Why Using Legacy PHP Versions Makes Your Website Vulnerable

PHP is a widely used and rapidly evolving scripting language. After more than a decade without a new major version, PHP 7 made its debut in December 2015. Since then the project has followed a definite and predictable release process: a new minor version ships every fall, older branches move from active support to security-only support and finally reach End of Life (EOL), all on a regular schedule. Each PHP version receives two years of active support, after which it gets only critical security fixes for a third year.

The end of the year is usually a time for reflection, and one big problem we face today is that many businesses, organizations, developers and hosts have failed to keep up with the latest PHP versions. In fact, we are only two months away from the point where the oldest supported version of PHP will be PHP 7.1.

Today we want to discuss why it is so vital, from a security standpoint, that everyone runs a supported PHP version. Below you will also find some sobering statistics on why keeping PHP up to date matters to you.

The PHP Version Problem

According to statistics from W3Techs, roughly 78.9 percent of all websites today run on PHP, and version 5 is used by 77.8 percent of the websites that use PHP. At the close of this year, on December 31, 2018, security support for PHP 5.6.x will officially end, marking the end of all support for the old PHP 5.x branch.

Around 62% of all websites will run an unsupported PHP version in a few weeks

This means that starting next year, around 62 percent of all websites on the Internet (the 77.8% of PHP sites on 5.x, out of the 78.9% of sites running PHP) will stop receiving security updates for the language their server and website run on, exposing hundreds of millions of sites to serious security risk as well as poor performance. When the next vulnerability in PHP 5.x is found after New Year's Eve, it will not be fixed upstream, and every site and user on that branch will be at risk.

The state of WordPress

According to the official WordPress Stats page, as of this writing only 35.7% of WordPress sites have upgraded to PHP 7 or higher, and just 6.1% are on PHP 7.2. A large share, 37.7%, still run PHP 5.6, and, scarier still, 26.7% run PHP versions that are already unsupported. In December 2016 WordPress.org raised its official recommendation from PHP 5.6 to PHP 7 or higher, and as of mid-2017 it recommends PHP 7.2 or higher. That is a soft requirement stated only on the website copy, though: WordPress still runs on four PHP branches that are past EOL and on two branches (5.6 and 7.0) that receive only security fixes until the end of 2018. WordPress 5.0 will add PHP 7.3 support to core.

At WordCamp Europe 2018, representatives from different teams got together to encourage wider adoption of modern PHP versions by being more active and vocal about why it matters. Just as the WordPress community constantly advocates updating WordPress core and plugins, the same should apply to the PHP version underneath them.

Is running an old version pure madness or is it just a minor security risk?

You are probably wondering why you can't just keep using the same version forever. It is a fair question, and we want to shed some light on it.

Using an older version exposes you to security holes and bugs that have been fixed in more recent releases of PHP. You can find a long list of vulnerabilities in previous PHP versions through the National Vulnerability Database (NVD) feed as presented on CVE Details, with full details of their impact and severity. PHP 5.x had hundreds of security issues patched over its lifetime; browse the vulnerability listing for PHP 5.4, for example. If your website is running an earlier version of PHP, some of these vulnerabilities are still present (the one exception is a distribution package that backports security fixes under an old version number, so check the package changelog rather than trusting the version string alone). Attackers are well aware of this: they fingerprint sites running old versions precisely because they make easy targets. Because these flaws live in the interpreter itself rather than in your application code, your server's firewall or web application firewall cannot reliably block the inputs that trigger them, and ultimately your site will be hacked. The question is not if, but when.

Much of the blame WordPress gets for "being insecure" is really due to servers and sites still running unpatched versions of PHP. In more than 50% of cases, once a version becomes obsolete, site owners are unable to update quickly: scripts and plugins have to be upgraded or replaced to work on the newer PHP version, and the site stays exposed in the meantime.

Which raises the question: it's Q4 2018, do you know which PHP version you are running?
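The support schedule from the introduction (two years of active support, one year of security fixes, then EOL) is easy to turn into a check you can run on any host, which answers the question above. The script below is an added example and is not part of the original post or FastComet's tooling. It reads the first line of `php -v`, extracts the branch, and classifies it against a small table of support dates. Those dates are copied from php.net's Supported Versions page as it stood in late 2018 and are the only data the script depends on; refresh the table before relying on it.

```sh
#!/bin/sh
# Added example (not from the original post): classify a server's PHP
# branch as active / security-only / EOL against the two-years-active,
# one-year-security schedule. Dates come from php.net's "Supported
# Versions" table as of late 2018; refresh them before reuse.

# Columns: branch  active-support-until  security-support-until
php_support_table() {
cat <<'EOF'
5.6 2017-01-19 2018-12-31
7.0 2017-12-03 2018-12-03
7.1 2018-12-01 2019-12-01
7.2 2019-11-30 2020-11-30
7.3 2020-12-06 2021-12-06
EOF
}

# Read `php -v` output on stdin and print the "major.minor" branch,
# e.g. "PHP 5.6.38 (cli) (built: ...)" -> "5.6".
php_branch() {
  sed -n '1s/^PHP \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Strip the dashes from an ISO date so it can be compared as an integer.
date_num() {
  printf '%s' "$1" | tr -d -
}

# php_status BRANCH YYYY-MM-DD
# Prints active | security | eol | unknown and exits 0 / 1 / 2 / 3,
# so the exit code can gate a cron job or a deployment check.
php_status() {
  branch=$1
  today=$(date_num "$2")
  dates=$(php_support_table | awk -v b="$branch" '$1 == b { print $2, $3 }')
  if [ -z "$dates" ]; then
    # Branches older than the table (5.5, 5.4, ...) are long past EOL,
    # but we refuse to guess and flag them for manual review instead.
    echo unknown; return 3
  fi
  set -- $dates
  active=$(date_num "$1")
  security=$(date_num "$2")
  if [ "$today" -le "$active" ]; then
    echo active; return 0
  elif [ "$today" -le "$security" ]; then
    echo security; return 1
  else
    echo eol; return 2
  fi
}

# When run directly on a host that has php in PATH, report today's status.
if command -v php >/dev/null 2>&1; then
  branch=$(php -v 2>/dev/null | php_branch)
  printf 'PHP %s: %s\n' "$branch" "$(php_status "$branch" "$(date +%Y-%m-%d)")"
fi
```

Run it from cron or a configuration-management check and treat any exit code other than 0 as a finding: 1 means you are living on security fixes only, 2 means the branch is dead upstream, and 3 means the version is so old it is not even in the table. Remember the caveat from the previous section: on distributions that backport fixes, pair this with the package changelog before concluding a host is unpatched.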

Elena

Elena oversees all Marketing, Product Management and Community efforts for FastComet and is in charge of telling the brand's story. Always pitching, she'll share the FastComet vision with anyone who'll listen. Elena helps our customers make the most of their websites and focuses on our inbound marketing efforts: everything from developing new online growth strategies, content creation and technical SEO to outreach within the FastComet community. Her background includes Sales and Customer Relationship development, as well as Online Marketing.