Upcoming PHP 5.6 disabling
Monday, October 15th, 2018 - General
(Update: October 16 – This will also apply to users using PHP 7.0, but there are very, very few users using PHP 7.0. We skipped PHP 7.0 as a default version and went straight to PHP 7.1 so there are only a handful of PHP 7.0 users that will be affected by this)
We will be switching accounts that use PHP 5.6 to PHP 7.1 on November 20, 2018. This date is more than a month away, if you are affected by this, please use this time to work towards updating your script/web application/plugins to be PHP 7.1 compatible.
Why is it important to switch to remove PHP 5.6?
PHP 5.6 is approaching end-of-life. If you don’t believe me, you can visit the php.net website and see the full schedule:
http://php.net/supported-versions.php
There you can see PHP 5.6 will receive security support updates until December 31, 2018 – that is fastly approaching. We did not design this schedule. This is simply PHP’s schedule of life for it’s programming language. It is not a good idea to rely on a programming language that is not being supported by it’s developers.
My script works, why do I have to upgrade it?
Just because your script works, doesn’t mean it’s not being exploited or has security holes that cannot be compromised. A lot of hacks and abuse happen because hackers are able to burrow their way into a website’s script or web application and perform malicious actions without the website owner knowing about it. If you are using a script, web application, or plugins that still relies on PHP 5.6 then chances are great that the developer of that script/web application/plugin has not audited the security of their work in several years.
If your account is using a script, web application, or plugin that still requires PHP 5.6, then it falls into 1 of 2 categories:
• The script, web application, or plugins you are using are out of date. Updates may be available but for whatever reason, you have not applied them to your account. Updates have to be applied to your account in order for you to reap the benefits of those updates. I think sometimes people may think that just because an update to a script/web application/plugin is released to the public then they are protected. That is not the case. Developers release updates of their products, but it’s up to the users of those products to grab the updates and apply them to their account.
• The script, web application, or plugin you are using has been abandoned by it’s developers. This is called abandonware and it is quite common. A developer may create a script, web application, or plugin release it to the public – they may even release a few updates for it – but eventually it becomes too time consuming for the developer and they quit publishing updates or working on the project and the project becomes abandoned. This puts the people that have installed and used that particular script, web application, or plugin in a difficult spot. This is why we always encourage you to use only reputable scripts, web applications, and plugins – items that have a higher confidence of staying actively developed.
Developers of scripts, web applications, and plugins have a responsibility to stay in tune with the current scheduling of the programming language they are using. There’s really no excuse for a reputable developer to be unaware of PHP 5.6 upcoming end-of-life at the end of 2018. I know that I would not want to put a lot of trust in a developer that is caught off guard of this upcoming end-of-life.
So what actually is going to happen on November 20, 2018?
On Tuesday November 20th, 2018 we will begin switching accounts that are using PHP 5.6 to PHP 7.1. If you find your website to no longer be working after this switch, contact us and let us know and we will reluctantly switch your account back to PHP 5.6. But please understand, you are going to have to get with it, because PHP 5.6 will be removed at the end of 2018 meaning a downgrade to PHP 5.6 will no longer be possible.
Why are you pushing PHP 5.6 out the door?
Because we believe in a safe and secure Internet. We believe scripts that still rely on PHP 5.6 are a security risk to you, to our servers, and to the rest of the Internet users. Compromised scripts, web applications, and plugins is what leads to spamming, phishing attacks, information leaks, and other malicious/abusive actions. Our purpose in all of this is to promote a safer and secure hosting environment for all of our users.
When will PHP 5.6 be completely disabled?
Our hope is that by November 20, 2018 everyone that was using PHP 5.6 will have updated their scripts/web applications/plugins to PHP 7.1 compatible versions. But we will reevaluate where we stand after November 20, 2018. We may have to do another round of disabling PHP 5.6 in December depending on what the uptake is for this November 20th deadline.
My script requires PHP 5.6 and there is no update to it.
See the abandonware paragraph above. If your script requires PHP 5.6 and there is no update for it, then it has been abandoned by it’s developers and you need to seek an alternative script/web application/plugin.
Can you please give me more time to get ready for this November 20th deadline?
No, unfortunately we cannot push this date back any further. If you are still having issues with this on November 20th after your account has been switched to PHP 7.1, contact us and we will reluctantly switch you back to PHP 5.6. But please understand you are getting very close to the deadline for PHP 5.6 to officially become end-of-life. We are not going to push back this November 20th soft deadline because it will take away the sense of urgency to this matter.
Can you use a hardened version of PHP 5.6?
No, this is not something we philosophically believe it. The issue at hand isn’t really so much the PHP version, the issue is more the fact that you are using a script that requires an end-of-life version of PHP. Hardening old versions of PHP is fine, but it’s not going to stop compromises and security holes in old scripts/web applications/plugins that rely on these end-of-life versions of PHP. And a hardened PHP version is not going to protect your outdated, security-hole filled script from being exploited.