Why is WPMUDEV using unsafe function calls in some of their plugins?

Hi Heroes and WPMUDEVelopers

Why can we find unsafe function calls in WPMUDEV plugins, whether flagged as high, medium or low risk, when there are safe alternatives available?

e.g. Automessage

The tests of plugin code we are currently running on all WPMUDEV plugins to evaluate their coding quality could also be done by customers who have no coding knowledge, and they would get the same output, which isn't good if we want to provide high coding quality in our products.

Kind regards
Andi

  • Andi

    Hi Ivan

    I would suggest making an announcement that people should update their sites and servers or use state-of-the-art servers instead of keeping backward compatibility with versions which have long been out of updates, especially those no longer maintained. PHP 7 is current, and that is where people should go, not below that.

    Keeping backward compatibility only promotes laziness in people who then actually push the risk onto others who regularly update but whose sites will not run as well as they could because of that backward stuff.

    Kind regards
    Andi

  • Predrag Dubajic

    Hi Andi,

    If we could get everyone running on PHP 7 or later, I think developers would be the happiest persons on earth and would probably throw a party :slight_smile:

    Unfortunately a lot of hosting providers, even some popular ones, are still running older PHP versions, and the WordPress requirements page lists 5.2.4 as the minimum required version, so at the moment this is not possible.

    We're all hoping this will change in the near future.

    Best regards,
    Predrag

  • Andi

    Hi Predrag

    At TYPO3 we had a similar problem, and a simple compatibility extension solved it. This way the never-updaters, as well as those who run sites for their business and keep them up to date, can be happy.

    The compatibility extension in TYPO3 only gets installed where older backward compatibility is needed, and all others can run the extensions without that insecure, slowing-down ballast.

    I would suggest creating a compatibility module which holds all those slow-down parts, and the problem is solved.

    We are currently in the process of updating all sites to PHP 7.2, and that ballast is really blocking the speed; it is as simple as that! All those who still like to run WP 3.* or earlier can do so as they like, but please not at the cost of those who like to have a secure server!

    In the next days, over the Western Christmas holidays, we will run our tests with PHP 7.2 and also check all WPMUDEV plugins, and of course we hope that all those errors will be gone, but I doubt it.

    What options will be left for us? Let me know. If there is no way to get rid of the stuff, we actually only have the option of doing it ourselves, but to finance that effort we would need the community or contributions, which means we would need to get on a publicly accessible Git. So we are actually back to the old problem.

    You actually don't need to foster all those who are no longer members or who don't contribute help or financial value, so it is not really understood why that backward compatibility gets kept. Simply look forward to the future and not backward to the vulnerable WordPress of yesterday!

    A simple statement from WPMUDEV would solve the problem.

    1. WPMUDEV provides plugins which are compatible with the old stable and current stable releases of PHP.
    2. All other PHP versions might work but will no longer be maintained (which is actually the case).
    3. If you are on a no longer supported PHP version, please send the letter provided on wordpress.org to your hosting provider: https://wordpress.org/about/requirements/
    4. If you need help switching to another PHP version, ask at Jobs and Experts. There are people who are willing to help and who can actually do the job.
    5. We are a community and we are here to help each other get secure, updated, speedy websites. Please help not to slow down development by no longer updating your server and sites!

    e.g. set a date (starting 1 January 2018 this goes into effect) and people will update. They will be happy to have faster and more secure sites. Members will be happy to help those who can't find a qualified hoster. You have 600,000 members who pay, and for sure there are some hosters who have space for them, and perhaps even some who offer their customers automated updates not only for WordPress but also for the complete server environment, like our servers, which run on 17.10 and have PHP 7.0, 7.1+ and 7.2+ available, and no more PHP 5.6 or below.

    You have such great features at WPMUDEV, but by keeping that backward compatibility you slow down not only the plugin development but also the sites of your members who are already on PHP 7. Please keep that in mind.

    In TYPO3 people can stay on and even get updates for lower versions, but there they simply have to pay more or less a fortune to still receive security-related updates; but again, those run completely separately (that is the reason why the support for unmaintained versions is so expensive): 2000 Euro/year!

    The general problem is that customers also check plugins and realize that those red warnings pop up, and they call us, and we have to tell them we don't know, we think ..., they say it is secure ..., but to be honest that is not good at all. It would be much better to go public and show: Hi WP Community, here is WPMUDEV, no more plugins are outdated, no more plugins have yellow or red warnings, ...

    There is actually no excuse not to simply do it and skip the backward compatibility!
    WordPress actually encourages plugin developers to set recent PHP versions as a requirement:
    https://make.wordpress.org/plugins/2017/08/29/minimum-php-version-requirement/
    and WPMUDEV should follow that rather than following the core.

    People who don't fulfil the requirements could still load an older version, which they would need to maintain themselves, just as they would need to maintain a server and even a WordPress site with older versions.

    WordPress actually warns that it is insecure to run on no longer maintained PHP versions, which means lower than 5.6!!

    So there is absolutely no reason to keep this blocking stuff in the plugins.

    By the way, Apple is doing the same, like many other professionals. They simply tell iPhone 4 users that iOS 8 no longer runs, as well as lots of apps, but I still run the iPhone 4 (not even the 4S) on iOS 7 and older versions of the apps. You could do exactly the same with all your plugins: release a final release of a plugin which works on 5.x and set the main version number up to 7, so that everyone knows that now the plugin needs PHP 7 to run.

    Make your plugins look more modern by using 7.subversionPHP.pluginrelease.subrelease

    People would love that, for sure!

    Kind regards
    Andi

  • Adam Czajczyk

    Hello Andi!

    I hope you're well today and don't mind my "two cents" here :slight_smile:

    All of what you said makes a lot of sense. But it's a different perspective. I won't address everything you wrote "point by point" because, well, there's no point in it: it'd be hard to disagree with you.

    There is, however, one "catch" here, and that really doesn't look that simple and easy. Do you know how many really huge hosting providers (huge doesn't necessarily mean "good", just popular; they may offer good or bad services, but they're incredibly popular) do not offer or allow PHP 7.x? Furthermore, how popular, unfortunately, 5.4 (and, surprisingly, even lower versions!) are?

    I, we, do. I see it day by day. Dealing with Members' sites day by day, I see server configurations that make me want to run away, find some distant lonely planet in another galaxy and spend the rest of my life there. It wouldn't even be so bad if it weren't that these providers do not allow any changes/upgrades. For example, GoDaddy and SiteGround, big providers no doubt, still maintain some plans with old PHP and no option to change. Furthermore, they also maintain some no longer available plans for users who purchased them a long time ago, and these plans are really "fixed", with no way to change anything except simply changing the plan.

    Which leads me to another point: are we able to force Members to change plans? We do promote 7.x. If I were to count how many times a day my colleagues and I ask for an update to PHP 7, I think I would quickly get lost in maths (I was never any good with that Graham's number thing :stuck_out_tongue:).

    But it's not always possible, and often it's also not possible to change host (which would surely be the best idea in such cases). Amazingly often it's not even the Member's choice, because the Member (I'm, of course, referring to WPMU DEV members) is limited to what is and is not allowed/accepted/imposed by their customer/principal/boss/you name it.

    Turning away these Members would be like simply telling them to go away "just because". I totally understand your point, but we cannot simply turn our backs on a large group of the Members of our community who cannot overcome these limitations (for whatever reason that is).

    What we can do, and what we actually do, is gradually upgrade/improve plugins (I'm referring to the code) over time. Some older plugins that were not very popular (not a lot of them, but there are such plugins) were also given away to the community and are absolutely freely available along with source code on GitHub, and everyone is free to take over/fork/develop/maintain them. New plugins are written in a different manner and may require newer PHP...

    So we're heading the "force new and up to date PHP" way, but in a bit different manner that lets us serve our Members and meet their needs better, taking current reality into account. WordPress in fact recommends PHP 7.2 already, and this is a great thing because it's a great argument for us too. But still, they do not require it, and the argument "your plugin doesn't work with 5.6 while WordPress does - it's incompatible then!" is also a valid and fair counterargument.

    Having said all that (and I probably missed at least half of the things I was about to say while I was writing it :stuck_out_tongue:), I really hope you don't get me wrong. It's just my "two cents", mostly from a personal point of view. I believe we're following the "compromise" or "mild transition" path with code rather than an "extreme turnover", and that's for the benefit of the Members in the long run :slight_smile:

    Best regards,
    Adam

  • Andi

    Hi Adam, simply go the way TYPO3 took.

    To run version 7 plugins in 8 you would need the following extension:

    Compatibility Mode for TYPO3 CMS 7.x
    compatibility7 / stable
    Provides an additional backwards-compatibility layer with legacy functionality for sites that haven't fully migrated to v8 yet.
    Uploaded on 31 Mar 2017 by TYPO3 CMS Team

    To run version 6 extensions in 7 you need this extension:

    Compatibility Mode for TYPO3 CMS 6.x
    compatibility6 / stable
    Provides an additional backwards-compatibility layer with legacy functionality for sites that haven't fully migrated to v7 yet.
    Uploaded on 23 Nov 2017 by TYPO3 CMS Team

    This is a script for PHP backward compatibility:

    PHP_SCRIPT compatibility
    phpscript_compatibility / stable
    Backwards compatibility of PHP_SCRIPT
    Uploaded on 25 Nov 2016 by Simon Schaufelberger

    You could do exactly the same and provide a state-of-the-art plugin for PHP 7.2+. I would simply start with that

    and then have all the lower versions stop further feature development; they would only receive security fixes until the end of PHP 5, which is December 2018. Enough time to switch, and you don't block the old members, and you don't block those members who came here to see progress and not a state of retirement and ancient stuff which gets dustier and dustier. We are just checking the changelog, and we are pretty frustrated to see that nothing gets done and many plugins don't receive any more love or updates. Seeing that also tells a lot about what is going on at WPMUDEV and what many have already mentioned: that there is an intense focus on pulling everything into the cloud but no more interest in actually taking care of the base of plugins which are still available for download.

    For sure the fact that no more updates happen is also the main reason why the changelog dates are hidden from members!

    You, as the ones leading a great community and having a great service, could actually motivate all those retired sites on WordPress 2, WordPress 3 etc. which are simply outdated.

    Give them what they need!
    They only need the old versions of the modules, as they don't care whether they got updated in the last 6 or even more years or not. Give them those modules like Apple is also doing with their apps in the App Store. You would only need to make a remark in the changelog that from the version released in 2018 on, WPMUDEV will focus on the future and no more on the past century.
    You still provide those members a version, the last one running on their sites, and as they haven't been updated for decades there will for sure be no problem that they look for a future update. They probably haven't even realized that the plugins never got updated. :wink:

    And for those paying members who need to run businesses and who like to promote WPMUDEV plugins and sites built with them, you have the new, updated and PHP 7-optimized plugins available.

    To be honest, if that isn't happening you leave no other choice for those here in the community than to fork the whole stuff and do exactly that. We simply can't tell our customers: Sorry, in the WPMUDEV community there is still someone who hosts with GoDaddy or SiteGround on one of their ancient PHP 5.2 plans, and therefore WPMUDEV is not stripping the backward compatibility which makes all those nice plugins slow!!!

    What you sell is like a Porsche with a Trabbi (former plastic car of the GDR) throttle, and that is not fair to those who like to see progress, to those who even like to help to get that up and running, to those who contribute here day by day and to those who take care of their sites by updating them and looking for great hosters which provide PHP 7.2.

    There are very simple ways to satisfy all of those, with a compatibility mode which can be enabled in the backend, e.g. of TYPO3, and a warning even pops up which tells the site maintainers that the site will be slower (actually much slower) than with updated and state-of-the-art modules.

    I really don't understand why there is so much blocking from the side of WPMUDEV:
    Members are not allowed to help in development, which would actually speed up the whole stuff.
    Members don't get the changelog dates in a visible format on the plugins' website.

    For example, take CoursePress:

    Fixed: Export problem on PHP 5.2, json_encode() have only one parameter.

    With a version which still runs on PHP 5.2, and if there is a security issue then a fix until December 2018, everybody among those people who are not willing to update can be satisfied.

    Yes, there are perhaps some company managers, but they also usually pay the membership fee :wink: for those who are members.

    Or take the other example, which perhaps fits better into the WPMUDEV scheme.
    Let's say we start to build a History of WordPress Development site with lots of different PHP versions and of course plugins from WPMUDEV. That site of course also needs to run on PHP 5.2 for the next 5 years. I hope you will maintain the backward compatibility in all your plugins during that time! Thanks! I am sure that WordPress will not remove PHP 5.2 soon and tell, like they have done in TYPO3, that TYPO3 9 will work only with PHP 7.2 and up. This would mean that WPMUDEV would guarantee also in future years lots of throttled and slowed-down plugins and plugin development for us as paying members. We perhaps even look for a hoster who is not willing to upgrade, and I could tell that my wife, who can't even read or write, is against changes to something which is running.

    Meanwhile we can watch all the other newcomers in that WordPress field building up similar WPMUDEV enterprises with faster frontend builders, faster plugins and most of all regular maintenance etc., and for sure it is only a question of time until there will also be valuable support, especially for membership fees near 400 - 600 dollars a year.

    Come on, what you are promoting here cannot be taken seriously, slowing down your members and their sites!

    I really like WPMUDEV, but that blocking of help and the blocking of speed is simply not OK, and for me it looks as if, when you are talking about the big boss who is against it, you are talking about James Farmer and not about the boss of any member. I can't believe that argument - sorry!

    Kind regards
    Andi
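The compatibility-module idea from the post above (legacy code loaded only on old PHP, plus a backend warning like TYPO3's compatibility mode) and the quoted CoursePress changelog entry (json_encode() taking a single argument on PHP 5.2) can be combined in one sketch. This is an added example written for this page, not WPMUDEV, CoursePress or TYPO3 code; it assumes WordPress is loaded (add_action, esc_html), and every name prefixed example_ is a placeholder.

```php
<?php
/**
 * Hypothetical plugin bootstrap (added example; not WPMUDEV or TYPO3 code).
 *
 * The legacy branch is only entered on PHP < 5.3, so a site already on
 * PHP 7 never defines or executes the compatibility code. Names prefixed
 * "example_" are placeholders; WordPress is assumed to be loaded.
 */

// JSON_* flag constants were added in PHP 5.4. Defining the missing ones
// lets every branch pass them without "undefined constant" notices;
// json_encode() on releases that predate a flag simply does not act on it.
if ( ! defined( 'JSON_UNESCAPED_SLASHES' ) ) {
	define( 'JSON_UNESCAPED_SLASHES', 64 );
}
if ( ! defined( 'JSON_PRETTY_PRINT' ) ) {
	define( 'JSON_PRETTY_PRINT', 128 );
}

if ( version_compare( PHP_VERSION, '5.3.0', '<' ) ) {

	// Compatibility module. On PHP 5.2 json_encode() accepts one argument;
	// a second one raises a warning and the call returns NULL (the export
	// bug the changelog describes). Flags are accepted but not applied.
	function example_json_encode( $value, $options = 0 ) {
		return json_encode( $value );
	}

	// As in TYPO3's compatibility mode, tell the maintainer the site runs
	// degraded and what resolves it.
	function example_compat_notice() {
		$msg = sprintf(
			'Example Plugin runs in legacy compatibility mode because this server uses PHP %s. Exports are unformatted and pages are slower; ask your host for PHP 7.',
			PHP_VERSION
		);
		echo '<div class="notice notice-warning"><p>' . esc_html( $msg ) . '</p></div>';
	}
	add_action( 'admin_notices', 'example_compat_notice' );

} else {

	// Current implementation: a thin wrapper so the rest of the plugin has
	// one call site regardless of the PHP version it lands on.
	function example_json_encode( $value, $options = 0 ) {
		return json_encode( $value, $options );
	}
}

// Export routine shared by both branches; only the wrapper differs.
function example_export( array $rows ) {
	return example_json_encode( $rows, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT );
}
```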

  • Rupok

    Hi Andi,

    I'm not going to go point by point, but let me put my two cents here too.

    Apple can do whatever they want with their apps because they control their hardware. They know exactly what hardware will run their apps. But unfortunately, we can't control the servers of our users. If we could, the world would be a different, happier place for us. As Adam said above, even today a lot of servers are using an old version of PHP as the primary PHP version. Some of them have an option to upgrade to PHP 7, but their PHP 7 configuration lacks lots of modules. I'm telling you this from my experience. So even if we wanted to, we can't ignore the importance of backward compatibility.

    We can't push our users to change their hosts because it costs money. And everyone has his own preference. If I tell you to change your host today and switch to one of my favorites, the first question that will arise is whether I'm affiliated with them. And when someone purchases hosting with their own money, most of them make sure they have a good reason for choosing that hosting.

    So instead of pushing users to change hosts, we try to make our plugins backward compatible as much as we can to make their life easier.

    Have a nice day. Cheers!
    Rupok