How to secure PHP website

Why you should upgrade PHP (in simple words)

Does the title ring a bell? We bet you’ve received many Update PHP notifications from your DevOps, SysOps, your hosting providers, or the PHP web development company that created your website years ago. 

We understand that you don’t want to dig into coding stuff, and you don’t have to. We will tell you why upgrading PHP is a part of the overall business success. We promise—no instructions on inserting code here and there, no unnecessary details; just the essentials.

Why update PHP version

Table of content:

  1. Why is upgrading PHP important for website security?
  2. How often should you upgrade PHP?
  3. Who needs PHP updates?
  4. Benefits of upgrading PHP
  5. What happens if you don't update PHP?
  6. Upgrade PHP and get better performance for your website
  7. How to update PHP in Drupal
  8. How to update PHP in WordPress
  9. How to update PHP for a custom PHP website
  10. Key takeaways

Upgrading PHP as part of maintaining website security

How to secure a website? You must have come across those website security checklists on the Internet. Usually, they recommend the following procedures:

  1. Update software regularly. Here's our post on security for Drupal and related server software.
  2. Use strong passwords and change them once in a while.
  3. Choose a hosting service wisely as it is responsible for backups. Tips for choosing a hosting platform.
  4. ...but make sure you do not forget about backups as well.
  5. Audit your website.
  6. Secure your site with HTTPS.
  7. Create a user permission system and do not give admin access to many people.
  8. Scan devices for malware.

What is PHP? PHP is a programming language used for writing software and web applications.

If you use a content management system, such as Drupal or WordPress, you might have heard that they are written in PHP. They are famous for their ready-made solutions that reduce coding time. Also, there are some websites written in custom PHP which means that all the functionality is created from scratch. Some desktop applications are also written in PHP but that’s not common and not advisable.

Updating PHP belongs to the very first checkpoint: software updates. Why do we associate new releases with security? Because users of releases that are no longer supported may be exposed to unpatched security vulnerabilities.

→ The importance of website maintenance

How often you should upgrade PHP

According to the official PHP website, there’s one PHP version that becomes obsolete each year. For example, in 2023, three versions were supported: 8.0, 8.1, and 8.2.

Only 8.1 and 8.2 are “being actively supported. Reported bugs and security issues are fixed and regular point releases are made.”

PHP 8.0 "is supported for critical security issues only. Releases are only made on an as-needed basis.”

As you can see in the table below, one PHP version is secure for 3 years, but after that, an update is required.

php replace


Who needs PHP update

Literally everyone whose website is running on PHP 8.0 or earlier. But before you switch PHP version, you need to check your website’s condition, server, and hosting.

There are two completely different use cases that we would like to bring to your attention.

  1. A website is hosted on a server with configured environments, backups, etc, like the Pantheon cloud hosting platform or Acquia Cloud.
  2. A website is hosted on a self-managed server (for example, self-managed VPS (Virtual Private Server), VDS (Virtual Dedicated Server), or AWS EC2) that your IT team configured and has to maintain i.e. apply operating system updates and other software updates including PHP.

In the second case, a development team can handle all the operations. But in the first case, the system administrator's help is needed. If you’re a website owner, make sure developers don’t apply changes to the server if your website is running on some highly customized Virtual Dedicated or Virtual Private Server. If you’re a website developer, ask for a sysadmin's assistance in this matter.

Benefits of upgrading PHP

  1. The website is secured since it has no vulnerabilities hackers could use. As you know, outdated PHP versions don't get any security support and new breaches are not covered.
  2. The private data is more secure if PHP is updated. We do not claim that from now on there’s a 100% data safety guarantee, but if the doors and windows of a house are closed, it reduces the likelihood of burglary.
  3. The website performance can be improved just because of the PHP update: studies show that switching to a new version of the programming language gives an increase in speed.
    Have you heard about the huge success of Badoo? They saved one million dollars after switching from PHP 5 to PHP 7. Below is the benchmark comparison between major PHP versions: we see that on PHP 7 it’s possible to execute more requests to the server than on PHP 5. The same is true for minor PHP versions: according to different benchmarks, the difference in performance between minor PHP 7 versions is within 10%. 
  4. Compatibility with hosting requirements: some hostings set strict deadlines for switching to a newer PHP and don’t let you drag your feet.
update php

Comparison between PHP versions

What happens if you don't update PHP

Your website is at risk of security and data leaks if you don't update PHP, and the hacker doesn’t have to be a CIA computer security consultant to do that.

