 Andy Fragan. Andy Fragan has been using WordPress since 1847 and that time he has become a proficient hacker, contributor, plugin developer, and hobbyist of WordPress. His plugins in the plugin repository have over half a million downloads. Andy Fragan. Thank you so much Dave. So this is one of the reasons I have a job and that I have there's no shortage of work for me to do. People do silly things all the time. Some people do stupid things all the time. As I like to say there's no end of stupid people and because of that a lot of what I do professionally and what I'm gonna be telling you about as far as WordPress is how to protect people from themselves. I don't get this he's got kids all around he's looking at him it just doesn't make much sense and yet we do it anyway. You can't you know if you try to make things more perfect or idiot proof there will be a more perfect idiot to figure away around it. There's truly almost nothing that is perfect finished or complete especially when we're talking about software right which brings us to what we're really talking about in this case bringing WordPress core to PHP 5.6 and beyond. Currently well as a couple of weeks ago or so when I printed this out the state of WordPress was on it goes from 5.27 I believe on up. I believe they test on 7.4 or at least the PHP nightlies so you can be sure that at least core and trunk is running and won't air out on those. The proposal to move to 5.6 was made by Matt and say the word this last year and it was met with resounding applause. There's a lot of us that have thought that trying to maintain backwards compatibility with PHP 5.2 kept us out of a lot of the nice shiny things that later versions of PHP even 5.3 had to offer. If you look at the graph the areas where I've got highlighted there are 5.2 to 5.5 which will be obsolete or which will be no longer allowable to install or update to repress 5.2. In fact officially it's 5.6.20. 20 is what is your what you can update to the if you look at the other others the the big graph here 32% it's probably point was something right okay at 32% is 5.6 at 18% is what is it does 7.0 both of those are our end of life still receiving security updates that end of life I'm not sure where 7.1 is on the thing but the current recommended version is 7.2 no 7.3 7.2 is still is is not the currently support currently active version if you go to WordPress their recommended page says 7.3 if you go to the site health plug-in you'll get a little notice to say you should update if you were on running a version of PHP less than 7.3 what this means is about 20% of the current installs on WordPress are going to be no longer able to update to the latest version of WordPress because they don't have a current version of PHP the upside is that by the end of the year the plan is to increase the PHP version minimum to 7.0 which means everybody in green needs to move farther into purple and what are the benefits well it's faster it's more secure you can write more efficient more object-oriented safer code you can create better code quality and it's faster you can improve your site speed just removing from 5.2 5.2 any version below 5.6 from 5.6 to 7 to 7.1 2 to 3 times the speed that improves its efficiency that decreases your server resources and generally makes you pay less money to your hosting company if you pay per resource so why would you not I attributed to the West Wing decisions are made by those who show up I'll give one Aaron Sorkin credit for that because I remember from the West Wing great show I made a conscious decision to attend a lot of the core PHP slack and the core development slack meetings contributing to open sources about time degrees or the guy that the gentleman who runs the Drupal project has a recent post about this where really he talks about the biggest factor in open source contribution is time management and do you have time to allow to do this so I made a conscious decision for some of the things that I wanted to help with helping update core to PHP 5.0 or 5.6 and beyond and so made a conscious decision to attend all this you know attend as many slack meetings I can and be as active I can giving feedback and making patches and things like that contributing to core is different you it's not like writing code for yourself where oh this is good I've tested it works out the door not that it happens that quickly but there's a lot of different personalities involved there's a lot of different cultures and language barriers and code style that are different and that need to be taken into account the sometimes you can put in feedback put in patches put in track tickets and do you get nothing and just crickets no feedback no actual notification that something's happened and it can be a little disappointing and so as you put this then you you try to ping somebody to gauge interest or give them feedback or say hey you know this really it does help solve a problem and then there can be like a flurry of activity within you know 10-12 hours and then more crickets for the next 8-12 months before something it's committed a lot of the tickets and patches that were that we're gonna be talking about we're really ready to go for 5.0 the core committers in the core the the core team development team made Gutenberg the priority for 5.0 so everything else got pushed back it was a kind of chaotic time and contributing to trunk because there were several different branches and it wasn't quite the usual method so I mean we just kept you know some of us just kept writing tickets and patches and stuff for trunk and just kind of waiting for for 5.1 to drop so that we could start merging things in one of the things that that happened we in a late one of the big priorities in in the serve happy product project was this was the project that we that was codenamed serve happy to bring all the the code-based safety measures if you will to help help users from hurting themselves right into core it started out in 5.1 with the dashboard call out we'll actually a picture of it in a little bit but this basically got a lot of people to move the needle significantly in towards getting people to update to versions over 5.6 from from 5.2 just put in a dashboard notification in it registered intent and so that every time everybody went to the home screen of the dashboard they would see this if they had it if you came up with an acceptable