two-factor icon indicating copy to clipboard operation
two-factor copied to clipboard

Published 20 hours ago verified publisher icon WordPress

Bumping minimum WordPress and PHP versions supported

Open jeffpaul opened this issue 3 years ago • 8 comments

As of now version 0.7.2 requires WordPress 4.3 and PHP 5.6. There are some potential benefits and more modern ways we could approach further enhancements and bug fixes in the plugin if we considered (and did) bump those minimum versions. Specifically https://github.com/WordPress/two-factor/issues/455 could be easier/better/simpler to handle if we bumped the PHP minimum to 7.2. Similarly https://github.com/WordPress/two-factor/pull/389 might also be easier/better/simple to handle if we bumped the WordPress minimum to 5.2. I might even suggest that we consider PHP 7.4 (as that still gets EOL later this year) and WordPress 5.3 (released ~3 years ago) or 5.6 (released ~2 years ago) as more modern/current minimums to maintain, but at least considering PHP 7.2 and WordPress 5.2 will help with the issues/PRs noted above.

jeffpaul avatar Sep 20 '22 21:09 jeffpaul

As this is a SECURITY plugin I say PHP7.4 (only because I know 8.0 won't Happen)

calvinalkan avatar Sep 25 '22 06:09 calvinalkan

IMO we don't need to support WP's minimum requirements. I'd guess that a proposal to merge this to Core is at least a year away, and Core may have shifted to PHP 7 by then anyway. It could also stay as a canonical plugin for awhile, so aligning with WP's exact requirements seems like a "cross that bridge when we get to it" thing to me.

PHP 5.6 usage seems small enough that I wouldn't worry about it, especially among sites that are running recent versions of Core. 7.0 and 7.1 seem smallish as well, so 7.2 seems like a reasonable minimum to me 👍🏻

WP 4.3 - 5.1 is also fairly small (with 4.9 being somewhat of an exception, but not hugely). Making 5.2 the minimum seems perfectly reasonable to me 👍🏻 If there's a compelling reason to go higher that could definitely be worth considering too, but I wouldn't do it for something small.

iandunn avatar Oct 14 '22 23:10 iandunn

Ok, I'm updating this from a question then to an enhancement looking for someone to help with the following:

  • [ ] Bump WordPress minimum from 4.3 to 5.2
  • [ ] Bump PHP minimum from 5.6 to 7.2

jeffpaul avatar Oct 17 '22 15:10 jeffpaul

This plugin is an opportunity to improve the security of systems that still can't upgrade to PHP 7/8 for some reason so locking them out of using it completely due PHP requirements feels wrong.

I think we should design with progressive enhancement in mind where every user of WP can use the core functionality of this plugin and they get the additional improvements as they upgrade their stack.

Currently the need for PHP 7+ is limited to some additional features related to the PHP encryption stack (and possibly the Webauthn implementation) so I would strongly encourage us to keep the same PHP requirements as the WP core project and think of ways to add the additional enhancements in a progressive way.

We could add a section to the Site Health that indicates any features that are not enabled due to system requirements. Or to the list of available two-factor methods when a certain method can't be enabled or isn't using the full feature set.

kasparsd avatar Oct 18 '22 09:10 kasparsd

I wonder if that'd give a false sense of security? The vulns in PHP 5 won't necessarily be mitigated by 2FA.

Having said that, I think progressive enhancement is a good point; if it's easy to support both then that'd avoid taking away a layer of defense. If it becomes buggy or difficult to maintain, though, then I think it's best to drop support for older versions.

I like your idea of disabling specific providers rather than the entire plugin, though. That's a good UX for folks who can't upgrade, but also a reminder that they really should update.

iandunn avatar Oct 18 '22 17:10 iandunn

I wonder if that'd give a false sense of security? The vulns in PHP 5 won't necessarily be mitigated by 2FA.

Having said that, I think progressive enhancement is a good point; if it's easy to support both then that'd avoid taking away a layer of defense. If it becomes buggy or difficult to maintenance, though, then I think it's best to drop support for older versions.

I like your idea of disabling specific providers rather than the entire plugin, though. That's a good UX for folks who can't upgrade, but also a reminder that they really should update.

My 2c,

This a security plugin, not "WP best instagram feed".

By supporting the lowest possible versions you are doing users on modern versions are disservice since you can't implement what is the best option regarding modern crypto.

calvinalkan avatar Oct 18 '22 18:10 calvinalkan

Currently the need for PHP 7+ is limited to some additional features related to the PHP encryption stack (and possibly the Webauthn implementation) so I would strongly encourage us to keep the same PHP requirements as the WP core project and think of ways to add the additional enhancements in a progressive way.

This feels like a good-enough reason not to require PHP > 5.6 to me.

Bumping the WP requirement still makes sense though.

By supporting the lowest possible versions you are doing users on modern versions are disservice since you can't implement what is the best option regarding modern crypto.

This doesn't appear to be the case, nor an issue at present? We specifically only use crypto that is polyfilled through Sodium_Compat and while that's not the perfect scenario, those running newer versions get a better experience.

dd32 avatar Oct 19 '22 04:10 dd32

Ok, sounds like we're coalescing towards:

  • [ ] Bump WordPress minimum from 4.3 to 5.2
  • ~Bump PHP minimum from 5.6 to 7.2~ (not doing this bump for reasons above)

jeffpaul avatar Mar 02 '23 16:03 jeffpaul