Today PHP 5 has died: what does this mean to you?

One of the most widely used languages for the web, still in use today, has reached the end of support, which leaves vulnerabilities open for the future. Scared yet?

This very day, the long life of PHP 5 has ended. Originally announced in 2014, PHP 5.6 became the final version from the team behind the language, as they decided to put all their effort into PHP 7, the new kid on the block.

Long gone are the days when PHP 5 performance problems and quirks made people look for other solutions, giving rise to other languages and techniques: Node.js (JavaScript), Python, Go, Java and even Elixir, among others. Clearly, PHP had a problem, both in performance and in modernity, and the world didn’t want to wait for the PHP Team and Zend to solve it. They barely made it in time, though.

The last breed of PHP 5 is no more, which not only takes major features and performance optimizations off the roadmap. It will also leave vulnerabilities unresolved for those who don’t update their servers, who make up 60% of the web servers in the wild.

The team behind the language is very serious when they say a version becomes unsupported. It’s because it’s f*cking unsupported. I haven’t heard of any important patch for any unsupported version, unlike Windows XP, which Microsoft had to patch while it was unsupported when WannaCry invaded.

What does it mean for me?

You may say this is too abrupt, but it wasn’t without warning. PHP 7 came in 2015, and since then everybody knew that sooner or later they had to jump, either by simply upgrading or by reworking part of their web apps for PHP 7 before doing so. Even the first version, PHP 7.0, has been superseded by PHP 7.1, PHP 7.2 and the recently released 7.3.

This sounds like Armageddon, but don’t worry. If you are a system admin, talk to your team about an impending upgrade and test the code, if you haven’t already. In any other case, staying just a little behind the curve in PHP versions is recommended, so you have time to understand the new features instead of rushing new code out of the door.

For the end-user, nothing changes. Well, almost.

Old startups or sites without proper maintenance may stick with PHP 5 for a couple of months, or even years, if they have applications that are too large and attached to that version. The problem will arise if an important vulnerability is discovered publicly: all these sites with your data will be at risk, no matter how good their service may be.

So who is vulnerable?

Big sites that work with PHP, like Wikipedia, Pinterest, WordPress.com (cloud hosted) and many others, are probably running one of the latest PHP versions, 7.1 to 7.3. So the biggies are covered because they have the resources and people in charge.

It’s a different story for those sites that rely on self-hosted software for any kind of content or shop. These include Magento, PrestaShop, Shopify, Joomla, Drupal, and WordPress, the last being the most widespread of all.

Since most of these small sites are hosted on shared servers and barely get any kind of maintenance, they are the ones that may have the biggest problems, though not immediately. Even if they want to update, the hosting owner may not have the latest PHP version available.

The only security recommendations for end-users are the most repeated on the web, since the death of PHP 5 is beyond end-user control:

  • Never use the same password on every site, or use a password manager.
  • Avoid directly submitting credit card information to sites that are not well known. Use intermediaries like Stripe, Amazon Payments, Braintree, PayPal, etc.

I pray for a quick PHP 7.1 adoption; you should too.