First released in 2004, PHP 5 is one of the most popular web scripting languages in use today, but in a few weeks (December 31) PHP 5 will stop receiving security patches.

End of life: A release that is no longer supported. Users of this release should upgrade as soon as possible, as they may be exposed to unpatched security vulnerabilities.

The end of support for popular software is always significant, and there are some steps you should take to determine a) which of your applications are running on PHP 5 and b) how to upgrade or migrate them to a supported PHP 7 release.

62% of all Internet sites run PHP 5

ZDNet found that around 62% of all Internet sites will be affected by this end of life. The whole article is worth your time, as it provides many more technical details than we’re discussing here. This blog post focuses on using Censys data to measure the historic prevalence of PHP 5 on the Internet and compares it to PHP 7 prevalence, which will still be receiving support well beyond PHP 5’s December 31 end of life.

Adding to the concern over PHP 5's loss of support is the fact that it already has 225 known vulnerabilities, many of which carry a CVSS score of 5.0 or higher. The end of security support will, of course, leave future bugs unpatched and give attackers more gaps to exploit.

Figure 1 breaks down vulnerability severity as CVSS score by PHP 5 minor version. This data is based on the NIST NVD data set as of December 1, 2018.

Figure 1. The X axis shows the PHP 5 minor versions, the Y axis shows the Common Vulnerability Scoring System (CVSS) score, with 10 being most severe, and each cell shows the number of vulnerabilities for that PHP 5 version at that score. The darker the cell, the higher the vulnerability count. Data source: NIST National Vulnerability Database (NVD).

While PHP runtimes have had their share of security flaws, the bulk of website compromises come through web application flaws, not runtime flaws. That said, PHP 7 removes or hardens several PHP 5 APIs. The clearest example is database access: the old mysql_* extension, which encouraged building queries by string concatenation, was deprecated in PHP 5.5 and removed in PHP 7.0, so a migrated application has to use mysqli or PDO, both of which support prepared statements. In general, a PHP 7 migration raises a web application's security profile. If you're unsure whether this affects your sites, the steps below will help you determine whether this is a problem on your network and how to remediate it.

Measuring the potential impact of PHP 5 end of support and security updates

Censys scans the Internet at large and collects the data servers present. Using our historical data sets over the last 19 months, we examined the X-Powered-By HTTP header to establish a lower bound on the number of PHP sites, aggregated by major version, PHP 5.x or PHP 7.x (shown in Figure 2). (Note that the PHP group never released version 6, hence the version jump.) This header is our breadcrumb indicating which servers run PHP and which version. It is only a lower bound because PHP sends the header only when the expose_php configuration directive is enabled; operators who turn it off, or who strip the header at a proxy, are invisible to this method, so their servers are not counted here.

Figure 2 shows that PHP 5 continues to dominate the PHP landscape, while PHP 7 adoption is steadily growing but at a population size that doesn’t yet rival PHP 5. Over this time range PHP 5 usage stays fairly steady, with around 3 million servers using the language, while PHP 7 peaks most recently at around 500,000 servers. Assuming PHP 5 prevalence remains as steady as it has in the past year, we can infer that it will take almost another seven years for the PHP 7 population to equal PHP 5’s population.

Figure 2

Breaking this down further by PHP 5 minor version (shown in Figure 3), again using 19 months of Censys historical data, we can see that PHP 5.3 dominates the PHP 5 landscape, not PHP 5.6 (the last PHP 5 release line) as we would have expected. The population of servers running PHP 5.3 trends down over this year and a half, but it remains significant. Note that the PHP project itself stopped releasing PHP 5.3 updates in 2014, so those hosts have been depending on distribution backports, if they receive any updates at all.

Figure 3

The continued dominance of PHP 5 was surprising, as we expected recent base installations to use PHP 7. Distributions such as Ubuntu have shipped PHP 7 as the default since Ubuntu 16.04, so a fresh install ends up on PHP 5 only if someone deliberately installs it, overriding the default. A more likely explanation is a large population of servers on older distribution releases that still ship PHP 5 (for example, Ubuntu 14.04 ships PHP 5.5, Debian 8 ships PHP 5.6, and RHEL/CentOS 6 ships PHP 5.3, which may account for much of the PHP 5.3 population). We didn't measure operating system age for this writeup.

Another likely explanation is that some popular web applications expect PHP 5, and upgrading to PHP 7 can break them. Major applications like WordPress have tricky upgrade procedures for existing installations, which may complicate matters, although WordPress has recommended PHP 7 since late 2017.

The most popular PHP 5 applications to look for are WordPress, Joomla, and Drupal, none of which will require PHP 7 by PHP 5's end of life date. (Drupal will enforce the use of PHP 7 by March 2019.)

Searching the Internet for PHP 5.x via Censys

To find everything publicly accessible on the Internet running PHP 5 (brace yourself for about 4 million search results), start with the following query.

Essentially, what you want to do here is search for everything that advertises an affected PHP version in the X-Powered-By header on any of the common web ports:

80.http.get.headers.x_powered_by: PHP\/5.* OR 8080.http.get.headers.x_powered_by: PHP\/5.* OR 443.https.get.headers.x_powered_by: PHP\/5.*

Finding applications within your network running PHP 5

To narrow these search results down to what actually matters to you from a corporate security perspective, wrap that general search in parentheses and add a clause matching TLS certificates that contain your domain. It will look something like this:

(80.http.get.headers.x_powered_by: PHP\/5.* OR 8080.http.get.headers.x_powered_by: PHP\/5.* OR 443.https.get.headers.x_powered_by: PHP\/5.*) AND 443.https.tls.certificate.parsed.names:

Run this search for each domain your organization owns. To find all servers, including those without a TLS certificate, search instead by the CIDR blocks your organization owns, using the ip field and specifying a network, for example ip:
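The same scoping can be done offline once you have scan results in hand. The following Python script is an added example (not part of the original post and not a Censys tool): it applies the X-Powered-By breadcrumb from the measurement section above to a set of raw HTTP responses, keeps only hosts inside your organization's CIDR blocks, and tallies the PHP 5 population by minor version as in Figure 3. The responses, the IP addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and the CIDR list are all constructed for the example. It also reads the Server banner as a fallback, since Apache's mod_php adds a PHP/x.y.z token there when expose_php is on; a host with neither is reported as unknown rather than as "not PHP", which is exactly why the header count is only a lower bound.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample scan records: IP -> raw HTTP response (headers only).
# These are made up for the example; they are not Censys output.
SAMPLE_RESPONSES = {
    "203.0.113.10": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.3.29\r\n\r\n",
    "203.0.113.11": "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By: PHP/5.6.40-0+deb8u1\r\n\r\n",
    "203.0.113.12": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.25 (Debian) PHP/7.2.13\r\n\r\n",
    "203.0.113.13": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",            # expose_php=Off, or not PHP at all
    "203.0.113.14": "HTTP/1.1 200 OK\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "198.51.100.7": "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.4.45\r\n\r\n",  # PHP 5, but not in our ranges
}

# Assumed organization address space (constructed for the example).
ORG_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Matches "PHP/5.6.40-0+deb8u1", "PHP/7.2.13", "PHP/5.3" etc.; patch level is optional.
PHP_VERSION_RE = re.compile(r"\bPHP/(\d+)\.(\d+)(?:\.\d+)?", re.IGNORECASE)


def parse_headers(raw):
    """Return {lower-cased header name: value} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def php_version(headers):
    """Return (major, minor) advertised by the server, or None if nothing is advertised.

    X-Powered-By is checked first, then the Server banner. None means
    'unknown', not 'not PHP': with expose_php=Off the runtime is invisible here.
    """
    for name in ("x-powered-by", "server"):
        value = headers.get(name)
        if value:
            m = PHP_VERSION_RE.search(value)
            if m:
                return int(m.group(1)), int(m.group(2))
    return None


def is_eol(version):
    """Every PHP 5.x minor loses security support on 2018-12-31, so anything
    below major version 7 is treated as end-of-life. Unknown versions are not
    flagged; they need a closer look, not an automatic verdict."""
    return version is not None and version[0] < 7


def in_scope(ip, cidrs):
    """True when the address falls inside one of our CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)


def php5_inventory(responses, cidrs):
    """Return (hosts, by_minor): hosts maps in-scope IPs running an EOL PHP to
    their 'PHP/major.minor' string; by_minor counts hosts per release line."""
    hosts = {}
    for ip, raw in responses.items():
        if not in_scope(ip, cidrs):
            continue
        version = php_version(parse_headers(raw))
        if is_eol(version):
            hosts[ip] = "PHP/%d.%d" % version
    return hosts, Counter(hosts.values())


if __name__ == "__main__":
    hosts, by_minor = php5_inventory(SAMPLE_RESPONSES, ORG_CIDRS)
    for ip, label in sorted(hosts.items()):
        print(ip, label)
    print(dict(by_minor))
```

Run against the constructed sample, it reports 203.0.113.10 (PHP/5.3) and 203.0.113.11 (PHP/5.6); the PHP 5.4 host is dropped as out of scope, the PHP 7.2 host is supported, and the nginx host with no banner lands in neither bucket. Feeding it real data means substituting your own scan results and CIDR list for the constructed values.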

What do I do now that I’ve located everything that will be affected?

Okay, you’ve found the potential security fires you need to deal with. What now?

  1. If possible, upgrade your application to a release that supports PHP 7 immediately. Applications built with security and maintainability in mind will have thought this through and made it easy for you.
  2. For the rest of what you find (likely the large majority), look into what it would take to migrate the application to PHP 7 yourself. We're sorry: there are a significant number of API changes which make this process cumbersome, and for some applications impossible for anyone but the original authors.
    Here's the good news: PHP hasn't left you hanging. They've created this really helpful guide walking through the migration.
  3. If that's too daunting or you don't have the time or resources, you're left with contacting your hosting provider and urging them to update and migrate.
  4. If you can't patch the server, restrict who can access it. Putting it behind a VPN, off the public Internet, reduces the chance of it being exploited. (Turning off expose_php hides the version from scanners like ours but fixes nothing; don't mistake it for remediation.) We still recommend that you plan to take the server offline at some point.
