iis-docs
WordPress security concerns on IIS
This is regarding: https://docs.microsoft.com/en-us/iis/application-frameworks/install-and-configure-php-applications-on-iis/install-wordpress-on-iis
Several sites seem to recommend against installing WordPress on IIS, and instead direct people to install it in nginx on Linux (see below).
https://computerhelp.glerner.com/2015-why-should-you-not-host-wordpress-on-iis/#:~:text=IIS%20is%20used%20mainly%20on%20corporate%20web%20sites%3B,one%20company%2C%20using%20only%20Microsoft%20tools%20for%20development.
https://www.reddit.com/r/sysadmin/comments/sg7a2t/wordpress_on_iis_why_is_not_recommended/
Many of the concerns raised seem to be specific to security issues such as uploading malicious ASP or PHP files and then executing them. Are there any directions on securing the site to prevent such issues?
While the relevant articles related to PHP on IIS are not yet updated, PHP 8 on IIS is explicitly no longer supported by Microsoft. That policy also aligns well with PHP on App Service,
https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#php-8
Thus, the recommendation against installing WordPress/PHP on IIS is more than correct. However, the concerns discussed in the threads you linked are in many cases laughable, as the same vulnerabilities (malicious code execution) exist in other web servers/operating systems, as they are usually configuration flaws left by server administrators.
I was not aware that PHP 8 is not supported on Windows. It makes me curious as to why. In many cases it seems like the decision to drop support for, or not include support for, Windows is because those involved dislike all things Microsoft, or all things that are not open source, which usually seem to be based on logical fallacies, bad information, and faulty logic. I know that some concerns may seem laughable, but sometimes even those should be responded to at least generally and politely.
I guess that article about running WordPress on IIS is now out of date and will no longer be supported.
Note that according to the php.net website, there are downloads for the new versions of PHP on Windows. Specifically, the php.net/downloads page directs users to the windows.php.net/download page. I found no official documentation from the makers of PHP, in my quick review, that states that PHP will not support Windows or IIS. From what I can see, the links on https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#php-8 do NOT go to any page that states that Windows is NOT supported.
Unlike what you described, the call to stop supporting PHP 8 on IIS was made by Microsoft, not the "makers". The original Microsoft announcement on PHP 8 on IIS can be found at,
https://news-web.php.net/php.internals/110907
Sadly, PHP.net is a less well-known place for Microsoft customers, but should be the right place for the PHP audience.
So while you can still download PHP 8 bits for Windows (as it is created/maintained by the PHP community), you get no support from Microsoft (including this GitHub repo) if any issue occurs. You can continue to go with PHP 8 on IIS/Windows, but notice that running production web apps with only community support is usually considered risky.
I wrote a post about the various components involved to support PHP 5.x/6.x/7.x on IIS, which you might read as a reference,
https://halfblood.pro/who-should-be-contacted-for-php-on-iis-issues-c80b90bd365
I don't know why Microsoft stopped supporting PHP 8 on IIS (the short announcement from Microsoft didn't shed any light either), but in the meantime PHP on Linux is always a widely preferred option out there.
"Linux only" is the keyword on https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#php-8 if that's not very clear to you. That alone indicates the supported approach is to host your PHP web apps on one of the Linux-based App Service offerings.
It is sad that this decision was made by Microsoft, but was essentially hidden in a post on the PHP site, not clearly stated in the Microsoft docs, and the main page (Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#php-8) appears, to some at least, to lay the blame for that lack of support on PHP. As I read it, the links, based on where they are and how they are provided, and the related text, indicated to me that this support info came from PHP themselves, not Microsoft. While they could, I generally would never expect Microsoft to support something on their platforms that the original makers do not.
It is odd that PHP 8.1 is TBD if Microsoft has decided to no longer support PHP.
Thank you for the additional info.