Did you know that nearly 80% of all websites run on PHP? More precisely, “PHP is used by 78.9% of all the websites whose server-side programming language we know”, as revealed by W3Techs statistics. This fact alone makes PHP security a very crucial matter, and when you add the fact that support for PHP 5.6.x ends at the end of this year, the security matter becomes critical.
Support for PHP 5.6.x to End on December 31, 2018
In other words, after December 31, 2018, millions of websites will stop receiving security updates for their PHP installations, and hence the PHP ecosystem will be exposed to a variety of security dangers. Researchers warn that, judging by history, it won’t take long for attackers to locate a security flaw in PHP and exploit it against vulnerable websites.
According to Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, it is highly likely that “any major, mass-exploitable flaw in PHP 5.6 would also affect the newer versions of PHP”.
It should be noted that PHP 7.2 will get a patch from the PHP team, for free, in a timely manner. As for PHP 5.6, it will only get one if paid support from the OS vendor is in place.
“If anyone finds themselves running PHP 5 after the end of the year, ask yourself: Do you feel lucky? Because I sure wouldn’t,” Arciszewski added in a conversation with ZDNet.
Security researchers have been referring to this as a “ticking PHP time bomb”, and they have the absolute right to do so. Interested parties have been aware of this time limit for quite some time. Since PHP 5.6 was considered the most deployed version of PHP in 2017, PHP maintainers extended the EOL date to December 31, 2018.
In general, PHP support cycles go like this:
Each release branch of PHP is fully supported for two years from its initial stable release. During this period, bugs and security issues that have been reported are fixed and are released in regular point releases. After this two-year period of active support, each branch is then supported for an additional year for critical security issues only. Releases during this period are made on an as-needed basis: there may be multiple point releases, or none, depending on the number of reports. Once the three years of support are completed, the branch reaches its end of life and is no longer supported.
Support for PHP 5.6, in particular, has been extended: active support will run for an additional four months, and the security fix period has been doubled from one to two years.
Where Do WordPress, Drupal and Joomla Stand in the PHP Matter?
Unfortunately, there hasn’t been a widely coordinated effort to adopt newer PHP versions in a timely manner. There are, however, CMS platforms that are working on raising their minimum requirements. Drupal has officially stated that it is going to change its minimum requirement to PHP 7:
Drupal 8 will require PHP 7 starting March 6, 2019. Drupal 8 users who are running Drupal 8 on PHP 5.5 or PHP 5.6 should begin planning to upgrade their PHP version to 7.0 or higher (PHP 7.1+ is recommended). Drupal 8.6 will be the final Drupal 8 version to support PHP 5, and will reach end-of-life on March 6, 2019, when Drupal 8.7.0 is released.
WordPress has also changed its recommendation and now recommends PHP version 7.2 or greater. However, if you are in a legacy environment where you only have older PHP or MySQL versions, WordPress also works with PHP 5.2.4+ and MySQL 5.0+. These versions, though, have reached their official End Of Life dates and hence may expose your site to security vulnerabilities, WordPress warns.
Joomla’s minimum requirement is PHP 5.3.10.
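The practical check that follows from the support cycle and the CMS requirements above is a simple one: find out which PHP version a server actually runs and compare it against the December 31, 2018 cut-off and the minimums quoted here. The script below is an added example written for this article, not code from PHP, Drupal, WordPress or Joomla; it parses the first line of constructed `php -v` output, and the dictionary key names and the sample version string are my own choices (the dates and version minimums are the ones stated in the article).

```python
import re
from datetime import date

# Constructed sample of `php -v` output (not captured from a real host).
SAMPLE_PHP_V = (
    "PHP 5.6.38 (cli) (built: Sep 14 2018 10:50:11)\n"
    "Copyright (c) 1997-2016 The PHP Group\n"
)

# End of security fixes for PHP 5.6, the last PHP 5 branch (date from the article).
PHP5_EOL = date(2018, 12, 31)

# Minimum / recommended versions quoted in the article; the key names are assumed labels.
CMS_MINIMUMS = {
    "drupal8_from_2019-03-06": (7, 0, 0),   # Drupal 8 requires PHP 7 from March 6, 2019
    "wordpress_recommended": (7, 2, 0),     # WordPress recommends PHP 7.2 or greater
    "wordpress_legacy_minimum": (5, 2, 4),  # WordPress still runs on PHP 5.2.4+
    "joomla_minimum": (5, 3, 10),           # Joomla's minimum requirement
}


def parse_php_version(php_v_output: str) -> tuple:
    """Return (major, minor, patch) from the 'PHP x.y.z' line of `php -v`."""
    m = re.search(r"^PHP (\d+)\.(\d+)\.(\d+)", php_v_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'PHP x.y.z' line found in php -v output")
    return tuple(int(part) for part in m.groups())


def assess(version: tuple, today: date) -> dict:
    """Classify a PHP version against the PHP 5 EOL date and the CMS minimums."""
    major = version[0]
    findings = {"version": ".".join(str(p) for p in version)}
    # Every PHP 5 branch is unsupported once 5.6 passes its EOL date; PHP 7.x still gets patches.
    findings["unsupported"] = major < 7 and today > PHP5_EOL
    findings["days_until_php5_eol"] = (PHP5_EOL - today).days if major < 7 else None
    # Tuple comparison gives correct ordering for (major, minor, patch).
    for name, minimum in CMS_MINIMUMS.items():
        findings[name] = version >= minimum
    return findings


def assess_php_v(php_v_output: str, today: date) -> dict:
    """Convenience wrapper: parse `php -v` output and assess it as of `today`."""
    return assess(parse_php_version(php_v_output), today)


if __name__ == "__main__":
    for key, value in assess_php_v(SAMPLE_PHP_V, date.today()).items():
        print(f"{key}: {value}")
```

Run it on each host's `php -v` output (for example, piped in from a fleet inventory job) and alert on any result where `unsupported` is true or where the CMS you actually run reports `False`; the numeric `days_until_php5_eol` value is useful for scheduling the upgrade before the cut-off rather than after it.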
Oddly enough, Arciszewski feels that “the biggest source of inertia in the PHP ecosystem regarding versions is undoubtedly WordPress, which still refuses to drop support for PHP 5.2 because there are more than zero systems in the universe that still run WordPress on an ancient, unsupported version of PHP.”