In 2004 PHP 5 was released to the public. That year the United States economy had recovered from the dot-com bubble, Windows XP was hitting its stride, having been released 3 years earlier, and the #1 pop song of the year was "Yeah!" by Usher. Let that sink in: Windows XP was 3 years old when PHP 5 was released. It has been a while.
Over the following half decade, minor point releases were published, as any well-maintained language would do. Released in August 2014, PHP 5.6 brought many good, but minor, updates to the language. As of today (Oct. 2018) it is one of the most popular versions of PHP in production. And that is where the problem originates. Even though the next major release (PHP 7.0) is nearly 3 years old, adoption has stagnated in recent years. Now 5.6 will be End of Life in mere months (security support ends 31 December 2018). That means no more updates, no more security patches, no more assistance when issues are discovered. If the end of life of Windows XP showed us anything, it is that when a piece of software reaches end of life while still widely used, that software becomes a prime target for bad actors. What better target could a bad actor have than software with security vulnerabilities that will never be fixed?
Not to sound like a fear monger, but if you have an application running PHP 5 and you do not have an upgrade path that completes in the next 6 months, start planning for a data breach, bad press, a damaged reputation, lost customers, and a possible lawsuit for negligence. It is not a matter of IF you will be breached, but WHEN. Do you really want to be one of the companies listed on https://haveibeenpwned.com/ because of a data breach?
What can be done?!
So what can be done about this situation? That depends on your level of technical skill and on your hosting provider. Some hosts have supported PHP 7 since day one, meaning the update is purely a matter of focusing on your application. Other hosts lag behind: contact your hosting provider and push them to support a secure version of the language. If you have a little technical knowledge, you and your team may be able to migrate directly to a new machine running PHP 7. If you are a bit more technical, you can install PHP 7 yourself. This may require removing unsupported WordPress plugins, swapping code libraries, or even doing some reprogramming because a language extension is no longer supported.
For the programmers among us
As a programmer / developer, what can you do to make the move to PHP 7 as quick and painless as possible? First and foremost, check the migration documentation available at php.net. If you are still using any of the four extensions listed below, all of which were removed in PHP 7.0, you will have some work ahead of you; otherwise the number of breaking changes was purposely kept to a minimum.
- ereg (replaced by the PCRE preg_* functions)
- mssql
- mysql (the mysql_* functions; replaced by mysqli or PDO_MySQL)
- sybase_ct
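To make the ereg and mysql items concrete, here is an added example (not code from the original post) of a typical PHP 5.6 user lookup and its PHP 7 rewrite. The legacy version is shown in comments because it fatals with "undefined function" on PHP 7; the replacement uses PCRE and PDO with a prepared statement. It assumes the pdo_sqlite extension so it runs offline against an in-memory database; the users table, its rows and the function names are constructed for the demo.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.0 with
// pdo_sqlite; the table and rows below are constructed for the demo.

// --- Legacy (PHP 5.6): calls functions that no longer exist on PHP 7 ------
// function find_user_legacy($link, $username) {
//     if (!ereg('^[a-z0-9_]{3,32}$', $username)) {
//         return null;
//     }
//     // String interpolation: the ereg() check is the only thing standing
//     // between this query and SQL injection.
//     $res = mysql_query("SELECT id, email FROM users WHERE name = '$username'", $link);
//     return mysql_fetch_assoc($res) ?: null;
// }

// --- PHP 7 replacement -----------------------------------------------------
function valid_username(string $username): bool
{
    // preg_match() returns 1 (match), 0 (no match) or false (PCRE error,
    // e.g. the backtrack limit was hit). Compare with === 1 so an error is
    // never mistaken for "valid". ereg() returned the match length instead.
    return preg_match('/^[a-z0-9_]{3,32}$/', $username) === 1;
}

// Returns the user row as an associative array, or null when not found.
// (No nullable return type here so the code also runs on PHP 7.0.)
function find_user(PDO $db, string $username)
{
    if (!valid_username($username)) {
        return null;
    }
    // Prepared statement: the value travels separately from the SQL text,
    // so input validation is defence in depth rather than the only barrier.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the real MySQL server.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $ins = $db->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
    $ins->execute(['alice', 'alice@example.com']); // constructed sample row
    $ins->execute(['bob', 'bob@example.com']);     // constructed sample row
    return $db;
}

$db = demo_db();
var_dump(find_user($db, 'alice'));             // row for alice
var_dump(find_user($db, "alice' OR '1'='1"));  // null: rejected by validation
var_dump(find_user($db, 'nobody'));            // null: no such row
```

Run it with `php migrate-demo.php` under PHP 7 to confirm the rewrite works, then run the same file under PHP 5.6 with the legacy block uncommented to see the calls that will fail after the upgrade. Swapping `sqlite::memory:` for a `mysql:host=...;dbname=...` DSN is the only change needed to point it at the production driver.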
The bonus payoff makes the migration worth the effort: your systems are up to date, more secure because they keep receiving security patches, and even run 30% faster. That means 30% more visitors on the same hardware, or the option to downgrade hardware and save money in the long term.
Related Articles / Resources
- http://php.net/supported-versions.php
- https://haydenjames.io/php-5-6-eol-end-of-life-php-7-compatibility-check/
- https://www.godaddy.com/community/Managing-Web-Hosting/PHP-5-6-End-of-Life/td-p/51463
- https://itristanmedia.com/blog/2018/05/17/php-5.6-is-approaching-its-end-of-life-and-what-to-do-about-it/
- https://www.zdnet.com/article/around-62-of-all-internet-sites-will-run-an-unsupported-php-version-in-10-weeks/
- https://w3techs.com/technologies/details/pl-php/all/all
- https://sensorstechforum.com/support-php-5-6-x-ends-websites-risk/
Help is available
To get a low-cost evaluation and talk about a mitigation plan for FREE, please reach out to me [at] davidjeddy [dot] com. This is so important that I will provide you an initial security audit for FREE. Your application security and user privacy are that important to me, and they should be to you as well.
Wrap up
It does not matter whether you have no I.T. team, use a managed hosting provider, or are an enterprise with thousands of developers and operations people. This affects you.
Top comments (2)
Good post!
You should point out that PHP 7.0 reaches EOL before 5.6 and upgrading to 7.0 won't be enough. Users should upgrade to 7.1 or 7.2 and keep an eye on PHP 7.3 at the end of the year.
Very excellent point; PHP 7.0 does indeed reach EOL around the same time as 5.6. Though, if an org is able to make the move from 5.6 to 7.0, the move up to 7.1+ is trivial, as no backwards-breaking changes have been introduced.
Just like it was a struggle to get people away from Windows XP and the mysql_ext, I fear it will take something drastic to get organizations to realize the 5.x lineage is now becoming a risk instead of an asset.