Almost 62 percent of the websites that run PHP are still on version 5, even as version 5.6 of the server-side scripting language inches toward an ominous end-of-life.
Hypertext Preprocessor (PHP), a programming language designed for use in web-based applications with HTML content, supports a wide variety of platforms and is used by numerous web-based software applications, including popular content management systems like WordPress, Joomla and Drupal.
However, starting in December, versions 5.6 and 7.0 will no longer be supported.
“The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided,” a recent CERT notice has warned users.
Despite end-of-life on the horizon, a new report by Web Technology Surveys found that PHP version 5 still powers 61.8 percent of the websites that use PHP. Of those on version 5, 41.5 percent are running 5.6, the report said.
Researchers and developers alike have called on these websites to update to a newer, supported release, such as PHP 7.2.
It’s particularly critical given the popularity of PHP: A full 78.9 percent of all websites use PHP overall, Web Technology Surveys’ report found.
Martin Wheatley, senior web application developer and web security tester, said that impacted websites would run on a platform that no longer receives updates – opening them up to hacks, data exposure or malware.
“I know there are still sites out there that run on PHP 5.6 (and earlier!) that should really be moved on, either updated for PHP 7.2 or if the code is un-maintainable due to years of abuse by developers, simply rebuilt in a modern framework,” he said in a post. “These sites probably include old libraries that haven’t had the joy of an update or have long since been abandoned. The libraries probably have bugs and security holes in themselves, never mind the hosting platform or the website code itself. In some cases library code can be updated easily, others not.”
Many websites are dragging their feet given that the updates cost time and money, he said.
And content management systems are doing little to help: Drupal is the only major CMS that has posted an official notice requiring an upgrade to PHP 7, with a March 2019 deadline that falls about two months after PHP 5.6 reaches end of life.
“Drupal 8 will require PHP 7 starting March 6, 2019,” the company said. “Drupal 8 users who are running Drupal 8 on PHP 5.5 or PHP 5.6 should begin planning to upgrade their PHP version to 7.0 or higher (PHP 7.1+ is recommended). Drupal 8.6 will be the final Drupal 8 version to support PHP 5, and will reach end-of-life on March 6, 2019, when Drupal 8.7.0 is released.”
There has been no such notice from WordPress or Joomla. Neither responded to a request for comment from Threatpost.
So what can websites that are still using PHP 5.6 do? Software engineer David Eddy stressed that they should contact their hosting provider and push them to support a secure version of the language.
“If you have a little technical knowledge, you and your team may be able to do a direct migration to a new machine with PHP 7,” he said in a recent post. “Otherwise, if you are a bit more technical you can install PHP 7 yourself. This may require removing unsupported WordPress plugins, swapping code libraries or even doing some reprogramming due to a language extension no longer being supported.”
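The migration planning described above, as an added example that is not from the article or from Eddy's post: a small Python audit script that answers the two questions a team moving off PHP 5.6 asks first, whether the installed branch still receives security fixes, and which calls in the code base will break (or start warning) on the target PHP 7 branch. The end-of-support dates and the removed/deprecated APIs (ext/mysql and ext/ereg removed in 7.0, ext/mcrypt removed in 7.2, each() and create_function() deprecated in 7.2) are taken from php.net; the PHP snippet, the function names and the regex-based scan are this example's own constructions.

```python
"""Pre-migration audit for a PHP 5.6 code base (added example, not from the article).

Two checks a team planning a move to PHP 7 wants early:
  1. is the installed PHP branch still receiving security fixes?
  2. which calls in the source will break, or start warning, on the target branch?
The scan is lexical (regex over the source text), so it also reports matches
inside comments and strings; treat its output as a worklist, not a proof.
"""
import re
from datetime import date
from typing import List, NamedTuple, Tuple

# End of security support per PHP branch, from php.net's supported-versions table.
SECURITY_SUPPORT_ENDS = {
    (5, 6): date(2018, 12, 31),
    (7, 0): date(2018, 12, 3),
    (7, 1): date(2019, 12, 1),
    (7, 2): date(2020, 11, 30),
}


def branch(version: str) -> Tuple[int, int]:
    """'5.6.40' -> (5, 6); accepts the output of `php -r 'echo PHP_VERSION;'`."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def security_support_ended(version: str, today_iso: str) -> bool:
    """True if the branch no longer receives security fixes on the given ISO date."""
    b = branch(version)
    if b in SECURITY_SUPPORT_ENDS:
        return date.fromisoformat(today_iso) > SECURITY_SUPPORT_ENDS[b]
    if b < (5, 6):
        return True  # every branch before 5.6 was already end-of-life in 2018
    raise ValueError(f"no end-of-life date on record for PHP {b[0]}.{b[1]}")


class Finding(NamedTuple):
    line: int
    symbol: str
    status: str              # "removed" or "deprecated"
    since: Tuple[int, int]   # PHP branch in which that happened
    advice: str


# A call is a bare identifier followed by '('. The lookbehind skips '$var(',
# '->method(' and 'Class::method(' so user code that reuses one of these names
# as a method or variable is not reported. PHP function names are
# case-insensitive, hence re.I.
_CALL = r"(?<![\w$>:])({names})\s*\("
REMOVED_OR_DEPRECATED = [
    (re.compile(_CALL.format(names=r"mysql_\w+"), re.I),
     "removed", (7, 0), "ext/mysql is gone; use mysqli or PDO"),
    (re.compile(_CALL.format(names=r"eregi?|eregi?_replace|spliti?"), re.I),
     "removed", (7, 0), "ext/ereg is gone; use the preg_* functions"),
    (re.compile(_CALL.format(names=r"mcrypt_\w+"), re.I),
     "removed", (7, 2), "ext/mcrypt is gone; use sodium or openssl"),
    (re.compile(_CALL.format(names=r"each|create_function"), re.I),
     "deprecated", (7, 2), "warns on 7.2 and is removed in 8.0"),
]


def audit_php(source: str) -> List[Finding]:
    """Return every removed/deprecated call in `source`, ordered by line."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for pattern, status, since, advice in REMOVED_OR_DEPRECATED:
            for m in pattern.finditer(text):
                findings.append(Finding(lineno, m.group(1), status, since, advice))
    return sorted(findings)


def blockers(findings: List[Finding], target: str) -> List[Finding]:
    """Findings that will break (not merely warn) on the target branch."""
    t = branch(target)
    return [f for f in findings if f.status == "removed" and f.since <= t]


# Constructed sample, typical of a PHP 5-era code base (not real project code).
SAMPLE_PHP = """<?php
$link = mysql_connect($host, $user, $pass);
$rows = mysql_query("SELECT id FROM users", $link);
if (ereg("^[a-z]+$", $name)) {
    $parts = split(",", $csv);
}
$blob = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC, $iv);
while (list($k, $v) = each($rows)) {
    $fn = create_function('$a', 'return $a;');
}
$safe = $db->mysql_query("a method named like ext/mysql, not a hit");
$ok = preg_split(",", $csv);
"""

if __name__ == "__main__":
    print("PHP 5.6.40 unsupported on 2019-01-01:",
          security_support_ended("5.6.40", "2019-01-01"))
    findings = audit_php(SAMPLE_PHP)
    for f in findings:
        print(f"line {f.line}: {f.symbol}() {f.status} in PHP "
              f"{f.since[0]}.{f.since[1]} ({f.advice})")
    print("calls that block a move to 7.2:", len(blockers(findings, "7.2")))
```

Run it against `find . -name '*.php' -exec cat {} +` output, or loop over files, to get a first worklist; the lookbehind deliberately ignores method calls such as `$db->mysql_query(...)`, which a plain `grep mysql_` would flag as false positives. Because the check is lexical, a project that defines its own function named `each()` or `split()` will be reported too, so confirm each hit before rewriting it.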
Beyond removing the risks that come with running PHP 5.6 past its end of life, moving to PHP 7.1 or later brings advantages of its own, including new features and bug fixes.
That includes speed improvements, according to web developer and Under2 Co-Founder Shane Jones, who took to Twitter to encourage websites to upgrade.
> Anyone that's worked with me recently will know that I've been banging on about upgrading from #PHP5 to #PHP7 for years now. Mainly I've been focussed on the speed improvements due to #PHP being able to process more requests per second. Especially in #WordPress.
>
> Thread 1/6 pic.twitter.com/HEPXq1ENO0
>
> — Shane (@shanejones) October 15, 2018
In the end, while updating PHP is painful and time-consuming, it is worth it to protect websites from the security risks that come with end of life, experts said.
“Yes it does cost time and money, but what’s worse, a small monthly support fee, or a headline ‘Site hacked, thousands of user details stolen’ followed by a fine for up to 20 million euros or 4% of your turnover under GDPR… I know what I’d rather pay,” said Wheatley.