Websites running on PHP 5.6 to become Vulnerable from 2019

From 2019, the ubiquitous PHP 5.6, responsible for running 62% of websites on the Internet, will cease receiving security support from The PHP Group. As a result, millions of websites will be exposed to security risks from hackers.


In 1994, Rasmus Lerdorf created PHP, a server-side scripting language designed for Web development. A recursive acronym for PHP: Hypertext Preprocessor, the open-source PHP grew in popularity owing to its versatile nature, which enabled it to be embedded into HTML. Soon, it became the most widely used general-purpose scripting language in the world. According to W3Techs, almost 79% of all Internet web pages and applications in 2018 run on PHP. However, in an effort to drive users to the latest version of the language, The PHP Group has announced that it will cease to provide security support for PHP 5.6 from 31st December, 2018. The action will mark the end of all support for any version of the archaic PHP 5.x branch.

Initially released in mid-2014, PHP 5.6 became the most widely used PHP version in the spring of 2017. By that time, however, the latest version, 7.1, was already on the market, and it became difficult for The PHP Group to provide support for both of them. Although active support for PHP 5.6 was officially terminated that year, the developers continued to provide security updates for it. Today, around 62% of all Internet sites run on a PHP 5.x version, while 42% of them use the latest PHP 5.6 version. Hence, from 2019, the hundreds of millions of websites still running a PHP 5.x version will be prone to serious security risks – as they won’t receive security updates for their server and their website’s underlying technology.

The Chief Development Officer at Paragon Initiative Enterprises, Scott Arciszewski, said, “This is a huge problem for the PHP ecosystem.” He added, “While many feel that they can ‘get away with’ running PHP 5.x in 2019, the simplest way to describe this choice is: Negligent.” Indeed, while shutting down active support for PHP 5.6 in 2017, the developers and security researchers at the company had divulged the date of closing down security support. Nonetheless, a lack of concerted effort to move to the newer PHP 7.x has resulted in a majority of websites still stuck with the 5.x version.

In fact, out of the three biggest website content management system (CMS) platforms – WordPress, Joomla, and Drupal – only Drupal has taken active measures to adjust its minimum requirements to PHP 7. Meanwhile, Joomla and WordPress have still kept their minimum requirements at PHP 5.3 and PHP 5.2 respectively. “The biggest source of inertia in the PHP ecosystem regarding versions is undoubtedly WordPress, which still refuses to drop support for PHP 5.2 because there are more than zero systems in the universe that still run WordPress on an ancient, unsupported version of PHP,” Arciszewski said, taunting the WordPress team’s infamous headstrongness in keeping its minimum requirement at a PHP version that lost both active and security support way back in 2011.

Almost a quarter of all sites on the Internet use WordPress to develop their own websites. Under such circumstances, WordPress can draw a lot of people’s attention to the necessity of using a modern PHP version if it decides to update its minimum requirement to PHP 7.x. Without it, it’s unlikely that people would resort to the option of updating the PHP version on their own website. As the security support for PHP 5.6 ends, the millions of websites running on it will be at a tremendous security risk.