The web runs on PHP. The most popular content management systems, including WordPress, are PHP. The most widely used eCommerce applications are PHP, including Magento and WooCommerce. If your business operates a custom web application, it’s probably built on PHP (although Node and other modern server-side languages are making inroads). What’s more, many of these websites, eCommerce stores, and web applications use PHP 5.6, which reaches the end of its life when 2018 comes to a close.
PHP 5.6 has been stunningly successful. It was first released in August 2014. Active support ended in January 2017. That’s an extraordinarily long lifespan for a minor revision of a programming language, four years and three months. PHP is used on 79% of websites for which we know the language. Of those, 75% use PHP 5, and the vast majority of PHP 5 sites use PHP 5.6. That’s a testament to its success, but it is unfortunate that so many sites are based on software that hasn’t been actively supported for almost two years.
But the real crunch date is December 31st, 2018. Throughout its twilight years, the PHP project supported PHP 5.6 with security updates. They released patches when vulnerabilities were discovered. At the end of 2018, PHP 5’s life-support will be turned off and it will no longer receive patches for security vulnerabilities. Any vulnerabilities discovered after that date are here to stay.
Server hosting clients who still rely on PHP 5.6 should already have updated, but many have not. Their sites have continued to work, and they will work after PHP 5.6 reaches the end of its life. Updating may not appear to be a priority. But unsupported software is inherently dangerous. The world around it changes; it stays the same.
Security vulnerabilities are the most serious problem. It’s not impossible that there remains an undiscovered critical vulnerability lurking in PHP 5.6. In truth, it’s not likely, but it’s possible and it creates a risk that most businesses should prefer to avoid.
Vulnerabilities aren’t the only problem. Modern software is built around newer versions of PHP. An application may work on PHP 5.6 today, but there’s no guarantee that will continue. It’s likely software will become increasingly incompatible with PHP 5.6 over time. As I write, WordPress recommends PHP 7.2 or later. It will run on old — very old — versions of PHP, but that will change, and the WordPress project warns against using older versions. Other PHP-based projects are not so fastidious where backward compatibility is concerned. Craft CMS, for example, requires PHP 7+.
When the software your site runs on no longer supports the version of PHP you prefer, there are two choices. Upgrade both or upgrade neither. Choose the later option and you’ll be running an out-of-date CMS on an out-of-date programming language. It’s smarter to update before you have to make that choice.