How to Update PHP in WordPress (Kinsta, DreamHost, & cPanel)

There is a lot of advice on keeping your WordPress themes, plugins, and core files up to date. This helps keep your site in working order, though it’s not the only element to focus on. You’ll also want to update PHP in WordPress to keep the server side running smoothly. Every site has a front end and back end. The back end makes sure your site loads quickly, is performant, and keeps malicious users at bay. Your PHP version should be current, for many of the same reasons your site’s files should.

In this post, we’ll give you an overview of how WordPress and PHP interact. From there, we’ll show you how to update your PHP in WordPress.

How WordPress Uses PHP to Serve Websites

Before we get into the bulk of the article, let’s discuss PHP itself. For the unaware, websites run on a ‘stack’. This is a collection of software that helps the site run. For example, WordPress runs using a few different tools and languages:

- Front end: HTML, CSS.
- Interactivity: JavaScript, React.
- Back end: PHP.
- Server: MySQL.

While we won’t be going into the details of everything in this post, know that PHP is important to WordPress’ functionality. It’s a ‘server-side’ programming language that makes websites dynamic. Take a contact form. The ability to send the information it contains to the server and store it in the database is crucial for basic operation. This isn’t possible without PHP as part of the WordPress stack.

Why You Should Update Your PHP Version in WordPress

Given how WordPress uses PHP – it’s inherent in its operation – keeping the PHP version up to date on your server has a lot of benefits. Many of them are the same here as they are for other site elements:

- You can take advantage of new developments in the language.
- There is often better performance in the newer version.
- Security issues found in previous versions will often be patched, making your site stronger and more secure.

For a real-world example, take PHP 8. This is the most recent version of PHP, and it’s been adopted by lots of leading web hosts, for a few reasons:

- PHP 8 has tightened up its error reporting, which helps developers maintain better code.
- There are new performance features, such as ‘Just In Time’ (JIT) processing. This can be compared to caching, in that PHP tracks often used scripts and optimizes them.

There are a lot more benefits, but they’re beyond the scope of this article. Even so, there are some situations that don’t call for an immediate upgrade. Let’s discuss this next.

When You Should Update Your PHP Version

As per the standard advice for anything relating to your site, updating depends on a few variables. In most situations involving your themes, plugins, and core files, you’ll update as soon as you’re able. In contrast, your PHP version may not warrant an upgrade straight away. For many cases, there are more drawbacks than positives. Here are a few:

- Some functions have been deprecated in PHP 8, but are still used in lots of WordPress plugins. As such, upgrading could break them (and by extension, your site). In other words, your site and its dependencies may not be compatible with the update.
- You may find that you don’t need the enhanced functionality of a new PHP version.
- Your host might not support the newer version of PHP yet, for reasons of security and stability.

Again, there are lots more reasons, specific to your own needs and that of your host. In general, unless there’s a huge spotlit reason for not upgrading, you should do so. What’s more, lots of hosts will let you know how to upgrade when the time’s right. They should all have a blog, newsletter, knowledge base article, and more detailing whether an upgrade is possible, and how to do it.

How to Check Your Current PHP Version

First off, you need to check your current version of PHP before upgrading it. Achieving this depends on your host and current plan. Most custom dashboards will have a specific panel dedicated to PHP management. For example, Kinsta (our review) includes it in your list of sites. In contrast, DreamHost gives you the information after navigating a few subscreens. For cPanel users, your current PHP version can be found in the MultiPHP Manager.

Regardless of your host, it should almost always display the current version of PHP used on your site. You may also find that you’re running the latest version of PHP anyway. Lots of hosts will automate this with your permission, such as confirmation through a newsletter, or a dedicated toggle within your control panel.

It could also be that you don’t get to update PHP in WordPress just yet. This is often because the host wants to test the functionality first before deploying it to the public. In these cases, there’s not much for you to do. Your host will handle the process, and you can sit back.

It’s fair to say that this article is less relevant if you’re on a managed WordPress host. Still, the process is worth knowing as you may want to update PHP in WordPress for reasons specific to you.

What You’ll Need Before Updating Your PHP Version

The good news is that because updating PHP in WordPress is straightforward, you won’t need too much to get the job done. In fact, there are fewer than a handful of elements you’ll need in place:

- Administrator access to your server.
- The ability to upgrade your PHP version within your hosting panel.

Other than this, there are a few preventative measures you can take before pressing on with an update:

- Make a current, clean backup of your site – in case the worst happens and you have to start from scratch.
- Update your WordPress site’s core files.
- Update your site’s themes and plugins.
- Check the compatibility once again.

