BreadcrumbHomeResourcesBlog The State of WordPress PHP Support June 8, 2023 The State of WordPress PHP SupportPHP DevelopmentBy Matthew Weier O’PhinneyWordPress, written in PHP, powers upward of 65% of websites that use a content management system (CMS). However, given the complexity of WordPress as a CMS and the relatively fast lifecycle of PHP releases, WordPress has recently fallen behind the PHP community support lifecycle. This means that teams deploying WordPress, even if they’re on the latest version (as we’ll explain later), can unknowingly deploy unsupported and unpatched PHP.So what does this mean for teams that use WordPress for mission-critical websites and web applications? And what impact does this have for companies that provide managed hosting for WordPress sites?In this blog, we’ll walk through the current state of WordPress PHP support, including the typical WordPress release cadence, the PHP versions that accompany those releases, the impact of lagging WordPress support for PHP, and ways teams can stay protected while deploying end of life PHP.Table of ContentsWordPress PHP Support: Why It MattersUnpacking the WordPress Release CadenceWordPress PHP Support by VersionWhen Will WordPress PHP 8 Support Be Available?Challenges With WordPress PHP SupportFinal ThoughtsTable of Contents1 - WordPress PHP Support: Why It Matters2 - Unpacking the WordPress Release Cadence3 - WordPress PHP Support by Version4 - When Will WordPress PHP 8 Support Be Available?5 - Challenges With WordPress PHP Support6 - Final ThoughtsBack to topWordPress PHP Support: Why It MattersFor teams deploying WordPress-based websites and web applications, the PHP version deployed with their WordPress is often overlooked. Most of the time that’s fine, as WordPress typically updates the supported PHP version with their WordPress releases, but sometimes WordPress lags behind the community support lifecycle for PHP. This means that the PHP versions shipped with new WordPress versions might not be community supported.What does that mean for teams deploying WordPress? Essentially their applications, which are deploying on unsupported PHP versions, are vulnerable to exploits to those versions. Because the PHP community does not provide patches to those versions after their declared end of life dates, teams deploying these versions need to find other ways to patch their deployed PHP, or risk potentially devastating consequences to their websites, applications, or businesses. PHP 8 is a prime example of this conundrum. Despite the terminal release for PHP 7, PHP 7.4, reaching community end of life in November 2022, new WordPress versions don’t officially support PHP 8, with PHP 8 support still only available as a beta feature. For teams where upgrading WordPress represents a substantial investment of developer hours, this puts them in an untenable and risky position.Back to topUnpacking the WordPress Release CadencePublic WordPress releases are grouped into two categories, major and minor, with each release type undergoing a release candidate / beta process. Major releases typically contain major updates (e.g. new features, deprecations, etc.) to WordPress, while minor versions are typically associated with security and maintenance releases.Source: Major and Minor Version Release Cadence | make.wordpress.orgWordPress Major Release CadenceDating back to WordPress 5.0, which was released in December, 2018, there have been 12 major releases, with an average duration of 131 days between those releases.WordPress VersionRelease DateDays After Previous Release512/6/2018 3855.12/21/2019775.25/7/2019755.311/12/20191895.43/31/20201405.58/11/20201335.612/8/20201195.73/9/2021915.87/20/20211335.91/25/202218965/24/20221196.111/1/20221616.23/29/2023148WordPress Minor Release CadenceLooking historically at minor releases for WordPress, there are generally between one and three minor releases per major release. As an example, 6.0 had three minor releases, with 6.0.1 (maintenance), 6.0.2 security and maintenance), and 6.0.3 (security).WordPress VersionRelease DateDays After Previous ReleaseRelease Designation512/6/2018126Major5.0.112/13/20187Minor5.0.212/19/20186Minor5.0.31/9/201921Minor5.12/21/201943Major5.1.13/12/201919Minor5.25/7/201956Major5.2.15/21/201914Minor5.2.26/18/201928Minor5.2.39/5/201979Minor5.2.410/14/201939Minor5.311/12/201929Major5.3.112/13/201931Minor5.3.212/18/20195Minor5.43/31/2020104Major5.4.14/29/202029Minor5.4.26/10/202042Minor5.58/11/202062Major5.5.19/1/202021Minor5.5.210/29/202058Minor5.5.310/30/20201Minor5.612/8/202039Major5.6.12/3/202157Minor5.6.22/22/202119Minor5.73/9/202115Major5.7.14/15/202137Minor5.7.25/13/202128Minor5.87/20/202168Major5.8.19/9/202151Minor5.8.211/10/202162Minor5.8.31/6/202257Minor5.91/25/202219Major5.9.12/22/202228Minor5.9.23/11/202217Minor5.9.34/5/202225Minor65/24/202249Major6.0.17/12/202249Minor6.0.28/30/202249Minor6.0.310/17/202248Minor6.111/1/202215Major6.1.111/15/202214Minor6.23/29/2023134Major6.2.15/16/202348Minor6.2.25/20/20234MinorLooking at the average number of days between releases for WordPress versions 5 and up, including both minor and major versions (but excluding beta and release candidates) WordPress has a GA release every 40 days.Minor releases, as noted earlier, fall into two categories: maintenance releases and security releases, with many minor releases containing both maintenance and security components. Of the 31 minor releases since PHP 5.0 was released, 13 have been Maintenance releases, 12 have been Security and Maintenance releases, and 6 have been Security releases.All this to say, WordPress releases generally skew toward maintenance more than security, which indicates the relative security of WordPress as a platform. Beta Releases and Release CandidatesLike many other projects (including PHP), WordPress builds toward major version releases with a series of beta