WordPress Security Dashboard: Great idea, bad execution (also PHP sucks)

WordPress 5.2 includes a security dashboard to help fix potential security issues with any WordPress site. This is a great idea in theory, and kudos to the WordPress team for making this easily available. It’s important to keep sites up to date to avoid hacking.

However, I have one, really big issue. A warning to upgrade your PHP version, and generally a rant about PHP’s awful versioning scheme.

PHP versioning, quite frankly, sucks. I’m a Python developer, so I like knowing that if I make my code in Python 3.5, it’ll generally work with 3.6, 3.7, etc, and more than likely older versions as well. Python follows semantic versioning quite well – if you coded something in say Python 3.1, a few methods may be depreciated by now, but no major issues.

With PHP, it’s bananas. Before I decided to dive into the rabbit hole that is PHP updates, I was running PHP 7.1, which is still supported with security fixes until December 2019. After seeing WordPress yell at me for having an out of date PHP version (when in fact, PHP 7.1 is fine), I decided to go about upgrading to PHP 7.3, more specifically, PHP 7.3.5.

After the upgrade was done, WordPress got angry about missing extensions. No big deal, one APT command and we’re good to go. However, later that day, I discovered that my status page totally broke. Cachet doesn’t work on PHP 7.3, even though it was coded in PHP 7.1. This makes no sense at all from a semantic versioning standpoint – each minor PHP release should be a major release if it’s breaking code. I tried salvaging my status page, but to no avail, so I had to migrate to LambStatus. It’s fine, but I’m still not super happy that I don’t have full control over the servers the page runs on.

Additionally, I further figured out that phpMyAdmin also was slightly incompatible with PHP 7.3, but not code-breaking. It’s a more simpler fix, just install a newer phpMyAdmin, but it’s still a hassle.

In short, for the past few weeks, I’ve been dealing with the ongoing reprocussions of installing the wrong PHP version at the wrong time.

Things WordPress has to fix with the security panel

Because you can get in a lot of trouble for upgrading an essential component of a web server, WordPress needs to improve the security dashboard, specifically the PHP update warning  in a few ways.

1. Make the security dashboard less watered down. I get it – WordPress is used by a wide variety of people, but I’d like more detailed explainations about themes that are out of date, when a theme/plugin was updated, etc.
2. Redo the PHP warning. Make the PHP warning a warning if the user is running PHP 5 – this is obviously a huge issue. However, if a user is using PHP 7.1 or 7.2, instead, notify  the user that while the latest PHP version is newer than the one installed, that the installed PHP version is still being supported. When the EoL comes for the specific PHP version, the notice becomes a warning.
3. WordPress needs to be aware that their software runs alongside other programs in a decent amount of server setups. While WordPress is compatible with the latest version of PHP, other programs on the server may not be. A notice should be provided to say that if you have other applications on the server, make sure those applications can run on the latest version of PHP before upgrading.

And that’s my little rant about the WordPress security dashboard. Good idea in theory, but in practice, it needs a lot of improvement.

This post was typed on my phone, so excuse any grammatical errors and if this post has some continuity issues.