Keeping Drupal up to date is a good start, but people often forget to keep PHP up to date as well. PHP 5.3 has reached end of life and will stop receiving security updates in July 2014. It is important to make sure your site is running on a supported version. Note that it is also important to keep the rest of your server's software up to date (e.g. Apache/Nginx, MySQL, the OS). Running old, unsupported software leaves you exposed. In this blog post I will mostly talk about the options you have for updating PHP.
The Drupal team recently decided to make Drupal 8 require PHP 5.4 or higher. If you are a developer or a web development shop that will be building sites in D8, you will need to make sure you have PHP 5.4 installed. Default installs of Ubuntu 12.04 LTS and RedHat 6 or older do not come with PHP 5.4, so you will need to upgrade.
Switch to PHP 5.4
If you currently have a D4/5/6/7 site and you run it on PHP 5.4, your site(s) will probably have errors. Some errors will be easy to fix and some will be hard. If your site is on D7 and has the latest core and contrib modules, then any error that comes up should be fairly easy to fix, and patches are available in most cases. If the problem requires a lot of work, especially when you have a D4/5/6 site, then you will have a few decisions to make. There is no definitive solution to this. It depends on your budget limitations, time and/or staff availability, and current server setup.
Here are your options:
1. Upgrade PHP to 5.4, stick with your existing version of Drupal and try to fix the errors.
- Most likely will be cheaper than a full Drupal core upgrade.
- The longer you delay upgrading your unsupported version of Drupal, the more your site will be exposed to security issues.
2. Run multiple versions of PHP. Your old Drupal site will run on the existing version of PHP and if you add a new D8 site, run it on PHP 5.4 or higher.
- How to have two versions of PHP installed and switch easily?
- If you are running cPanel, you can change the default PHP version
- Running multiple PHP versions on a single Apache Install
- Potentially the cheapest option
- You don’t have to re-test all your existing sites.
- Requires time to set up different versions of PHP and a more complicated server configuration.
- Running unsupported versions of PHP and Drupal exposes you to security vulnerabilities as time passes.
3. Upgrade all of your old Drupal sites to Drupal 8 after a stable release is available.
- Your site will be able to have a longer life span.
- You get to take advantage of Drupal 8’s new features.
- Most secure option
- Requires the most time (higher cost) out of all options
4. If you want to add a new D8 site in addition to other old Drupal sites: Set up the D8 site on a different server with PHP 5.4. Leave your existing sites as they are.
- No need to test any existing sites.
- Once again, running unsupported versions of PHP and Drupal exposes you to security vulnerabilities as time passes.
- Recurring cost of hosting on separate hardware.
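Whichever option you pick, it helps to know which PHP version each site actually runs. The shell script below is an added example, not part of the original post: it parses PHP version banners and flags anything older than the 5.4 minimum mentioned above. The hostnames and banners in the sample inventory are constructed.

```shell
#!/bin/sh
# Added example: flag PHP runtimes older than the 5.4 minimum named in the post.
MIN_MAJOR=5
MIN_MINOR=4

# Pull "major.minor.patch" out of a banner such as the first line of `php -v`
# or an X-Powered-By header. Anchoring on "PHP" skips other version numbers
# (e.g. Apache's) and drops distro suffixes like "-1ubuntu3".
extract_php_version() {
    printf '%s\n' "$1" |
        sed -n 's#.*PHP[ /]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*#\1#p' |
        head -n 1
}

# Print ok / unsupported / unknown for one banner (exit status 0 / 1 / 2).
php_version_status() {
    ver=$(extract_php_version "$1")
    if [ -z "$ver" ]; then echo unknown; return 2; fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -gt "$MIN_MAJOR" ] ||
       { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; }; then
        echo ok; return 0
    fi
    echo unsupported; return 1
}

# Read "label|banner" lines on stdin, print "label status" for each,
# and return 1 if any runtime is unsupported or could not be identified.
audit_php_versions() {
    failed=0
    while IFS='|' read -r label banner; do
        [ -n "$label" ] || continue
        status=$(php_version_status "$banner") || failed=1
        printf '%s %s\n' "$label" "$status"
    done
    return "$failed"
}

# Constructed inventory: hostnames and banners are made up for illustration.
sample_inventory() {
    cat <<'EOF'
legacy-d6.example|PHP 5.3.10-1ubuntu3.26 with Suhosin-Patch (cli)
new-d8.example|PHP 5.4.45 (cli)
old-d5.example|X-Powered-By: PHP/5.2.17
proxy.example|Server: nginx
EOF
}

sample_inventory | audit_php_versions || true
```

With several PHP versions on one server (option 2), the `php -v` on the command line can differ from the version the web server uses for a given site, so collect the banner from each site's own runtime.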
PHP 5.5 is already out, should I use PHP 5.5 instead of 5.4?
At the time of writing, core is still broken (edit: can get around it by disabling opcache) for PHP 5.5. It is not as widely used as PHP 5.4, so there are probably still lots of undiscovered issues for PHP 5.5. I would use 5.4 for now.
If your site is currently on an unsupported version of Drupal and/or PHP and you’re wondering which option is best for your needs, feel free to contact us and we will give you our recommendation.
Edit: added "July" to the 2014 date for PHP 5.3 no longer receiving security updates; added a link to the PHP 5.5 opcode issue.