90% of Magento websites are running on unsupported PHP versions. Why is this a problem and how can you (we) solve it?
The large majority of Magento stores globally are still running on an outdated and unsupported PHP version. If you are on anything below version 7.2, chances are you are missing out on some performance improvements. However, more importantly, you are exposing your store to an increased risk of potential exploits.
Why is this important? Why should you update the PHP version? How to do it with as little friction as possible? Read on!
As reported by Sanguine Security (operated by one of the household names around the eCommerce and, in particular, Magento security topics – Willem de Groot), less than 10% of all Magento stores out there are running on one of the supported versions of PHP.
This was a tweet that started a broader debate on the state of PHP within the Magento ecosystem.
In a few days, PHP 7.1 will stop receiving security fixes. Only 9% of Magento stores worldwide will run a secure PHP version. https://t.co/tju0CtjcIb pic.twitter.com/BgzDyGJbUH
— Sansec (@sansecio) November 13, 2019
What’s the situation now (December 2019)?
I asked the Sanguine Security team for an updated chart, and they replied – so, not much has changed overall. We are still in the same “only 10% are in the clear” area.
A slight shift from 7.0 to 7.3 since last month… pic.twitter.com/L6mA8Vi8oq
— Sansec (@sansecio) December 23, 2019
This creates a huge potential risk for various exploits in the wild, and merchants should take care of this as soon as possible.
Where’s the actual problem? Why is PHP version that important?
Well, let’s start with what this whole thing is about – the PHP version is essentially the version of the programming language your website is using.
And it’s simple – new versions get the support and updates, old ones are slowly getting discontinued. The Circle of Life really. Additionally, performance-wise, newer versions are better, and most of the new programming solutions are probably going to be built on the latest versions, and lack backward compatibility for outdated ones.
So, in a nutshell, you should be on one of the supported (if not the latest) versions of PHP due to two basic things – security and performance.
PHP supported versions and timelines
Here is a quick rundown of the PHP versions and how they fare when it comes to support and security updates available:
- 7.3 and 7.4 – fully supported versions
- 7.2 – under security support until Nov 2020
- 7.1 – recently discontinued security support (Dec 2019)
- 7.0 – no support since December 2018
- 5.6 and older – no support since December 2018
Full data for this is available on the official PHP website.
Why are so many stores still using older PHP versions?
There are many reasons for this, but I’d say that most of these can fall under two categories:
“We didn’t do it because we saw no value in spending money on this.”
or
“We weren’t aware this was an issue at all.”
The first one is very common as very few merchants have somewhat of a “security budget” in place. Yes, some of this can fall under the “ongoing maintenance” item. However, more often than not, things like these get put aside. And then they are simply forgotten as we run our business as usual.
The second one is mostly here because there is a vast number of Magento 1 stores that don’t have quality development or business support outside the store owner’s team. Many merchants run things on their own, and only ask for help when something’s not working.
So, here we are, at the end of 2019, with 90% of Magento stores running on an unsupported version of PHP.
Does this mean I have to upgrade to Magento 2 as soon as possible
You don’t, just for the sake of being on the supported version of PHP. There are some advantages to migrating to Magento 2, and for some merchants, this can be an overkill. We have talked about various options you have in this video, so make sure to check it out to get the big picture.
But, for the sake of this topic, you can stay on Magento 1 and make sure you are running on one of the newer versions of PHP.
How can I make my Magento 1 store compatible with PHP 7.2?
Glad you asked 🙂 Luckily, there are official patches available for making Magento 1 compatible with PHP 7.2, and we happily contributed to making this available for merchants globally after we started the PHP 7 compatibility for Magento 1 stores initiative way back in 2015.
Here you can find more details on how to patch your Magento 1 stores if you don’t plan a migration to Magento 2 very soon.
There are some prerequisites in place for using these patches. You should be running on versions 1.9.2.x or higher for Magento Open Source, and 1.14.2.x of higher if you are on Magento Commerce.
I’m using Magento 2, so I should be ok, right?
Well, it depends 🙂 It depends on the version of Magento 2 you are using. It’s not a given that you are automatically on one of the supported PHP versions. Magento 2.3.x versions fully support PHP 7.2 version, so if you are there, you should be safe when it comes to PHP version for now.
