April 17, 2024
Pantheon is updating our SFTP access control, requiring the use of SSH keys starting April 30, 2024. Access via Pantheon usernames and passwords will be disabled.
You'll still access the web dashboard with your username/password or Single Sign-On, but SFTP access (e.g., via terminal or applications like Filezilla or Cyberduck) will need an SSH key.
We are making this change to maintain a secure and reliable platform. Learn how to configure your SFTP client with SSH keys in our documentation.
April 15, 2024
An update is now available for the WordPress (Composer Managed) upstream to resolve a particular log message that started appearing after our WP-CLI wrapper update in February.
This update adds a new file to the /config directory, application.pantheon.php. In order to accomodate this new file, a line has been added to config/application.php to load the config/application.pantheon.php file. If you have made modifications to your config/application.php, it's possible you may run into conflicts with this update. If this is the case, you can manually resolve by running the following command:
git pull -Xtheirs https://github.com/pantheon-upstreams/wordpress-composer-managed.git main
git push origin master
For more help or assistance about managing potential merge conflicts, refer to our documentation on auto-resolving via the dashboard or manually resolving via the command line.
Technical Details
The application.pantheon.php file curently contains code to check for a defined WP_HOME value in the site's .env file. If the value is undefined or no .env file is being used, values for WP_HOME and WP_SITEURL are defined. This can be overridden by either adding values to the site's .env file or adding putenv( 'WP_HOME=https://example.com' ); and putenv( 'WP_SITEURL=https://example.com' ); to your application.php file.
Why the change?
Roots Bedrock makes heavy use of environment variables. We made an intentional decision to not rely on .env files in order to reduce overall complexity. This left WP_HOME and WP_SITEURL undefined in the application.php file except in local development with Lando. In most cases, WordPress is intelligent enough to use the database values for home and siteurl for normal interactions, however, this caused problems with WP-CLI operations. The addition of a new application.pantheon.php file allows us to define those values if they are not already while still allowing them to be overridden for more complex environments.
April 10, 2024
The latest version of WordPress, 6.5.2, became available on Pantheon as of April 10, 2024.
Highlights
What happened to 6.5.1?
6.5.2 is the first minor release for WordPress 6.5 rather than 6.5.1. Yesterday, it was disclosed on the Make WordPress Core development site that due to an error with the initial package, 6.5.1 could not be released.
Upgrade to WordPress 6.5.2 right from your Pantheon dashboard or Terminus for added security.
April 3, 2024
We are thrilled to announce that on April 23, 2024, we will upgrade the New Relic PHP agent to the latest version (v10.19.0.9). This update is part of our ongoing commitment to enhancing your experience with Pantheon and ensuring that our offerings meet your evolving needs.
By staying up-to-date with the latest agent, you will benefit from improved performance and enhanced troubleshooting capabilities for your WordPress and Drupal instances. This means smoother experiences for your site visitors and more efficient workflows for you. This new version also fully supports PHP 8.3, providing you with the latest features and compatibility.
Learn More about New Relic®, real-time performance monitoring for your Pantheon web applications.
Action Required: Default behavior of New Relic Drupal Hooks is changing
After the release of this agent update, Pantheon will no longer support Drupal Hooks reporting by default. However, the functionality is still available. If this is crucial for troubleshooting your sites, please add these lines to your site’s pantheon.yml file to enable this reporting:
new_relic:
drupal_hooks: true
The parameter above will take effect when the New Relic PHP agent is updated for your site.
If your site currently reports Drupal Hooks information to New Relic, you will need to add the above line to your pantheon.yml file before the April 23 update to maintain this reporting moving forward.
Our support team is happy to help if you have any questions or need assistance.
March 20, 2024
As part of our continued effort to provide the latest and best in secure software, PHP versions 7.1 and below will reach end-of-sale (EoS) on May 15, 2024. This means that sites created after May 15 will not be able to change their PHP version to PHP 7.1, 7.0, or any version of PHP 5. Sites created with custom upstreams using EoS PHP may also have unexpected behavior upon site creation.
Sites already running PHP 5, PHP 7.0, or PHP 7.1 will continue to run even after May 15.
PHP 7.1 was declared end-of-life (EoL) by the PHP Foundation on November 30, 2020, more than three years ago. PHP 5.6 reached EoL on December 31, 2018, more than five years ago. EoL software does not receive security or feature updates, and could expose sites to attack if any vulnerabilities or exploits are discovered.
Action required
Customers using custom upstreams with a PHP version less than 7.2 should update their custom upstreams by May 15 to avoid disruption. The current supported versions of PHP are 8.1, 8.2, and 8.3. Pantheon currently recommends at least PHP 8.1 for all production sites.
February 27, 2024
We've recently modified the Pantheon wrapper around the WP-CLI executable to solve a number of interrelated issues that customers may have previously been experiencing and/or using workarounds to solve. We recommend reviewing your site's logs and resolve any PHP notices or warnings.
Problem
- Our WP-CLI wrapper included a hard-coded
--url flag for all wp commands run on the platform (via Terminus, e.g. terminus remote:wp or terminus wp, or internal workflows that relied on WP-CLI like flushing cache or viewing the Status page in the dashboard). - For WordPress Multisites, the hard-coded
--url flag pointed to the Pantheon platform domain (*.pantheonsite.io) instead of the actual domain of the site resulting in errors and the command failing unless executed manually (via Terminus with the correct --url flag attached).