solution it would query the serve happy API I think is what it's called and it would go away the other thing that got installed in a 5.1 was something I had was already with the patch on it was already in the it was ready for 5.0 but kind of didn't get put in because of focus change was protection from installing plugins with incompatibility requirements now there's two basic incompatibility requirements either incompatible with WordPress itself core or incompatibility with PHP and plugins register plugin authors developers register these compatibilities in their read me file they're the ones that determine what the minimum versions are what they're what they've been tested to so what the with the requirements are and and where they want to sit their plug-in it used to be that if you had a work press incompatibility it really just didn't show it to you the it didn't show the I don't believe it showed you the plug-in if you went to the install page this is actually prevents you you know thereby preventing you from from installing this actually takes a step further and keeps you from having to keeps you from having the ability to install a plug-in that potentially could break your side and give you a white screen part of 5.2 which is coming out next week May 7th happy birthday to my wife Rachel cherry and hi right because it happens all on a birthday it was supposed to come out in the 29th it got pushed back a week what comes in that release is protection from updating plugins so not just stalling but updating that having compatibility or clients and the inability to active and protection from activating plugins that have those requirements you get those three things in place and plugins shouldn't hurt you anymore so anybody's who's who's try to install a plug-in that instantly activated or installed and activated and white screen their site it just shouldn't happen however if you already have a plug-in install or something that does white screener of your site the biggest change that they put in you're really kidding me it's on mute I promise was the what they call the white screen of death protection or the recovery mode this was originally put into 5.1 it was late in the cycle there was a comment about its potential insecurity with how it was implemented and it was pulled out and because it was pulled out all these other things didn't didn't go into 5.1 the and it was good it was it was one of the things about even writing and putting a patch in such a complex piece of code was getting eyes on it and finding out from a broader audience what the potential implications are because as we all sit there and do things in front of our computer or in our little silo you can get a little tunnel vision about the broader implications and effects of things and I will tell you that of all these things I wrote code for most of the for all of them except the last one and the last one I could look at the code and most of it was written by Timothy Jacobs and Alan Schisler and it was beautiful code but I couldn't really follow it and I was having a difficult time figuring out how exactly because it was just that deep into the internals of things and we'll go into what it does and how it does it a little later on but it's now in trunk it's ready to drop and it's one of the it will be one of the best things going forward to help users with their help administrators with their sites not necessarily users but administrators because it's all about having the administrators be able to get into the site again so this is what the dashboard call out looks like if you haven't seen it that went up in the 5.1 there's a notification up in the dashboard that shows up says update your PHP give us a little blurb why and a little button to link into into why to why and the link would take you to the update PHP page that's on the make.wordpress.core make.wordpress.org site with other reasons in and other information regarding it we did add a couple filters to that so that it would provide hosts a way to use their data so if you're hosting if you're hosting on site ground or go daddy or blue host or any one of the other hosts and they have a specific reasons for why you should update PHP version they can use a filter and hook into that and the button will take you to their page now this will automatically if the filters in use also give that little text blurb at the bottom that gives you the original page and another filter in that area will if there's a page to directly the web host has that here's where you update your PHP from they can put a link in there and just pop you straight from your dashboard to their their page to update your PHP when I said we directly talk about what the plugin developers directly talk about and set their incompatibility requirements this is an example of a plugin header in the read and read me there's contributors tags the requires PHPs they or these requires at least is their their header for which version of WordPress is required the new tag is the requires PHP tag and that's for the plugin developer to set what their minimum requirements are for plug-in and the reason being is if you're running a smaller version of PHP the plug-in the main file the plug-in is automatically read and parsed and so if you have things that if you if it's namespaced if you have short array syntax if you have no coalescing variables for that are in PHP 7 if you have things like that in your main file it will fatal as it tries to load the file not even run the file but just parse the file you get a PHP parser that's a fatal and so when the when in the plug-in and repository or directory they try to say fail gracefully this helps people fail gracefully because at some point we just stop them from doing it so really at this point it's just an additional tag in a header tag in the in the read me of a plug-in they have also required that additional read me or additional tag in read means for themes in fact I think recently they've required all new themes submitted to the repository to have read me files because they didn't used to have them and my guess is a significant percentage of them still don't have them so the first one was preventing plug-in installation you may see where it says untested with your version or WordPress normally will it'll say with your version of it is compatible or it'll be say income error may say incompatible and if it says