SecurityWordpress

PHP is one of the most popular scripting languages on the web today. According to W3Techs, PHP is used by over 78% of all the websites who use a server-side programming language. This means for almost every 8 out of 10 websites you visit, they are most likely utilizing PHP in some form or another which also means that PHP is not dead. And of course, it plays a very vital role as it pertains to the WordPress ecosystem, as the entire CMS is built on PHP.

A dilemma we are facing today is that many businesses, developers, and hosts have fallen behind when it comes to supporting the latest PHP versions.

 

Old PHP Versions

 

As with any piece of software, PHP has a release life cycle in which has to adhere to in order to keep pushing things forward and making improvements.  Each major release of PHP is typically fully supported for two years after its release. During that time, bugs and security issues are fixed and patched on a regular basis.

 

PHP 5.6 and PHP 7.0 End of Life

As of December 3rd, 2018, PHP 7.0 has reached its end of life. This means it will no longer have security support and could be exposed to unpatched security vulnerabilities. Following suit, as of December 31st, 2018, PHP 5.6 also reached its end of life. This officially marks the end of an era for PHP 5, as the first version, 5.0 was launched 14 years ago.

According to the official WordPress Stats page, as of writing this, over 57% of WordPress users are still on PHP 5.6 or lower. If you combine this with PHP 7.0, a total of 77.5% of users are currently using PHP versions that is no longer supported as of January 2019.

It’s even scarier if you look at the stats outside of the WordPress community. According to W3Techs, PHP 5 is currently used by 73.1% of all websites who use PHP.

This is not only bad from a security perspective, but also because there is still a large portion of WordPress sites that aren’t taking advantage of the additional performance enhancements with PHP 7.

 

Why the Slow Adoption of Newer Versions?

The main reason for the lack of faster adoption for new versions most likely comes down a few different factors:

  • The number one reason we see from new customers that migrate to Bamboozle Managed WordPress Hosting is that business owners don’t know or care about their PHP version. This, of course, is understandable in some cases as we don’t expect everyone to know this.  Many times this responsibility falls on the developer, agency, or host.
  • It takes time for developers to update their code to support newer versions of PHP. This includes those that develop websites, themes, plugins, etc.
  • Not only does it require effort and time to update code, it also can require extensive testing to ensure compatibility. The WordPress repository alone has over 49,000 plugins!
  • Many WordPress hosts have been reluctant to push out updated PHP versions because this could end up resulting in additional support tickets if it breaks a site. As a WordPress host we definitely understand this, but from our experience, this is typically the other way around. Many support issues we see are from issues caused by older PHP versions.
  • The developer or agency might be stuck between a rock and a hard place when dealing with a client and other 3rd party applications they are unwilling to spend resources on updating.

However, with all that being said, it is still not an excuse to run on PHP versions that are out of date, not supported, and actually could be slowing your WordPress site down. Or worse. Your site gets hacked and crucial data gets lost.

 

Reasons Why You Should Update PHP Versions

 

Check out some of the reasons below why you should think about updating if you haven’t already.

 

1. Security

One of the most important reasons to update PHP is to ensure you are running on a version that is fully supported and patched regularly for security vulnerabilities. PHP 5.4 has not been patched since 2015. And PHP 5.5 has not been patched since 2016. It is important to note though, that some operating system vendors still update older versions of PHP if they included it.

According to CVE Details, 2016 was one of the worst years for PHP security vulnerabilities, with over 100 issues reported. These included DoS, code execution, overflow, memory corruption, XSS, directory traversal, bypass, and gain information types. 2017 was the third-worst year since 2,000, with over 40 vulnerabilities.

 

2. Performance

With the release of  PHP 7.2 and PHP 7.3 came huge performance gains! So big in fact, that it should be a priority over a lot of the small optimizations you might playing around with on your WordPress site. The following benchmarksdemonstrate significant performance improvements with PHP 7 over its previous iterations. PHP 7 allows the system to execute twice as many requests per second in comparison with the PHP 5.6, at almost half of the latency.

 

3. Support

Support is another reason why you want to use the latest and supported PHP versions. Many times, developers of plugins and themes can only extend support back for older versions so far. A lof this is due to time constraints and not having time to test compatibility. Things will eventually break when you run on old versions, and you can see this happening first hand in the WordPress forums. Here is a common error, which is typically caused by an older PHP version and how it treats a certain function:

Parse error: syntax error, unexpected ‘’ (T_VARIABLE), expecting function (T_FUNCTION) in /pub/file.php on line xxx

You can do a search in the WordPress forums for “unexpected T_Function” and it returns over 2,000 threads, many with results from within the last couple days. Here are just a couple recent ones, all due to running old versions of PHP:

Many of these threads are being opened due to the fact that they are running on outdated versions of PHP. However, the same could also be said for threads being open due to PHP 7 compatibility issues. Which shows that the WordPress development community is still trying to catch up with newer versions of PHP.

4. New Features for Developers

Most WordPress developers would prefer to only work on newer versions of PHP if they could, simply due to the fact that there have been so many new features added between PHP 5.2 and PHP 7.3. A few changes with PHP 7 and 7.3 include:

  • Combined comparison operator
  • Null coalesce operator
  • New type hinting
  • Anonymous classes
  • Nullable types
  • Iterable and void returns
  • Multi-catch exception handling
  • Keys usable in lists
  • More negative string offsets
  • Number operators and malformed numbers
  • HTTP/2 server push

It’s no fun to support old versions of anything. Unfortunately, a lot of developers are stuck having to support a wide range of versions.

 

Choose Bamboozle Managed WordPress and relax

 

Out Managed WordPress always features the latest version of PHP. Currently all Shared and Dedicated Managed WordPress Instances run on PHP 7.3 and part of our service is to test and ensure all your plugins, so you do not have to worry PHP (or anything else) breaks your website, store or blog. We of course also update your code when you choose to migrate to us. Of course Free of Charge.

Start the discussion at community.bamboozle.me