Solution
- We have implemented a solution that checks if a site is a WordPress Multisite. If so, we remove the hard-coded
--url flag, allowing WP-CLI to operate normally. - This change does not affect workflows that are properly passing the
--url flag to WP-CLI commands via terminus (e.g. terminus wp <site>.<env> -- plugin list --url=<url>). Any WP-CLI flags passed after the -- in the terminus wp command will be passed through to and interpreted by WP-CLI. - This change means that many sites that were previously unable to view their full Status page will now be able to do so, and flushing site cache via the button in the Pantheon dashboard on sites that previously were unable to or had errors in doing so should now work as expected. Any other workflows or processes that relied on WP-CLI will also benefit from this change.
Recommended action
This change may also expose PHP notices and warnings that were previously being hidden due to WP-CLI failing commands. We recommend reviewing your site's logs and working to resolve any PHP notices or warnings that you see.
January 31, 2024
The latest version of WordPress, 6.4.3, became available on Pantheon as of January 30, 2024.
Highlights
- Security updates: Addressed two security vulnerabilities, including a PHP file upload bypass (limited to administrators), and a object injection mechanism that could be used to exploit an existing Remote Code Execution (RCE) vulnerability. Since this release fixes security vulnerabilities, users are urged to upgrade their sites immediately. For a detailed analysis of the two security patches, see this article from Patchstack.
- 5 bug fixes in Core
- 16 bug fixes in the Block Editor
Upgrade to WordPress 6.4.3 right from your Pantheon dashboard or Terminus for added security.
November 1, 2023
The WordPress Native PHP Sessions plugin added primary keys to its custom tables in 1.2.2 for greater performance and redundancy, but did not upgrade existing sites. Now, version 1.4 includes an optional upgrade command for sites that installed the plugin prior to the 1.2.2 release.
Our open source WordPress Native PHP Sessions is available in the WordPress.org plugins repo.
November 1, 2023
Pantheon introduced a new build pipeline for Front End Sites to significantly improve build times. Beginning on November 13th, 2023, newly created sites are automatically using the new pipeline and cannot opt back to the old pipeline. Sites made prior to that date can opt-in to the new pipeline to take advantage of the new features. All pre-existing sites that do not opt-in will be switched over for new builds on or around January 15th.
Additionally, we are adding support for Node 18 (for dynamic sites) and 20 (for both static and dynamic sites). To select a specific version, Pantheon is moving away from using .nvmrc and will instead look to the “engines” field in your project’s package.json file.
To find out more about adopting the new pipeline, check out our documentation, and read our blog post about how we’re already experiencing the benefits of this internally at Pantheon.
September 1, 2023
We released an update for the Solr Search for WordPress plugin which disables auto-commit by default and allows cron to push solr commits regularly instead.
This drastically improves the performance of large sites and avoids 503 errors related to hard committing on every update. This update is recommended for all WordPress sites currently running the plugin.
You can still enable auto-commit by explicitly setting SOLRPOWER_DISABLE_AUTOCOMMIT to false.
September 1, 2023
Pantheon has deployed PHP versions 8.2.9, 8.1.22, and 8.0.30 to customer sites running on the platform. These releases address vulnerabilities disclosed in CVE-2023-3823 and CVE-2023-3824.
If you are using PHP 8.2, 8.1 or 8.0, there is nothing further that you need to do. If you are still on PHP 7.4 or earlier, though, you should schedule some time to upgrade to a supported version.While the vulnerabilities patched in these latest releases are not reported to affect PHP 7.4, the fact remains that there could be (and probably are) unpatched vulnerabilities in the end-of-life versions. Read more about it in Greg Anderson’s blog post.
September 1, 2023
We released an update for the Pantheon Advanced Page Cache WordPress plugin which adds a filter to allow disabling surrogate keys for posts' taxonomy terms. This can be especially helpful for posts with large numbers of taxonomies (such as WooCommerce products with a large number of global attributes).
For more information, see Pantheon documentation.
December 1, 2021
WordPress 5.8.2 is available on the Pantheon platform. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. This security and maintenance release features two bug fixes in addition to one security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.2 have also been updated. This release fixes security vulnerabilities and users are urged to upgrade their sites immediately.
July 1, 2021
WordPress 5.7.2 is available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation.
June 1, 2021
WordPress 5.7.2 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation.
May 1, 2021
WordPress 5.7.1 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation documentation. For more information, see the WordPress 5.7.1 release notes.
May 1, 2021
Drupal 9.1.7 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Integrated Composer One-Click Updates documentation. For more information, see the Drupal 9.1.7 release notes.
May 1, 2021
Drupal 8.9.14 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation documentation. For more information, see the Drupal 8.9.14 release notes.
May 1, 2021
Drupal 7.80 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation documentation. For more information, see the Drupal 7.80 release notes.
December 1, 2020
Drupal 8.9.9 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 8.9.9 release notes.
October 1, 2020
Drupal 7.73 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 7.73 release notes.
July 1, 2016
There were multiple releases of Drupal contributed modules that fix highly critical remote code execution vulnerabilities. The Drupal Security Team urges you to update the modules immediately. See more information on Drupal.org.