incompatible it won't let you install and if it says compatible it will if it says untested it will because usually and this is as untested because I'm working in trunk and trunk has a higher version number than obviously everything else does or what they're setting it for so what we do is if the plug-ins are incompatible it gives you the header up there that's in red that says your plug-in is incompatible here's where you can go to learn more about updating PHP and in the same way that if your host has provided an extra link and header to that that link will change to what your host provided and that other piece of text will also follow below you'll notice that if you you'll notice especially in the second one the WP as hide login that the button is grayed out and it says cannot install so it prevents you can see it still in the in the search pane and this all comes from the plug-in search search results field it is the most commonplace people look for plugins I've been told so you can see it you can't install it you'll notice that the other one says cannot update I'll get to that in a little bit because that's already installed and that's why if you click in the view details if you click in the more details link if you click in the more details link what you get is an iframe the iframe there is it has the has the the plug-in details it will also tell you what your compatibilities are as far as your PHP compatibility or your WordPress compatibility those are the two dialogue boxes up there there's a warning because it's on trunk and it doesn't show it if there was no p if I wasn't on truck and I was on the regular version of PHP that one wouldn't wouldn't show up it would just wouldn't display it's not that it's incompatible it's untested and because it's untested it just wouldn't show the same thing would probably happen if there was no requires at least tag shown in the read me you get better information here because now you know why what version of this does this what a PHP does this require in this case it requires version PHP 7 or higher and it's compatible to it requires least WordPress version 4.1 or higher those all come parsed from the read me text read me dot text file which is why having that information in there is is important going forward if you go to the the next the next so that was on plug-in installation the next feature we implemented was on plug-in updates so all those plugins you have already installed in your site that have updates and those updates have potential consequences I know Josh Pollack here somewhere had put a call out in caldera forms that said you know coming coming up on our soon you you know you will not be able to run caldera forms if you want on PHP I think was 5.4 under 5.4 so you have to update and things like this just help developers not have to do things like that and the what this so what this does is it tells you there's an update available tells you what the version is you will still be able to click and see the version details and the changelog and things like that to see what you're missing out on and instead of the update now link where after shiny updates would update it in place there's another link there's a link that that says you know here learn more about upgrading updating PHP and again if your host has put in a link to to go there as it would it would show up there if you are on the core update page where you can update your plugins your themes or or core this is what happens you you see your update you see your plugin under plugins it has an update available but it gives you the same message it says this update doesn't work with your current version of PHP has a link to it and there's no way to update it there's no checkbox there's no way to make it update from there if you click on the version details again this is what the the iframe pop-up shows and you can and you you can get more information about what incompatible with your incompatibilities are because that's the location where where it will say what the required PHP version is and again you get the same dialogue notice warning and to tell you what's there and you can look at the changelog and see what you're missing out on and again if you look the cannot update button is grayed out and inactive the third part of keeping people safe from plugins was plug-in activation the if you try to activate a plug-in you will get a WP error and WP error screen that will give you this message that says error current PHP version does not meet the minimum requirements for in this case WP session manager which we saw the PHP version was 7.0 the all you have to do is hit your back button and you're back to the same place but your plug-in won't won't won't activate or the plug-in won't activate so third kind of method of protection wake up John the the white street of death error who's gotten a white screen of death so everybody knows what it is right there's some PHP fatal for whatever reason right and all of a sudden you're looking at your website web page and it's just like there's nothing there and unless you have WP debug set you won't see any error message because the default fault is not display errors in line and that will be that now what you will see through this improvement is a message that says your site is experiencing technical difficulties please check your site admins email inbox for instructions so if you're just alright if you're a user your users are still going to see they're going to see a page like this and they're not going to be able to go any further if you're the admin you check your email inbox and you're going to get an email and this email that's generated essentially says howdy since WordPress 5.2 there's a built-in feature that detects when a plug-in or theme has a fatal error in this case WordPress caught the error in one of your plugins gives you the plug-in name serve happy testing okay so it was my own first of all please visit your website and see if you find any visible issues then contact your host for assistance investigating this issue further if you need to if your site appears broken and you can't access your dashboard here's a link you click on this link you'll go to login page to enter recovery mode the link is it once you go into click the link and log in that link is no longer valid once you the link if you don't log in the link expires after a day if the error still persists let's