WordPress is an open-source content management system that uses a number of programming languages to run. One of those languages is PHP.
PHP is an open-source programming language that WordPress uses to run internal functions and process database information. It is installed directly on your web server and managed by your web host. PHP is a living project, and like WordPress, is constantly being updated and patched for bugs and security vulnerabilities. Newer PHP versions fix these vulnerabilities and optimize the processing and delivery of your website content.
This means that the PHP version your website runs on directly affects the security, speed and performance of your site. And as of mid-2017, WordPress officially recommends using PHP version 7.2 or higher.
Like any other software, as newer versions are released, support for the older versions gets dropped as more and more people upgrade. Older versions are maintained with security patches for a while (between 1-2 years), to give everyone a chance to upgrade.
As you can see in the table above, versions 5.6 and 7.0 are no longer being actively developed, but are still receiving security support. However, this security support will officially end in December. And when it does, any sites running these older versions will be susceptible to PHP security vulnerabilities, including WordPress sites!
PHP 7.0 removed many outdated functions that were dragging down older versions, making it more efficient than ever before, and 7.2 takes it even further. This new, leaner version of PHP allows your site to load and respond much faster than previous versions. As an example, PHP 7.2 can serve up to 3x as many requests per second and handle more traffic with the same number of resources. It can handle uncached site visits 2-3 TIMES FASTER than PHP 5.5. If you’re interested in more of the nitty gritty details in PHP version comparison, check out this post which compares site performance across the various PHP versions.
What’s more? WordPress versions 4.0 and above are actively optimized to use PHP 7 and above, meaning you get almost twice the performance out of your site on a server running PHP 7.2. Of course, media and template-specific factors will still highly influence your site load times, so be sure your whole site is optimized for quick loading!
PHP 5.x had hundreds of security issues that got patched up over time. If your site is running an earlier version of PHP, some of these vulnerabilities might still be present! And cybercriminals are very aware of these vulnerabilities — they actually look for sites running these earlier versions so they can stage easy attacks. Much of the flak WordPress gets for “being insecure” is due to servers and sites still running unpatched versions of PHP. Check it out: PHP 5.4 hasn’t been updated since 2015 — giving hackers 3 whole years to discover and exploit vulnerabilities that might never be patched on sites running on it.
PHP 7 introduced new security features as well, including stronger hashing and encrypting for storage of sensitive data, and better functionality for identifying content that is potentially dangerous (like malicious code injections).
This leaner, more efficient version of PHP means a significant improvement in how code is processed on the server: up to a 75% reduction in the number of commands issued when performing a single task. This is huge! But what does that mean for YOUR site?
Your server has a set amount of memory available for running PHP on your site. WordPress core, theme, and plugin files all require varying amounts of that memory to run; the more complex the task, the more memory is required. And when they hit that limit of memory on your server — up comes the White Screen of Death with an ugly error message. So in short, upgrading to PHP 7.2 means much less memory is required, allowing more cool stuff to happen on your site.
In the past, PHP has been pretty lax in how developers could use it, culminating in a ton of poor programming practices across the board. Earlier versions of PHP allowed developers to write code with security holes and issues that could slow the performance of your site. PHP 7 and above, however, requires a higher standard of coding from its developers.
While WordPress has specific requirements for all themes and plugins hosted on WordPress.org, that doesn’t apply to the many paid and commercial plugins that are available out in the wild. Forcing these better programming practices in PHP 7 means higher quality, better performing code from the start.
I feel like I’ve made the case for PHP 7. Unfortunately, not all themes, plugins (or even hosts) are optimized to use it yet! So how do you know if your site, themes, and plugins will work in PHP 7 and higher? The PHP Compatibility Checker is a great place to start. And testing on a Staging Server is a smart next step.
In an upcoming post, we will be discussing the steps needed to test and upgrade your site to PHP 7.2. But in the meantime, I recommend you check out what version your site is running, find out your host’s upgrade process, and do a preliminary scan of your plugins and themes so you are ready to upgrade when the time is right.
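For the preliminary scan of plugins and themes, the script below is an added example (not part of the original post or of any WordPress tool) that lists source lines calling functions which no longer exist on PHP 7.x. The function list is an assumption drawn from PHP's own removals (ext/mysql and ext/ereg in 7.0, mcrypt dropped from core in 7.2), and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: list calls to functions that no longer exist on PHP 7.x.
# ext/mysql and ext/ereg were removed in PHP 7.0; mcrypt left core in PHP 7.2.

# The leading group rejects method calls (->split), static calls (::split),
# variables ($split) and longer names such as preg_split or mb_ereg.
REMOVED_RE='(^|[^A-Za-z0-9_>:$])(mysql_[a-z_]+|eregi?(_replace)?|spliti?|sql_regcase|mcrypt_[a-z0-9_]+|call_user_method(_array)?|set_magic_quotes_runtime)[[:space:]]*\('

scan_removed_functions() {
  # $1 = directory with plugin or theme code; prints file:line:source.
  # Lines that declare a function or method of the same name are dropped.
  find "$1" -type f -name '*.php' -exec grep -HniE "$REMOVED_RE" {} + \
    | grep -viE 'function[[:space:]]+&?[a-z0-9_]+[[:space:]]*\('
}

count_findings() { scan_removed_functions "$1" | wc -l | tr -d ' '; }

make_sample_plugin() {
  # Constructed sample files, not taken from any real plugin.
  sample_dir=$(mktemp -d)
  cat > "$sample_dir/legacy.php" <<'PHP'
<?php
$link = mysql_connect('localhost', 'user', 'pass');
if (ereg('^[a-z]+$', $slug)) { $parts = split(',', $csv); }
$enc = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
PHP
  cat > "$sample_dir/modern.php" <<'PHP'
<?php
$rows  = mysqli_query($db, 'SELECT 1');
$parts = preg_split('/,/', $csv);
$ok    = mb_ereg('^[a-z]+$', $slug);
$res   = $chunker->split($csv);   // hypothetical object method
PHP
  echo "$sample_dir"
}

demo_dir=$(make_sample_plugin)
echo "Lines to review before moving to PHP 7.2: $(count_findings "$demo_dir")"
scan_removed_functions "$demo_dir"
rm -rf "$demo_dir"
```

The match is textual, so a hit inside a comment or string is still reported; treat the output as a triage list and confirm with the PHP Compatibility Checker and a staging run.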