USING PHP 5 IS BECOMING DANGEROUS STARTING JAN 1st 2019
Yes, it’s True.
WordPress, Joomla, Drupal and many other popular website content management systems are written in a programming language called PHP. PHP version 5 is about to reach end-of-life and will stop receiving security updates in two months.
Many WordPress and other PHP websites remain on version 5.6 or older. Once support for PHP 5 ends, these sites are in a precarious position and will become exploitable as new PHP 5 vulnerabilities emerge without security updates.
This page is in a Frequently Asked Questions format and describes why PHP 5 is reaching end-of-life, what the timeline is and what to do about it.
Graylock Cybersecurity is working to create awareness of this issue in the WordPress and broader PHP community.
You can help by sharing this post with your clients that manage PHP websites or use WordPress.
Check Your Website!
Does this affect me?
Yes, but you probably aren’t even aware of it. When you paid for your website way back in 2014-15 you probably assumed it would ‘last forever’ but if you bought a company vehicle in that same year, do you still have it? Or do you change vehicles every 2-3 years to stay ‘up-to-date’ and to avoid expensive ‘repair bills’?
Maintaining your website is the same principle.
Make sure your site is migrated to a newer, secure version of PHP. We can help with that; learn more below.
What does End Of Life or ‘EOL’ mean?
When a software product reaches EOL, it is no longer supported by its developers. That means that, even if someone finds a security hole in the software, the developers will not automatically fix it free of charge.
If your development team is productive, they will release many versions of the software they work on over time.
It becomes impractical to support every version of the code ever released. So a compromise needs to be made.
This compromise is that the development team will only support their software for a certain amount of time. After that time has elapsed, the development team suggests that the user community upgrade to a newer version of the same software, which usually does things better than the old versions and is fully supported.
Remember Microsoft discontinuing support for Windows XP in April 2014?
PHP 5.x is going to be EOL soon, what does that mean?
PHP version 5 will be declared End-Of-Life on January 1st, 2019.
The PHP development team’s policy with regards to end-of-life is as follows: each release of PHP is fully supported for two years from the date of release. Then it is supported for an additional year for critical security issues only. Once three years have elapsed from the date of release, the version of PHP is no longer supported.
PHP 7.0, the very first PHP 7 release, was released on 3 December 2015, almost three years ago. PHP version 5 is rapidly approaching end-of-life and will no longer be supported starting on 1 January 2019.
The final branch of PHP version 5 that is still supported is PHP 5.6. Because this is the final PHP 5 branch, the PHP team chose to extend the security fix period from the usual one year to two years. That extended security support will end on 1 January 2019.
Why Should I Upgrade to PHP 7?
As mentioned above, PHP 5 will no longer be supported with security fixes, starting on the 1st January 2019.
That means that even if a vulnerability is discovered, it won’t be fixed, leaving your website vulnerable.
PHP 7 has many improvements over PHP version 5. These include performance improvements. PHP 5 has many known bugs that relate to performance, memory usage and more. PHP 7 is actively supported and developers are therefore able to implement those improvements and make your website run faster, be more stable and use your expensive resources more efficiently.
As an added benefit, PHP 7 also allows the use of more modern programming structures, which is a nice benefit for software developers.
How can I find out my PHP version?
The fastest method would be to contact us below; however, we've included a few methods for you do-it-yourself folk out there. ;)
If you are using WordPress and running the Wordfence security plugin, simply go to “Tools”, then click on the “Diagnostics” tab at the top right. Scroll down to the “PHP Environment” section and you will be able to see your PHP version on the right side of the page.
Alternatively you can install this extremely basic plugin on your WordPress site which will display your PHP version. Please note that this plugin is not produced by the Wordfence team and we do not endorse it.
If you have FTP access to your website, you can create a file with a name that is hard to guess.
You'll need to create a very simple PHP script and place it in your home directory.
Using a script editor or a plain text editor (not a word processor), create a file called WHATEVERYOUNAMEDTHEFILE.php with this code:
<?php phpinfo(); ?>
That's all you need. Just one single line. Save the file and call it WHATEVERYOUNAMEDTHEFILE.php
Upload this file to the public_html directory or whatever your main HTML directory is called.
In your browser address bar, access the file by typing in: http://yourdomain.com/WHATEVERYOUNAMEDTHEFILE.php
Save the file in your web root directory and then visit the file in your web browser.
Your PHP version will be displayed at the top of the screen.
Don’t forget to delete your temporary file once you’re done.
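An added example, not part of the original post: a narrower alternative to the phpinfo() file above. It prints only the PHP version and the matching advice from this FAQ instead of the full server configuration, then removes itself from the server. The function name upgrade_advice and the wording of its messages are assumptions made for this example; upload it under the same hard-to-guess filename.

```php
<?php
// Added example, not from the original post.
// Prints only the PHP version and this FAQ's upgrade advice, then deletes itself.
// Uses PHP 5-compatible syntax so it runs on the sites it is meant to check.

header('Content-Type: text/plain; charset=utf-8');
header('Cache-Control: no-store'); // keep proxies and browsers from caching the result

// Hypothetical helper: maps a version string to the advice given in this FAQ.
function upgrade_advice($version)
{
    if (version_compare($version, '7.0.0', '<')) {
        return 'PHP 5 or older: no security fixes from 1 January 2019. Upgrade to PHP 7.2.';
    }
    if (version_compare($version, '7.1.0', '<')) {
        return 'PHP 7.0: also reaching end-of-life. Upgrade to PHP 7.2.';
    }
    if (version_compare($version, '7.2.0', '<')) {
        return 'PHP 7.1: the minimum this FAQ accepts. PHP 7.2 is preferred.';
    }
    return 'PHP 7.2 or newer: the branch this FAQ recommends.';
}

echo 'PHP version: ', PHP_VERSION, "\n";
echo upgrade_advice(PHP_VERSION), "\n";

// Remove the check file after the first request so it cannot be left behind.
if (@unlink(__FILE__)) {
    echo "This check file has been deleted from the server.\n";
} else {
    echo "Could not delete this file automatically; remove it by FTP now.\n";
}
```

If the web server user has no write permission on the directory, the self-delete fails and the file still has to be removed by hand.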
Which specific version of PHP 7 should I upgrade to?
Ideally, you should upgrade to PHP 7.2 which is the newest version of PHP. This version will be fully supported for another year and will receive security updates for a year after that.
If you are unable to upgrade to 7.2, then at a minimum you should upgrade to PHP 7.1. Full support for PHP 7.1 will end in 1 month.
However, you will continue to receive security updates for another year after that.
Do not upgrade to PHP 7.0. This version will also become end-of-life in one month.
What are the risks of staying on PHP 5?
Does PHP 5 have any vulnerabilities?
Security vulnerabilities are continuously reported in PHP. Some of these are serious. Viewing this page on CVEDetails.com will give you an idea of the volume and severity of PHP vulnerabilities that have recently been reported.
Many of the vulnerabilities reported in PHP were discovered this year in 2018.
Many more will be discovered in PHP version 5 next year, after security support for all versions of PHP 5 has ended.
That is why it is critically important that you upgrade to a version of PHP 7 that is supported and is receiving security updates.
Will anything break if I update to PHP 7.2?
You may discover incompatibilities that need to be fixed by a developer if you update to PHP 7.2.
PHP has undergone some changes since version 5 which have improved the language and made it more secure, but may result in warnings or errors for code that has not been made compatible with PHP 7.
If you are a WordPress user, WordPress core is fully compatible with PHP 7.2 and greater.
However, it is very important that you make sure that your themes and plugins are also compatible with PHP 7.2.
If you are using an unmaintained theme or plugin, you may encounter warnings or errors due to incompatibilities.
For this reason, we recommend you contact your hosting provider.
If you encounter any problems with your web host, contact us and ask us for assistance in dealing with them.
What if my developer does not support PHP 7?
Find a new one. Your web developers are the first step in building your online business, and they should be maintaining their portfolio with current technology platforms. There is no reason to keep the inherent insecurity of PHP 5.
PHP 7.0 was released two years and 10 months ago. If your developer’s plugin, theme, or other PHP product does not support PHP 7 at this point, it is quite likely that the project is unmaintained. If the project was being maintained, then they would have had users who are using PHP 7 report problems within the last 2 years and 10 months, which they would have fixed.
Using unmaintained software is a bad idea because it means that security vulnerabilities are not being fixed. So if you do encounter incompatibilities when upgrading to PHP 7.2, this may be a red flag and may indicate you should move on to using an alternative product that is being actively maintained.
There are a huge number of websites that are still on PHP 5. As soon as security updates end, attackers will be highly motivated to find vulnerabilities that they can exploit, because those vulnerabilities will not be fixed and will be exploitable for as long as you are on that version. It is not advisable to stay on PHP 5 for any reason. If you remain on PHP 5, you will find yourself dealing with a hacked site some time very soon, and no further fixes will be released by the PHP team because PHP 5 is at the end-of-life stage in its production and application.
--Travis Yeargan, Creator of D-FENS1 & Founder of Graylock Cybersecurity