The State of WordPress PHP Support

WordPress, written in PHP, powers upward of 65% of websites that use a content management system (CMS). However, given the complexity of WordPress as a CMS and the relatively fast lifecycle of PHP releases, WordPress has recently fallen behind the PHP community support lifecycle. This means that teams deploying WordPress, even if they’re on the latest version (as we’ll explain later), can unknowingly deploy unsupported and unpatched PHP.

So what does this mean for teams that use WordPress for mission-critical websites and web applications? And what impact does this have for companies that provide managed hosting for WordPress sites?

In this blog, we’ll walk through the current state of WordPress PHP support, including the typical WordPress release cadence, the PHP versions that accompany those releases, the impact of lagging WordPress support for PHP, and ways teams can stay protected while deploying end of life PHP.

Does WordPress Support PHP?

Yes, WordPress supports PHP. As of August 2024, WordPress recommends using PHP 8.0 or higher to produce the best results.

WordPress PHP Support: Why It Matters

For teams deploying WordPress-based websites and web applications, the PHP version deployed with their WordPress is often overlooked. Most of the time that’s fine, as WordPress typically updates the supported PHP version with their WordPress releases, but sometimes WordPress lags behind the community support lifecycle for PHP. This means that the PHP versions shipped with new WordPress versions might not be community supported, causing a gap in WordPress PHP support.

What does that mean for teams deploying WordPress? Essentially their applications, which are deploying on unsupported PHP versions, are vulnerable to exploits to those versions. Because the PHP community does not provide patches to those versions after their declared end of life dates, teams deploying these versions need to find other ways to patch their deployed PHP, or risk potentially devastating consequences to their websites, applications, or businesses. 

PHP 8 is a prime example of this conundrum. Despite the terminal release for PHP 7, PHP 7.4, reaching community end of life in November 2022, new WordPress versions don’t officially support PHP 8, with PHP 8 support still only available as a beta feature. For teams where upgrading WordPress represents a substantial investment of developer hours, this puts them in an untenable and risky position. So, when considering WordPress PHP support, what's the answer?

Mittwald Managed Hosting Customers Stay Secure With Zend

mittwald, a global leader in web hosting, partnered with Zend to deliver value, security, and peace of mind to their customers, including those using WordPress.

Read the Case Study  Hosting Provider Solutions

Unpacking the WordPress Release Cadence

Public WordPress releases are grouped into two categories, major and minor, with each release type undergoing a release candidate / beta process. Major releases typically contain major updates (e.g. new features, deprecations, etc.) to WordPress, while minor versions are typically associated with security and maintenance releases.

Source: Major and Minor Version Release Cadence | make.wordpress.org

WordPress Major Release Cadence

Dating back to WordPress 5.0, which was released in December, 2018, there have been 12 major releases, with an average duration of 131 days between those releases.

WordPress Minor Release Cadence

Looking historically at minor releases for WordPress, there are generally between one and three minor releases per major release. As an example, 6.0 had three minor releases, with 6.0.1 (maintenance), 6.0.2 security and maintenance), and 6.0.3 (security).

Looking at the average number of days between releases for WordPress versions 5 and up, including both minor and major versions (but excluding beta and release candidates) WordPress has a GA release every 40 days.

Minor releases, as noted earlier, fall into two categories: maintenance releases and security releases, with many minor releases containing both maintenance and security components. Of the 31 minor releases since PHP 5.0 was released, 13 have been Maintenance releases, 12 have been Security and Maintenance releases, and 6 have been Security releases.

All this to say, WordPress releases generally skew toward maintenance more than security, which indicates the relative security of WordPress as a platform. This impacts WordPress PHP support, as will be discussed later.

Beta Releases and Release Candidates

Like many other projects (including PHP), WordPress builds toward major version releases with a series of beta releases and release candidates. These releases ensure that WordPress has a proving ground for new features, as well as provide advanced notice for deprecations and enhancements that may cause problems for teams as they upgrade.  </p> <p> Major versions typically have anywhere from 1-4 beta versions before they reach the release candidate stage, where there can be an additional 1-5 release candidates before the version reaches GA release.

