
There they go trying to be "hip" again, thinking they are important enough to cause trends.

They also stopped supporting PHP 4.4 which means hundreds of thousands of legacy installs no longer do automatic updates because their update code (purposely? lazily?) has a few lines that don't work under PHP 4.

IE6 is one thing to go "meh" about but WordPress installs that do not do fast easy updates are time bombs.

I can think of several large sites or organizations who have dropped IE6 support in the past year.

There's nothing lazy about not supporting PHP 4. It is outdated and flawed, and the last release was in 2008. PHP 5 has been out for over 5 years. The fact that those sites are timebombs is not WordPress's fault or their problem.

For modern code that starts off with PHP5 it's fine and understandable to restrict versions.

But WordPress is an "ancient" legacy mess and does not have any advanced code that benefits from PHP5 - you actually have to go out of your way to break it for PHP4. There is nothing in it that cannot be fixed for PHP4 without one extra line or two.

Note that 99.9% of WordPress3 works on PHP4 - only the security updating fails - and it fails in an uncontrolled way, not because it checks for the PHP version and stops - it actually fails silently (which is also typical WP style).

There are hundreds of thousands of shared servers that are still running PHP 4.4.9 just fine and WordPress has a responsibility to make sure security updates keep working if it's easy enough to maintain (and it is).

I imagine the main reason they moved to PHP5 was not for features but simply because the PHP development team ended support for PHP 4. That means no more security fixes for version 4. This point was mentioned explicitly by WordPress.

WordPress didn't end support until 3 years after PHP 4's end of life. I think that's a more than reasonable amount of time to wait before enforcing an upgrade.

The fact that WordPress does not have any code that benefits from PHP 5 is undoubtedly, in part, due to its extended support for PHP 4.

As the developer who wrote the Upgrading classes, I'd just like to say that PHP4 is, and always was, supported. The upgrade code hasn't been really affected by the switch to PHP5.2.4.

All the known issues with PHP4 and upgrading have been down to bad configurations of the servers, and quite often, insecure configurations of shared hosts. Often switching to their server's PHP5 support would "fix" it, simply due to the PHP5 configuration often being set up better than their legacy php.ini for PHP4 from when PHP 4.1 was standard.

> and it fails in an uncontrolled way, not because it checks for the PHP version and stops - it actually fails silently (which is also typical WP style).

Did you ever bother helping fix that? If it's failing silently it's either due to a timeout (often configuration related), PHP error (often plugin related), or HTTP error (dodgy PHP configuration, or extension is malfunctioning - curl, I'm looking at you!)

WordPress has usage stats of what servers are running. The majority of PHP 4.4 hosts have access to PHP5 through their hosts, they just have to turn it on. Most other major webhosts have been contacted and have plans to support PHP5 as well.

Every other major web application has made the move. It's time for webhosts to spend their customers' monthly fees on providing up to date, secure services, not just letting the server rot.

The best thing WP can do, security-wise, is ditch PHP4.

The best thing it could do security-wise is ditching PHP.

Not really, since that would of course mean a complete rewrite. The code is only as secure as its authors make it, too - Python or Ruby are not magic bullets against XSS or SQL injection. While it would be fantastic to have WordPress in Python, and for the crufty and backwards bits to be cleaned up, old code that has been tested and audited is surely more secure and bug free than a brand new code base.

Really? Perhaps you are ignoring the fact that with PHP you can be as secure as you care to be. It's all up to you. But let's not get started on this one. It's done to death already.