releases and release candidates. These releases ensure that WordPress has a proving ground for new features, as well as provide advanced notice for deprecations and enhancements that may cause problems for teams as they upgrade. </p> <p> Major versions typically have anywhere from 1-4 beta versions before they reach the release candidate stage, where there can be an additional 1-5 release candidates before the version reaches GA release.Back to topWordPress PHP Support by VersionSo how do these releases map to PHP version support, and does WordPress release cadence generally align with the PHP community support lifecycle?In short, yes and no. While WordPress versions have historically provided a long window of community support for the PHP versions they ship with, since 2019 that time span has shifted to be dramatically shorter.WordPress VersionRelease DateNewest Fully Compatible PHP VersionPHP Version EOL Date49/4/20145.57/10/20164.112/18/20145.612/31/20184.24/23/20155.612/31/20184.38/18/20155.612/31/20184.412/8/20157.112/1/20194.54/12/20167.112/1/20194.68/16/20167.112/1/20194.712/6/20167.211/30/20204.86/8/20177.211/30/20204.911/16/20177.312/6/2021512/6/20187.312/6/20215.12/21/20197.312/6/20215.25/7/20197.312/6/20215.311/12/20197.411/28/20225.43/31/20207.411/28/20225.58/11/20207.411/28/20225.612/8/20207.411/28/20225.73/9/20217.411/28/20225.87/20/20217.411/28/20225.91/25/20227.411/28/202265/24/20227.411/28/20226.111/1/20227.411/28/20226.23/29/20237.411/28/2022In the chart above, the negative value for WordPress 6.2 indicates that it shipped with a PHP version (PHP 7.4) that had already reached end of life.As stated earlier, for companies deploying WordPress-based applications, this presents a significant challenge – even if it may end up being a short-term challenge.Back to topWhen Will WordPress PHP 8 Support Be Available?WordPress versions 5.6 and up offer PHP 8.0 support as a beta feature, 5.9 and newer support up to 8.1, and 6.1 and newer support 8.2 – with the caveat that all PHP 8.x support is in beta (indicated by the asterisk in the chart below). Given the previous release cadence for WordPress, we think that PHP 8.x support will exit beta within the next 3 months.Support Categorization Update: 12/28/2023 WordPress has added in a new designation, "Compatible With Exceptions" for PHP 8.0 and PHP 8.1 support for both WordPress 6.3 and WordPress 6.4. PHP 8.2 and PHP 8.3 support are marked as beta.According to WordPress, those exceptions apply to: htmlentities() Replace most strip_tags() with wp_strip_tags()unregister_setting() for unknown setting Supported PHP VersionWordPress Version5.25.35.45.55.677.17.27.37.488.18.26.2NNNNYYYYYYY*Y*Y*6.1NNNNYYYYYYY*Y*Y*6NNNNYYYYYYY*Y*N5.9NNNNYYYYYYY*Y*N5.8NNNNYYYYYYY*NN5.7NNNNYYYYYYY*NN5.6NNNNYYYYYYY*NNSource: https://make.wordpress.org/core/handbook/references/php-compatibility-and-wordpress-versions/Back to topChallenges With WordPress PHP SupportRegardless of when WordPress will offer full support for PHP 8.x versions, the reality is that companies deploying WordPress with unsupported PHP versions have an increased level of risk, unless they have a way to patch vulnerabilities revealed in those PHP versions since they reached community support end of life. While this might be the first time in recent memory that WordPress users have faced this challenge, the long-term trend of decreasing support windows for the shipped PHP version is concerning to teams charged with keeping their web applications, and data, secure. It’s worth mentioning, however, that WordPress isn’t alone in struggling to keep up with the PHP community support lifecycle. Creators and maintainers of plugins, themes, and extensions within the WordPress ecosystem are also lagging behind in providing PHP 8.x support. Consequently, even when teams are able to upgrade to a WordPress version that supports PHP 8, they may find that the plugin or theme central to their web application may not support PHP 8.Back to topFinal ThoughtsWhile this might be the first time in recent memory that WordPress users have faced this challenge, the long-term trend of decreasing support windows for the shipped PHP version is concerning to teams charged with keeping their web applications, and data, secure. It’s worth mentioning, however, that WordPress isn’t alone in struggling to keep up with the PHP community support lifecycle.Regardless of why it’s happening, teams deploying or managing WordPress-based sites need to plan ahead, and have well-established contingency plans if they end up deploying unsupported PHP in production.Need Patches for Your EOL PHP?Zend can help. With PHP LTS options for a variety of EOL PHP versions, you can keep your applications secure and compliant until you’re ready to migrate.SEE LTS OPTIONSAdditional ResourcesResource Collection - PHP Versions: Performance, Security, and Feature ComparisonsWhite Paper - Planning Your Next PHP MigrationWhite Paper - The Costs of Building PHP In HouseWhite Paper - The Hidden Costs of PHP UpgradesSolutions - PHP Hosting Providers SolutionsBlog - How to Develop a WordPress PluginBlog - Unpacking the Drupal PHP Support LifecycleBlog - Changes to Watch in PHP 8.3Blog - How to Assess and Prevent PHP VulnerabilitiesBlog - PHP 7.4 EOL Is Here: Are Your Applications Secure?Blog - 6 PHP Security Best PracticesBlog - Are You Ready for PHP 8.0 EOL?Blog - Mitigating CVE-2023-0662Blog - CVE-2023-3823 OverviewBlog - PHP Linux Installation: Quickstart GuideBack to top
Matthew Weier O’Phinney Zend Product Manager, Zend by Perforce Matthew began developing on Zend Framework (ZF) before its first public release, and led the project for Zend from 2009 through 2019. He is a founding member of the PHP Framework Interop Group (PHP-FIG), which creates and promotes standards for the PHP ecosystem — and is serving his second elected term on the PHP-FIG Core Committee.
