What You Should Know About the PCI Software Security Framework in 2019

The Payment Card Industry Security Standards Council (PCI SSC) recently announced the new PCI Software Security Framework. The new set of standards aims to improve the security resiliency of applications that accept payments and use payment data in their ecosystems. Learn everything you need to know about the PCI Software Security Framework in this article.

What Is the PCI Software Security Framework?

The framework is a new set of standards for securing payment data against data breaches and fraud. There are standards for the secure design, development, and maintenance of modern payment solutions. The standard applies to payment software that is sold, distributed, or licensed to third parties for the purposes of supporting or facilitating payment transactions.

How to Update PHP to the Recommended Version for WordPress

Using an outdated version of WordPress core, plugins or themes isn’t ideal. PHP is no different.

While WordPress technically works with PHP 5.6 and above, you’re sacrificing performance and compatibility, plus you’re open to security vulnerabilities by using older PHP versions. You should always aim to use the latest version of PHP.

In this post, you’ll learn everything you need to check what version of PHP you are running and how to update your PHP to the recommended version for WordPress.

What is PHP

PHP can do things like calculations, process conditional logic and pull information from the database so you can take a dynamic approach to build your webpages.

Unlike JavaScript, which modifies the HTML in the browser after the page has been constructed, PHP happens on the server. Since PHP happens before the HTML is rendered, you have more control over the final layout of the page.

If you look in your WordPress site’s files, you’ll see a lot of PHP files. These are the instructions that your server uses to build not only the webpages your visitor sees but also the WordPress admin backend. PHP is a major part of WordPress. PHP is a major part of the whole web, actually. It powers 70% of all websites.

WordPress PHP Version

You may recall that somewhat recently there was a big push to get everyone to upgrade WordPress to PHP 7. While it may have felt recent, that was a while ago. PHP has to be updated on a regular basis, just like WordPress core, themes, and plugins.

With PHP, each version receives support for two years after its initial release, then there is a period of another year where critical security updates are released as they’re needed. After this three-year period, that version of PHP is no longer updated.

As of June 2019, when I’m writing this post, the current recommended PHP version for WordPress is 7.3 or greater.

The majority of quality hosting providers will require you to use the latest version of PHP in order to use their servers and will help you modify your site to ensure that the latest version of PHP will not break your site.

WPMU DEV Hosting, for instance, has your back and uses the latest PHP version automatically.

Pie chart depicting what PHP version WordPress sites use
Only 4.4% of sites are using the most up-to-date version of PHP

Less reputable cheap hosts will not take the initiative to encourage you to upgrade your PHP because of the additional cost of support time and resources to help you transition. Since they don’t want to break your site by updating to the latest version of PHP automatically, they’ll often leave your site to use an outdated version of PHP and hope you don’t notice.

This practice is quite common and most WordPress sites aren’t using the most recent version of PHP as a result. Take a look at these WordPress statistics:

  • 4.4% of WordPress sites are using PHP version 7.3
  • 18.4% of WordPress sites are using PHP version 7.2
  • 13.2% of WordPress sites are using PHP version 7.1
  • 16.9% of WordPress sites are using PHP version 7.0

PHP 7.0 made its debut in December 2015, so by our three-year rule it reached the end of its lifecycle in December 2018. This means 64% of WordPress sites are running a version of PHP that is no longer being actively supported, and that’s problematic for several reasons.

Why you need to update PHP

Speed

For one, there are tremendous performance benefits that come with using the latest version. PHP 7.3 requires less time and resources to deliver the same number of requests to site visitors. It can handle as much as 3x as many requests per second as PHP 5.6.

According to this infographic, PHP 5.6 executes one WordPress request in just under 100M CPU instructions, while PHP 7 does the same using 25M CPU instructions, and PHP 7.3 uses even fewer. That’s a huge improvement that also goes a long way toward reducing memory usage on your host as well.

Since using the latest version of PHP takes less time to serve the same number of requests, you can give your visitors a much better user experience.

Ensuring Compatibility is Costly

Maintaining code takes effort, and that effort is multiplied when you need to ensure backward compatibility for additional versions.

No wonder people (probably overworked theme and plugin developers) at WordCamp US 2018 cheered when Matt Mullenweg proposed a plan to make PHP 7.0 the minimum required version by “as early as” December 2019.

Sometimes new versions of PHP introduce new features, such as error handling or new operators, as was the case with PHP 7. Other times, functions are deprecated or changed.

Rather than spending time parsing through the code to ensure that any changes to PHP do not affect the code, developers can spend their time adding new features or improving security instead.

Vulnerabilities

Just like plugins, themes and WordPress core get updates to fix security vulnerabilities, so does PHP. This is also why using a PHP version that is still getting updates is so important, as it protects you from vulnerabilities such as SQL injection, XSS and DoS attacks.

According to security vulnerability datasource CVE Details, there were 18 known vulnerabilities found in PHP in 2018. Compare this to the 43 vulnerabilities discovered in 2017 and the 107 found in 2016 and you can see why updating can help protect you from a lot of known security exploits.

As a matter of fact, some hackers look to see what version of PHP you’re running in order to know what kind of attack would be effective.

How to Check PHP Version in WordPress

So how do you find out what version of PHP your site is using? Easy. You can see this information right within WordPress.

Go to Tools > Site Health

Site Health Menu
Site health was recently added in version 5.2

If your site is not using the latest version of PHP, then it will be shown as a recommended improvement.

If it is, then open the passed tests section to verify. You’ll see that it says PHP is up to date plus what version you’re running.

WordPress site health
Obviously if you don’t know what version you’re running yet, then you won’t know where to look exactly

How to Update PHP in WordPress

Once you check to see what version of PHP your hosting server is running, you’ll know if you need to upgrade to the latest version of PHP.

If you do, you’ll first need to see if your site will be compatible with the new version of PHP. You never want to test major changes like updating your PHP on your live site because if there are major incompatibilities, you’ll damage your site.

For this reason, you’ll need to create an alternate site to test your changes on first.

Step 1: Create a Copy of Your Site

You’ll first need to get a copy of your current site. You’ll need all of the files and a copy of the database. You can use SFTP for your files and export a copy of your database using MyPHP.

In some instances, you may be able to use your last backup, if your backups include both the files and the database.

Step 2: Create a Local or Staging Site

Once you have a copy of your site, you’ll need to set up a testing environment. You can either use a local environment or set up a staging environment if your host allows it.

See our post on how to set up XAMPP on your local computer if you need help setting up your local environment.

Once your testing environment is set up, you can add the files and database from the previous step to your testing environment, so you have an exact replica of your live site.

Then once you have a copy of your site in your testing environment set up, you’re ready to upgrade the PHP version of your testing site.

Check PHP Compatibility

Now comes the fun part, and by fun, I actually mean when the boring action happens.

You’ll need to go through your test site to make sure that nothing is broken. You’ll want to pay extra careful attention to the critical functionality of your site. Checkout processes, newsletter signups, web forms, navigation, and all of the other elements that contribute to the bottom line.

You want to catch these issues before they have a chance to wreak havoc on your live site and cause a bad user experience for your visitors.

Checking PHP Compatibility with Tools

There are some tools that can help you with this process.

PHP Compatibility Checker – This plugin is often recommended to help you scan your site for incompatibility issues. Unfortunately, it hasn’t been updated to be able to test PHP 7.3. It also is known to flag false positives, so be sure to double check incompatibilities manually.

Error Log Monitor – This plugin will display a list of PHP errors in your WordPress dashboard which will help you diagnose the issues if you’re a developer. If you’re not a developer then it will help you relay the issue to support.

WP_DEBUG – WP_DEBUG is a PHP constant (a permanent global variable) that can be used to trigger the “debug” mode throughout WordPress. To turn on debugging in WordPress, set the WP_DEBUG variable to true. You can find it in the wp-config.php file. Check out our other post on Debugging WordPress: How to Use WP_DEBUG.

Fix issues

If a plugin or your theme is causing issues, work out the issue on your test site. Find a suitable alternative that is compatible with the latest version of PHP. Once you’ve found a solution, be sure to also make the change to your live site.
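
To work out which plugin or theme is responsible, the test site's PHP error log can be grouped by the wp-content directory each error points at. The script below is an added example, not code from the original post or from any of the plugins it mentions; the log lines follow PHP's usual error-log line format, and the plugin, theme and file names in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: a staging-site PHP error log after switching to PHP 7.3.
# The plugin, theme and file names are hypothetical.
SAMPLE_LOG = """\
[12-Jun-2019 10:15:03 UTC] PHP Deprecated:  Function create_function() is deprecated in /var/www/html/wp-content/plugins/old-gallery/widgets.php on line 42
[12-Jun-2019 10:15:03 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function mysql_connect() in /var/www/html/wp-content/plugins/old-gallery/db.php:14
[12-Jun-2019 10:15:09 UTC] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /var/www/html/wp-content/themes/retro-theme/functions.php on line 88
[12-Jun-2019 10:16:20 UTC] PHP Notice:  Undefined index: page in /var/www/html/wp-includes/example.php on line 7
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*)$")
COMPONENT_RE = re.compile(r"/wp-content/(plugins|themes)/([^/]+)/")
# Lower number = more urgent to fix before the live site is switched over.
SEVERITY = {"Fatal error": 0, "Parse error": 0, "Warning": 1, "Deprecated": 2, "Notice": 3}


def triage(log_text):
    """Group log entries by plugin/theme and return them worst-first."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace continuation lines, blank lines, etc.
        comp = COMPONENT_RE.search(m.group("msg"))
        owner = f"{comp.group(1)}/{comp.group(2)}" if comp else "core-or-other"
        counts[owner][m.group("level")] += 1
    report = []
    for owner, levels in counts.items():
        worst = min(levels, key=lambda lv: SEVERITY.get(lv, 9))
        report.append((owner, worst, dict(levels)))
    report.sort(key=lambda r: (SEVERITY.get(r[1], 9), r[0]))
    return report


if __name__ == "__main__":
    for owner, worst, levels in triage(SAMPLE_LOG):
        print(f"{owner:28} worst={worst:12} {levels}")
```

Anything reported with a fatal or parse error will break pages on the new PHP version; deprecations still work today but are the next candidates for replacement.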

Smush plugin showing compatible PHP versions
Check your active plugins to make sure they’re compatible with the latest version of PHP

When you’re looking for a suitable plugin in the WordPress repo, check to see what versions of PHP are supported.

How to Update PHP Version in WordPress

Once you’ve worked through all of the bugs and issues with compatibility, and have made the corresponding changes to your live site, then you can switch over your live site to the new version of PHP.

This process will vary from host to host, but will most likely involve changing a setting in your hosting cPanel. Ask your host for help on how to do this as some shared hosts will not let you access this setting.

Here’s a list with instructions on how to update the PHP version for 32 different hosts including popular hosts such as WP Engine, Pantheon, Kinsta, Pagely, Bluehost, Hostgator, GoDaddy and more.

If you never want to deal with having to update your PHP version, why not give WPMU DEV hosting a try and leave all the technical stuff to us?

Partnering with Your Host to Update PHP Version

Cheap shared hosting has convinced a lot of people that hosting websites is a simple and straightforward process, but the truth is, there is a lot that goes into maintaining your site files and database. Keeping all of your software up-to-date is one of the tasks that your host can and should help you with. If they’re unwilling to help you or hide your version to keep you in the dark, then that’s generally a sign that it’s time for you to switch hosts to something better.

At WPMU DEV, members get hosting for 3 free sites (even multisite) included with a monthly membership. Not only do we help you update your PHP version, we also back up your site daily, assist with caching configuration and monitor uptime. And if you ever need help fixing compatibility issues with your theme or plugins, our awesome support team is ready and willing to help. Sign up for a free 30-day membership to try everything out.

What’s New in Kubernetes v1.14

“We’re pleased to announce the delivery of Kubernetes 1.14, our first release of 2019!” Seeing a new blog post that starts with that sentence is always an exciting moment, isn’t it? Well, Kubernetes 1.14 is officially out, and boy, was it worth the wait.

It is a relatively big update, with the delivery bringing a whopping total of 31 enhancements, 10 of which are stable with an additional set of 12 enhancements that are in beta. There are some interesting changes to the ecosystem, but we are going to focus on the five most exciting ones. Let’s have a look!

April 2019 Update on Java Records

After Project Valhalla's "Value Types/Objects," the language feature I am perhaps the most excited to see come to Java is Project Amber's "Data Classes" (AKA "Records"). I wrote the post "Updates on Records (Data Classes for Java)" about this time last year and use this post to provide an update on my understanding of where the "records" proposal is now.

A good starting point for the current state of the "records" design work is Brian Goetz's February 2019 version of "Data Classes and Sealed Types for Java." In addition to providing background on the usefulness of "plain data carriers" being implemented with less overhead than with traditional Java classes and summarizing design decisions related to achieving that goal, this post also introduces noted Java developer personas Algebraic Annie, Boilerplate Billy, JavaBean Jerry, POJO Patty, Tuple Tommy, and Values Victor.

About the “Warning! WordPress Encrypts User Cookies” Error

Upgrading from older versions of WordPress is designed to go without a hitch, but depending on the setup and the two versions involved, you may encounter some hangups along the way. For example, if you are upgrading from a version of WordPress older than 3.0, eventually you may encounter the dreaded "Warning! WordPress Encrypts User Cookies" error. This quick DigWP tutorial explains what it is, why it happens, and how to fix the problem asap.

The error message

For those who are experiencing this "encrypted cookie" issue, the error message that's displayed looks something like this:

Warning! WordPress encrypts user cookies ...

This error happens when trying to log in or when you try to do things in the Admin Area. Basically you keep getting logged out for no apparent reason.

Why it happens

Fortunately there is an easy solution for the "WordPress Encrypts User Cookies" error. Open your site's wp-config.php file. Scroll down the file to just after the database credentials. Depending on your version of WordPress, you should find something like this:

/**#@+
 * Authentication Unique Keys and Salts.
 *

..followed by a set of 3, 4, or 8 (depending on WP version) constant definitions. For example, in the latest version of WordPress (5.0), there are EIGHT Unique Keys and Salts, waiting to be filled with random characters:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

The problem is that the number of these keys has changed along with WordPress. For those with better things to do, here is a brief history:

WordPress < 2.6

Versions of WP older than 2.6 have no secret keys:

[ none ]

WordPress 2.6

WP 2.6 has three secret keys:

define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');

WordPress 2.7 — 2.9

WP 2.7 thru 2.9 have four secret keys:

define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_KEY',       'put your unique phrase here');

WordPress >= 3.0

Versions of WP greater than or equal to 3.0 have eight secret keys:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

What does this mean? It means that when you upgrade from an older version of WordPress, the number of Unique Keys and Salts may not be the same. And so, if the latest version of WordPress is expecting eight secret-key constants, but your site's wp-config.php only contains four constants, you're gonna get the "WordPress Encrypts User Cookies" error.

The solution

To resolve the "encrypts cookie" error, you need to update your site's Unique Keys and Salts (secret keys), so as to provide the correct number of key constants. So if your old WP site only has three key constants, and you upgrade to WordPress 5.0, you will need to add the five missing constants (for a total of eight), so that WordPress can operate normally and without error.

Example: Upgrade from any version of WP, to the latest version of WP

If you are upgrading from any version of WP to the latest version, you can fix the error by simply replacing your existing secret keys with a brand new set. To do so, visit the WordPress Keys & Salts Generator, copy the results, and replace your existing keys with the freshly generated code. Then save changes, upload to your server and done. Once the new, complete set of keys is added, the encrypted-cookie error will disappear.

Other upgrade paths

As explained previously, your site's wp-config.php file should have the same number of constants that is expected by WordPress. Although ideally everyone everywhere always would update to the latest version of WordPress, we know that's just not a realistic expectation.

So for any other "non-latest" upgrade path that you may be taking, just make sure that your new version of WordPress has the correct number of secret keys defined. Check out the previous section for a list of WP versions and their respective number of Unique Keys and Salts.
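
The check described in "The solution" and "Other upgrade paths" can be scripted before an upgrade. The following is an added example, not part of the original tutorial or of WordPress itself: it reads the text of a wp-config.php, reports which constants the target version expects (per the version history above) but are missing or still hold the placeholder phrase, and builds replacement lines. It generates values locally with Python's secrets module rather than using the WordPress Keys & Salts Generator the tutorial recommends; the function names and sample config are constructed for illustration.

```python
import re
import secrets
import string

# Constants expected per WordPress version, following the history listed above.
KEYS_3 = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY"]
KEYS_4 = KEYS_3 + ["NONCE_KEY"]
KEYS_8 = KEYS_4 + ["AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")

def expected_keys(wp_version):
    """Map a (major, minor) WordPress version to the constants it expects."""
    if wp_version >= (3, 0):
        return KEYS_8
    if wp_version >= (2, 7):
        return KEYS_4
    if wp_version >= (2, 6):
        return KEYS_3
    return []

def audit(config_text, wp_version):
    """Return (missing, placeholder) constant names for the target version."""
    defined = {m.group(1): m.group(3) for m in DEFINE_RE.finditer(config_text)}
    wanted = expected_keys(wp_version)
    missing = [k for k in wanted if k not in defined]
    placeholder = [k for k in wanted if defined.get(k) == PLACEHOLDER]
    return missing, placeholder

def fresh_defines(names, length=64):
    """Build define() lines with CSPRNG values. Quote characters and backslash
    are excluded so each value is safe inside a single-quoted PHP string."""
    alphabet = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~ "
    return [
        "define('%s', '%s');" % (n, "".join(secrets.choice(alphabet) for _ in range(length)))
        for n in names
    ]

# Constructed wp-config.php fragment from a site last configured on WP 2.7 to 2.9.
SAMPLE_CONFIG = """
define('DB_NAME', 'wordpress');
define('AUTH_KEY',        'k3y-one-constructed-sample');
define('SECURE_AUTH_KEY', 'k3y-two-constructed-sample');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_KEY',       'k3y-four-constructed-sample');
"""

if __name__ == "__main__":
    missing, placeholder = audit(SAMPLE_CONFIG, (5, 0))
    print("missing:", missing)
    print("still placeholder:", placeholder)
    print("\n".join(fresh_defines(missing + placeholder)))
```

Replacing keys that are already in use invalidates existing login cookies, so every user has to log in again after the change.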