According to statistics from W3Techs, roughly 78.9 percent of all Internet sites today run on PHP.
But on December 31, 2018, security support for PHP 5.6.x will officially cease, marking the end of all support for any version of the ancient PHP 5.x branch.
This means that starting with next year, around 62 percent of all Internet sites still running a PHP 5.x version will stop receiving security updates for their server and website’s underlying technology, exposing hundreds of millions of websites, if not more, to serious security risks.
If a hacker finds a vulnerability in PHP after the New Year, lots of sites and users would be at risk.
“This is a huge problem for the PHP ecosystem,” Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprise, told ZDNet in an interview. “While many feel that they can ‘get away with’ running PHP 5 in 2019, the simplest way to describe this choice is: Negligent.”
“To be totally fair: It’s likely that any major, mass-exploitable flaw in PHP 5.6 would also affect the newer versions of PHP,” Arciszewski added.
“PHP 7.2 will get a patch from the PHP team, for free, in a timely manner; PHP 5.6 will only get one if you’re paying for ongoing support from your OS vendor.
“If anyone finds themselves running PHP 5 after the end of the year, ask yourself: Do you feel lucky? Because I sure wouldn’t.”
The PHP community has known of this deadline for quite a while. After PHP 5.6 became the most widely used PHP version back in the spring of 2017, PHP maintainers realized it would be a disaster if they stopped security updates right when PHP 5.6 became the most popular PHP version –so they extended the EOL date to the end of 2018.
Since then, there have been several developers and security researchers who warned about the “ticking PHP time bomb,” although not as many as infosec community would have wished.
There has not been a concerted effort to get people to move to the newer PHP 7.x, but some website content management systems (CMS) projects, one by one, have started modifying minimum requirements, and warning users to use more modern hosting environments.
Of the big three –WordPress, Joomla, and Drupal– only Drupal has made the official step to adjust its minimum requirements to PHP 7, but that move will come in March 2019. Ironically, the 7.0.x branch has reached EOL on December 3, 2017, which doesn’t actually solve anything, but it’s still a step forward.
Joomla’s minimum requirement remains PHP 5.3, while WordPress’ minimum requirement remains PHP 5.2.
“The biggest source of inertia in the PHP ecosystem regarding versions is undoubtedly WordPress, which still refuses to drop support for PHP 5.2 because there are more than zero systems in the universe that still run WordPress on an ancient, unsupported version of PHP,” Arciszewski said, describing the WordPress team’s infamous strongheadedness of keeping its minimum requirement at a PHP version that went EOL in 2011.
WordPress –which is used for more than a quarter of all sites on the Internet– would, without a doubt, shift a lot of people’s views on the necessity of using modern PHP versions if the project would move its minimum PHP requirement to the newer PHP 7.x branch.
“What PHP versions should be supported [by WordPress], however, has been a major debate for some time,” said Sean Murphy, Director of Threat Intelligence at Defiant, the company behind the WordFence security plugin for WordPress, in an email exchange with ZDNet.
“There is an ongoing initiative by the WordPress team to notify users when they are using a legacy version of PHP and give them the information and tools they need to request a newer version from their hosting provider,” he added. “Here are notes from this team’s recent meeting.”
Murphy believes that one of the biggest challenges of rolling out PHP version upgrades to a large number of sites is the flood of support requests that come as a result, a reason why many CMS projects and web hosting providers are reticent and unwilling to do so.
But Murphy also points out that “good hosting providers” will always deploy new users on new versions of PHP by default, instead of letting customers choose, and will update existing clients to new versions of PHP only when requested.
But unless customers are aware that their version of PHP has reached end-of-life, very few will ask to be moved to a newer version.
Here’s where WordPress’ notifications for users who are running sites on outdated PHP versions will come to help –making people either update their server or ask their hosting provider for a more modern hosting environment.
While some WordPress security experts are alarmed about the impending EOL for the PHP 5.6 branch and the entire PHP 5.x, indirectly, Murphy is not one of them.
“A PHP vulnerability […] would indeed be very bad, but there hasn’t been any that I know of in recent history,” he said.
“Based on past PHP vulnerabilities, the threat is mostly with PHP applications,” Murphy added, suggesting that attackers would likely continue to focus on PHP libraries and CMS systems.
But not all share Murphy’s opinion. For example, Arciszewski believes that PHP 5.6 and the older branches will be prodded for new vulnerabilities more than the usual. These branches are now EOL, are insanely popular, and are unsupported –the perfect conditions of plentiful targets with bad security that draw in attackers.
“Yes, that is absolutely a risk factor,” Arciszewski said. “We saw something similar happen after Windows XP support was dropped, and I suspect we’ll see the same happen to the PHP 5 branch.
“Maybe that will be the necessary catalyst for companies to take PHP 7 adoption seriously? I can only hope.”
And if server administrators and website owners need more convincing, we’ll end this article with the same ending that Martin Wheatley used for his “ticking PHP time bomb” piece from over the summer.
Yes it does cost time and money, but what’s worse, a small monthly support fee, or a headline “Site hacked, thousands of user details stolen” followed by a fine for up to 20 million euros or 4% of your turnover under GDPR… I know what I’d rather pay.