The large majority of Magento stores globally are still running on an outdated and unsupported PHP version. If you are on anything below version 7.2, chances are you are missing out on some performance improvements. However, more importantly, you are exposing your store to an increased risk of potential exploits.
Why is this important? Why should you update the PHP version? How to do it with as little friction as possible? Read on!
As reported by Sanguine Security (operated by one of the household names around the eCommerce and, in particular, Magento security topics – Willem de Groot), less than 10% of all Magento stores out there are running on one of the supported versions of PHP.
This was a tweet that started a broader debate on the state of PHP within the Magento ecosystem.
— Sansec (@sansecio) November 13, 2019
What’s the situation now (December 2019)?
I asked the Sanguine Security team for an updated chart, and they replied – so, not much has changed overall. We are still in the same “only 10% are in the clear” area.
A slight shift from 7.0 to 7.3 since last month… pic.twitter.com/L6mA8Vi8oq
— Sansec (@sansecio) December 23, 2019
This creates a huge potential risk for various exploits in the wild, and merchants should take care of this as soon as possible.
Where’s the actual problem? Why is PHP version that important?
Well, let’s start with what this whole thing is about – the PHP version is essentially the version of the programming language your website is using.
And it’s simple – new versions get the support and updates, old ones are slowly getting discontinued. The Circle of Life really. Additionally, performance-wise, newer versions are better, and most of the new programming solutions are probably going to be built on the latest versions, and lack backward compatibility for outdated ones.
So, in a nutshell, you should be on one of the supported (if not the latest) versions of PHP due to two basic things – security and performance.
PHP supported versions and timelines
Here is a quick rundown of the PHP versions and how they fare when it comes to support and security updates available:
- 7.3 and 7.4 – fully supported versions
- 7.2 – under security support until Nov 2020
- 7.1 – recently discontinued security support (Dec 2019)
- 7.0 – no support since December 2018
- 5.6 and older – no support since December 2018
Full data for this is available on the official PHP website.
Why are so many stores still using older PHP versions?
There are many reasons for this, but I’d say that most of these can fall under two categories:
“We didn’t do it because we saw no value in spending money on this.”
“We weren’t aware this was an issue at all.”
The first one is very common as very few merchants have somewhat of a “security budget” in place. Yes, some of this can fall under the “ongoing maintenance” item. However, more often than not, things like these get put aside. And then they are simply forgotten as we run our business as usual.
The second one is mostly here because there is a vast number of Magento 1 stores that don’t have quality development or business support outside the store owner’s team. Many merchants run things on their own, and only ask for help when something’s not working.
So, here we are, at the end of 2019, with 90% of Magento stores running on an unsupported version of PHP.
Does this mean I have to upgrade to Magento 2 as soon as possible
You don’t, just for the sake of being on the supported version of PHP. There are some advantages to migrating to Magento 2, and for some merchants, this can be an overkill. We have talked about various options you have in this video, so make sure to check it out to get the big picture.
But, for the sake of this topic, you can stay on Magento 1 and make sure you are running on one of the newer versions of PHP.
How can I make my Magento 1 store compatible with PHP 7.2?
Glad you asked 🙂 Luckily, there are official patches available for making Magento 1 compatible with PHP 7.2, and we happily contributed to making this available for merchants globally after we started the PHP 7 compatibility for Magento 1 stores initiative way back in 2015.
Here you can find more details on how to patch your Magento 1 stores if you don’t plan a migration to Magento 2 very soon.
There are some prerequisites in place for using these patches. You should be running on versions 1.9.2.x or higher for Magento Open Source, and 1.14.2.x of higher if you are on Magento Commerce.
I’m using Magento 2, so I should be ok, right?
Well, it depends 🙂 It depends on the version of Magento 2 you are using. It’s not a given that you are automatically on one of the supported PHP versions. Magento 2.3.x versions fully support PHP 7.2 version, so if you are there, you should be safe when it comes to PHP version for now.
This post is one piece to raise the awareness of merchants, their solution and hosting partners, around this particular topic. Running on one of the latest PHP versions is a quick win to improving both the security and performance of an online store.
Security, however, doesn’t start and end with the version of PHP or Magento you are using.
You should always be on the lookout for the official Magento patches that are coming out. And have an open conversation about your security plans with your partners.
What are my next steps?
Running on the supported PHP version will not make miracles happen for your store. But, it can prevent a lot of potentially bad things from happening.
The overall security and performance of any webshop is a much broader topic to cover. However, certain things (like the one described in this post) can definitely help you improve in both areas. And the good news is, they shouldn’t create too much of a burden on ongoing business.
To clarify some things that may create confusion, and to give you some action points:
- If you are running a Magento 1 store on an unsupported PHP version, you should definitely update the PHP version. And do it as soon as possible. This is much more important than updating your Magento 1 store or planning a migration to Magento 2.
- If you are on Magento 2, make sure you are using one of its latest releases (2.3.x).
- If you are on the fence about the whole M1 to M2 thing, check out this video to learn more about your options.
In any case, before anything, consult with your development and hosting partners. They should be the ones to assist you with the actual next steps, because they (should) know your website inside out and guide you throughout this process.
If you need assistance with making sure you are using your Magento store in the best way possible, get in touch with us and let’s talk!