Ending the Year with a PHP Update

By the end of 2018, two major versions of PHP (5.6 and 7.0) will officially be end-of-life and will stop receiving active security support. If you’re a glutton for punishment, feel free to dive into the notes here, or just take our word for it!

This is a Halloween-timed blog and we must admit that “end-of-life” sounds scary. No active security support sounds even scarier, so, what is an organization to do? Let’s start with an explanation of PHP and how that relates to your organization’s website.

What is PHP?

PHP is the programming language in which many common web applications are written – for example, Drupal, WordPress, and Joomla! are all written using PHP. Think of PHP as the underlying framework for these systems.

Why the need to upgrade?

Just as it is important to keep web software, plugins, and modules up-to-date, it is equally essential to keep versions of PHP up-to-date.  

The PHP team provides three years of support to major versions. This support includes fixes for bugs and security issues; however, at the end of three years, security patches will stop being released. These older PHP versions are then marked “end-of-life”.  

(In this case, PHP 5.6 and 7.0 are end-of-life on December 31, 2018, and December 3, 2018, respectively.)

Continuing to run an end-of-life version is extremely risky and leaves a web server vulnerable to malicious scripts, malware, data breaches, etc. Although exploits against WordPress and Drupal – and their plugins and modules – get more media coverage, PHP vulnerabilities can be just as serious.

What are the implications of doing a PHP upgrade?

When PHP is updated, it may break systems that rely on old or no-longer-supported features. Existing themes, plugins, or modules may be incompatible with the new PHP version.

To offset this risk, the best practice is to test the PHP update on a copy of your site. This initial testing allows developers to identify problems and test fixes before the update is made on your live site.
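As a first pass before that testing, developers can scan the copy of the site for calls to functions that no longer exist in PHP 7.0. The script below is an added example, not part of the original post; its function list is an illustrative subset of the PHP 7.0 removals (the old `mysql_*` and `ereg` families and a few others), and the sample PHP source is constructed.

```python
import re

# Subset of functions removed in PHP 7.0 (ext/mysql, ext/ereg, a few others).
# Assumption: extend this pattern to cover what your own code base uses.
REMOVED_IN_7_0 = re.compile(
    r"(?<![\w$>:])"  # skip ->method(), Class::method(), $vars, longer names
    r"(mysql_\w+|eregi?(?:_replace)?|spliti?|sql_regcase|"
    r"call_user_method(?:_array)?|set_magic_quotes_runtime)\s*\(",
    re.IGNORECASE,
)
# PHP comments: /* ... */, // ... and # ... (heuristic; ignores string context)
COMMENT = re.compile(r"/\*.*?\*/|(?://|#).*?$", re.DOTALL | re.MULTILINE)


def strip_comments(src):
    """Blank out comments but keep newlines so line numbers stay correct."""
    return COMMENT.sub(lambda m: "\n" * m.group().count("\n"), src)


def find_removed_calls(php_source):
    """Return [(line_number, function_name), ...] for calls removed in PHP 7.0."""
    hits = []
    for no, line in enumerate(strip_comments(php_source).splitlines(), 1):
        for m in REMOVED_IN_7_0.finditer(line):
            before = line[:m.start()].rstrip().lower()
            if before.endswith(("function", "new")):
                continue  # a user-defined method or class with the same name
            hits.append((no, m.group(1).lower()))
    return hits


# Constructed sample of legacy PHP 5.x code, for illustration only.
SAMPLE = '''<?php
// mysql_connect() was used here before the rewrite
$db = mysql_connect($host, $user, $pass);
$rows = mysql_query("SELECT 1", $db);
if (ereg("^[a-z]+$", $name)) { $parts = split(",", $csv); }
$parts = preg_split("/,/", $csv);      /* split() replaced */
$words = $text->split(" ");
class Csv { function split($s) { return explode(",", $s); } }
'''

if __name__ == "__main__":
    for line_no, name in find_removed_calls(SAMPLE):
        print(f"line {line_no}: {name}() was removed in PHP 7.0")
```

A clean result does not prove compatibility: the scan is text-based and covers only the listed functions, so it complements the test on a copy of the site rather than replacing it.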

Major hosting platforms like Pantheon and Acquia will automatically update applications that run on end-of-life versions. These automatic updates are a good safety measure but can break organizations’ sites unintentionally. Budget hosting platforms may continue to let organizations run end-of-life versions of PHP, leaving site owners unaware that their infrastructure is now vulnerable.

What should I do?

If your website uses a PHP-based application like WordPress, Drupal, or Joomla!, and you are unsure which PHP version it uses, have your website developers verify this information right away. If you aren’t able to determine your PHP version, or your website runs an end-of-life version and you need help upgrading, we are happy to assist. Regardless, we urge all organizations to take this update seriously. While it does occur entirely “under the hood”, it can mean the difference between smooth sailing and an unplanned emergency. And that’s not just spooky Halloween talk!