PHP 8.0 went End of Life (EOL) in November 2023. PHP 8.1 will receive security fixes only until December 2025. As of October 2025, up to 55% of PHP-powered sites in the top 1 million are running software that is End of Life. This means there is no support and, more importantly, if new vulnerabilities are discovered, no security fixes will be released.

PHP 8.1 continues to receive security fixes until Dec 2025.
Upgrades do take work, and major updates can take even more work. People are busy, and the reluctance to patch when things are just working is understandable. However, when things go End of Life, there are no more valid reasons to not upgrade.
Data from W3Techs, “Usage statistics of server-side programming languages” (October 2025).
| Server-side language | Share |
|---|---|
| PHP | 73.3% |
| Ruby | 6.4% |
| Java | 5.4% |
| JavaScript (Node.js) | 5.0% |
| ASP.NET | 4.8% |
| Scala | 4.7% |
| Static files | 1.7% |
| Python | 1.2% |
| ColdFusion | 0.2% |
| Perl | 0.1% |
PHP End of Life Stats
Editor’s note (Oct 2025): These statistics were originally compiled in 2019. The pattern hasn’t changed: PHP version adoption remains slow and many sites still run EOL releases, so the methodology and security implications remain valid. We’ve refreshed the obvious, verifiable figures; the deeper researched stats are being re-run and will be added progressively as they’re validated.
Methodology
In July 2019, we performed a semi-regular analysis of WordPress usage in the top 1 million sites. The methodology for this process is to download the default page from the top 1 million sites and perform analysis on the HTTP headers and HTML source of the resulting pages.
The following data is based on sites that reveal the PHP version in the HTTP headers.
The number of sites running unsupported PHP is staggering, especially considering these are among the highest traffic sites in the world. If a serious security vulnerability were to be discovered in PHP core or a module, these sites would have no way to patch and get protected.
Just show me the Stats!
We found 208806 sites leaking the PHP version; of these, 154645 are running a version that does not include PHP/7.1, PHP/7.2 or PHP/7.3.
This is where we get the figure of 74% of sites running PHP that is currently End of Life (unsupported).


PHP versions and WordPress
WordPress recommends a minimum PHP version of 8.3 or greater. This matters because, according to statistics, WordPress runs 34% of the Top 1 Million sites and 42% of the entire Internet and accounts for a large percentage of PHP powered sites.
According to WordPress.org's PHP Version statistics (accessed 14 Oct 2025), 39% of reporting sites are running End of Life PHP (8.0 or older).
Another popular content management system, Drupal, recommends a minimum PHP version of 8.1 or higher.
Important Caveat
Because many hosts and distro packages disable the X-Powered-By header (e.g. via expose_php=Off) or remove it at the web server/CDN, newer managed stacks often don't reveal their PHP version. The official PHP defaults don't hide this header, but providers frequently do. So, the true EOL statistical share across all PHP sites is likely lower than the amount shown.
Distributions such as Red Hat, Ubuntu, and Debian often provide security patching to packaged PHP even if the version is no longer supported through the official PHP project, for example the ongoing support provided as part of the Ubuntu LTS (long term support) releases. Packaged builds commonly include distro tags in X-Powered-By (when not suppressed), and the web server’s Server: header may also show the distro. Both headers are frequently minimised or removed, so you won’t always see these identifiers.
Examples:

- Ubuntu 24.04 LTS
  - X-Powered-By: PHP/8.3.6-1ubuntu2.4
  - Server: Apache/2.4.58 (Ubuntu)
- Debian 12 (Bookworm)
  - X-Powered-By: PHP/8.2.24-1~deb12u1
  - Server: Apache/2.4.62 (Debian)
- Nginx on Ubuntu (common in managed stacks)
  - X-Powered-By: PHP/8.3.6-1ubuntu2.4
  - Server: nginx/1.24.0 (Ubuntu)
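
The header analysis described in the methodology and the distro caveat above can be sketched as follows. This is an added example, not the survey's own code: the EOL cut-off (8.0 and older) is taken from this page, while the category names, function names and sample headers are constructed for illustration.

```python
import re
from collections import Counter

# Per this page (Oct 2025): PHP 8.0 and older are End of Life upstream.
OLDEST_SUPPORTED = (8, 1)
# PHP/<major>.<minor>[.<patch>][packaging suffix]
PHP_RE = re.compile(r"PHP/(\d+)\.(\d+)(?:\.\d+)?(\S*)", re.I)
# Distro hints: package suffix (e.g. -1ubuntu2.4, ~deb12u1) or Server banner.
SUFFIX_RE = re.compile(r"ubuntu|deb\d+", re.I)
SERVER_RE = re.compile(r"\((ubuntu|debian|red hat|centos)", re.I)

def classify(headers):
    """Return (category, branch) for one response's headers (a dict)."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    m = PHP_RE.search(h.get("x-powered-by", ""))
    if not m:
        return ("hidden", None)  # suppressed header or not PHP: cannot be counted
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    branch = f"{major}.{minor}"
    if (major, minor) >= OLDEST_SUPPORTED:
        return ("supported", branch)
    if SUFFIX_RE.search(suffix) or SERVER_RE.search(h.get("server", "")):
        return ("eol-distro", branch)  # upstream EOL, may carry distro backports
    return ("eol", branch)

def summarize(responses):
    """Count categories and the EOL share among version-revealing sites."""
    counts = Counter(classify(r)[0] for r in responses)
    revealing = sum(counts.values()) - counts["hidden"]
    eol = counts["eol"] + counts["eol-distro"]
    share = round(100 * eol / revealing, 1) if revealing else 0.0
    return counts, share

# Constructed sample headers (not survey data).
SAMPLES = [
    {"X-Powered-By": "PHP/8.3.6-1ubuntu2.4", "Server": "Apache/2.4.58 (Ubuntu)"},
    {"X-Powered-By": "PHP/8.2.24-1~deb12u1", "Server": "Apache/2.4.62 (Debian)"},
    {"X-Powered-By": "PHP/7.4.3-4ubuntu2.29", "Server": "nginx/1.18.0 (Ubuntu)"},
    {"x-powered-by": "PHP/5.6.40", "Server": "Apache"},
    {"X-Powered-By": "PHP/8.0.30"},
    {"Server": "nginx"},            # expose_php off or header stripped
    {"X-Powered-By": "ASP.NET"},    # not PHP
]

if __name__ == "__main__":
    counts, share = summarize(SAMPLES)
    print(dict(counts), f"EOL share of version-revealing sites: {share}%")
```

The "hidden" bucket is the reason the measured share only describes sites that reveal a version, and "eol-distro" is the subset where upstream EOL does not by itself mean unpatched.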
Checking for these Linux distributions shows 25532 sites are using the distribution's packaging (this does not verify that these are all supported, but some would be). The chart below shows, for each version, the number of sites using a distribution package for the PHP software.

PHP Vulnerabilities
In 2019, there were 599 PHP CVEs recorded on CVE Details. Today (Oct 2025) that figure stands at 711 PHP vulnerabilities with CVEs.
The chart below shows statistics of PHP vulnerabilities discovered with a CVE score of 6 or higher by month from 1997-2019.

As can be seen, over the years there has been a steady stream of vulnerabilities discovered. Of course, this is the case in any popular and complex piece of software, whether it is commercial or open source. This is simply another reminder that it is time to upgrade your PHP to a current release.
Comparing Microsoft IIS End of Life
For a quick comparison against a very different software environment, we examined Microsoft IIS server versions. The IIS web server version aligns closely with the Windows Server releases, as can be seen in the table below.
The statistics are based on Microsoft IIS versions found in our survey of the Alexa top 1 million sites.
Total Microsoft-IIS Powered Sites: 67787 (6.8% of top 1M)
Microsoft IIS 7.5 or earlier versions account for 30.3% of sites.

| IIS Version | # of sites | Windows Version |
|---|---|---|
| IIS/4.0 | 6 | Windows NT4.0 with options pack (End of Life) |
| IIS/5.0 | 516 | Windows 2000 (End of Life) |
| IIS/5.1 | 3 | Windows XP Professional (End of Life) |
| IIS/6.0 | 2049 | Windows Server 2003 and XP (End of Life) |
| IIS/7.0 | 1761 | Windows Server 2008 (End of Life) |
| IIS/7.5 | 16176 | Windows Server 2008 R2 (End of Life) * |
| IIS/8.0 | 4385 | Windows Server 2012 |
| IIS/8.5 | 27616 | Windows Server 2012 R2** |
| IIS/10.0 | 15191 | Windows Server 2016 & 2019 |
* IIS/7.5 EOL 14 Jan 2020; Extended Security Updates (ESU) ended 10 Jan 2023 (Azure-only ESU to 9 Jan 2024)
** IIS/8.5 EOL 10 Oct 2023. Extended Security Updates (ESU) available until October 2026.
Conclusion
Even if we take into account the caveats and accept that the number would be lower than 74% across all PHP-based sites, it is clear that a significant number of sites do need to upgrade. Site administrators need to get to work and fix this issue now. A new vulnerability could appear any day, and if you are not running a supported version then that will be a bad day.
Knowing your vulnerability exposure and what services are listening on your network is the first step in keeping your organisation secure. Our service simplifies that first step with hosted online vulnerability scanners. Try it out today. Immediate access is available with a full refund available within 7 days.