WordPress PHP Support by Version

So how do these releases map to PHP version support, and does WordPress release cadence generally align with the PHP community support lifecycle?

In short, yes and no. While WordPress versions have historically provided a long window of community support for the PHP versions they ship with, since 2019 that time span has shifted to be dramatically shorter.

In the chart above, the negative value for WordPress 6.2 indicates that it shipped with a PHP version (PHP 7.4) that had already reached end of life.

As stated earlier, for companies deploying WordPress-based applications, WordPress PHP support presents a significant challenge – even if it may end up being a short-term challenge.

When Will WordPress PHP 8 Support Be Available?

WordPress versions 5.6 and up offer PHP 8.0 support as a beta feature, 5.9 and newer support up to 8.1, and 6.1 and newer support 8.2 – with the caveat that all PHP 8.x support is in beta (indicated by the asterisk in the chart below). Given the previous release cadence for WordPress, we think that PHP 8.x support will exit beta within the next 3 months.

Support Categorization Update: 12/28/2023 

WordPress has added in a new designation, "Compatible With Exceptions" for PHP 8.0 and PHP 8.1 support for both WordPress 6.3 and WordPress 6.4. PHP 8.2 and PHP 8.3 support are marked as beta.

According to WordPress, those exceptions apply to: 

• htmlentities() 
• Replace most strip_tags() with wp_strip_tags()
• unregister_setting() for unknown setting

Source: https://make.wordpress.org/core/handbook/references/php-compatibility-and-wordpress-versions/

WordPress PHP Support Challenges

Regardless of when WordPress PHP support will fully cover PHP 8.x versions, the reality is that companies deploying WordPress with unsupported PHP versions have an increased level of risk, unless they have a way to patch vulnerabilities revealed in those PHP versions since they reached community support end of life. 

While this might be the first time in recent memory that WordPress users have faced this challenge, the long-term trend of decreasing support windows for the shipped PHP version is concerning to teams charged with keeping their web applications, and data, secure. It’s worth mentioning, however, that WordPress isn’t alone in struggling to keep up with the PHP community support lifecycle. 

Creators and maintainers of plugins, themes, and extensions within the WordPress ecosystem are also lagging behind in providing PHP 8.x support. Consequently, even when teams are able to upgrade to a WordPress version that supports PHP 8, they may find that the plugin or theme central to their web application may not support PHP 8.

Final Thoughts

While this might be the first time in recent memory that WordPress users have faced this challenge, the long-term trend of decreasing support windows for the shipped PHP version is concerning to teams charged with keeping their web applications, and data, secure. It’s worth mentioning, however, that WordPress isn’t alone in struggling to keep up with the PHP community support lifecycle.

Regardless of why it’s happening, teams deploying or managing WordPress-based sites need to plan ahead, and have well-established contingency plans if they end up deploying unsupported PHP in production.

Need Patches for Your EOL PHP?

Zend can help. With PHP LTS options for a variety of EOL PHP versions, you can keep your applications secure and compliant until you’re ready to migrate.

SEE LTS OPTIONS

Additional Resources

• Case Study - mittwald Managed Hosting Customers Stay Secure With PHP LTS From Zend
• Resource Collection - PHP Versions: Performance, Security, and Feature Comparisons
• White Paper - Planning Your Next PHP Migration
• White Paper - The Costs of Building PHP In House
• White Paper - The Hidden Costs of PHP Upgrades
• Solutions - PHP Hosting Providers Solutions
• Blog - How to Develop a WordPress Plugin
• Blog - Unpacking the Drupal PHP Support Lifecycle
• Blog - Changes to Watch in PHP 8.3
• Blog - How to Assess and Prevent PHP Vulnerabilities
• Blog - Are You Ready for PHP 8.0 EOL?
• Blog - PHP Linux Installation: Quickstart Guide