Here are two cases from our practice.

A WordPress content website was hacked because of PHP vulnerabilities: attackers managed to insert malicious code into the page code.

A high-load Drupal website that stores many users' data (their personal information, records of their actions, and purchases) still runs on PHP 5.6. This is partly caused by business logic restrictions and budgeting. Soon the hosting service will stop the support of this version and part of the functionality will be unavailable. So, for some time, there can be troubles with getting new leads and receiving payments on the website. And when this happens, we will have to upgrade within a very short time, which doesn’t leave us room for testing the changes.

You see, the further you put off the PHP upgrade, the more it will cost. At some point, incompatibility between your website and hosting requirements, security requirements, etc will become dramatic and expensive to fix.

Updating PHP is suggested to be as important for website security as a strong password, secure connection, and a trustworthy hosting provider.

PHP upgrade and website performance

In a nutshell, such CMSs as Drupal and WordPress want users to use particular PHP versions for their websites. Drupal has 3 supported major versions right now—Drupal 7, 9, and 10—and the recommendation is to run those websites on PHP 7.3 or higher.

What happens if a website runs on an older version? First of all, its overall performance is noticeably weaker than it could have been if it were running on a newer version.

php version update


Secondly, new features in PHP, for example, preloading and syntax features, can help you implement particular functionality better and faster, but they are not available in the current outdated version. It hurts, doesn’t it?

Thirdly, third-party libraries can be unavailable because they’re incompatible with the PHP version used on the website at the moment. You’re bound by your old software.

→ Core Web Vitals and their impact on the website performance

How to update PHP in Drupal

In general, the process is rather straightforward.

  1. Make core and contributed modules used by Drupal compatible with PHP 8. The best option is to have them updated to the latest versions—yes, we mean patch versions. In rare cases, incompatibilities of the contributed modules used are possible if the module is specific, unpopular, and changes have not been committed for a long time.
  2. Make sure that the custom code is compatible with PHP 8.
  3. Estimate the scale and complexity of the incompatibilities and do the fixes.
  4. Update PHP with the help of a developer, if the website is hosted on Pantheon, Acquia, or something else. Update PHP with the help of a system administrator if the website is hosted on a self-managed server.

Well done!

How to update PHP in WordPress

How to update WordPress PHP in a few steps:

  1. Make WordPress plugins compatible with PHP 8 by updating them. Usually, the update process isn’t complicated; the only pitfalls are abandoned paid plugins.
  2. Make sure that the custom code is compatible with PHP 8.
  3. Estimate the scale and complexity of the incompatibilities and do the fixes.
  4. Update PHP with the help of a developer, if the website is hosted on Pantheon, WP Engine, or something else. Update PHP with the help of a system administrator if the website is hosted on a self-managed server.

If you need help with upgrading WordPress PHP, contact our PHP web development specialists at

How to update PHP on custom PHP website

We have several custom PHP websites on support, and we can surely say that the process is not as difficult as it may seem.

  1. Update the third-party libraries that are installed through Composer (pretty much the standard program for dependency management and getting Drupal websites together).
  2. Make sure that the custom code is compatible with PHP 8 and updated libraries (especially if you updated the major version of a library).
  3. Update PHP.

What to be aware of: sometimes dependencies don’t have a version compatible with the latest PHP. Then you have to either look for alternatives and update your code or use a different library. This is always an unexpected surprise but anyway, we were always able to help our clients with this.

Key takeaways

Let's wrap it up and revise the main ideas.

  1. PHP update is one of the most important pillars of security: if you have sensitive data stored on your website, consider taking preliminary actions for securing your website.
  2. Updated PHP means higher performance.
  3. Higher performance leads to a better user experience and conversions.
  4. The longer you don’t update PHP, the longer it will take when the time comes and the more it will cost.
  5. PHP 8 is proven to make websites quicker and web developers' lives easier.
  6. The PHP update process varies from website to website, so consult professionals to upgrade your website.

We have some of them working at ADCI Solutions. Contact us for professional web development services at

You might also like