Get ready now: Why PHP versions matter

Written By Allen Shaw

Forget all the geeky tech-speak. This is something you need to be aware of and act on.

---

Just to cut to the chase, I'll give you the short story:

The next security release of CiviCRM (whenever it comes out) will require PHP version 8.1 or higher.

So if your site is still running PHP 7, you'll probably want to be sure your site is actually ready to run under that newer PHP version.

To fill in the details a little…

Why this matters:

  • Your CiviCRM site is running on PHP. Even if you don’t know what PHP is, it’s there, doing its job quitely.

  • A change in PHP version will apply to every component of your website: the CMS (WordPress, Drupal, etc.), CMS plugins and modules, CiviCRM, and all CiviCRM extensions.

  • There’s at least some chance that one of those will have some surprises (bugs, or fatal errors) under PHP 8.

  • When a CiviCRM security release comes out, you’ll want to apply it right away.

  • And since it will require PHP 8, that’s not the best time to find out that one of your website compnents has problems under PHP 8.

Wait, is PHP 7 insecure?

Nope. If your web host has your site running under PHP 7, they’re almost certainly keeping it up to date for all known security issues. So your site should be just fine running under PHP 7 right now.

So what’s the problem?

It’s about timing. It’s like this:

Assume for argument that some component of your website will be buggy under PHP 8. And assume that you know neither which component it will be, nor what kind of problem it will have.

Now, ask yourself:

  • Would you like to know about that now, so you have some time to fix those components and make them compatible with PHP 8, in your own good time?

  • Or would you rather wait until a CiviCRM security update has been released; and you’ve upgraded to that security version; and then find out that you’ve got bugs in your site; and then find out that whoever you might ask for help with those bugs is already busy fixing similar emergencies on other people’s sites?

I myself would prefer the first option. Perhaps you can see why.

So what to do?

Taking action here is probably pretty simple. You’ve got some really competent person helping you with the complex technical details of your site — right? Some expert in CiviCRM and your CMS of choice (WordPress, Drupal, etc.), whom you lean on for tasks that are outside your normal in-house expertise?

Great! (And if you don’t I do suggest you find one.)

Just reach out to them and say something like, “We’re going to need to upgrade to PHP 8 pretty soon. Can you help me make sure we’re actually ready for that? And then, can we go ahead and start using PHP as soon as possible?”

Send them a copy of this email, if you like. It might help explain the urgency more clearly.

They might also want to read CiviCRM’s announcement about this change or CiviCRM’s recommended PHP versions.

Here’s the thing:

Neither you nor I know when the next CiviCRM security update will be released.

It could be soon.

When it happens, you’ll want to apply that update as soon as possible.

And to make that possible, you’ll want to be sure now that you’re ready for the upgrade then.

All the best,
A.

Allen Shaw
Previous

Coaching and accountability
Next

Delayed upgrades: extension compatibility problems