Upgrading PHP and WordPress

Written by Christophe Limpalair on 08/29/2015

A friend of mine reminded me that PHP 7 is projected to be released in November 2015.

That made me wonder how many websites were still using old versions of PHP. By old, I mean before 5.6 (which is the current version as of 2/8/15). A quick Google search revealed these interesting pie charts from WordPress. These charts are pretty current, because they include WordPress 4.1, which was released on December 18th, 2014.

According to these charts, there is such a small fraction of websites using PHP 5.6 that they don’t even display the percentage. A whopping 32% still use 5.2, 38.5% still use 5.3, and 24.9% still use 5.4. The WordPress version distribution is not much better either. Wtf?! That's insane!

If you're not convinced as to why you should absolutely upgrade within the next few days if you're still using anything other than PHP 5.6, or WordPress 4.1, skip this section and let me convince you. Don't want to take my word for it? Forbes was attacked and infected its visitors through a plugin exploit.

How to upgrade PHP & WordPress

I recommend you create a backup image of your server. Check your hosting's documentation to know how to do this. With AWS, you can create AMI images/snapshots.

I also recommend you create a backup of your /etc/php5/fpm/php.ini. You'll see why in a minute.
sudo cp /etc/php5/fpm/php.ini /etc/php5/fpm/php_backup

And a backup of your /etc/php5/fpm/pool.d/www.conf (if you are using php-fpm)
sudo cp /etc/php5/fpm/pool.d/www.conf /etc/php5/fpm/pool.d/www_backup

1) Add PHP 5.6 Package sources from Ondřej Surý, who is part of the Debian pkg-php team

sudo add-apt-repository ppa:ondrej/php5-5.6

Now, get the latest version and install:

sudo apt-get update
sudo apt-get install php5

When I run the last command, I get a question:

Configuration file `/etc/php5/fpm/pool.d/www.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** www.conf (Y/I/N/O/D/Z) [default=N] ?

I also get a prompt later on.

The first option "install the package maintainer's version" worked fine for me, however it could cause issues with your setup. The choice you choose is totally up to you, but keep in mind there are options that let you see differences between both files. This is also why I told you to backup your www.conf and php.ini-- if something breaks, you could revert back.

At this point, if you are getting "502 Bad Gateway" errors or anything you may have to reload your web services like apache or nginx and php-fpm:

If (you use Nginx + PHP-FPM) :
sudo service nginx restart
sudo service php5-fpm restart

else (Apache reload) :
sudo service apache2 reload

If that doesn't fix the errors, check your Nginx + PHP-FPM or Apache settings.

Upgrade WordPress

If you're on WordPress and don't have 4.1 (as of 2/8/15, it's the newest version), you need to upgrade. Seriously, there are security issues with older versions that are publicly available on the internet.

Again make sure you have a backup of your site. Go in your admin panel, and hit upgrade.

If something breaks after the upgrade, you may have incompatible plugins. Try disabling them one by one and see if that works. If not, I really hope you haven't been changing the core. If you have, now is the time to correct that.

If these two options don't fix your WordPress upgrade, part of your theme code may be incompatible. If that's the case, you should see errors when loading your website that will point you in the right direction.

With all that being said, I've never had a site break from a WordPress upgrade. I'm not saying that to boast, I'm saying it to show how unlikely it is to happen unless your developers/plugin developers used un-recommended practices.

Hurray, you're making the web a better place! Thanks!

Why does upgrading matter so much?

New language and framework versions are released periodically for a number of reasons, including--- Features, speed, security.

So by not upgrading, you are essentially saying "I am willing to compromise my app’s ability to provide more features, at a faster rate, and I’m willing to put my visitors at risk".

It doesn’t make any sense!

So why don’t more people upgrade?

Again, a few reason—
1) Not aware of upgrades.
2) Too busy at the time and the person forgets about it.
3) Afraid of compatibility issues. ie: it will break my site.

How can the industry fix this?

It’s obviously no easy task or it would already be done, but there is definitely a lot of room for improvement. Here are a few thoughts.

-> I recently logged into a PHPMyAdmin console to browse around a site’s database. After a while, I noticed tiny text at the bottom of the screen that was telling me there was a newer version of PHPMyAdmin and that it was recommended that I update it. While I’m glad they highly recommend this action, it should not have taken me so long to see this notice. It should be in my face as soon as I login. I’m not talking about stopping you from using the software, but you shouldn’t be able to miss it or forget about it.

-> Hosting companies need to work alongside frameworks and languages to guide their customers through the process of upgrading, and again, making sure they don’t miss the notices. This could be as simple as writing guides of how to check compatibility, and backing up their data so that even something goes wrong the customer knows exactly how to revert back; to more complicated scripts that detect incompatible/deprecated syntax.

Sure, this means more work, but it also means a faster and more reliable web!

-> My last, but certainly not least, thought—you, as a developer, need to stay on top of these updates. I’m guilty of this so I’m not just pointing fingers and trying to make you feel bad. I know it’s hard and there are things that appear much more important at the time, but I implore you to stay on top of these updates through social media, newsletters, etc… This will advance your development career by not only improving your apps, but also making your employer respect you a lot more. It’s also doing humanity a favor by making it harder for crackers to take over websites and have an army of DoS bots.


So yeah. Thoughts that developed from a simple comment my friend made. Actually, I’m pretty sure I’ve had a similar conversion with him in the past, and some of his ideas inevitably worked their way inside my thoughts. Thanks, Joel.

Any thoughts you'd like to share? Post them in the comments below!