Is it time to update PHP?
According to the site "CVE Details", at the time of writing PHP 5.6.40 has no known vulnerabilities. However, since this version is no longer actively supported by the PHP project itself, the situation could change within months: any new vulnerability found in 5.6 will not receive a fix. So with this in mind there's no excuse for sitting on your hands; it's time to think about what the update means for your sites and web applications.
What’s in a version?
Software version numbers commonly follow the format of a major version followed by a minor version; in PHP the jump from 5 to 7 was a major one, with many backwards-incompatible changes. You may be wondering what happened to version 6? That didn't go very well, and rather than stick with a broken version the people behind PHP decided to start over, so 6 was swiftly retired.
At the time of writing, over 70% of sites according to W3Techs are still using the older PHP 5. Slow adoption of the latest software version is common, but as more becomes known about PHP 7 the benefits become clearer.
The release of 7 finally brings forward many incremental fixes and improvements to the language that make it more robust, faster and easier to work with. There have been several minor iterations of PHP 7, with 7.3 being the current stable release, and each minor version brings further step changes.
Do I need to update at all, what are the risks?
Failing to keep your site up-to-date could very well result in your site being compromised. This can mean the loss of passwords or data, exploitation of your visitors and more; certainly a situation that most site owners should want to avoid.
At the time of writing the practical risk of being hacked through PHP 5.6 itself is minimal; the theoretical risk, however, is high, since there is no one at PHP actively maintaining this version anymore.
Many hosts, as we do, actively monitor all services for unusual activity, which gives an extra layer of security. If you're running a sensitive site or secure services you may want to ascertain what controls are in place and look at fast-tracking the update, since in many cases an update is quick and painless to carry out.
If your site has been compromised then get in touch; we have saved many sites from the brink in the past and can provide emergency services and talk you through the options.
Keeping your server patched and up-to-date
Some hosts may allow you to continue using a legacy version of PHP. We strongly recommend not doing this unless it is your only option, or as a short-term solution. By continuing to use out-of-date software you're simply adding to the work required later, when support is finally dropped and you have to update anyway.
It may not even be legal to run a site with known vulnerabilities, for example if you're processing personal data. A compromised site could end up processing data you didn't even know it was collecting. Simply put, this is one component of your site's hosting that needs to be maintained.
On the plus side, PHP 7 is significantly faster than 5, so your site(s) will run even quicker once updated.
It is important to use a service where the software stack on which your site relies is being maintained. For example, our managed service includes the scheduling and application of these patches in a structured way. We check daily for security notices and updates, and have a process for checking and updating the services we maintain.
If you're not a Web-Engineer customer and would like assistance with your upgrade then do get in touch; we'd be glad to help with your migration and can provide a pay-as-you-go service. An update can take from as little as a few hours to a few days, depending on the nature of your site. Complex bespoke sites may require significant work, but the good news is we have the facilities here to proof changes, test and stage for release using our enterprise development platform, meaning that every line of code updated is tracked and managed in an appropriate way.
PHP is one of many software components, often run on the server, that process web pages. Computer software packages have a finite life cycle, particularly on the internet, where the public can access the services. Given the size and complexity of the internet and the content it contains, there are always technical innovations and challenges to overcome. This invariably means software gets updated and improved.
In the case of PHP, the product lifecycle generally follows a three-year cycle, with some exceptions. 5.6 was the last in a major release line and as such support was maintained for longer than usual.
Furthermore, the operating system itself also has a specific lifecycle; for enterprise Linux this is usually a 10-year cycle. Moving servers when a new architecture is available can be a relatively seamless process with little or no downtime. By keeping technologies such as PHP up-to-date we ensure that the transition of a complete system has the best possible chance of success when that date comes.
How long should this take, what’s involved?
If you’re running an unsupported version as a Web-Engineer customer, you would have received a notification from us with details on what steps are being taken, any costs that may be associated in completing these works and when they can be completed.
Open-source sites we support
For our customers on our managed support packages (such as WordPress or other off-the-shelf CMS), where the update is from version 5 to 7 we will carry out the update on a parallel copy of your site for you to acceptance test before applying it to your live site. We have found that some customers running heavily customised versions of WordPress can experience issues. In these cases, if the customisations were made by third parties we will need to estimate remedial works in order to complete your site update. Minor version updates may be carried out in parallel where the risk is deemed low.
If you're self-hosting, most hosting control panels should include a PHP version option; toggling the PHP version should be very easy to try out to see how your site behaves, and the process is usually easy to reverse if things don't work as you'd expect. If you're looking for a team to assist with your update feel free to get in touch. For new customers migrating to our platform we now often include migration and update services as part of the ongoing managed service cost (subject to conditions).
Software solutions that are not "off the shelf" may require wide-ranging updates. One of the benefits of using an open-source framework is that you benefit from the contributions of others to the code base, which often improves the chance that future updates will go smoothly.
The 5 to 7 update includes some fundamental changes, as detailed on the PHP source site. Database abstraction and many language improvements mean that in many cases these can be done in a few days' work. In cases where deprecated features were widely used this process may take longer. The significant area to pay attention to is the "backwards incompatible" changes: these are changes that break code written for the previous version, rather than merely warning about it.
Minor version updates are typically included in support and maintenance plans. A major revision such as this may not be covered as standard; for our customers we try to estimate and schedule the works well in advance of the critical dates.
The good news is that many hosts will allow running the out-of-date version short term. Certainly, we plan to continue to support sites for the rest of this quarter under our extended support programme, to allow this transition period to complete.
For our customers, security advisories and errata will be monitored for this period. Our advanced application monitoring and firewalls also add layers of additional protection, and we run regular off-site backups. This ensures we have a high chance of dealing with issues should they arise. If you don't host with us you may want to check what your host is doing to make sure your site is safe.
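As an added illustration (not code from the original article), here are two PHP 5.6 constructs that the PHP 7 backwards-incompatible changes remove outright, each beside its PHP 7 replacement; the table, column names, DSN and credentials are placeholders:

```php
<?php
// Added example: two PHP 5.6 constructs that break on PHP 7, each beside
// its PHP 7 replacement. Table, column, DSN and credentials are placeholders.

// 1. The mysql_* extension was removed in PHP 7.0. On 7.x every call below
//    fails with "Call to undefined function mysql_connect()".
function findUserLegacy($id)
{
    $link = mysql_connect('localhost', 'dbuser', 'secret');
    mysql_select_db('shop', $link);
    // Concatenating the value into the SQL text: an injection risk on any version.
    $res = mysql_query("SELECT name FROM users WHERE id = " . $id, $link);
    return mysql_fetch_assoc($res);
}

// PHP 7 replacement (7.1+ for the nullable return type): PDO with a prepared
// statement. The bound parameter keeps the value out of the SQL text, so the
// rewrite fixes the removed-extension problem and the injection risk together.
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. The preg_replace() /e modifier (evaluate the replacement as PHP code)
//    was removed in 7.0; on PHP 7 it emits a warning and returns null, which
//    silently breaks callers that expect a string.
function upperWordsLegacy($text)
{
    return preg_replace('/\b(\w)/e', 'strtoupper("$1")', $text);
}

// PHP 7 replacement: preg_replace_callback() with an ordinary closure, which
// also removes the eval-style code execution that /e implied.
function upperWords(string $text): string
{
    return preg_replace_callback('/\b(\w)/', function (array $m) {
        return strtoupper($m[1]);
    }, $text);
}

// Usage on PHP 7; the DSN and credentials are placeholders for your own.
$db = new PDO('mysql:host=localhost;dbname=shop', 'dbuser', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
var_dump(findUser($db, 42));
echo upperWords('hello php seven'), PHP_EOL;
```

Running the legacy functions under a PHP 7 binary is a quick way to confirm that a site really depends on removed features before committing to the update.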
Alternative options – can we just stay as we are?
It is possible to run on an old version of PHP in exceptional circumstances. To do this you'll need your own dedicated server or private virtual server. Obviously there is no guarantee your server is safe and secure, and should your site be compromised your host will likely reserve the right to take the server offline until the issue is resolved. A compromised site presents significant risk both to your site data and to others on the same network.
Based on our knowledge we recommend that you don't delay in updating to PHP 7, but make sure you know how this is being handled and when. The risks are very low at this point in time, but you should not be complacent. If you would like to get in touch with one of our team, do feel free to contact our support team.
As a closing thought: if you collect customer data then you will also be subject to the GDPR regulations, and in the case of the PHP update, as a site owner and a data controller you have a duty to ensure that the systems and services you use to store individuals' personal information are maintained and up-to-date. This means knowingly running out-of-date software could leave you potentially liable.
For many simply running an informational site with no customer login or customer information held in a database, there are still risks. Whilst this is not an immediate problem, you need to remember that a compromised site could be made to collect data or worse, and knowingly facilitating this could land you in hot water. As website owners it's important to manage your site responsibly.