This post is one piece to raise the awareness of merchants, their solution and hosting partners, around this particular topic. Running on one of the latest PHP versions is a quick win to improving both the security and performance of an online store.
Security, however, doesn’t start and end with the version of PHP or Magento you are using.
You should always be on the lookout for the official Magento patches that are coming out. And have an open conversation about your security plans with your partners.
What are my next steps?
Running on the supported PHP version will not make miracles happen for your store. But, it can prevent a lot of potentially bad things from happening.
The overall security and performance of any webshop is a much broader topic to cover. However, certain things (like the one described in this post) can definitely help you improve in both areas. And the good news is, they shouldn’t create too much of a burden on ongoing business.
To clarify some things that may create confusion, and to give you some action points:
- If you are running a Magento 1 store on an unsupported PHP version, you should definitely update the PHP version. And do it as soon as possible. This is much more important than updating your Magento 1 store or planning a migration to Magento 2.
- If you are on Magento 2, make sure you are using one of its latest releases (2.3.x).
- If you are on the fence about the whole M1 to M2 thing, check out this video to learn more about your options.
In any case, before anything, consult with your development and hosting partners. They should be the ones to assist you with the actual next steps, because they (should) know your website inside out and guide you throughout this process.
If you need assistance with making sure you are using your Magento store in the best way possible, get in touch with us and let’s talk!
9 comments
Who knew PHP versions could be so fascinating? 😄 Great read! Adding my perspective: Considering security is crucial, but let’s not forget about the performance boost with the latest version!
Most people ignoring the version of PHP in their Magento store. I think most of the problems are arising because of it.
Now we have PHP 7.4.4 and both all versions of M1 and M2 doesn’t support it. Geez, too many updates and we cannot keep up. Haha!
Magento just recently allowed for the upgrading of pho to 7.3 and before that it struggled to get to 7.2. PHP as a code keeps deprecating major things that Magento coders have used as staples in the crib job back ends, reindexing, and for sure the main Magento script. I had to rely on remi repos and a specialized https.conf file along with an add-on php-fpm in order to dual host my laravel and Magento store at the same time. That or I was forced to downgrade, which is inopportune due to all the vulnerabilities.
On top of all of this. I just noticed… Why on Earth would anyone in the world still be on 1.9.x…
Hi Chris, thanks for your comment. Yes, Magento is not keeping up to date with PHP versions, now there’s talks on whether 2.3.4 release will be compatible with 7.4 out of the box. Now, when it comes to why there are still stores on 1.9.x (or even 1.14.x if talking about Magento Commerce), this is not a surprise at all.
1.9.x is the result of 10 years of development of a product (Magento 1) and it is by far the best version of Magento 1. Many early adopters of M2 burned themselves (and we were there too) because of the issues with 2.0, 2.1 and even 2.2 to an extent.
Now with 2.3 things are picking up, but you can’t blame those merchants that made a (good) decision to continue focusing on their products and marketing rather than on the code, while running on a stable software. We’ll see what they will decide now as EOL is approaching.
We’ve prepared a short video with options for merchants that might be helpful – not sure if you checked that out – https://www.youtube.com/watch?v=c2Bs_A4Fy0w
I wouldn’t say all the other 90% are running an insecure PHP version as some Magento stores are powered by HardenedPHP (part of CloudLinux and imunify360).
HardenedPHP includes security patches and fixes for PHP versions as old as 4.4, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 7.0 and 7.1.
Hi James, thanks for your comment. Do you have any numbers as to how many Magento stores are using HardenedPHP? To sort out the confusion – I mentioned in the post that security is a very layered topic, so I didn’t say that all those sites are running an insecure site, but that their version of PHP is no longer officially supported.
There are initiatives like this one, and I’d say that this is also a good short-term alternative to updating your PHP version, and especially compared to migrating to Magento 2 (if we are talking about the sheer effort or budget needed).
However, running on older versions (of both PHP and Magento) for too long can affect performance, not just security, so the sooner some plans for updates are made, the better.
I develop web based applications using DreamWeaver MX and PHP5.6
When I select PHP version 7.2 on the shared hosting server, many of php code does not work. What would you suggest for me. Thanks and Regards.
Hi Arun, thanks for your comment. I’m not that familiar with the details there, but you should contact your hosting provider for some guidance and troubleshooting around this, I’m sure they’ve come across similar issues before. Hope you’ll sort it out soon.