WordPress Web Hosting Provider Running PHP 7.1 Will Be Dangerous After December 2019
WordPress, Joomla, Drupal, and many other popular website CMSs are written in a programming language called PHP. PHP version 7.1 is about to reach end-of-life and will stop receiving security updates in a few weeks. Many WordPress and other PHP websites remain on versions < 7.1. Once support for PHP 7.1 ends in two weeks, these sites will be in a precarious position: as new PHP vulnerabilities emerge, they will become exploitable because no security updates will follow. This post is in an FAQ format and describes why PHP 7.1 is reaching end-of-life, what the timeline is and what to do about it. If your WordPress web hosting provider is not running an up-to-date version of PHP for your website, you will want to update or change hosting providers.
What is End-Of-Life or ‘EOL’ in Software?
When a software product reaches EOL, it is no longer supported by software developers. That means that, even if someone finds a security hole in the software, the developers will not fix it.
If a development team is productive, they will release many versions of the software they work on over time. It becomes impractical to support every version of the code ever released. So a compromise needs to be made.
This compromise is that the development team will only support their software for a certain amount of time. After that time has elapsed, the development team suggests that the user community upgrades to a newer version of the same software, which usually does things better than the old versions and is fully supported.
Is PHP Version 7.1 going to be EOL soon?
Yes. PHP version 7.1 will be declared End-Of-Life on December 1st, 2019. That is, in approximately two weeks at the time of writing this.
The PHP development team’s policy with regards to end-of-life is as follows: each release of PHP is fully supported for two years from the date of release. Then it is supported for an additional year for critical security issues only. Once three years have elapsed from the date of release, the version of PHP is no longer supported.
Why Should I Upgrade to PHP 7.2?
As mentioned above, PHP 7.1 will no longer be supported with security fixes, starting on 1 December 2019. That means that even if a vulnerability is discovered, it won’t be fixed, leaving your website vulnerable. PHP 7.2 has improvements over older versions of PHP 7. PHP 7.2 is actively supported, so developers are able to use those improvements to make your website run faster, be more stable and use your expensive resources more efficiently. As an added benefit for software developers, PHP 7.2 also allows the use of more modern programming structures.
How can I find out my PHP version?
If you are using WordPress and running the Wordfence security plugin, simply go to “Tools”, then click on the “Diagnostics” tab at the top right. Scroll down to the “PHP Environment” section and you will be able to see your PHP version on the right side of the page.
Alternatively, you can install this extremely basic plugin on your WordPress site which will display your PHP version. Please note that this plugin is not produced by the Wordfence team and we do not endorse it. If you have FTP access to your website, you can create a file with a name that is hard to guess. Then add the following two lines:
Save the file in your web root directory and then visit the file in your web browser. Your PHP version will be displayed at the top of the screen. Don’t forget to delete your temporary file once you’re done.
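An added example, not part of the original post, of a temporary file for this check: it reports only the PHP version and where its branch stands under the two-years-plus-one support policy described above, rather than a full environment dump. The function name `support_phase` and the release-date table are assumptions of this example.

```php
<?php
// Added example (not from the original post): temporary version-check page.
// Prints only the PHP version and its support phase, not a full environment
// dump. Avoids PHP 7-only syntax so it also runs on the old interpreters it
// is meant to identify.
date_default_timezone_set('UTC');

/**
 * Apply the policy described in the post: two years of full support from
 * the release date, then one more year of critical security fixes only.
 * $today is a Unix timestamp.
 */
function support_phase($branch, $today)
{
    // General-availability dates of the branches named in the post.
    $releases = array(
        '7.1' => '2016-12-01',
        '7.2' => '2017-11-30',
        '7.3' => '2018-12-06',
    );
    if (!isset($releases[$branch])) {
        // Every branch older than 7.1 is already past end-of-life.
        return version_compare($branch, '7.1', '<')
            ? 'end-of-life (older than 7.1)'
            : 'not in table, check php.net/supported-versions.php';
    }
    $released    = strtotime($releases[$branch] . ' 00:00:00 UTC');
    $activeEnd   = strtotime('+2 years', $released);
    $securityEnd = strtotime('+3 years', $released);

    if ($today < $activeEnd) {
        return 'full support until ' . gmdate('Y-m-d', $activeEnd);
    }
    if ($today < $securityEnd) {
        return 'security fixes only until ' . gmdate('Y-m-d', $securityEnd);
    }
    return 'end-of-life since ' . gmdate('Y-m-d', $securityEnd);
}

$branch = PHP_MAJOR_VERSION . '.' . PHP_MINOR_VERSION;
header('Content-Type: text/plain; charset=utf-8');
header('Cache-Control: no-store'); // keep the answer out of shared caches
echo 'PHP ' . PHP_VERSION . "\n";
echo 'Branch ' . $branch . ': ' . support_phase($branch, time()) . "\n";
```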
Which specific version of PHP 7 should I upgrade to?
Ideally, you should upgrade to a minimum of PHP 7.2. The newest release currently available is 7.3, and 7.4, which will then be the newest version of PHP, will be available in the next couple of weeks.
If you are unable to upgrade to 7.3+, then at a minimum you should upgrade to PHP 7.2. Full support for PHP 7.2 will end in over 1 year. However, you will continue to receive security updates for another year after that.
Will anything break if I update to PHP 7.2?
You may discover incompatibilities that need to be fixed by a developer if you update to PHP 7.2+. PHP has undergone some changes since version 5 which have improved the language and made it more secure, but which may result in warnings or errors for code that has not been made compatible with PHP 7.2+.
If you are a WordPress user, WordPress core is fully compatible with PHP 7.2 and greater.
However, it is very important that you make sure that your themes and plugins are also compatible with PHP 7.2. If you are using an unmaintained theme or plugin, you may encounter warnings or errors due to incompatibilities. For this reason, we recommend you test your website on a hosting account or server that is running PHP 7.2. If you encounter any problems, contact the developer of the theme or plugin and ask them for an urgent fix. Remind them that PHP 5.6 reaches end-of-life in just two months and that you must update to PHP 7.2 by then.
What if my hosting company does not support PHP 7.2?
Your hosting account should include some kind of control panel or options and settings page. If you’re not seeing an option to upgrade to PHP 7.2, you should contact your hosting company’s support team to see what your options are. If none are available, we recommend you transition to new hosting before the end of the year.
What if my developer does not support PHP 7.2?
PHP 7.2 was released two years ago. If your developer’s plugin, theme, or other PHP product does not support PHP 7.2 at this point, it is quite likely that the project is unmaintained. If the project were being maintained, users running PHP 7.2 would have reported problems within the last 2 years, and the developer would have fixed them.
Using unmaintained software is a bad idea because it means that security vulnerabilities are not being fixed. So if you do encounter incompatibilities when upgrading to PHP 7.2, this may be a red flag and may indicate you should move on to using an alternative product that is being actively maintained.
What is the easiest way to upgrade to PHP 7.2?
Many hosting providers offer a one-click PHP version change in cPanel. This allows you to switch to PHP 7.2 and check your site for problems. If something doesn’t work, you can switch back and create a plan for addressing the issues you found.
If you can’t find where to update your PHP version, your hosting provider can advise you how to update PHP in their environment. This may mean they make a change on their end or even move your site to another server.
Remind me again why I need to update to PHP 7.2?
The really good news is that you are probably going to see a nice performance improvement when you update your site. Sure, you may need to deal with a few, hopefully minor, incompatibilities. But once you have updated to PHP 7.2, you can rest assured that you will continue to receive security updates until November 30, 2020.
If you remain on PHP < 7.1, you may find yourself dealing with a hacked site sometime next year when a vulnerability is released for PHP 7.1 and no fix is released by the PHP team because PHP 7.1 is end-of-life.
How can we help?
This deadline is coming up fast. All versions of PHP 7.1 will stop receiving security updates in 2 weeks. There are a huge number of websites that are still on PHP 5. As soon as security updates end, attackers will be highly motivated to find vulnerabilities that they can exploit because those vulnerabilities will not be fixed and will be exploitable for a long time.
To help transition the global web community to PHP 7.2, please spread the word by sharing this post and helping create awareness about this tight deadline and how to transition to PHP 7.2.
If you have an old hosting provider that is not capable of updating on their server, or if your website is outdated and needs a refresh, contact us and we will help you keep your website safe and secure.