According to statistics from W3Techs, roughly 78.9 percent of all Internet sites today run on PHP.
But on December 31, 2018, security support for PHP 5.6.x will officially cease, marking the end of all support for any version of the ancient PHP 5.x branch.
This means that starting with next year, around 62 percent of all Internet sites still running a PHP 5.x version will stop receiving security updates for their server and website’s underlying technology, exposing hundreds of millions of websites, if not more, to serious security risks.
If a hacker finds a vulnerability in PHP after the New Year, lots of sites and users would be at risk.
“This is a huge problem for the PHP ecosystem,” Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprise, told ZDNet in an interview. “While many feel that they can ‘get away with’ running PHP 5 in 2019, the simplest way to describe this choice is: Negligent.”
“To be totally fair: It’s likely that any major, mass-exploitable flaw in PHP 5.6 would also affect the newer versions of PHP,” Arciszewski added.
“PHP 7.2 will get a patch from the PHP team, for free, in a timely manner; PHP 5.6 will only get one if you’re paying for ongoing support from your OS vendor.
“If anyone finds themselves running PHP 5 after the end of the year, ask yourself: Do you feel lucky? Because I sure wouldn’t.”
The PHP community has known of this deadline for quite a while. After PHP 5.6 became the most widely used PHP version back in the spring of 2017, PHP maintainers realized it would be a disaster if they stopped security updates right when PHP 5.6 became the most popular PHP version –so they extended the EOL date to the end of 2018.
Since then, there have been several developers and security researchers who warned about the “ticking PHP time bomb,” although not as many as infosec community would have wished.
There has not been a concerted effort to get people to move to the newer PHP 7.x, but some website content management systems (CMS) projects, one by one, have started modifying minimum requirements, and warning users to use more modern hosting environments.
Of the big three –WordPress, Joomla, and Drupal– only Drupal has made the official step to adjust its minimum requirements to PHP 7, but that move will come in March 2019. Ironically, the 7.0.x branch has reached EOL on December 3, 2017, which doesn’t actually solve anything, but it’s still a step forward.
“The biggest source of inertia in the PHP ecosystem regarding versions is undoubtedly WordPress, which still refuses to drop support for PHP 5.2 because there are more than zero systems in the universe that still run WordPress on an ancient, unsupported version of PHP,” Arciszewski said, describing the WordPress team’s infamous strongheadedness of keeping its minimum requirement at a PHP version that went EOL in 2011.
WordPress –which is used for more than a quarter of all sites on the Internet– would, without a doubt, shift a lot of people’s views on the necessity of using modern PHP versions if the project would move its minimum PHP requirement to the newer PHP 7.x branch.
“What PHP versions should be supported [by WordPress], however, has been a major debate for some time,” said Sean Murphy, Director of Threat Intelligence at Defiant, the company behind the WordFence security plugin for WordPress, in an email exchange with ZDNet.
“There is an ongoing initiative by the WordPress team to notify users when they are using a legacy version of PHP and give them the information and tools they need to request a newer version from their hosting provider,” he added. “Here are notes from this team’s recent meeting.”
Murphy believes that one of the biggest challenges of rolling out PHP version upgrades to a large number of sites is the flood of support requests that come as a result, a reason why many CMS projects and web hosting providers are reticent and unwilling to do so.
But Murphy also points out that “good hosting providers” will always deploy new users on new versions of PHP by default, instead of letting customers choose, and will update existing clients to new versions of PHP only when requested.
But unless customers are aware that their version of PHP has reached end-of-life, very few will ask to be moved to a newer version.