The end is near! At least for PHP 5.6 and PHP 7.0. Why update? Why is there so much old PHP out there? How to establish an up-to-date mindset.
This is a long read, including background, philosophical questions and trivia on the topic. Do not expect code examples.
Why upgrade to PHP 7.2 anyway?
It’s about time. “PHP 5.6” is the last 5 version around and there will be no security patches from December 2018 on. Any new vulnerabilities will not get fixed any more. The same applies to the initial PHP 7 release, version 7.0. It was released in December 2015. The current version is PHP 7.2 and PHP 7.3 is approaching next.
How much old PHP is still around?
As of September 2018: PHP 5 is still the most used version of PHP. Depending on who you ask, you will get different answers:
- ~80% old PHP according to W3Techs (PHP 7 also includes the deprecated PHP 7.0)
- ~66% old PHP according to WordPress
- ~21% old PHP according to Composer
Why the differences? Well, I believe W3Techs is just crawling the web sniffing the X-Powered-By header to get the version in use today. That includes all the public IPs with all the neglected websites out there. As this gives potential hackers information about the PHP version, it's common practice to suppress or fake this header, so maybe take this number with an extra grain of salt. WordPress is luckily a little ahead, as it is an active community of "web designers", with a big stake in the United States. And of course, Jordi with Composer is ahead, as those PHPeople are mostly "web developers" who care more about such things.
Who is to blame for all the old PHP?
And it’s the mass of shady shared hosting providers who are keeping their clients locked in to long-term contracts and outdated versions. I can imagine that half of those PHP 5.6 websites could actually be switched off by now. But that’s not in the interest of the hosting providers; they are more interested in keeping them around.
What to do about all the old PHP?
Whatever the real number of old PHP installations on the whole internet is, there will soon be tens of thousands of outdated and unprotected PHP servers out there waiting for hackers to take them over. Maybe we should all gather together and raise awareness of the situation so that more PHPeople wake up and update? What about a hashtag like
Or maybe, even better, that’s a call to establish new business models? Imagine, what would you do with that army of zombie servers? Bitcoin mining or Facebook farming?
Establish an up-to-date mindset
Keeping your own code and the underlying software dependencies up-to-date is more than just a good practice, it’s a requirement. On fortrabbit, we are in this together. We are responsible for keeping the infra up-to-date; you are responsible for the code you write and use. Updating keeps your code secure, fast and agile. Our clients are obligated to use up-to-date software by our terms under 4.13.
The up-to-date mindset requires some thinking ahead and discipline. Technical debt is the keyword here. Consider upfront that all the code you have out there will constantly need some attention and time.
It’s easier when you are both code maintainer and business owner, like with a start-up or as a freelancer on your own projects. It’s more complicated in bigger structures and in client-agency relationships. Make maintenance a topic early on and include it in your estimates. Raise awareness of the importance of keeping your software up-to-date. Reserve a time budget for that upfront.
I am very happy to see the PHP language under heavy development coming closer to shorter release cycles and even breaking some old habits. It’s alive. Let’s embrace change and move forward.
Originally published at blog.fortrabbit.com.