#62622 Bump minimum supported PHP version to 7.4

[johnbillion]

Trac ticket: https://core.trac.wordpress.org/ticket/62622

[github-actions]

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

• The Plugin and Theme Directories cannot be accessed within Playground.
• All changes will be lost when closing a tab with a Playground instance.
• All changes will be lost when refreshing the page.
• A fresh instance is created each time the link below is clicked.
• Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
  it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props johnbillion, jorbin, desrosj.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[aaronjorbin]

There are a couple of spots where we should document changes, otherwise LGTM

[desrosj]

Looks good! Can't wait to get rid of that local environment code working around available MySQL authentication plugins.

I only have one thought to consider around which point version of 7.4 to actually use.

[desrosj]

Is there a specific bug fix version of 7.4 that we'd like to make a requirement? It seems that 7.2.24 was used based on usage numbers.

I've created a similar spreadsheet to the one used for the previous bump. Some observations:

• The "5% or less" criteria is met using 7.4.27.
• 7.4.x only went up to 7.4.33 so that may not be the best.
• 7.4.3 has 1.23% for some reason.
• The only other versions with greater than 1% are 7.4.33 and 7.4.30.
• No other versions have more than a half percent (0.5%) usage.

I don't know that we'll find a point release with a specific change that we want required, and the last 7.4.x release included security fixes, so technically all others are potentially insecure.

There's a few possible landing spots:

• 7.4.22 would mean just over 1% of all WordPress sites would be dropped.
• 7.4.16 would mean just 3% of sites using 7.4.x would be dropped.
• 7.4.27 would mean less than 5% of PHP sites using PHP 7.4.x would be dropped.

[johnbillion]

Is there a practical benefit to using a point release as the minimum instead of 7.4.0?

When the minimum was bumped to 5.6 in Core-46594 we ended up on 5.6.20 because of the small fractional difference between that and 5.6.0. When it was bumped to 7.0 in Core-57345 we didn't bother looking at usage for point releases and just went with 7.0.

My preference would be to not introduce an unnecessary point release restriction if it means sites that are on an older point release of 7.4 aren't able to update.

[desrosj]

The only benefit I can think of is that we ensure certain bug fix are present or specific vulnerabilities are not.

However, I don't know that there is anything specific we want to target in this case. I don't feel strongly about including a particular point release, but just wanted to discuss it because we have used one in the past.