Once you’re set, you’re ready. The next section will show you


Google Search Completes Rollout of Link Spam Update – WP Tavern

Google announced today that it has completed its rollout of the link spam update, which was started a month ago. In an effort to combat sites using spammy links to manipulate rankings, the search engine has developed more effective ways to identify and nullify link spam across multiple languages. The update took a couple weeks longer than anticipated, but the algorithmic changes that re-assess the ranking of improperly qualified links have now been fully rolled out.

Commercial linking can be differentiated from link spam by specifying the appropriate rel attribute. For example, affiliate links must be identified to the search engine by rel="sponsored" in order to not trigger any negative effects from the most recent update.

Website owners and content creators should be aware of the search engine’s requirements when publishing affiliate links or sponsored/guest posts. While it is appropriate and ethical to disclose commercial links in the content of the post, this is no longer sufficient for Google. A post on the Google Search Central blog warns that this update carries a more strict response for sites that do not properly qualify commercial links:

“When we detect sites engaging in either publishing or acquiring links with excessive sponsored and guest posting without proper link tags, algorithmic and manual actions may be applied, similar to affiliate links.”

WordPress users who rely on plugins to manage sponsored and affiliate links will want to check to ensure they support the proper tagging for commercial links. Pretty Links, a link management and tracking plugin used by more than 300,000 WordPress sites, added support for the sponsored rel tag in version 3.1.0, along with sponsored toggle support in the block and TinyMCE editors. ThirstyAffiliates, another popular plugin active on more than 40,00 installs, has a global setting for adding rel attribute tags to links, which can also be adjusted on a per-link basis.

There are many other affiliate link management, tracking, and cloaking plugins out there that may not have been updated with settings for easily designating rel attributes in links. Those who do not want to have negative effects from the link spam update may need the ability to bulk update their links to comply. If you rely on a link management plugin, it’s a good idea to check the plugin’s settings, and alternatively the plugin’s changelog, to see what features are supported.


WooCommerce 5.5.2 Fixes Performance Issues Found After Forced Security Update – WP Tavern

WooCommerce has shipped version 5.5.2 as a follow-up to the forced security update that patched a SQL Injection vulnerability last week. The vulnerability impacted versions 3.3 to 5.5 of the WooCommerce plugin, as well as versions 2.5 to 5.5 of the WooCommerce Blocks feature plugin. The team created a patch for more than 90 releases, which was sent as a forced security update from WordPress.org, due to the potential severity of impact for millions of WooCommerce installations.

Shortly after the automatic update rolled out, many store owners started reporting serious performance issues on both WordPress.org and GitHub. Some users reported database crashes after receiving the automatic security patch in 5.5.1. One user reported a painfully slow, endless query that was “crippling to our operations,” with similar reports on GitHub of this same query “causing the entire server to go down.”

Those with a large number of products in their databases were impacted more frequently. “We run a fairly big DB – 17k products,” one user said. “This has been a nightmare.”

Store owners affected by this issue had resorted to downgrading to the previous releases at WooCommerce’s recommendation. They shared temporary workarounds to disable the query while WooCommerce investigated the issue. The problem was reported so frequently that it became a high priority for the team to fix.

A week ago, WooCommerce developer Adrian Duffell reported back that they had determined the cause was twofold:

- A slow SQL query used to retrieve the products that are low in stock. This SQL has been in WooCommerce for a number of releases.
- A REST API request, which executes this SQL query, is called more frequently in WooCommerce 5.5 than in previous versions.

A combination of these factors was causing the degraded server performance when users updated to WooCommerce 5.5. A fix was released in WooCommerce Admin 2.4.4 three days ago, and the fix was also added to core today in 5.5.2. Users who had put workarounds in place are advised to remove them after updating to the latest release.


WooCommerce Patches Critical Vulnerability, Sending Forced Security Update from WordPress.org – WP Tavern

WooCommerce has patched an unspecified, critical vulnerability identified on July 13, 2021, by a security researcher through Automattic’s HackerOne security program. The vulnerability impacts versions 3.3 to 5.5 of the WooCommerce plugin, as well as versions 2.5 to 5.5 of the WooCommerce Blocks feature plugin.

“Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores,” WooCommerce Head of Engineering Beau Lebens said in the security announcement.

WordPress.org is currently pushing out forced automatic updates to vulnerable stores, a practice that is rarely employed to mitigate potentially severe security issues impacting a large number of sites. Even with the automatic update, WooCommerce merchants are encouraged to check that their stores are running the latest version (5.5.1).

Since WooCommerce backported this security fix to every release branch back to 3.3, store owners using older versions of WooCommerce can safely update to the highest number in their current release branch even if not running the very latest 5.5.1 version.

At the time of publishing, only 7.2% of WooCommerce installations are using version 5.5+. More than half of stores (51.7%) are running on a version older than 5.1. WordPress.org doesn’t offer a more specific breakdown of the older versions, but it’s safe to say without these backported security fixes, the majority of WooCommerce installs might be left vulnerable.