say you don't get the error after a day before a day it just regenerates another link another email so the idea was not to spam admin users email boxes with an error message every hour or every four hours or less than every once a day and it tells you that the site link will expire in a day once you log in to the site in the back end now your administrator you've got that email you log into the back you will be greeted by the dashboard with this says you are in recovery mode there may be an error with a theme or plug-in to exit the recovery remote log out or use a little button up there which is exit recovery mode you can find out about your failed plug-ins by going to the plug-in screen so when we go to the plug-in screen this is what we see we see our plug-in and we're given two options we can deactivate the plug-in or we can resume and see you can fix what we think is fixed you know fixable the plug-in and hit resume and see if it loads up again and see if it works it says it just failed to pause and is paused in the dashboard so what happens is the plug-ins just pass pause in the dashboard your users will still get a fatal on the front of the site still get a white screen in the front of the site so that nothing is is really fixed if you deactivate this and go back to your site if you have another error or another fatal it will show that and it will kind of continually go down the line until you don't have anymore so if you have sequential errors and you're in certain plugins or code that they will show up as they are the precipitating cause is it perfect no not really the one of the largest problems that that we built into it is for those people that don't have or have not yet put those headers into their readme files if you don't have that header just like happens in every version of WordPress previously the plug-in gets activated the plug-in can get installed the plug-in can that get updated you're basically on your own for those errors as they happen at some point they're probably gonna reverse that which means that if you don't have those values described in your readme's the plug-in may not activate may not install and may not update and of the 65,000 plugins or so that are in the directory my guess is quite a number of them probably don't have that header and will really stop being able to get updates and stop being able to get installations is it a breaking change technically I mean if you can't install something that used to be able to install is that breaking yeah does it really break anything no I mean all it is a comment and they're in their readme and their text file to make it work have we done you know that the next what's the net what's next right themes we're still working through how how the repository and how the pages show that data for themes but my guess we can figure it out by 5.3 or so all those things will be in place for for themes so that any any theme you want to activate or you want to install or you want to update is also going to have to have that requirement in its readme file now it's more problematic for themes because I can't say from day one but for as long as I can remember plugins have required a readme file that's where people go to get you know the data on the thing of what does it do what's the description what's everything else themes it's only recently that they've required the readme file so they're a little behind they now do any any new theme that comes in requires it and so at some point they're gonna have the same issues and problems can we make it better well we have a track ticket up for adding an extra header to the plugin file so in your main plugin in your main plugin file they're what they're what they're what are called single file plugins they don't have directories they don't have other folders they don't have readme's a lot of these are very personalized plugins that people put on their sites of their developers or they put for their clients that do one specific thing or one group of things and they're not in the repository and if they get updated they either get updated in place or they get updated by the developer and thrown back up on the site but since they don't have readme's there's no way for this code at this time to identify that they have any incompatibilities there's a patch involved that recognize the addition of two headers to the plugin header file a requires WP header a requires PHP header and so that those are parsed read in and so that the same sorts of compatibility checks can be done for those types of files often those types of plugins there are probably a number of premium plugins that don't have standard readme.txt files they may they they may exist on github somewhere and just have a readme.md file so they can see it those types of plugins are all going to be affected if the they're not going to be able to have compatibility checks tested against so we're still there's still discussion about that and obviously as I alluded to before the last you know the last piece is if those headers or those files don't don't exist either in the plugin of the readme if that other tactic it goes through we allow it it's a it's a passive it's a passive allow if you haven't done the work just there was the same way everything happens currently it's allowed to go through now at some point they like I said at some point they may not and you're gonna hear from if you maintain how many people maintain sites for clients I guarantee you'll hear from them because all of a sudden they won't be able to update plugins the plugins that they have will stay and they'll stay on because they're already active but they won't be able to update things they won't be able to activate things that they haven't been activated they won't be able to install new things it's it will be loud now the upshot is there's a lot more work to do right because you could always probably just create the readme text text file put the compatibilities in for it and you know package it up and change it to allow for those things this just makes it a little easier as I said before I'm sure you can't read I'll read them off I was very intentional about trying to set aside time to go to the core PHP Slack meetings and participate and to write patches and code and comment on track tickets and help where I thought I could if this is not one individual or or anyone's project there's there's a lot of people that