I have a love/hate relationship with WordPress. It’s the world’s most popular CMS and it makes managing websites very easy. The downside of this widespread popularity is that there is sometimes far too much technical support for WordPress out there. Wading through all the incorrect advice, adverts for more dumpster-fire plugins disguised as tech support and SEO garbage makes finding the correct advice difficult.
WordPress’s built-in site health plugin tells a user when their version of PHP is out of date. This is a good thing because the web is full of outdated and vulnerable WP installations that are an easy target for bad guys. Unfortunately there is a lot of unclear guidance about how to update your PHP settings and then make sure that WordPress recognises them. It’s possible to fully update to the latest version of PHP on your server and still experience the frustration of WordPress telling you that it’s outdated and you’re going to get pwned. What follows is a short tutorial on how to ensure your server is using the most recent version of PHP and that WordPress recognises it. If you’re using hosted WordPress you’ll need your provider to do this for you.
Installing PHP 7.4
Check the PHP version number installed on your server:
$ php -v
This should report something like:
PHP 7.2.24-0ubuntu0.18.04.7 (cli) (built: Oct 7 2020 15:24:25) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.24-0ubuntu0.18.04.7, Copyright (c) 1999-2018, by Zend
So this tells us that the server is running PHP 7.2 on Ubuntu 18.04. This version is still supported but it will soon (Nov 2020) stop receiving support, including security updates. Any versions of PHP older than 7.2 are no longer updated and contain a number of serious security issues. To stop your WordPress site becoming vulnerable it makes sense to upgrade to PHP 7.4, which is the most recent version and will still receive security updates until late 2022.
If your WP server is running the most recent version of Ubuntu (20.04) then PHP 7.4 is already in the repository. You can install it with the following commands:
sudo apt update
sudo apt install php php-cli php-fpm php-json php-common php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath
For older versions of Ubuntu you’ll need to add the PHP 7.4 repository first:
sudo apt-get update
sudo apt -y install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
Then install PHP 7.4:
sudo apt install php7.4
Now when you check the PHP version you should see the following:
$ php -v
PHP 7.4.10 (cli) (built: Sep 9 2020 06:36:14) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.10, Copyright (c), by Zend Technologies
Your server is now running the latest and most secure version of PHP. The problem isn’t quite fixed yet though…
Let Your WordPress Installation Know
Even if you’ve updated your server’s PHP version to 7.4, WP’s Site Health plugin (available from WP 5.2 onwards) will warn you that you’re using an outdated version of PHP, and that’s because your WP installation is still using older versions of PHP and not the new one you’ve just installed.
It’s clear that a lot of people experience this problem but there’s a lot of incorrect advice about how to fix it. One suggested fix is to modify the .htaccess file in the server’s root directory. This might work, but it’s more likely to break your site. Modifying the .htaccess file to tell WordPress to use PHP 7.4 doesn’t work if WordPress can’t find the new version of PHP in the first place. All that will happen is that WordPress will look for PHP 7.4, not be able to find it, and then shrug its shoulders and fall over.
To fix this properly means we have to update not only the Linux server OS as above but also the Apache or Nginx webserver that WordPress runs on. Fortunately this is quite quick and easy to do.
To Update Apache
First disable the Apache mod for the older version of PHP that you’re using (7.2 in this case):
sudo a2dismod php7.2
Then enable the Apache mod for PHP 7.4:
sudo a2enmod php7.4
Restart the Apache webserver:
sudo systemctl restart apache2
You’re done! WordPress will now only use PHP 7.4 and the site will no longer report that you’re using an outdated version of PHP. Even more importantly, you’ve also plugged a lot of the security holes that outdated PHP causes.
To Update Nginx
If you run WordPress on Nginx you can implement the latest version of PHP as follows:
sudo apt install nginx php7.4-fpm
Restart Nginx and you’re all done:
sudo systemctl restart nginx
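The Apache and Nginx steps above both come down to the same check: which PHP version is the web server wired to, as opposed to what the command-line `php -v` reports. The script below is an added example, not part of the original post. It assumes the Ubuntu default layout, where a2enmod leaves phpX.Y.load links in /etc/apache2/mods-enabled and Nginx site files name a phpX.Y-fpm socket in fastcgi_pass; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report the PHP version the web server is configured to use.
# Assumption: Debian/Ubuntu layout (mods-enabled/phpX.Y.load, phpX.Y-fpm sockets).

# apache_php_versions DIR -> one "X.Y" per enabled mod_php module in DIR
apache_php_versions() {
    for f in "$1"/php*.load; do
        [ -e "$f" ] || continue          # glob matched nothing
        basename "$f" .load | sed -n 's/^php\([0-9][0-9]*\.[0-9][0-9]*\)$/\1/p'
    done | sort -u
}

# nginx_php_versions DIR -> one "X.Y" per PHP-FPM socket named in fastcgi_pass
# (-R follows the symlinks in sites-enabled; commented-out lines are ignored)
nginx_php_versions() {
    grep -Rhs 'fastcgi_pass' "$1" | grep -v '^[[:space:]]*#' |
        sed -n 's/.*php\([0-9][0-9]*\.[0-9][0-9]*\)-fpm.*/\1/p' | sort -u
}

# check_versions WANT FOUND -> 0 if the server uses exactly WANT,
# 1 on a mismatch (including two versions enabled at once), 2 if none found
check_versions() {
    want=$1
    found=$2
    if [ -z "$found" ]; then
        echo "no PHP handler found in the web server configuration"
        return 2
    fi
    if [ "$found" = "$want" ]; then
        echo "OK: web server uses PHP $want"
        return 0
    fi
    echo "MISMATCH: wanted PHP $want, web server is configured for:" $found
    return 1
}

# On a real server (paths are the Ubuntu defaults):
#   check_versions 7.4 "$(apache_php_versions /etc/apache2/mods-enabled)"
#   check_versions 7.4 "$(nginx_php_versions /etc/nginx/sites-enabled)"
```

A mismatch here explains the Site Health warning even when `php -v` already shows 7.4.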