PHP 5.6 is the most widely used minor version of a programming language on the web. The PHP language is used on 79% of websites where the server-side language is known. PHP 5 is used on 58% of the web, and PHP 5.6 is used on around a quarter of all websites. It would not be an exaggeration to say there are millions of websites running PHP 5.6 — and also millions using older versions of PHP.
The statistics for WordPress are in the same ballpark: 35% of WordPress sites run on PHP 5.6. For a four-year-old piece of software, PHP 5.6 remains remarkably successful. It is also unsupported, receiving neither bug fixes nor security updates.
By the end of December 2018, PHP 5.6 hadn’t been actively supported for two years, during which time it received no bug-fix releases. Its official end of life was reached as 2018 came to a close, and, going forward, it will no longer be updated for critical security issues either.
PHP 5.6 and WordPress
WordPress recommends that hosting providers support PHP 7.3, which is the most recent version. At the time of writing, modern versions of WordPress will run on much older PHP versions, back to PHP 5.2.4, but, as WordPress’ developers make clear, using an older version may expose your site to security vulnerabilities. When WordPress 5.1 is released later this year, PHP 5.6 will become the minimum supported version, and sites using older versions may begin to experience compatibility problems. There are tentative plans to make PHP 7 the minimum supported version as early as the end of 2019, but given the huge install base for WordPress on PHP 5.6, it’s uncertain that this will actually happen.
Your site will continue to work. Although PHP 5.6 is no longer supported, WordPress sites that use it will continue to work for the foreseeable future. WordPress’ developers prefer site owners to use up-to-date versions, but they ensure that WordPress is compatible with older versions. However, it’s not guaranteed that WordPress will remain compatible with older versions forever or that developers will continue to support old versions for as long as they have.
Using older versions is a security risk. If a critical vulnerability is discovered in PHP 5.6, it won’t be fixed. It’s impossible to say how much of a risk this poses because no one knows if there are any critical security vulnerabilities in PHP 5.6. Over the last couple of years, numerous denial of service vulnerabilities were discovered and patched in PHP 5.6, but few critical remote code execution or privilege escalation vulnerabilities. After four years, the risk of show-stopping vulnerabilities is not high, but it is not zero.
New WordPress sites should use supported versions of PHP. There is no good reason to launch a new WordPress site on an unsupported version of PHP. Hosting providers that use outdated versions for new sites are negligent, knowingly put their clients at risk. Responsible hosting providers regularly upgrade PHP across their hosting platforms. Nexcess offers the most recent supported version for new WordPress hosting accounts, although we continue to support older versions for clients who need them.
In summary, while there is no need to panic, hosting clients with sites based on PHP 5.6 should consider upgrading to a more recent version because there is a non-negligible security risk when using older versions of PHP.