Skip to content
Computer Code Updates
PHP: The Foundation of a Secure WordPress Site
May 24 2023

It may be the most recognizable recursive acronym in the world of website development, and keeping it up to date helps millions of websites run smoothly.

PHP–originally short for “Personal Home Page” tools, now shorthand for “Hypertext Preprocessor”–is the server-side scripting language used to run the WordPress content management system (CMS) and other types of web applications. This is a layer below what many users of WordPress ever encounter; however, it is fundamental to the function of those sites. 

PHP versions and lifecycle

What many WordPress users do not realize is that, like plugins and even the WordPress core itself, PHP regularly needs updates to keep sites performing optimally and securely. While WordPress will notify users when an update is available to its core or to plugins, it does not typically inform users when their version of PHP is out of date, so PHP updates can often go ignored for some time and at some risk. One way to stay on top of them is to review your server settings, usually through your hosting provider. Unfortunately, depending on your hosting provider, it might not even be apparent that the PHP version your site is using is outdated.

You can troubleshoot around that by checking available PHP documentation online. PHP offers a page detailing the current supported versions and versions that have recently reached end of life. These PHP versions follow a predetermined lifecycle: each new version released is supported with two years of “active support” in the form of patches for bugs and security issues, followed by one year of “security fixes only.” After this period, the PHP version is considered to be at “end of life” and no longer receives patches of any form.

Why update PHP?

Most important of all, new PHP versions bring with them enhancements to security. This can help reduce your risk of exposure to malware and exploits targeting your server through your website. Such attacks are difficult and costly to correct once the damage is done. The risk and consequences are even more severe if the server is running multiple websites, since the attack surface is broader and the negative impacts potentially more widespread.

With every PHP update also comes performance improvements in how code is executed on the server. Even minor version updates can result in significant boosts. In Kinsta’s benchmark of recent PHP versions on a basic WordPress site, they found that PHP 8.1 performed 47.1 percent more server requests per second than even PHP 8.0, a huge improvement.

Even if users don’t notice this improvement in performance, search engines absolutely do. All other things being equal, a site that loads even a fraction of a second faster than another is going to have an advantage in search result rankings.

New Features
New PHP versions also bring with them new features and improved standards that help developers create better, more efficient websites.

How to update PHP

The method by which you update PHP depends entirely on with whom the server is hosted. Large, enterprise businesses often manage their hosting internally. But, if you’re reading this, there’s a good chance your hosting is managed externally by a web hosting service, perhaps with the oversight of a digital agency like Culture Foundry.

Web hosting companies typically don’t offer the same set of PHP versions as options. For instance, WP Engine currently offers PHP 7.4 (which is “end of life”) and PHP 8 (which is “security fixes only”). It does not offer the two more recent versions in “active support” because WP Engine only uses versions considered “stable” and compatible with the majority WordPress versions in use on their service.

At Culture Foundry, we have encountered web hosting services that did not offer a single PHP version that wasn’t “end of life.” This is a red flag and an indication that the service is not doing the work necessary to keep its clients secure and competitive. If you find that your hosting service is in this camp, consider reaching out to Culture Foundry for help identifying and migrating your website to a more cutting-edge host.

Most hosting services will give you tools to update PHP yourself within their system. However, it is highly recommended that this be tested in some way before making the update on a production server. There could be incompatibility between the newer version of PHP and your version of WordPress or, more likely, plugins or themes currently in use. If you’re lucky, your hosting service will provide a means of testing the PHP update first, either through a dedicated tool like WP Engine’s “PHP Test Driver” or through a staging environment.

Regardless of the tool used to test the PHP update, you’ll want to test for 500 (internal server errors) in the site’s error logs. Visual regression testing tools can also be useful to ensure there are no changes to your WordPress site content. Keep in mind that one server-side error can conceal other errors. If you resolve an error that crops up, make sure you run subsequent tests to catch any others that may have been obscured by the initial one. Repeat this until you have a 100-percent working site on the new version of PHP.

Obstacles to updating PHP

In all likelihood, errors you encounter on a WordPress site from a PHP update will originate from third-party plugins or themes. WordPress sites with many plugins are more likely to encounter errors during the PHP update process and in general. That’s one of the many reasons Culture Foundry recommends reducing plugins on WordPress sites in favor of custom code, and cautions clients not to “plugin and drop out.” We encourage our clients to consider the long-term consequences of selecting third-party plugins or themes off the shelf without fully understanding the routine maintenance required to keep them up to date, functional, and secure. This applies to compatibility with the WordPress core, themes and other plugins, and the underlying PHP version.

Plugin and theme developers are only human
Any decent plugin or theme developer will make efforts to keep their code working on the latest WordPress and PHP versions. Ultimately, these developers are human beings with changing assignments and priorities in an ever-evolving professional (and political) environment. It’s unrealistic to assume all developers can (or will) maintain their code in perpetuity. 

For example, while seeking a compatible version of a plugin that was blocking a PHP 8 update for a client’s website, we tried to reach to the plugin developer directly via their Github profile, only to realize that the developer was in Kharkiv, Ukraine, and had not made contributions to any Github repos since Russia’s attacks on Ukraine began in early 2022.

Plugins that have multiple contributors, or entire businesses to support them, are less likely to be abandoned outright. Consider this when selecting plugins from a variety of offerings. If you’re viewing a plugin on the WordPress plugin directory, you can usually find this information under the “Contributors” section of the sidebar under the “Developers” tab.

When is an up-to-date plugin not up to date?
Sometimes a plugin will appear to be “up-to-date” when viewing it in the list of plugins on your WordPress site, when in fact it isn’t, and a more recent version exists. This can become apparent when doing a PHP update if the old plugin is throwing an error.

Recently, in two separate cases, we encountered plugins that seemed to be current in the sense that there were no outstanding updates needed. Upon further inspection, the developers had abandoned the original plugin, along with their release histories, and created new plugins that were essentially the same. Both cases required the careful replacement of the old plugin, which can be trickier than just running a plugin update.

This can also be the case if you’re using a third-party theme that bundles otherwise paid / licensed plugins. Themes catering to page-builder plugins, such as Elementor, will often do this. In those instances, a plugin may be marked as up-to-date within WordPress, when more accurately, it is at the maximum version that is compatible with the third-party theme, not the latest version of the plugin.

There is a chance you might be prevented from updating the plugin to a version compatible with the desired PHP until the theme developer releases a new version of their theme allowing the incompatible plugin to be further updated. Reducing such chains of dependencies is one of the reasons Culture Foundry recommends developing stand-alone custom themes for clients.

You got a license for that?
The entire economy of premium / paid WordPress plugins and themes is designed around selling users ongoing updates for additional features and security patches. If a license for one of these products lapses, you may not receive additional updates for the software, and this can stall an update to WordPress core or PHP. With that in mind, if you choose to use a premium theme or plugin, keep close track of the license and your account information, and be ready to pay for license renewals through the life of the website.

Need help getting your WordPress site or your server’s PHP updated and secure?

If you have additional questions about PHP updates and how best to manage them, feel free to reach out to us. We’re happy to help.

Culture Foundry is a digital experience agency that helps our clients elevate their impact with beautiful technology. We provide the expertise and insight at every layer that makes a great digital experience for websites and applications possible. If you're committed to elevating your digital experience, contact us and we'd be happy to schedule a chat to see if we're a fit.

(Psst! We also happen to be a great place to work.)

Back To Top