Goodbye PHP 5.5

php55Yes, another milestone this weekend as PHP 5.5 reaches the end of its safe operating life on web servers. As of July 9, 2016 it will receive no more security updates. Should you be concerned? Maybe, if you are one of the many web designers and site owners whose server runs on PHP 5.5.

I see into the admin panels of many sites every day, and the majority are still using PHP 5.5 or earlier. I still see some with PHP 5.2, and many with PHP5.3. Such a security risk cannot be worth taking, surely?

Similarly, I see way too many sites using the user name ‘admin’ with a simple password, making the life of the hacker way too easy. Be aware that if you have registered the Ultimatum Toolset with one admin user, you must not delete that user without first resetting the Ultimatum Toolset (in effect de-registering it). The same applies if you wish to change the ID number of the main admin user (iThemes Security does this). An alternative to making a safer main admin user name is to rename the main admin, and there are plugins that help you do this, such as the WPVN – Username Changer plugin (use it but then remove it).

With only PHP 5.6 still being supported from the PHP 5 series, the switch to PHP 7 becomes more pressing. At last, cPanel, the supplier of the control panel software most often used by hosts, have announced that EasyApache 4 will be a stable release (out of beta) for their next version; cPanel 58 (but the easy conversion interface to convert from the current EasyApache 3 to the new 4 has been delayed; your host will have to do this from the command line for now). Also coming soon from them is add-on support for Let’s Encrypt automated, free SSL certification, and some support for NGiNX and PHP-FPM. Happy days for those of you seeking better performance and security without the need for expert server tuning skills.

July 10, 2016   14 Comments
by Trevor Nelmes

Trevor is the head of support and testing at Ultimatum Theme and owns a WordPress-based web design business called CDNWebDesign. He has been programming since the 1970's and web designing since 1999. In his spare time, he likes to take scenic photographs in the beautiful Cotswolds in the UK.

Comments

  1. Tereza Ullinovich

    Trevor, thank you for this truly great information. I have been struggling with optimization and this will be a big help for people like me.

  2. Hey Trevor,
    have you come across a tutorial yet that covers the easy apache 3 -4 command line switch, for those of us who don’t mind a little bit of bashing about. 😉

  3. Yeah, I read that but it seems too simple. It can’t be just that simple to run that one command. What about all the settings choices that you need to make, version of apache, php etc.?

    • No, its that simple. It totally borked up my server when I did it. And it goes through a lengthy options process, so you really need to make sure you know what all your settings were. I am waiting for cPanel 58, as it is only days away from release (I think it is in Edge already).

    • Let’s Encrypt will be in the core of cPanel. instead it is an plugin. This is what Benny from cPanel said when asked 2 weeks ago:

      The BETA of the cPanel-provided Let’s Encrypt plugin that we’re building has been going very well, and we’ve gotten some incredible feedback from our testers. The public release of the plugin is still on target to be released during the v58 cycle and we will be sharing an updated BETA version with our testers soon.

  7. As an update to the post, my server has just updated itself to cPanel 58. I had to make two configuration changes (to my SSHD login setup and to install IonCube loader) and it all looks OK. I will leave it for a day or so then look at migrating to Easyapache 4.

  8. Trevor, I think using the –skip_convert flag and then creating a profile from scratch is advisable, as opposed to the default which attempts to convert your profile settings from 3 to 4….