It's become somewhat of a tradition to do a PHP version round up at the end of the year. In 2014 Anthony Ferrara posted PHP versions in the wild and last year I continued the tradition (with his blessings) with my PHP version roundup post. This is a continuation of that post.
In this post I'll be detailng:
- patch version fragmentation
- % change in install numbers
- % of installations running an insecure or out of date PHP version.
Data is drawn from w3techs.com. While no raw figures are released, it is based on a percentage of usage from the top 10 million sites on the web (based on Alexa.com's listing) - so in my view its a sufficient sample.
What is 'secure'
As with previous years, a 'secure' version is either:
- Supported by PHP officially (i.e. the latest secure patch)
- Supported by a popular, stable linux distribution (backported patches etc).
An insecure version is either no longer supported by PHP, has been superceded by a more recent patch version, or more simply, is does not meet the 'secure' requirements above (which is why you'll see 1-% calculations in the spreadsheet)
Show me the data
All the analysis is available in this google sheet and I warmly invite any commentary to improve its accuracy and/or analysis.
The version roundup
There's been a minimal change in the usage of 5.1 going from 0.9% to 0.7% in the past 12 months. At present the only popular linux distro to actively support 5.1 is CentOS 5.11 and the EOL for this is the end of March next year. I would expect the main driver here is the slow and steady upgrade process as organisations migrate from older OS's.
I'm saddened to see that the migration away from 5.2 has slowed over the past 12 months. In the 2014-2015 period its usage went from 20% to 13%, sadly that rate has almost halved leaving us with 9.3% of sites using 5.2 at the time of writing.
PHP 5.2 is almost 6 years old (at the time of writing) and reached its end of life in 2011. Simply put, I don't consider any excuse acceptable for still running PHP 5.2; please upgrade, yesterday.
Usage of PHP 5.3 has continued to steadily decline over the past 12 months at roughly 10% year on year. We're currently down to 25% of PHP installs running 5.3 overall, of which 32% are secure. Overall it contributes 8% of the overall # of secure installs.
PHP 5.4 now seems to be in decline, decreasing from 30% usage last year to 24.5% this year - thats less than it was in 2014 when adoption was increasing. I'm also thrilled to see that 70% of these installs are 'secure', which contributes to 17% overall of the secure PHP installs.
PHP 5.5 is on the up and up growing from just 6% in 2014, to 14.8% in 2015 and now 18.2% in 2016! Sadly however only 38% of these installs are 'secure', which contributes to 7.3% of overall secure installs. Thats only a small increase over the % of secure installs from last year too.
I'm predicting this number to say somewhat stationary next year (we'll see) since the only supporting distribution Ubuntu 12.04 is not EOL'd until April 2018.
I'm most delighted with PHP 5.6's adoption over time. It's grown from 0.4% in 2014 to 4.7% last year and 19% this year! 38% of current 5.6 installs are 'secure', which is 7.3% of secure PHP installs overall.
It's fantastic to see the adoption of 5.6 growing for both security and features; but its important to note that 5.6 will reach the end of its active official support at the end of 2016 (15 days away at time of writing). You'll still get security support for 2 more years until December 31st 2018.
These are the numbers I'm most excited to see! When I published this last year PHP 7.0 had only been out for a week], but its 12 months on and adoption is sitting at around 2.1% of all installs. While initially this sounds small; the updates to 7.0 were sufficiently backwards incompatible and its actually quite pleasant to see 2% of the top 10 million sites updating. Since most frameworks have confirmed 7.0 compatibility throughout 2016 I'm hoping 2017 shows a significant increase in 7.x adoption.
Overall, 39% of PHP 7.0 installs are 'secure' which is only 0.9% of overall secure installs.
7.1 is in a similar position as 7.0 from last year in that its only just hit shelves in time for the holiday season (and you get get it from homebrew as of last weekend!). Not surprising is that 99% of installs are secure, with an odd anomaly reporting some 7.1.2 installs... for some unknown reason. In other words; if you're in the spectacularly brave minority of upgrading already then the chances are you're secure!
State of the version
In 2014 we sat at 21.7% of secure installs and last year that grew to 32.4%.
Overall I'm delighted to share that based on these figures 39.5% of PHP installs are secure which is a fantastic improvement.
For PHP developers worldwide its also fantastic to see a steady and progressive increase in the option of new PHP versions. This means more language features, syntactic sugar and better performance for millions of sites! It also leads to an increased minor version fragmentation. Last year we saw an increase in the adoption of 5.4 and 5.5, and this year its broadly fragmented in quarters between 5.3, 5.4, 5.5 and 5.6.
My prediction is that the next 12 months will be a wake up call. PHP 5 (as in all of PHP 5) is due to end active support with 5.6 in 2 weeks (though security support will be maintained). Linux distributions will have to (as they largely have already) pick up their game in version adoption to ensure both a feature rich, stable and secure language offering in their default package repositories.
Sadly however, we're still looking at a majority of PHP installs being classed as insecure. Can we make 2017 the year we tip the tables? I believe we can! So as with last year's call to arms: make this the year you patch. The year you upgrade. The year you spend the time to update and secure your website, application, platform or project.
In short, keep remembering to 'Patch Yo Sh*t!'