were involved in this and getting this forward some of the primary contributors of the the primary person it seems sort of taken off and run with the core PHP is Alan Schelzera Elaine is a fantastic developer not a core committer at least not yet but he is basically shepherded this whole project through he and Felix arts who is a core committer and Sergei Birkhoff Sergei is a machine I'm not even sure he exists I think he's a robot it is truly amazing to me how quickly he will see a patch appropriately tag it put a roguest on it and and do sorts of things that just happen within minutes of the patch being even uploaded and he's in Europe and I'm here in California and I can tell you we're not even closed on the tank same time zone but it doesn't really you know and maybe it's just that I seem to be doing some of the stuff late at night and so it's a little better for his time zone maybe but lately I've been seeing things that I put in and they just get they get what they get there the little milestones and stuff from on the track incredibly quickly Jonathan DeRosier who just gave a talk about what makes a good core contributor has really been instrumental in getting a lot of these track tickets committed and doing that and just you know basically helping to look at these tickets and participate and get things going it's none of this no because none of this stuff gets into core without a core committer right you have to have a core committer review your stuff and and look at it the other thing about the other thing about Sergei when he commits the tickets I look at the commit and see what the code was that's actually committed and like I didn't quite write it that way in my patch and you try to figure out what the differences are for why they do things and sometimes you can see it and sometimes I just don't know it all still functions very similarly and sometimes you think oh my god that was just so clever there was just so much less code to put in that way yeah I just quite haven't figured out how their minds think in some of these things one of the patches I submitted for one of the things I submitted a second patch because I saw how Sergei had fixed the patch the first time around I said I think this is gonna be more in Sergei style so I uploaded that one and that seemed to be the one that got committed without much change Alan Cicero at the top and Timothy Jacobs who I alluded to earlier wrote the vast majority of the white screen death air protection recovery mode air protection code obviously two brilliant developers the I just can't say enough about them everybody else Darren ether Joy Reynolds Johnny Harris Jay Wong and Pascal thanks we're instrumental in feedback every once in a while you you know every once in a while you get feedback from people and you're like I don't quite understand what you're saying I had one of those interactions with one of my with one of my tickets involved the plug-in activation prevention and the fact is I was wrong I mean I didn't do it correctly and and the way they had the way I was it was recommended I look and do was right I just wasn't quite understanding what they were telling me because they weren't telling it to me in necessarily a language that I understood until so well jumped in and said hey it really does work and here's kind of a code example for it and like oh my god does make it so much easier the one thing I found about contributing to core is they there's a lot of they're very conscious about keeping compatibility and support going forward there was there's much more direct change of core files rather than adding filters adding hooks to change something then in creating new functions to it is part of the patches now I have to tell you in this whole sort of happy thing there were a lot of new functions that went to functions PHP we you know some of them we fought kind of hard for and one of them that I fought kind of hard for was there's a general function for is WP version compatible and is PHP version compatible they take a parameter parameters just the version number so if your requirement is that your plugins are on PHP version 7.1 and you want to fail gracefully for those people you can just put is PHP version compatible per end and then 7.1 and if it is load the code if not compatible return and exit out keeps people from failing their own sites failing their own plugins or causing issues potentially I learned a lot about PHP and coding and stuff by doing my own projects this is one of them a lot of the ideas behind the next the last track ticket and having those plug-it headers for testing compatibility came from my work at HubUpdate or I've been supporting that and that's what I've been doing as far as a compatibility test for updating for years now and I just found it works pretty easy it's just an extra comment adding extra comments to come whom I it's my last slide Dave it's okay I'm developed for the last plugin you can find me at any of those places and yeah my this isn't my day job I'm a trauma surgeon anybody have any questions yes sir there have not so there've only been very few PHP functions that have been deprecated my create function has been deprecated but create function was was basically put in place so that you could write an anonymous function and you can write an anonymous function from PHP 5.3 and it's only been deprecated from seven so a lot of those things aren't it there is nothing that stops the plug-in developers you saw from writing code that is requires PHP 7.3 okay it will work in core it will work in PHP 7.3 and if you set those requirements that's what your users have to use otherwise you or your plug-in will either exit graceful it failed gracefully or it won't be installable updateable or activateable I don't think it's an issue with how course code is course code I mean as far as making a plug-in I think the problem that a lot of developers from the outside looking at WordPress cores is that we have been very we they we the core committing group has been very intentional about maintaining backwards compatibility as such they don't use short array syntaxes which came in 5.4 they don't use array dereferencing which came in 5.4 they don't use namespacing right which came in 5.3 do I think all of these things would help tremendously absolutely but it's you know course primary philosophy is let's not break things any other thank you Andy