Pantheon release notes

The latest version of WordPress, 6.9.4, is available on Pantheon as of today, March 11th, 2026.

This is a security release that addresses incomplete security fixes from the previous 6.9.2 and 6.9.3 releases. Three security vulnerabilities are fixed in this version:

• A PclZip path traversal issue
• An authorization bypass on the Notes feature
• An XXE (XML External Entity) vulnerability in the external getID3 library

Action required

Upgrade to WordPress 6.9.4 right from your Pantheon dashboard or Terminus to access the latest features, fixes, and security enhancements. See related documentation for how to apply core updates.

The latest version of WordPress, 6.9.3, is available on Pantheon as of yesterday, March 10th, 2026.

This version is an immediate follow up with fixes for bugs introduced in 6.9.2, which is a security release.

Action required

Upgrade to WordPress 6.9.3 right from your Pantheon dashboard or Terminus to access the latest features, fixes, and security enhancements. See related documentation for how to apply core updates.

Pantheon is announcing a PHP version removal schedule. The following PHP versions will be removed from the platform on September 30, 2026:

• PHP 5.6
• PHP 7.0
• PHP 7.1
• PHP 7.2 (End of Sale: May 1, 2026)
• PHP 7.3 (End of Sale: May 1, 2026)
• PHP 8.0 (End of Sale: May 1, 2026)

PHP 5.6, 7.0, and 7.1 are already end-of-sale. PHP 7.2, 7.3, and 8.0 will reach end-of-sale on May 1, 2026, meaning no new sites can be created with these versions after that date.

Additionally, PHP 8.1 will reach end-of-sale on September 30, 2026, with a removal date to be announced at least 9 months in advance.

What happens when a PHP version is removed?

Sites still running a removed PHP version will be automatically upgraded to the oldest available PHP version at the time of removal. If your site's software has not been updated for compatibility, this may result in broken functionality.

What to expect going forward

Pantheon will guarantee at least 9 months of advance notice before removing any PHP version from the platform. Refer to the PHP version lifecycle table for the latest schedule.

Action required

If your site is running PHP 5.6, 7.0, 7.1, 7.2, 7.3, or 8.0, upgrade to a recommended PHP version before September 30, 2026 to avoid disruption. We recommend PHP 8.3 or 8.4 for all production sites.

For guidance on upgrading, refer to Upgrade PHP Versions.

Teams using Pantheon's Secrets Manager to set variables like API tokens can now do so through the site dashboard. Previously this feature only had a command line user interface through a Terminus plugin. Secrets Manager works with WordPress, Drupal, and Next.js sites hosted on Pantheon. It does not work with the sunsetting Front-End Sites product.

Secrets Managers encrypts values at rest and then makes them available to your application's code as it runs. Secrets Manager is suitable for setting variables that are truly sensitive like a password, token, or key that allows Next.js to read from a back-end CMS as well as variables that might not be sensitive like a Google Tag Manager ID.

What's new?

• Create new site-owned secrets from the site dashboard
• Create new site-owned secrets in bulk from the site dashboard by either:
  • manually adding multiple keys at once of the same type and scope
  • or importing secrets from .env files (e.g., Next.js sites)
• Manage existing site-owned secrets from the site dashboard:
  • Edit default secret value and/or secret scope
  • Add/edit/delete environment overrides

For details, see related documentation.

Pantheon has released a new version of our WP SAML Auth WordPress plugin. This update focuses on modernizing PHP support and providing developers with more granular control over SAML configurations.

What's New

• PHP 8.4 Compatibility: Full support for PHP 8.4 has been added.
• Updated PHP Requirements: The minimum supported PHP version has been increased to 7.4 to ensure better security and performance.
• WordPress 6.9 Compatibility: Confirmed compatibility with WordPress 6.9.
• Enhanced Configuration: Added the wp_saml_auth_internal_config filter, allowing developers to customize the OneLogin SAML configuration.
• SimpleSAMLphp 2.x Support: Improved auto-detection for SimpleSAMLphp 2.x and optimized autoloader discovery to skip redundant processes when the SimpleSAML\Auth\Simple class is already loaded.

Bug Fixes

Settings Page Warnings: Fixed a warning message on the plugin's settings page that appeared for users not utilizing SimpleSAML.

Important: Compatibility & Testing

While this update improves autoloader discovery, it changes how the plugin interacts with the local environment. We strongly recommend testing in a lower environment before upgrading especially if you use:

• Non-Standard Installations: Custom SimpleSAMLphp installations located in non-standard directories.
• Manual Autoloaders: Custom autoloader code that manually handles the loading of SimpleSAMLphp.

Action required

We encourage you to upgrade to the latest version of WP SAML Auth as soon as possible to take advantage of the latest features and compatibility updates. updating to get the latest features and compatibility updates.

If you have questions or concerns, please open issues in the queue for the plugin.

PHP versions 8.3.27 and 8.4.14, are now available on the platform. These updates bring the latest bug fixes, improving performance and security for your sites. The latest versions have already rolled out to all sites.

PHP 8.4 is only available with the new PHP Runtime Generation 2.

The PHP 8.4 upgrade process automatically includes an upgrade to PHP Runtime Generation 2 if your site hasn't been upgraded already.

Important PHP version information

• PHP 8.1 and 8.2 are currently receiving security-only updates.
• For more details, see the full list of PHP supported versions.

For the best performance and security, Pantheon recommends running PHP 8.2 and above.

Editorial note: The date has been moved from January 19 to January 26.

Tika 1.18 and 1.21 will no longer be available starting January 26, 2026. Impacted sites must upgrade to Tika 3.2 which is available via PHP Runtime Generation 2.

The Apache Tika toolkit detects and extracts metadata and structured text content from various documents using existing parser libraries. On the Pantheon platform, our customers tend to use Tika to parse PDF content for searching with Solr.

Action Required

For most customers, we expect the upgrade to be seamless and not require any manual intervention. But if your site has a custom Tika integration, we recommend you follow our documentation for upgrading to Tika 3 as soon as possible to ensure your site continues to operate as expected.

Sites which have not upgraded to Tika 3 as of January 26, 2026, will be automatically upgraded. Setting tika_version: 1 in pantheon.yml will be ignored after that date. Symlinks from the 1.xx jar filepaths (/srv/bin/tika-app-1.xx.jar) will point to the new Tika 3 jar (/opt/pantheon/tika/tika.jar). These symlinks will be removed later in 2026.

PHP versions 8.3.26 and 8.4.13, are now available on the platform. These updates bring the latest bug fixes, improving performance and security for your sites. Updates will be applied automatically over the next few days, so no manual action is required.

PHP 8.4 is only available with the new PHP Runtime Generation 2. To upgrade your site, set the following in your pantheon.yml file:

The PHP 8.4 upgrade process automatically includes an upgrade to PHP Runtime Generation 2.

Important PHP version information

• PHP 8.1 and 8.2 are currently receiving security-only updates.
• For more details, see the full list of PHP supported versions.

For the best performance and security, Pantheon recommends running PHP 8.2 and above.