PHP 5.X is EOL: Upgrade Now!
On December 31st, 2018 the last PHP 5.x branch, PHP 5.6, stops receiving security updates (older 5.x branches already get none). This is a big deal: 79% of all websites on the internet currently use PHP, and 60% of those run PHP 5.x or below. The move to PHP 7.x (there was never a PHP 6 release; 5.6 was followed by 7.0) has been slow. Part of that is the natural reluctance to adopt updates quickly, but a bigger factor is CMSs. Almost every website on the internet uses a content management system, and most CMSs are written in PHP (WordPress, Drupal, Joomla, etc.).
Unfortunately, the only major CMS that has so far raised its minimum PHP requirement is Drupal, and that requirement does not take effect until 2019. WordPress has yet to raise its minimum. It recently updated the recommended version on its requirements page, but core still supports running on legacy PHP 5.x versions. So, what does this mean for website security at the end of the year? The outlook is not good. Let's dive in.
The PHP Security Crisis
This entire crisis stems from the fact that PHP is discontinuing security support for the 5.x branch on December 31st, 2018. Once again, 60% of PHP-powered websites run this version (or older), so the problem is widespread.
For webmasters, this could spell disaster. A bug in the interpreter itself will often affect every PHP version, but only the supported branches get the fix; any vulnerability in 5.x disclosed after New Year's Day stays unpatched, and more targeted exploitation of 5.x is exactly what to expect. It's a hacker's haven: a massively popular technology behind 60% of PHP sites, with no security updates? How much better can it get for the black-hatters?
Not WordPress's Problem
"The biggest source of inertia in the PHP ecosystem regarding versions is undoubtedly WordPress, which still refuses to drop support for PHP 5.2 because there are more than zero systems in the universe that still run WordPress on an ancient, unsupported version of PHP" - Scott Arciszewski, Chief Development Officer Paragon Initiative Enterprise
The primary issue here isn't that PHP is discontinuing support for an old branch; that's standard. The problem is that this change is going unnoticed, and the major CMSs aren't making their users aware of it. In fact, WordPress still supports PHP 5.x and has announced no plans to discontinue that support.
So, webmasters running crusty old PHP versions on their servers aren't going to get a heads-up (unless they actively go looking for one). Why? For one, WordPress is treating it as a not-our-problem situation. The more PHP versions it supports, the more sites it can run on; pushing webmasters to upgrade a PHP version that is about to be wide open to attack would mainly mean more traffic to its support team.
So WordPress is opting to stay out of it, leaving the bulk of the responsibility with the webmaster.
This classic not-our-problem move seems to be consistent across OSS projects:
- Did your 30-million-download plugin ship with a built-in vulnerability? Not our problem, we don't make the plugins!
- Did a core vulnerability just get your website hacked? Not our problem! Delete the whole thing.
- Did you report a vulnerability over a year ago that still isn't patched? Not our problem! We can't be expected to find every vulnerability!
Again, these massive CMSs run the bulk of the internet's websites, so ignoring the PHP change could spell catastrophe for some webmasters.
Not everyone keeps up with cybersecurity developments, so it's critical that content management systems take some responsibility and drop support for server configurations with glaring security issues.
Content management systems that opt to remain neutral are putting their users at risk: the 60% of PHP sites still on 5.x could fall victim to the targeted attacks that are sure to follow.
How Will The PHP Change Impact Me?
If you're a webmaster and you use WordPress (or any other CMS), this PHP change affects you. You need to move to a supported PHP release in order to keep receiving PHP security updates.
If attackers find a way to abuse the PHP 5.x branch, your website will likely be at risk. For most sites the upgrade is quick, but it is not risk-free: PHP 7.0 removed the old mysql extension (the mysql_* functions) and the ereg regex functions, so old themes and plugins can break. Test on a staging copy first, and check the web server's PHP version as well as the CLI's (the version `php -v` reports can differ from what mod_php or PHP-FPM is actually serving). Here is a handy guide that will walk you through the basics.
Remember, you want to be on a supported PHP 7.x release to keep receiving security updates, and not just any 7.x: PHP 7.0's security support also ended in December 2018 and 7.1's ends in December 2019, so target 7.2 or newer.
We are aware that your CMS may (and probably does) let you run your website on PHP 5.x. That does not mean it's safe! Always err on the side of caution in these situations. Just because WordPress lets you run your website on PHP 5.x doesn't mean you should.
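As an added example (not from the original article, and not a tool from any CMS project), here is a small POSIX shell script that tells you whether a given PHP version is still inside its security-support window. The end-of-support dates are the ones php.net published for the 5.6 and 7.x branches current when this was written; the function names and the "unknown" handling for versions outside that table are my own choices.

```sh
#!/bin/sh
# Added example: classify a PHP version against the end-of-security-support
# dates published on php.net for the branches current when this was written.
# Anything older than 5.6 is already EOL; anything newer than the table is
# reported as "unknown" so the table gets extended rather than trusted blindly.

# Last day of security support for each branch (YYYY-MM-DD).
php_branch_eol() {
  case "$1" in
    5.6) echo 2018-12-31 ;;
    7.0) echo 2018-12-03 ;;
    7.1) echo 2019-12-01 ;;
    7.2) echo 2020-11-30 ;;
    7.3) echo 2021-12-06 ;;
    *)   echo unknown ;;
  esac
}

# php_support_status VERSION [TODAY]
# Prints "eol", "supported" or "unknown". TODAY defaults to the current date;
# passing it explicitly keeps the result reproducible.
php_support_status() {
  ver=$1
  today=$(printf '%s' "${2:-$(date +%Y-%m-%d)}" | sed 's/-//g')
  major=$(printf '%s' "$ver" | cut -d. -f1)
  minor=$(printf '%s' "$ver" | cut -d. -f2)
  case "$major$minor" in
    *[!0-9]*|'') echo unknown; return ;;   # not a dotted numeric version
  esac
  mm=$((major * 100 + minor))              # 5.6 -> 506, 7.2 -> 702
  if [ "$mm" -lt 506 ]; then echo eol; return; fi
  eol=$(php_branch_eol "$major.$minor")
  if [ "$eol" = unknown ]; then echo unknown; return; fi
  eol=$(printf '%s' "$eol" | sed 's/-//g')
  if [ "$today" -gt "$eol" ]; then echo eol; else echo supported; fi
}

# report [VERSION]: with no argument, ask the local php binary (the CLI) for
# its version. The CLI and the web server's PHP (mod_php, PHP-FPM) can be
# different installs, so also confirm the served version from a page that
# runs <?php echo PHP_VERSION; before deciding you are done.
report() {
  ver=${1:-$(php -r 'echo PHP_VERSION;' 2>/dev/null)}
  if [ -z "$ver" ]; then
    echo "no PHP version given and no php binary found" >&2
    return 1
  fi
  echo "PHP $ver: $(php_support_status "$ver")"
}

# Run only when invoked with a version argument or when a php binary exists,
# e.g.:  sh php-eol-check.sh 5.6.38   ->   PHP 5.6.38: eol  (after 2018-12-31)
if [ -n "${1:-}" ] || command -v php >/dev/null 2>&1; then report "${1:-}"; fi
```

Run it once on the host's CLI PHP and once with the version string your web server reports; if either answer is `eol`, the upgrade is due regardless of whether the CMS still "supports" that version.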
What's the Large-Scale Impact of the PHP 5.x Security Withdrawal?
We don't know what the large-scale impact will be yet. You can expect attackers to probe every inch of PHP 5.x for any hole they can find; it's too lucrative not to. Think about it: 60% of PHP-powered sites are running a version of the software that's about to lose security support, and the major CMSs are staying quiet so they don't have to deal with an overloaded support queue. It's the perfect recipe for disaster.
In fact, according to Scott Arciszewski the Chief Development Officer at Paragon Initiative Enterprise, it may take a massive-scale hack to wake some of these content management systems up.
Unfortunately Scott, from what we've seen, millions of people getting hacked never seems to wake WordPress up.
Conclusion
Remember to update your PHP version! It's critical that you aren't running an old PHP version once this security withdrawal is in full effect. Hackers are going to be flocking to older PHP versions like bees to flowers.
Here are some resources that will help you update your PHP.
- PHP.net documentation (including the migration guides in the manual).
- WooCommerce's Guide
- Joomla's Guide (at least they recognize the issue.)
So get out there and get upgraded! Don't let hackers take advantage of you just because no one decided to inform you that your entire website's architecture was about to stop receiving security updates.
Note to our customers: Our platform is fully managed. You will not need to worry about any of these upcoming PHP issues.