WordPress.org 6.4.2 minimum specs:

  • PHP 7.4 or greater

  • MySQL 5.7 or greater OR MariaDB 10.4 or greater

  • Nginx or Apache with mod_rewrite module

  • HTTPS support

Why upgrade your PHP to the latest version

They used a known vulnerability of PHP.  It was CVE-2023-3824.

In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.
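The version ranges in the CVE text above can be checked mechanically. This is an added example, not from the original page: the function names are hypothetical, the package list is constructed sample data, and the comparison assumes the package version is the upstream PHP version (distribution builds that backport fixes need their own advisory check).

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names are hypothetical;
# the fixed versions are the ones in the CVE text quoted above.

# php_in_cve_2023_3824_range VERSION
# Returns 0 if affected, 1 if outside the listed ranges, 2 if unparseable.
php_in_cve_2023_3824_range() {
    local ver major minor patch rest part fixed
    ver=${1#*:}            # drop a Debian epoch such as "1:"
    ver=${ver%%[-+~]*}     # drop packaging suffixes such as "-1+ubuntu22.04.1"
    case $ver in *.*.*) ;; *) return 2 ;; esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    for part in "$major" "$minor" "$patch"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    case "$major.$minor" in
        8.0) fixed=30 ;;
        8.1) fixed=22 ;;
        8.2) fixed=8 ;;
        *) return 1 ;;     # branch not named in the CVE text
    esac
    [ "$patch" -lt "$fixed" ]
}

# Read "package version" pairs on stdin, the format produced by
#   dpkg-query -W -f='${Package} ${Version}\n' 'php8*'
# and print only the packages whose version is in an affected range.
report_affected_packages() {
    local pkg ver
    while read -r pkg ver; do
        [ -n "$ver" ] || continue
        if php_in_cve_2023_3824_range "$ver"; then
            echo "$pkg $ver"
        fi
    done
}

# Constructed sample input, not real output from any server.
SAMPLE_PACKAGES='php8.0-common 8.0.29-1+ubuntu22.04.1+deb.sury.org+1
php8.1-common 8.1.27-1+ubuntu22.04.1+deb.sury.org+1
php8.3-common 8.3.2-1+ubuntu22.04.1+deb.sury.org+1'

printf '%s\n' "$SAMPLE_PACKAGES" | report_affected_packages
```

A return value of 1 only means the version is outside the ranges listed for this CVE; it says nothing about other issues in end-of-life branches.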

The current stable version is 8.3.2, released on 18 Jan 2024.  All my web sites run on the latest PHP version.   My Fortinet 60E firewall protects against attack vectors for my WordPress server: WordPress and all the LAMP components.  

  • In WordPress 6.4: Added “beta support” for PHP 8.3 (news post).

PHP 8.3.1 was released on 12.13.2023

PHP 8.3.2 was released on 1.18.2024

PHP 8.3.3 was released on 2.5.2024 as a bug fix

sudo add-apt-repository ppa:ondrej/php -y

remove old fpm
sudo a2disconf php8.2-fpm

replace fpm
sudo a2enconf php8.3-fpm

Configure PHP Logging

In /etc/php/8.3/fpm/php-fpm.conf:

error_log = /var/log/php8.3/php8.3-fpm.log

In /etc/logrotate.d/php8.3-fpm:

/var/log/php8.3/php8.3-fpm.log {
    rotate 12
    weekly
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        if [ -x /usr/lib/php/php8.3-fpm-reopenlogs ]; then
            /usr/lib/php/php8.3-fpm-reopenlogs;
        fi
    endscript
}

 

PHP Compatibility and WordPress Versions


WordPress aims to support new versions of PHP on the day they are released as much as possible. As a project, the process of supporting a new version begins after that PHP version has hit feature freeze and beta versions are being tagged. This prevents having to revert or make additional changes to WordPress if a planned feature is removed or the implementation changes.

Past changes to supported PHP versions have been as follows:

In WordPress version 4.1: Added support for PHP 5.6.

In WordPress 4.4: Added support for PHP 7.0 (dev note).

In WordPress 4.7: Added support for PHP 7.1.

In WordPress 4.9: Added support for PHP 7.2.

In WordPress 5.0: Added support for PHP 7.3 (dev note).

In WordPress 5.2: Dropped support for PHP 5.2, 5.3, 5.4, 5.5.

In WordPress 5.3: Added support for PHP 7.4 (dev note).

In WordPress 5.6: Added “beta support” for PHP 8.0 (dev note).

In WordPress 5.9: Added “beta support” for PHP 8.1 (dev note).

In WordPress 6.1: Added “beta support” for PHP 8.2.

In WordPress 6.3:

  • Dropped support for PHP 5.6.

  • Raised PHP 8.0 to compatible with exceptions. Exceptions:

      • Named parameters. WordPress does not support named parameters.

      • Filesystem WP_Filesystem_FTPext and WP_Filesystem_SSH2 when connect fails.

  • Raised PHP 8.1 to compatible with exceptions. Exceptions:

      • htmlentities() et al needs the default value of the flags parameter explicitly set.

      • Replace most strip_tags() with wp_strip_tags()

      • unregister_setting() for unknown setting.

In WordPress 6.4: Added “beta support” for PHP 8.3 (news post).

Supported Version Chart

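WP Version  5.2  5.3  5.4  5.5  5.6  7.0  7.1  7.2  7.3  7.4  8.0  8.1  8.2  8.3
6.4         N    N    N    N    N    Y    Y    Y    Y    Y    Ye   Ye   Y*   Y*
6.3         N    N    N    N    N    Y    Y    Y    Y    Y    Ye   Ye   Y*   N
6.2         N    N    N    N    Y    Y    Y    Y    Y    Y    Y*   Y*   Y*   N
6.1         N    N    N    N    Y    Y    Y    Y    Y    Y    Y*   Y*   Y*   N
6.0         N    N    N    N    Y    Y    Y    Y    Y    Y    Y*   Y*   N    N
5.9         N    N    N    N    Y    Y    Y    Y    Y    Y    Y*   Y*   N    N
5.8         N    N    N    N    Y    Y    Y    Y    Y    Y    Y*   N    N    N
5.7         N    N    N    N    Y    Y    Y    Y    Y    Y    Y*   N    N    N
5.6         N    N    N    N    Y    Y    Y    Y    Y    Y    Y*   N    N    N
5.5         N    N    N    N    Y    Y    Y    Y    Y    Y    N    N    N    N
5.4         N    N    N    N    Y    Y    Y    Y    Y    Y    N    N    N    N
5.3         N    N    N    N    Y    Y    Y    Y    Y    Y    N    N    N    N
5.2         N    N    N    N    Y    Y    Y    Y    Y    N    N    N    N    N
5.1         Y    Y    Y    Y    Y    Y    Y    Y    Y    N    N    N    N    N
5.0         Y    Y    Y    Y    Y    Y    Y    Y    Y    N    N    N    N    N
4.9         Y    Y    Y    Y    Y    Y    Y    Y    N    N    N    N    N    N
4.8         Y    Y    Y    Y    Y    Y    Y    N    N    N    N    N    N    N
4.7         Y    Y    Y    Y    Y    Y    Y    N    N    N    N    N    N    N
4.6         Y    Y    Y    Y    Y    Y    N    N    N    N    N    N    N    N
4.5         Y    Y    Y    Y    Y    Y    N    N    N    N    N    N    N    N
4.4         Y    Y    Y    Y    Y    Y    N    N    N    N    N    N    N    N
4.3         Y    Y    Y    Y    Y    N    N    N    N    N    N    N    N    N
4.2         Y    Y    Y    Y    Y    N    N    N    N    N    N    N    N    N
4.1         Y    Y    Y    Y    Y    N    N    N    N    N    N    N    N    N
4.0         Y    Y    Y    Y    N    N    N    N    N    N    N    N    N    N
3.9         Y    Y    Y    Y    N    N    N    N    N    N    N    N    N    N
3.8         Y    Y    Y    Y    N    N    N    N    N    N    N    N    N    N
3.7         Y    Y    Y    Y    N    N    N    N    N    N    N    N    N    N

* indicates “beta support”
e indicates “compatible with exceptions”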

See the WordPress page for some other php fixes. 

See the http/2 section at bottom.

Great site on upgrading PHP

This will set up the repository for PHP to be on the latest version

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo add-apt-repository ppa:ondrej/apache2
sudo apt update

Find all PHP files installed

dpkg -l | grep php | tee packages.txt

You will see php-only entries along with phpX.Y entries, where X could be 7 or 8 and Y 1 to 9. You want to remove the previous versions. If you are running 8.3, you want to remove 8.2, 8.1, 7.x, 6.x, or 5.x.

You can delete the older files:
cd /etc/php
wpmm22:/etc/php$ ls
8.0 8.1 8.3

Clean up old versions of PHP

You should be running 8.3 so remove 8.2.

sudo apt-get purge php8.2 libapache2-mod-php8.2 php8.2-common php8.2-mysql php8.2-gmp php8.2-curl php8.2-intl php8.2-mbstring php8.2-xmlrpc php8.2-gd php8.2-xml php8.2-cli php8.2-zip php8.2-bcmath php8.2-imagick php8.2-fpm php8.2-bz2 php8.2-mcrypt

Install newest version of PHP

remove old fpm
sudo a2disconf php8.2-fpm

replace fpm
sudo a2enconf php8.3-fpm

mcrypt is deprecated in PHP 8.3. 

sudo apt install php8.3 libapache2-mod-php8.3 php8.3-common php8.3-mysql php8.3-gmp php8.3-curl php8.3-intl php8.3-mbstring php8.3-xmlrpc php8.3-gd php8.3-xml php8.3-cli php8.3-zip php8.3-bcmath php8.3-imagick php8.3-fpm php8.3-bz2 php8.3-soap

This is what I use to install PHP for WordPress.

 

sudo a2dismod php8.2
sudo a2enmod php8.3
sudo service apache2 restart

Which PHP files are on my server: You can use it to clean up older files you don’t need

dpkg -l | grep php | tee packages.txt

Purge old php files

php 8.3 configuration

Site Health will show PHP issues. Elementor – System Info will show your PHP version and configuration.

I have been working on better securing my web sites in WP.   I installed the Health Check plugin.   I did add them into the commands to install above. 

It checked the php components and found a few missing. CURL, which I had installed so I refollowed these steps to verify it for php 7.3

First Install CURL by typing sudo apt-get install curl
Then Restart Apache by typing sudo service apache2 restart

Then Install PHP7.4 CURL by typing sudo apt-get install php7.4-curl

will prompt to install… type y or yes!

Then Restart Apache by typing sudo service apache2 restart

Done!  It now shows up in phpMyAdmin.

I have upgraded to the latest LAMP components that you can read about on Ubuntu pages. I am on the latest version of WordPress. This mainly affects my main webpage with videos of my children. These files can be huge so I set the limits at 768MB. Ubuntu server has 2 GB RAM available.

/etc/php/8.2/fpm/php.ini
/etc/php/8.2/cli/php.ini
/etc/php/8.2/apache2/php.ini

upload_max_filesize = 768M
post_max_size = 768M
memory_limit = 768M
max_execution_time = 360
mysqli.allow_local_infile = On

Health Check said these two components were missing.  fpm had some errors too.

I ran the commands below in various order to fix fpm

sudo a2enmod proxy_fcgi setenvif
sudo a2disconf php8.2-fpm
sudo a2enconf php8.3-fpm
sudo apt purge libapache2-mod-php8.3 libapache2-mod-php
sudo apt install libapache2-mod-php8.3 libapache2-mod-php

After I fixed these errors, I ran update and dist-upgrade again to get the latest versions. 

Enabling http/2 for Apache2:
You need to remove mpm_prefork and put in mpm_event

mpm_prefork doesn’t support http/2.
You need to disable previous version first

You might need to disable mpm_event first.

sudo apt-get install php8.3-fpm
sudo a2dismod php8.2
sudo a2enconf php8.3-fpm
sudo a2enmod proxy_fcgi
sudo a2dismod mpm_prefork
sudo a2enmod mpm_event
sudo a2enmod http2

sudo systemctl restart apache2

# Remember to change the php version!

phpMyAdmin

The configuration file now needs a secret passphrase (blowfish_secret).

phpMyAdmin blowfish secret generator

In /usr/share/phpMyAdmin rename config.sample.inc.php to config.inc.php.  Use the link above to generate the line of code to add to this file. Change this line with the code that link gives you. 

$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

The $cfg['TempDir'] (./tmp/) is not accessible

create tmp under /usr/share/phpMyAdmin.   I use chmod 755 and chown www-data:www-data so Apache can use it.  I am not a big fan of 777 for it.
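The secret can also be generated on the server itself, so it never passes through a third-party web page. This is an added example, not code from phpMyAdmin or the original page: the function names are hypothetical, and it assumes the 32-byte secret length that phpMyAdmin 5.2 checks for and the sample line shown above.

```bash
#!/usr/bin/env bash
# Added example, not from phpMyAdmin or the original page.
# Function names are hypothetical.

# Print 32 random characters from [A-Za-z0-9], read from the kernel CSPRNG.
gen_blowfish_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# setup_pma_config DIR
# Copy DIR/config.sample.inc.php to DIR/config.inc.php, fill in the secret,
# and create DIR/tmp. Refuses to overwrite an existing config.inc.php.
setup_pma_config() {
    local pma_dir=$1 sample target secret
    sample="$pma_dir/config.sample.inc.php"
    target="$pma_dir/config.inc.php"

    if [ ! -f "$sample" ]; then
        echo "missing $sample" >&2; return 1
    fi
    if [ -e "$target" ]; then
        echo "$target exists, not overwriting" >&2; return 1
    fi

    secret=$(gen_blowfish_secret)
    if [ "${#secret}" -ne 32 ]; then
        echo "secret has wrong length" >&2; return 1
    fi

    # umask 027 keeps the file holding the secret from being world-readable.
    ( umask 027
      sed "s|^\([$]cfg\['blowfish_secret'] = \)'';|\1'$secret';|" \
          "$sample" >"$target" )

    # Fail loudly if the sample line was not found and nothing was replaced.
    if ! grep -qF "['blowfish_secret'] = '$secret';" "$target"; then
        echo "sample line not found; edit $target by hand" >&2; return 1
    fi

    # 755 as on this page; chown www-data:www-data separately as root.
    mkdir -p "$pma_dir/tmp" && chmod 755 "$pma_dir/tmp"
}
```

Run it as `setup_pma_config /usr/share/phpmyadmin` with sufficient privileges, then set the ownership of config.inc.php so the web server user can read it.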

 phpMyAdmin Homepage

I just upgraded to 5.2.1.  The phpmyadmin directory is /usr/share/phpmyadmin.  If you are installing new, create it first. You will go into it before running the commands below.  The phpmyadmin.conf file in /etc/apache2/sites-available has the Let’s Encrypt certificate to access it from https and from a unique port. 

sudo wget https://files.phpmyadmin.net/phpMyAdmin/5.2.1/phpMyAdmin-5.2.1-english.tar.gz 
sudo tar xvzf phpMyAdmin-5.2.1-english.tar.gz
sudo cp -avr ./phpMyAdmin-5.2.1-english/. /usr/share/phpmyadmin

phpMyAdmin gives me a tool to create databases and users with ease. I created an sa account and gave root limited access. I moved phpMyAdmin off port 80 to another port. It required a few basic steps of creating a Sites-Available file and removing the mods-enable configuration. Both WP servers are now on this port.

The main screen of phpMyAdmin shows you the databases on the left.  The versions of Apache, MySQL (MariaDB), and php on the right.  It also shows you the version of phpMyAdmin running.

I decided to set up a new database to parse out the Firewall Syslogs. I created a new page for the Fortinet 60E hardening to show the results of this database. phpMyAdmin allows for the easy creation of databases, tables and setting up the user for the database. Once you set up a unique table field, you can even edit, create and delete rows of data.

I used this for my syslog parsing project.

In order for LOAD DATA LOCAL INFILE to work in your php code you need a few config file changes:

modify php.ini files in these directories.
/etc/php/8.3/apache2
/etc/php/8.3/cli
/etc/php/8.3/fpm

Under the [MySQLi] and [MySQL] sections:

mysqli.allow_local_infile = On

mysql> SET GLOBAL local_infile = 'ON';
Query OK, 0 rows affected (0.00 sec)

mysql> SET GLOBAL local_infile = 1;
Query OK, 0 rows affected (0.00 sec)

SHOW GLOBAL VARIABLES LIKE 'local_infile';