After November 28th, 2022, new security exploits in PHP 7.4 will not be fixed. This is a big deal for WordPress sites because WordPress depends on PHP. The custom themes and plugins most WordPress sites use depend on PHP as well.
The work required to support PHP 8 can vary depending on the code for each WordPress theme or plugin. The newer PHP version has some breaking changes that can cause problems for older themes and plugins. If you haven’t updated your site in the past year or more, your site probably needs some work to prepare for PHP 8.
What happens if I don’t upgrade?
If you don’t upgrade your site to PHP 8, nothing bad will happen right away. However, the longer you remain on PHP 7.4, the more likely it is that your site will become vulnerable to cyber attacks. Security researchers will find more ways to exploit PHP 7.4 over time. Once the PHP version is no longer supported, these new security exploits will not be fixed. That means your site will become less secure over time.
Hackers can take control of an outdated WordPress site. Many attackers use automated tools to find vulnerable sites. Even if your site is not very well-known, it can still be targeted by these automated tools.
Attackers may deface your site with an offensive message or redirect visitors to their own website. Sometimes, they will use your site to send spam emails or attack other sites. They may even install malware—malicious software—on your site to harm visitors’ computers.
These attacks are difficult to clean up, and can have lasting consequences. If your site is flagged as malicious, it can be difficult to get your domain listed again on search engines. Web browsers like Chrome and Firefox also have a list of known malicious sites and will warn or block users from accessing those sites. If your site’s domain is added to that list, it can take weeks to return your domain to good standing.
How to prepare your site for PHP 8
For your site to support PHP 8, you will need to upgrade WordPress Core (the main components of WordPress) to version 5.9 or newer. You will also need to upgrade your themes and plugins to versions that support PHP 8. Upgrading WordPress Core is a good first step, because it will be necessary in order to update themes and plugins to newer versions that are compatible with PHP 8.
Unfortunately, if you have not been regularly installing updates, moving to recent versions of WordPress, themes, and plugins may not be as simple as the typical “click the button” process for minor updates. You will likely need to review your installed themes and plugins, and go to the developer’s site for each theme or plugin to determine upgrade steps. You may also need some trial and error: some plugins won’t have documentation, so you’ll just have to try upgrading until you find a version that works as expected.
Once you upgrade your site’s theme and plugins, you’ll need to test them. Just because the plugins are compatible with PHP 8 doesn’t mean they work like they used to. The theme’s design or a plugin’s functionality may have changed since your last software update. Therefore, your upgrade will only be a success if you test every page and feature.
Where possible, try upgrading one thing at a time. Upgrading plugins one by one will be simpler to manage and troubleshoot than upgrading everything all at once.
If you have not upgraded your WordPress theme in a few years, you may have to make some manual adjustments. A custom theme may introduce new features, and old components you built your site with may look or feel a little different in the latest version. You may have to insert your own CSS or HTML into some of the pages, potentially editing the theme.
Testing your site with PHP 8
Before you try any of this on your live site, you should test your site with PHP 8 on a staging site. Depending on your WordPress host, you may already have a staging site available for testing this exact sort of thing. WPEngine offers staging sites, for example. If your host does not offer staging sites, you can set up your own or set up a local development environment.
Your staging site should be a copy of your live site, so you can test exactly what will happen on your live site. Once you have everything upgraded in your staging site, you can import the data and code into your live site. This approach is much less stressful than trying to figure out your upgrade path on your live site.
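The one-at-a-time upgrade and test loop described above can be scripted on a staging copy. The following is an added example, not part of the original article; it assumes WP-CLI (`wp`) and `curl` are installed on the staging host, and the staging path and the file of URLs to check are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example: update plugins one at a time on a STAGING copy and smoke-test
# the site after each update. Assumes WP-CLI (`wp`) and curl are installed;
# the staging path and URL list file are placeholders you supply.

# Succeeds (exit 0) when a response looks broken: no response, a 5xx status,
# or a PHP / WordPress fatal error message in the body.
page_looks_broken() {
  case "$1" in 000|5??) return 0 ;; esac
  printf '%s' "$2" | grep -Eqi 'Fatal error|Parse error|critical error on this website'
}

# Succeeds when WordPress core version $1 is 5.9 or newer.
core_supports_php8() {
  awk -v v="$1" 'BEGIN { split(v, a, ".");
    exit !((a[1]+0 > 5) || (a[1]+0 == 5 && a[2]+0 >= 9)) }'
}

# Fetch every URL listed in file $1 (one per line); report broken pages.
smoke_test() {
  failed=0
  tmp="$(mktemp)"
  while IFS= read -r url; do
    [ -n "$url" ] || continue
    status="$(curl -s -m 20 -o "$tmp" -w '%{http_code}' "$url")"
    if page_looks_broken "$status" "$(cat "$tmp")"; then
      echo "BROKEN: $url (HTTP $status)"
      failed=1
    fi
  done < "$1"
  rm -f "$tmp"
  return "$failed"
}

main() {
  wp_path="$1"; urls_file="$2"
  core_supports_php8 "$(wp --path="$wp_path" core version)" ||
    { echo "Update WordPress core to 5.9 or newer first"; return 1; }
  for plugin in $(wp --path="$wp_path" plugin list --update=available --field=name); do
    echo "Updating $plugin"
    wp --path="$wp_path" plugin update "$plugin" || return 1
    smoke_test "$urls_file" ||
      { echo "Stopped after $plugin: fix or roll back before continuing"; return 1; }
  done
}

# Runs only when given both arguments, e.g.: ./staging-update.sh /var/www/staging urls.txt
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Themes can be handled the same way with `wp theme list` and `wp theme update`. A clean smoke test only rules out crashes, so the page-by-page review of design and features is still needed.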
What if I can’t upgrade?
If you can’t upgrade with your particular mix of themes and plugins, it may be time for a new site. Thankfully, WordPress makes it easy to export your site’s content and import it into a new site. In the worst-case scenario, you can set up an entirely new WordPress site with PHP 8, choose a new theme, and import all of your existing content. While it will still require some work (e.g., visually inspecting and tweaking old content to look perfect in the new theme), it may be an easier option than troubleshooting a lot of broken plugins. If you choose this path, a modernized site design might make the entire upgrade process feel like it was worth the effort, too.
Preparing for future upgrades
Technology is a moving target, and WordPress is no exception. This won’t be the last time you have to upgrade WordPress to remain on a supported PHP version. PHP 8.0 security support ends late next year, with 8.1 ending on November 25, 2024. This annual cadence is part of PHP’s regular release and support schedule.
However, if you regularly update your WordPress site, you can drastically lower the effort to upgrade to newer PHP versions. Consider adopting a monthly or quarterly update schedule for your WordPress site. Follow the above process for testing site updates in a staging environment. Update your plugins and themes in the staging site and give the site a thorough review. Once you’re happy with the update, promote the changes to your live site.
After updating everything a few times, you’ll find that you can take care of even larger WordPress sites in a few hours of work or less every few months. Your site will become easier to maintain and you can rest easy knowing that your site is as secure as possible.