CMS of WordPress, Joomla, Drupal, and many other popular sites were written in a programming language called PHP. PHP 5 is nearing the end of its life and will stop receiving security updates in two months. Many WordPress and other PHP sites remain in version 5.6 or older. Once support for PHP 5 ends in two months, these sites will be in an indefinite state and become exploitative as new PHP 5 vulnerabilities appear without security updates.
This post is in the Frequently Asked Questions format and explains why PHP 5 is finally coming, what the time is and what you need to do about it. The Wordfence team is working to raise awareness about this issue in the WordPress community and PHP. You can help by sharing this post with your colleagues who manage PHP sites or use WordPress.
What is End-Of-Life or ‘EOL’ in Software?
What is the end of life or “EOL” in software?
This means that even if someone finds a security hole in the software, the developers will not fix it. If a development team is productive, it will release multiple versions of the software working on time. It becomes impossible to support every version of code released. So an agreement must be made.
The agreement is that the development team will only support its software for a specific period. After this time, the development team suggests that the user community upgrade to a new version of the same software, which generally works better than the older versions and is fully supported.
IS PHP VERSION 5 GOING TO BE EOL SOON?
Yes. PHP version 5 will be declared end-of-life on January 1, 2019. It is about two months from the date of writing.
The policy of PHP’s development team regarding the end of life is as follows: Each version of PHP is entirely accepted for two years from the release date. Again, an additional year is allowed only for significant security issues. Three years after the release date, the PHP version is no longer supported.
PHP 7, the first version of PHP 7, was released almost three years ago on December 3, 2015. Version 5 PHP is fast approaching the end of its life and will no longer be accepted until January 1, 2019.
The last branch of PHP version 5 is still supported in PHP 5.6. Because it is the final affiliate of PHP 5, the PHP team chose to extend the security resolution period from one regular year to two years. This extended security assistance will end on January 1, 2019.
The following table contains essential data for PHP 5 and PHP 7 Partner. You can find this page on this page on the PHP site.
Why can I update PHP 7?
As mentioned above, PHP 5 will no longer be supported with security improvements until January 1, 2019. This means that even if a vulnerability is discovered, it will not be fixed, which will weaken your site.
PHP 7 has many improvements over PHP 5. These include performance improvements.
HOW CAN I FIND OUT MY PHP VERSION?
If you are using WordPress and running the WordPress security plugin, simply go to “Tools,” then click on the “Diagnostics” tab in the top right. Scroll to the “PHP Environment” section, and you will see your PHP version on the right side of the page.
Alternatively, you can install this essential plugin on your WordPress site, which will display your PHP version. Please note that the Wordfence team does not manufacture this plugin, and we do not accept it.
If you have FTP access to your website, you can create a file with a name that is hard to guess. Then add the following two lines:
Save the file to the webroot directory and then navigate to the data in your web browser. Your PHP version will appear at the top of the screen. Be sure to delete your temporary file after you are done.
What specific version of PHP 7 do you want to update?
Ideally, you should upgrade to PHP 7.2, which is the latest version of PHP. This version will be fully supported for another year and will receive security updates one year later.
If you cannot upgrade to 7.2, then you need to upgrade to PHP 7.1. Full support for PHP 7.1 will expire in 1 month. Do not upgrade to PHP 7.0. This version will also become the end of life in a month.
Are there other VULNERABILITIES in PHP 5?
Security vulnerabilities are continuously reported in PHP. Some of these are serious. Looking at this page on CVEDetails.com will give you an idea of the amount and severity of recently reported PHP vulnerabilities.
Many vulnerabilities reported in PHP have been detected this year. Many more will be discovered in version 5 of PHP next year, after security support for all versions of PHP 5 ends. This is why it is essential to upgrade to a version of PHP 7 that is supported and receives security updates.
What will happen when I update to PHP 7.2?
If you upgrade to PHP 7.2, you may find inconsistencies that need to be resolved by a developer. There have been some changes to PHP since version 5, which has improved the language and made it more secure, but there may be warnings or errors for code that were not compatible with PHP 7.
If you are a WordPress user, the WordPress kernel is fully compatible with PHP 7.2 and higher.
However, it is essential to ensure that your themes and plugins are also compatible with PHP 7.2. If you use uninstalled themes or plugins, you may experience warnings or errors due to inconsistencies. We recommend that you test your website on a hosting account or server running PHP 7.2. If you run into problems, contact the theme or plugin developer and ask them for an immediate solution. Remind them that PHP 5.6 is ending in just two months, and you need to upgrade to PHP 7.2 by then.
This page contains a migration guide for PHP developers that transfers code from PHP 5.6 to PHP 7.
This page contains a list of obsolete features in PHP 7.2 and will help a developer migrating code from PHP 5 to PHP 7.
WHAT IF MY HOSTING COMPANY DOES NOT SUPPORT PHP 7?
If you do not see an option to upgrade to PHP 7, you should contact the support team of your hosting company to find out your options. If they are not available, we recommend switching to new hosting before the end of the year.
WHAT IF MY DEVELOPER DOES NOT SUPPORT PHP 7?
If your developer’s plugin, theme, or other PHP product does not support PHP 7, likely, the project will not be completed. If the project were maintained, they would have users using PHP 7 report problems in the last two years and ten months that they would have solved.
Using new software is a bad idea because it means that security vulnerabilities are not fixed. So if you encounter incompatibility when upgrading PHP 7.2, it can be a red flag and asks you to switch to using an alternative product that is being actively maintained.
What is the easiest way to upgrade PHP 7.2?
Many hosting providers offer one-click PHP version changes to CPanel. This allows you to switch to PHP 7 and check if your site is experiencing problems. If something doesn’t work, you can come back and make a plan to fix the issues you’ve found.
If you cannot know where to upgrade PHP, your hosting provider can advise you on how to improve PHP in their environment. This may mean making changes to them or moving your site to another server.
Remind me why I need to update PHP 7.2?
The excellent news is that you will see a good improvement in performance when you update your site. Of course, you may need to deal with some minor inconsistencies. But when you upgrade to PHP 7.2, you can be sure that you will continue to receive security updates until November 30, 2020.
If you live on PHP 5.6, you may find that you are dealing with a hacked site next year when a vulnerability for PHP 5.6 is released, and the PHP team issues no solution because PHP 5.6 Life is over.
How can I help you?
This deadline is fast approaching. All versions of PHP 5 will no longer receive security updates in 2 months. There are a large number of websites that are still on PHP 5. As soon as security updates are completed, attackers will be highly motivated to find vulnerabilities that they can exploit, as these vulnerabilities will not be fixed and will be exploitative for a long time.
To help the global web community transition to PHP 7, please spread the word by sharing this post and how to raise awareness of this deadline and move to PHP 7.