Bumping minimum WordPress and PHP versions supported #461
Comments
jeffpaul
changed the title
|
As this is a SECURITY plugin I say PHP7.4 (only because I know 8.0 won't Happen) |
|
IMO we don't need to support WP's minimum requirements. I'd guess that a proposal to merge this to Core is at least a year away, and Core may have shifted to PHP 7 by then anyway. It could also stay as a canonical plugin for awhile, so aligning with WP's exact requirements seems like a "cross that bridge when we get to it" thing to me. PHP WP |
|
Ok, I'm updating this from a question then to an enhancement looking for someone to help with the following:
|
jeffpaul
changed the title
|
This plugin is an opportunity to improve the security of systems that still can't upgrade to PHP 7/8 for some reason so locking them out of using it completely due PHP requirements feels wrong. I think we should design with progressive enhancement in mind where every user of WP can use the core functionality of this plugin and they get the additional improvements as they upgrade their stack. Currently the need for PHP 7+ is limited to some additional features related to the PHP encryption stack (and possibly the Webauthn implementation) so I would strongly encourage us to keep the same PHP requirements as the WP core project and think of ways to add the additional enhancements in a progressive way. We could add a section to the Site Health that indicates any features that are not enabled due to system requirements. Or to the list of available two-factor methods when a certain method can't be enabled or isn't using the full feature set. |
|
I wonder if that'd give a false sense of security? The vulns in PHP 5 won't necessarily be mitigated by 2FA. Having said that, I think progressive enhancement is a good point; if it's easy to support both then that'd avoid taking away a layer of defense. If it becomes buggy or difficult to maintain, though, then I think it's best to drop support for older versions. I like your idea of disabling specific providers rather than the entire plugin, though. That's a good UX for folks who can't upgrade, but also a reminder that they really should update. |
My 2c, This a security plugin, not "WP best instagram feed". By supporting the lowest possible versions you are doing users on modern versions are disservice since you can't implement what is the best option regarding modern crypto. |
This feels like a good-enough reason not to require PHP > 5.6 to me. Bumping the WP requirement still makes sense though.
This doesn't appear to be the case, nor an issue at present? We specifically only use crypto that is polyfilled through |
|
Ok, sounds like we're coalescing towards:
|
|
Given WordPress now requires PHP 7.2 as of WP 6.6 (PHP 5.6 was dropped in WP 6.3).. I hereby suggest, WP minimum should be bumped to at least 6.3 & PHP should be bumped to 7.2 as of next major release of the plugin. |
|
Works for me. |
As of now version 0.7.2 requires WordPress 4.3 and PHP 5.6. There are some potential benefits and more modern ways we could approach further enhancements and bug fixes in the plugin if we considered (and did) bump those minimum versions. Specifically #455 could be easier/better/simpler to handle if we bumped the PHP minimum to 7.2. Similarly #389 might also be easier/better/simple to handle if we bumped the WordPress minimum to 5.2. I might even suggest that we consider PHP 7.4 (as that still gets EOL later this year) and WordPress 5.3 (released ~3 years ago) or 5.6 (released ~2 years ago) as more modern/current minimums to maintain, but at least considering PHP 7.2 and WordPress 5.2 will help with the issues/PRs noted above.
The text was updated successfully, but these errors were encountered: