decorative image for PHP 7.4 EOL blog
January 30, 2023

PHP 7.4 EOL Is Here: Are Your Applications Secure?

PHP Development

PHP 7.4 end of life (EOL) is here. And, with our 2023 PHP Landscape Report showing over 54% of teams still using PHP 7.4, migrating to a supported PHP version and / or finding third party long-term support will be critical for teams who want to maintain the security of their applications.

In this blog we talk through the reality of PHP 7.4 EOL, including how to find the right migration path, the risks of unsupported EOL PHP, and long-term support options for teams that need more time planning their path forward.

Back to top

Get Support for Your EOL PHP 7.4

Keep your applications secure with patched PHP 7.4 builds from Zend.

Explore LTS Options

Back to top

The PHP 7.4 Support Lifecycle

PHP, like many other development languages, has a defined community support lifecycle. Each minor release has a community support lifecycle of three years, with major versions being released anywhere from a year apart to over five years apart. The number of minor releases per major release varies by major release (e.g. PHP 5 had 7 minor versions, PHP 7 had 5 minor versions). The community support lifecycle for PHP is broken down into two support phases: Active Support and Security Support.

Active Support

The active support phase for PHP versions lasts two years from the GA release date. During active support, PHP versions (like PHP 7.4) receive regular patch releases (e.g. 7.4.1) that contain bug fixes and security patches. These updates are typically released monthly, unless there are no bugs or security issues (which is rare).

Security Support

After two years of active support, PHP versions enter the Security Support phase. This phase lasts for one year, with the PHP community only supplying patches for critical security issues. Releases during this phase are on an ad-hoc basis, and are typically released less frequently than during the active support phase.

End of Life

After the security support phase ends, the PHP version enters end of life. This means that it does not receive security patches, bug fixes, or other updates from the community. As bugs and vulnerabilities accumulate, teams using end of life PHP versions expose their applications to compounding risks.

PHP Version 

Release Date 

Active Support End Date 

End of Life / Security Support End Date 

Zend PHP 7.4 LTS End Date 

7.4 

November 28, 2019  

November 28, 2021 

November 28, 2022 

December 2026 

PHP 7.4 End of Life Date

The end of life date for PHP 7.4 was November 28, 2022.

How Many Teams Are Still Using PHP 7.4?

According to the 2023 PHP Landscape Report, 54.2% of PHP teams are still using PHP 7.4 in their applications.

In our 2023 PHP Landscape Report (to be released in February, 2023), we surveyed the PHP community to better understand the PHP versions they use in production. And, as with previous years, we found many teams still using end of life PHP versions — including PHP 7.4

chart showing PHP version adoption as of 2023

As you can see above, a combined 61.9% of respondents reported using at least one EOL PHP version, with 54% using EOL PHP 7.4 in their applications. For larger companies, the percentage using end of life PHP jumped to nearly 66%, showing that many teams struggle to keep up with the rapid PHP end of life cycle.

Back to top

The Consequences of Unsupported EOL PHP 7.4

Most teams are well acquainted with the consequences of unsupported end of life technologies. Every year, new vulnerabilities are discovered within unsupported technologies – with high-profile exploits of these vulnerabilities making their way to front pages around the world.

But security isn’t the only consequence of unsupported EOL PHP applications. Teams working with EOL PHP versions also expose their applications to decreased performance, reduced application stability, and the lost-opportunity cost of maintaining an EOL PHP version when they could be helping to further the goals of the business.

Security

When a PHP version reaches community support end of life, the community stops providing security patches for that version. As noted above, the accumulation of unpatched vulnerabilities adds an increasing amount of security risk to the application. And, if left unmitigated, these vulnerabilities can and will be exploited.

Performance

One of the often overlooked aspects of using end of life PHP versions is performance. New versions of PHP regularly add new features and improvements to the language that can reduce development, hosting, or hardware costs for the application. While this might seem like a lesser consideration, these costs can add up quickly – especially when deploying a large number of PHP applications, or applications that receive large amounts of traffic.

Application Stability

If applications aren’t regularly updated to new technology versions, there can be a growing risk of application downtime. As an example, an application running an EOL PHP version might be using a library that has since been deprecated. A bug within that library could cause the application to crash. Now imagine enterprise applications with dozens of un-updated libraries, or libraries that have been updated and cause issues with the EOL PHP application.

Opportunity Costs

Lastly, there’s the danger of lost opportunity cost. Running an EOL PHP version means spending time on things like building or backporting patches for security issues and bugs. For supported PHP versions, this isn't an issue, and allows teams to better focus on improving the security, performance, or functionality of your application.

Backporting bug fixes and security patches isn't the only time-consuming aspect of maintaining an EOL PHP application, either. Profiling and improving performance on an application running on an EOL PHP version can be time intensive. But even the best performance improvements on that application can be overshadowed by the performance improvements gained by migrating to a new PHP version. That's not to mention new language features in newer versions that can solve a variety of problems for businesses. 

The takeaway from this is that there are a number of hidden costs of running EOL PHP applications that can directly or indirectly impact the health of your application and business, and the time committed to things like backporting patches can lead to lost opportunities for improving your application and business.

Back to top

Facing PHP 7.4 End of Life

To avoid the risks associated with unsupported EOL PHP versions, teams need to regularly plan and execute PHP upgrades and migrations.

Upgrading Your Application(s)

For teams with a limited number of applications or less complex codebases, these upgrades and migrations may be straightforward – depending on the changes between the origin and destination versions. For others, planning migrations for many applications (or particularly complex applications), can be a much more time-intensive exercise.

One thing to keep in mind for teams tasked with migrating PHP 7.4 is that this is the final PHP 7 minor release, meaning that there is no guarantee that the destination PHP version will be backwards compatible. More often than not, these major versions are only released when changes there are breaking changes to existing APIs that are exposed to consumers.

For teams planning PHP migrations or upgrades, having a consistently audited and profiled set of applications is key to understanding the impact of these major version upgrades on your code base, the scope of a given migration for your team, and the potential impact to the overarching business.

Learn more about Zend PHP upgrade/migration services >>

Read our migration services case study with Bark.com >>

Finding Long-Term Support

For teams that, for one reason or another, can’t migrate before PHP end of life hits, finding a reliable source of security patches is key to maintaining the stability and security of their given PHP applications.

Luckily, there are third-party options for PHP long-term support that can help teams to keep their EOL PHP applications supported.

Learn more about Zend PHP LTS >>

Self-Support

Self-support is another option for teams working with EOL PHP 7.4 applications. However, teams that choose this route need to understand the impact this can have on their business. As noted above, developers who are busy developing patches for CVEs are developers who aren’t working on developing new applications, improving existing applications, or working on all the things that will make the next migration easier. While self-support may be a valid option for larger enterprises with resources dedicated to developing patches and fixes in house, it’s not a cost-effective option for 99% of companies.

Back to top

Final Thoughts

Migrating or upgrading your EOL PHP is crucial to avoiding organizational risk – and PHP 7.4 is no different. Now that PHP 7.4 EOL is here, teams need to ensure they’ve established a good migration or LTS plan their applications using PHP 7.4.

Luckily for PHP teams, Zend offers both migration support and long-term support for their EOL PHP.  

Get LTS and Migration Services for Your PHP 7.4 Deployments 

Start planning your migration and support strategy for your PHP 7.4 application with help from Zend. Visit our LTS and migration services pages today to learn more.

See Our PHP LTS OptionsSee Our Migration Services

Additional Resources 

Back to top