Though approximately 78.9% of internet sites rely on PHP, security support for PHP 5.6.x will end on December 31, 2018, effectively leaving about 62% of websites still using PHP without security updates for their server and website’s underlying technology, according to ZDNet.
“This is a huge problem for the PHP ecosystem,” said Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises. “While many feel that they can ‘get away with’ running PHP 5 in 2019, the simplest way to describe this choice is: Negligent.”
Several developers have warned of the “ticking PHP time bomb,” but there has yet to be much of a collective effort to promote the updated PHP 7.x. Some content management system (CMS) projects have begun modifying minimum requirements.
Drupal is the only one of three major CMS programs—WordPress, Joomla, and Drupal—to officially require PHP 7, though that policy will not take effect until March. Joomla’s minimum requirement remains PHP 5.3 and WordPress’ remains PHP 5.2.
Arciszewski continues, “The biggest source of inertia in the PHP ecosystem regarding versions is undoubtedly WordPress, which still refuses to drop support for PHP 5.2 because there are more than zero systems in the universe that still run WordPress on an ancient, unsupported version of PHP.” More than a quarter of websites use WordPress, so if the project were to update its policies to require PHP 7.x, it would surely make a mark on the rest of the internet.
“What PHP versions should be supported [by WordPress], however, has been a major debate for some time,” said Sean Murphy, Director of Threat Intelligence at Defiant, the company behind the Wordfence security plugin for WordPress. “There is an ongoing initiative by the WordPress team to notify users when they are using a legacy version of PHP and give them the information and tools they need to request a newer version from their hosting provider.”
Murphy is not particularly concerned about WordPress’ involvement in the PHP controversy. “A PHP vulnerability […] would indeed be very bad, but there hasn’t been any that I know of in recent history,” he said. “Based on past PHP vulnerabilities, the threat is mostly with PHP applications.”