As End of Life Nears, More Than Half of Websites Still Use PHP V5

Support for PHP 5.6 drops on December 31 – but a recent report found that almost 62 percent of websites are still using version 5.

Almost 62 percent of all websites are still running PHP version 5 – even as version 5.6 of the server-side scripting language inches toward an ominous end-of-life.

Hypertext Preprocessor (PHP), a programming language designed for use in web-based applications with HTML content, supports a wide variety of platforms and is used by numerous web-based software applications, including popular content management systems like WordPress, Joomla and Drupal.

However, starting in December, versions 5.6 and 7.0 will no longer be supported.

“The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided,” a recent CERT notice has warned users.

Despite end-of-life in the horizon, a new report by Web Technology Surveys found that PHP version 5 is still used by 61.8 percent of all server-side programming language websites. And, of those using version 5, 41.5 percent of websites are using version 5.6, the report said.

What this means is, security patches, upgrades and bug fixes will cease for end-of-life technology – putting that percentage of PHP-based websites using PHP 7.0 and below at risk.

Researchers and developers alike have called on these websites to update to newer, supported versions of PHP 7.2.

It’s particularly critical given the popularity of PHP: A full 78.9 percent of all websites use PHP overall, Web Technology Surveys’ report found.

Martin Wheatley, senior web application developer and web security tester, said that impacted websites would run on a platform that no longer receives updates – opening them up to hacks, data exposure or malware.

“I know there are still sites out there that run on PHP 5.6 (and earlier!) that should really be moved on, either updated for PHP 7.2 or if the code is un-maintainable due to years of abuse by developers, simply rebuilt in a modern framework,” he said in a post. “These sites probably include old libraries that haven’t had the joy of an update or have long since been abandoned. The libraries probably have bugs and security holes in themselves, never mind the hosting platform or the website code itself. In some cases library code can be updated easily, others not.”

Many websites are dragging their feet given that the updates cost time and money, he said.

And content management systems are doing nothing to help this cause – Drupal is the only CMS that has posted an official notice requiring an upgrade to PHP 7 by March (three months after the PHP 5.6 end of life deadline).

“Drupal 8 will require PHP 7 starting March 6, 2019,” the company said. “Drupal 8 users who are running Drupal 8 on PHP 5.5 or PHP 5.6 should begin planning to upgrade their PHP version to 7.0 or higher (PHP 7.1+ is recommended). Drupal 8.6 will be the final Drupal 8 version to support PHP 5, and will reach end-of-life on March 6, 2019, when Drupal 8.7.0 is released.”

There has been no such notice from WordPress or Joomla. Neither responded to a request for comment from Threatpost.

So what can websites that are still using PHP 5.6 do? Software engineer David Eddy stressed that they should contact their hosting provider and push them to support a secure version of the language.

“If you have a little technical knowledge, you and your team may be able to do a direct migration to a new machine with PHP 7,” he said in a recent post. “Otherwise, if you are a bit more technical you can install PHP 7 yourself. This may require removing an unsupported WordPress plugins, swapping code libraries or even doing some reprogramming due to a language extension no longer being supported.”

In addition to the risks associated with PHP 5.6, PHP 7.1 comes with advantages, including new features and bug fixes.

That includes speed improvements, according to web developer and Under2 Co-Founder Shane Jones, who took to Twitter to encourage websites to upgrade.

In the end, while updating PHP is painful and time-consuming, is it worth protecting websites from various security risks that come with end of life, experts said.

“Yes it does cost time and money, but what’s worse, a small monthly support fee, or a headline ‘Site hacked, thousands of user details stolen’ followed by a fine for up to 20 million euros or 4% of your turnover under GDPR… I know what I’d rather pay,” said Wheatley.

Suggested articles


  • Mark on

    Hang on, lets remember how Linux works here, before we pay any attention to those numbers. We should remember that a great number of those systems are not running "upstream php" but a package from their Linux distrubition (Debian, Red Hat Enterprise, Centos etc etc) that will support their own PHP7.0.x and PHP5.6.x packages with security fixes for many years to come - They'll miss out on non-security related bug fixes, but is that much to shout about?. Essentially it is only the windows servers that are actually likely to go out of security support.
  • Steve on

    Relying on version numbers is a major mistake which any serious security researcher should never make. Older PHP can be perfectly fine for many years to come, depending on the operating system underneath. Scaremongering admins into uncontrolled updates is much more dangerous. Most do not realize that by directly installing from upstream they need to actively maintain it because the operating system will not do it anymore. In the end, the security of a webserver is much more at risk with that approach. Not to mention conflicts by messing with the package manager what causes even more issues. That's a perfect way to ruin your system and website.
  • Lionel on

    I see the every second website forum that uses php

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.