PHP is one of the widely used scripting languages at present. Based on the report from W3Techs, PHP is used in more than 78.9% of all the websites that use server-side programming language. In other words, almost eight out of 10 websites out there use PHP in one or the other way.
One crucial thing most business owners aren’t aware of is that a specific version of PHP will be supported only for a particular number of years. And, the performance of the latest PHP version in most cases will be much better than the previous versions.
Which versions of PHP are getting old?
Security updates for PHP 5.6 were stopped on 31st December 2018. For PHP 7.0, security updates were stopped on 3rd December 2018. To understand why security updates of these two versions are ending, you first need to understand what is meant by end-of-life (EOF).
What is end-of-life?
End-of-life in general means that the product is at the end of its useful period and the vendor will no longer support it. Depending on the vendor and the product, end-of-life differs.
In the case of PHP, starting from the initial release date, each branch is supported for two years. During this two-year-span, reported bugs and security issues would be fixed in regular point releases.
After this, each branch will be supported for another year, but only for critical security issues. Based on the number of reports, there might be multiple point releases or none at all.
Finally, when three years are over, the particular branch of PHP will enter its end of life and no issues will be fixed, including critical issues.
However, PHP 5.6 is an exception to this timeline. Since it is the final version of PHP 5 and also one of the most used versions, the support period was doubled and now ends on December 31st, 2018.
Why is a product subjected to end-of-life?
Over the years, new updates and features for the product will be developed. Therefore the focus will be shifted in building and making the new features better and secure.
Moreover, when a better version of the same product is available why use the old version?
What will happen if I don’t update my Magento site to 7.2?
Since the security updates for PHP 5.6 and 7.0 will not be delivered, your website will be vulnerable to potential hacks and malware which can lead to serious problems, some of them are:
- Sensitive customer data such as banking information can be stolen.
- Admins might lose controls and admin credentials might be exposed.
- The website can be taken down and made offline.
- Inappropriate ads can be shown which can affect the brand image badly.
- Customers can be redirected to other websites.
- Ranking in search engine results can be severely affected.
Why are still many business owners slow or not upgrading to PHP 7.2?
As per the report from BuiltWith, about 30,952 websites are currently running on Magento 1.9. And, there are still numerous websites that run on lower versions of Magento 1.9.
There are plenty of reasons for why Magento 1.x sites are not upgraded to Magento 2. The important ones are:
- The first reason is that most business owners aren’t aware of the fact that support for PHP 5.6 and 7.0 are getting over by December 2018. Some businesses don’t have a technical team. Therefore business owners can’t be blamed for not knowing the events happening in the technical field.
- It takes effort and time to apply the patch and to make the site components such as extensions, themes to be compatible with PHP 7.2 if the providers don’t deliver it. Also, extensive testing should be carried out to make sure that the website works properly. Since the process involves handling the main aspects of the website, it is very crucial to select the right Magento agency to do it.
- Vendors who provide extensions, plugins and so on might take time to release the updates. Hence it can cause a delay.
- The hosting provider might be reluctant in providing updated PHP versions as it might bring additional support tickets to them.
We as the Leading Managed Magento Hosting Provider, on the other hand really appreciate when our clients ask us to Upgrade their PHP Versions.
How to protect my Magento 1.x website?
There are two methods to protect your Magento 1.x site. Either you have to update the PHP version to 7.2 and apply the patch released by Magento, or you have to migrate your Magento 1.x website to the latest Magento version.
Upgrade PHP to 7.2 and install the patch from Magento.
The easiest way to make your Magento 1.x website secure is to upgrade to PHP 7.2 and apply the patch released by Magento officially. This patch will make your Magento core compatible with PHP 7.2.
- Backup database, code, and media of your website
- Update your PHP version via web hosting panel or using shell commands.
- Install the patch.
Important Note: This patch will only make the Magento core of your online store compatible with PHP 7.2 and not the extensions.
Since you have updated your Magento core, the extensions added to your site, in most cases, might not work.
You have to update the extension to make it compatible with PHP 7.2. If the extension provider does not deliver the required update, then you have to update the extensions.
If you can’t update the extensions, you can hire a Magento developer or a development agency to do it for you.
Upgrade your Magento 1.x site to the latest Magento 2.2.6 or Magento 2.3 version.
Magento 2.2.6 and 2.3 utilize PHP 7.1.x which means that switching to Magento 2.2.6 will make your online store secure.
Migrating to Magento 2.2.6 is not only about improving the security status of the website. It also results in significant performance and other improvements.
One noteworthy improvement is that re-indexing time has decreased up to 98%. Which means it now takes only a minute to re-index product catalogs whereas in the previous versions it takes up to 40 minutes for the same task.
Important note: Migrating from Magento 1.x to Magento 2.x is almost similar to building your site from the start.
Is it really necessary to upgrade to PHP 7.2?
The above graphs show the number of PHP vulnerabilities by year. It is clear that 2016 was the second worst year for PHP and 2017 was the third worst year for PHP. These vulnerabilities include code DoS, SQL injection, XSS, memory corruption, exploits, and directory traversal. Some crucial vulnerabilities are plotted according to the years in the below graph.
PHP 5.4 is not patched since 2015 and PHP is not patched since 2016. This means that any website using PHP 5.4 or 5.5 or older versions are highly vulnerable to these attacks.
Let’s see how many websites are running on 5.5 and older versions.
It might be a bit surprising but almost 40.4% of the sites still run on PHP 5.6, and 16.6% of the websites are still running on 7.0. Approximately a total of 22.4% of the websites run on PHP 5.5, 5.4 and 5.3.
Every time PHP releases an update for a critical security issue; hackers will exactly know where the vulnerabilities are present. If your site isn’t updated, hackers might use these as opportunities to exploit your website.
It is not just security. There’s more.
According to Phoronix, PHP 7.2 is 13% faster than 7.1 and 250% faster than PHP 5.6.
For instance, Magento 2 (CE) 2.1.11 running on PHP 7.1 can handle almost 30 requests per second whereas the same Magento version can handle almost 11 requests per second. Hence, online stores that use PHP 7.2 have a great advantage over the online stores that don’t.
Hosting Plays a very important role when we talk about websites’ security. Read more about How to Choose Best Magento Hosting Provider.
About the Author:
Santhosh Sundararajan works with the digital marketing team at Codilar Technologies. He writes about multichannel commerce, Magento, e-commerce trends, upcoming technologies, and business strategies.
Disclaimer: Facts and opinions expressed in this article are of the Guest Author and do not necessarily reflect the official position of ‘ServerGuy.