PHP 5.x Security Support Ends in December 2018, Putting 60%+ of Websites at Risk



Basically, in 10 weeks more than half of all websites will be exposed to potential security problems if a vulnerability is found in PHP 5.x after the new year. According to statistics from W3Techs, 61.7% of all websites whose server-side programming language is known currently use PHP 5.x, and PHP 5.6 will no longer be supported after December 31, 2018; that is, it will stop receiving security updates for your server and for the underlying technologies.

This is a big problem because it exposes hundreds of millions of websites to serious security risks. If recent history has shown anything (HTTPS is the simple example), it is that getting the majority of the web to move to the latest version of any technology on time is never an easy task.

A problem for the PHP ecosystem


PHP explained in the simplest way is a scripting language that helps people make web pages more interactive by allowing them to do more things. It is a server-side language designed for web development, although it is also used as a general programming language.

For example, with PHP a website can do things like having users and passwords. If a website is not programmed with a language such as PHP, it cannot do most of the things we are used to, apart from displaying text, links, and images in a simple way.

Approximately 78% of all websites (those that do not hide their technologies and can be quantified) use some version of PHP, but most use old versions. The entire PHP 5.x branch is extremely old: PHP 5.6 was released in August 2014, and its active support ended in 2017, almost two years ago. Its security support ends, as we said, at the end of 2018. The most recent version is PHP 7.2, which was released in November 2017 and will have security support until November 2020.

PHP version lifecycle (chart). In green: active support. In orange: only security updates. In red: without support.

WordPress, one of the most used and best-known content management systems (more than a quarter of all websites use WordPress), recommends PHP 7.2 on its requirements page, but explains that it continues to support PHP 5.2.4 and later, despite noting that these versions are unsupported and could expose your site to security vulnerabilities. WordPress refuses to stop supporting PHP 5.2, and for some, the CMS is also part of the problem.

This is especially problematic, and according to expert Scott Arciszewski, WordPress is the main source of inertia in the ecosystem because it refuses to remove support for PHP 5.2.

The good news, at least, is that PHP has not had any critical vulnerabilities in its recent history. Although that gives some peace of mind, others believe that once PHP 5.6 support ends while the version is still widely used, vulnerabilities will begin to appear and be exploited. Only time will tell, but the responsibility is definitely to update.