The security announcement indicates that WooCommerce cannot yet confirm that this vulnerability has not been exploited:

“Our investigation into this vulnerability and whether data has been compromised is ongoing. We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.”

For those who are concerned about possible exploitation, the WooCommerce team is recommending merchants update their passwords after installing the patched version as a cautionary measure.

The good news for WooCommerce store owners is that this particular critical vulnerability was responsibly disclosed and patched within one day after it was identified. The plugin’s team has committed to being transparent about the security issue. In addition to publishing an announcement on the plugin’s blog, WooCommerce also emailed everyone who has opted into their mailing list. Concerned store owners should keep an eye on the WooCommerce blog for a follow-up post on how to investigate if their stores have been compromised.


Jetpack 9.8 Introduces WordPress Stories Block Alongside Forced Security Update – WordPress Tavern

Jetpack 9.8 was released this week, introducing WordPress Stories as the headline feature. The Story block, which allows users to create interactive stories, was previously only available on mobile. It can now be used in the web editor. Stories went into public beta on the Android app in January 2021, and were officially released on the mobile apps in March.

Version 9.8 also included a security patch for all sites using the Carousel feature. The vulnerability allowed the comments of non-published pages/posts to be leaked. It was severe enough for the Jetpack team to work with WordPress.org to release 78 patched versions – every version of Jetpack since 2.0. Sites not using the Carousel feature were not vulnerable but could be in the future if it was enabled and left unpatched.

In a rare move, WordPress.org pushed a forced update to all vulnerable versions, surprising those who have auto-updates disabled. Several Jetpack users posted in the support forums, asking why the plugin had updated automatically without permission and in some cases not to the newest version.

“So this update was a forced update on WordPress sites even with auto-updates disabled? We had this go live on a prod site at 2am last night that has auto-updates disabled for very specific reasons. Not cool Jetpack. https://t.co/55upBmyeHp” — Brad Williams (@williamsba) June 3, 2021

Jetpack team member Jeremy Herve said the vulnerability was responsibly disclosed via HackerOne, allowing them to work on a patch for the issue. After it was ready to go, the Jetpack team reached out to the WordPress.org security team to inform them of a vulnerability impacting multiple versions of the plugin.

“We sent them the patch alongside all the info we had (a PoC for the vulnerability, what features had to be active, what versions of Jetpack were impacted),” Herve said. “They recommended we release point releases for older versions of Jetpack as well.

“We created those new releases, and when we were ready to release them, someone from the WordPress.org team made some changes on the WordPress.org side so folks running old, vulnerable versions of the plugin would get auto-updated, just like it works for Core versions of WordPress.”

Jetpack team member Brandon Kraft estimated the number of vulnerable sites at 18% of the plugin’s active installs. He said that Jetpack was not part of the discussion about pushing out a forced update.

“We weren’t part of the discussion. Provided details and got the response, but I wouldn’t expect a security convo to be public. But, yes. Single feature impacted. A few things need to be all true for it to matter on a site, which looked like qualified about 18% of sites IIRC.” — A Guy Called Kraft 😷💉 (@Kraft) June 3, 2021

“What probably adds to the confusion is that WordPress 5.5 added a UI for plugin (and theme) autoupdates,” Herve said. “That UI, while helping one manage plugin autoupdates on their site, is a bit different from Core’s forced update process. Both of those update types can be deactivated by site owners, just like core’s autoupdates can be deactivated, but I don’t believe (and honestly wouldn’t recommend) that many folks deactivate those updates.”

Brandon Kraft dug deeper into the topic and published a post that explains the differences between auto-updates and forced updates. It includes how to lock down file modifications if you don’t want to receive any forced updates in the future. Forced updates, however, are exceedingly rare, and Kraft counts only three for Jetpack since 2013.

In this instance, the Jetpack team followed the official process for reporting a critical vulnerability to the plugin and security teams, who determine the impact for users based on a set of criteria. Users who received an email notification about an automatic update from Jetpack, despite having the UI in the dashboard set to disable them, should be aware that these forced updates can come once in a blue moon for security purposes.

Tony Perez, founder of NOC and former CEO at Sucuri, contends that forcing a security update like this violates the intent users assign when using the auto-updates UI in WordPress. He highlighted the potential for abuse if the system were to become vulnerable to a bad actor.

“The platform is making an active decision that is arguably contrary to what the site administrator is intending when they explicitly say they don’t want something done,” Perez said. “Put plainly, it’s an abuse of trust that exists between the WordPress user and the Foundation that helps maintain the project.

“My position is not that it shouldn’t exist. That’s a much deeper ideological debate, but it is about respecting an administrator’s explicit intent.”
