Critical WordPress Updates

Nov 21, 2018 | News

As you may have heard, there are some important changes happening to the web, which are especially important considerations for WordPress sites. We’re going to cover preparing for 3 changes, and will list them here for your review:

  • WordPress Core will be updated to v5.0
  • PHP 5.6 is reaching its End of Life
  • Browsers continue to punish sites without SSL certificates

If you are confident your site(s) are prepared for WordPress 5.0 and you are running PHP 7.x with an SSL certificate installed and configured, congratulations! You can safely ignore the rest of this article, as you’re in good shape for 2019. If you are not 100% confident you’re ready for these changes, please continue reading.

WordPress 5.0

The first of the changes coming is that WordPress 5.0 currently has a target release date of November 19, 2018. We have every reason to believe this date is accurate (+/- 3-5 days), and you should be seeing a prompt to update your WordPress site(s) on or around that date. This will be the first major version update of WordPress Core since WordPress 4.0 launched on September 4, 2014. The main feature driving this major version update will be the new editor “Gutenberg”. You likely have seen the prompt to either install the Gutenberg plugin or the Classic Editor plugin in your WordPress dashboard. The Classic Editor has been a core feature of WordPress many have attempted to sidestep, typically with themes or plugins that introduce page builders or other content management experiences. While the Gutenberg editor introduces an exciting, new default workflow and experience for content management, it also introduces potentially site-breaking changes to existing content.

Regardless of your current editing methods, it’s critical you install the Gutenberg plugin and extensively test for any site-breaking issues. We also encourage everyone to familiarize themselves with the Gutenberg editor, especially those who currently rely on the Classic Editor. You may be pleasantly surprised at the refreshed editing experience.

PHP 5.6 Abandonment

The second major change is the PHP 5.6 End of Life coming December 31, 2018. An “End of Life” date marks when all updates to a piece of software end, including security updates and bug fixes. The minimum acceptable version as of that date will be PHP 7.0, released December 2015, with the recommended version being PHP 7.2, released November 2017. As of this email, only about 22% of PHP-powered websites are on 7.0 or higher, with about 77% of PHP-powered sites running PHP 5.x. We feel powering your site with a version no older than 3 years is a fair expectation, as do the people who create and support PHP itself.

What this End of Life means in real terms is that if someone finds a vulnerability in PHP 5 and releases it to the public on January 1, 2019, all sites on PHP 5 will be wide open forever. No one will be there to patch the hole, and the recommended “fix” will be to simply upgrade. The good news is that, as PHP 7.x has been available to developers for 3 years, most plugins and themes should work perfectly on the newer version without issue (assuming they’ve been updated in the last 3 years). We insist all WordPress sites be tested for and updated to the minimum PHP 7.0 immediately, and recommend adopting PHP 7.2 if possible while in the process of migrating from 5.x to 7.x. As an added benefit for making this move, you may find PHP 7.x is much faster than PHP 5.x when it comes to some common operations, so you should see a performance boost in return for your effort.

This is an absolutely critical security concern, and must be done before the end of this calendar year. If your hosting provider does not provide you with a safe and easy way to test and upgrade to the latest version of PHP (at least PHP 7.0, preferably PHP 7.2), we highly recommend an immediate migration. This must be done ahead of PHP 5.6’s EoL; it is not optional if you value your site, your data, or your business.

Mandatory SSL Encryption

Finally, we’d like to touch on a change that is less abrupt and more of an ongoing shift in the web. As of Chrome 68, released in July of this year, you may have noticed the URL bar displays either a green padlock (secure), an (i)nfo icon with more information as to why a site cannot be considered secure, or in the worst case, the information icon paired with the words “Not Secure”. Chrome (and other browsers) have a clear, planned progression of changes intended to encourage all sites to be secured with SSL certificates, while respecting some sites may take time to adopt this change. The availability of free SSL certificates through Let’s Encrypt, and the amount of time since these changes began (Google began giving SEO boosts to sites secured with SSL as early as 2014) means no site should remain unsecured today. This is especially important if you process or store any user data, including but not limited to allowing visitors to register as users, running an eCommerce store, or even just having a functional contact form. We recommend everyone install and configure a Let’s Encrypt SSL certificate through their hosting provider, and make the https:// version of their site the canonical address. This involves a search/replace through the database, redirecting to the HTTPS URL, updating any 3rd party tracking/analytics (Google Analytics, etc), and testing for mixed-content (secured and non-secured content being served together).

If your host does not offer a free SSL certificate in 2018, we see this as a serious red flag, and recommend a migration.
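To illustrate the mixed-content test mentioned above, here is an added example (not Pixel Parlor's own code) that scans a page's HTML for subresources still loaded over http://. It separates loads browsers block outright from those they have traditionally allowed with a downgraded padlock. The sample markup, example.com hostnames and paths are constructed placeholders.

```python
from html.parser import HTMLParser

# Loads that browsers block outright on an HTTPS page ("active" mixed content).
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
# Loads browsers have traditionally allowed with a downgraded padlock ("passive").
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collect http:// subresources referenced by a page served over https://."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            attr = table.get(tag)
            if attr is None:
                continue
            # Only rel=stylesheet <link>s count as a load here; rel=canonical is metadata.
            rel = (attrs.get("rel") or "").lower()
            if tag == "link" and "stylesheet" not in rel:
                continue
            url = (attrs.get(attr) or "").strip()
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample markup; example.com and the paths are placeholders.
SAMPLE = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.com/">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<img src="http://example.com/wp-content/uploads/2018/11/logo.png">
<a href="http://example.org/">plain links are navigation, not mixed content</a>
<iframe src="http://video.example.net/embed/1"></iframe>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Hard-coded http:// URLs like the stylesheet and image above are what the database search/replace step is meant to eliminate, so running a check like this after the replace confirms it caught everything.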

Now that we’ve walked you through the changes, we encourage you to research PHP 5.6’s EoL, WordPress 5.0’s upcoming release, and SSL certificates to make an educated plan of action. We have openings in our November/December schedule to prepare some sites for these changes, but may not be prepared to assist everyone receiving this email. We can make hosting recommendations to those who are looking to migrate, but will only be able to prepare a limited number of sites ourselves. If after reading this email you are not 100% confident in your site’s readiness, please reach out to us immediately so we can help.

Thank you,

Your friends at Pixel Parlor
hello@pixelparlor.com