our work and future development.