PHP End-of-Life Dates: Support Timeline for Every Version (2026)

PHP powers roughly 75% of all websites with a known server-side programming language, according to W3Techs. WordPress alone, which runs on PHP, accounts for over 43% of all websites on the internet. Drupal, Joomla, Laravel, Symfony, Magento: the PHP ecosystem is enormous, and a significant portion of it is running on versions that no longer receive security patches.

As of March 2026, only four PHP versions are actively supported: 8.2, 8.3, 8.4, and 8.5. Everything from PHP 8.1 and below is end-of-life. PHP 8.2 reaches EOL on December 31, 2026, giving organizations running it less than nine months to plan their next move.

This guide covers every PHP version's lifecycle dates, the security risks of running EOL PHP, and the options available to teams that cannot upgrade immediately.

‍

How PHP's Support Policy Works

The PHP project follows a predictable release and support cycle. A new feature version (e.g., 8.5) ships once per year, typically in late November. Each version then moves through three phases:

• Active Support (2 years): Bug fixes, security patches, and regular point releases.
• Security Support (2 years): Only critical security patches. No bug fixes or new features.
• End of Life: No further updates of any kind. No security patches. No bug fixes.

This gives each PHP version a four-year total support window. Prior to September 2024, the cycle was shorter: two years of active support followed by only one year of security fixes, for a three-year total. The PHP project extended the security support period to two years and aligned all end-of-support dates to December 31 of the relevant year. PHP 8.1 was the first version to benefit from the extended timeline, with its EOL shifting from November 2024 to December 31, 2025.

Note: PHP 6 was never released. A planned Unicode-native rewrite of PHP was abandoned, and development jumped from PHP 5.x directly to PHP 7.0.

Complete PHP Version Timeline

‍

Versions Reaching EOL Next: What to Watch

PHP 8.2 End of Life: December 31, 2026

PHP 8.2 is currently in its security-only support phase and will reach end of life on December 31, 2026. Active support (bug fixes) ended on December 31, 2024, so the only updates 8.2 receives now are critical security patches.

PHP 8.2 introduced readonly classes, disjunctive normal form types, standalone null, false, and true types, and deprecated dynamic properties. It remains widely deployed, particularly across WordPress hosting environments that were slow to adopt 8.3 and 8.4.

Organizations running PHP 8.2 in production should begin planning their upgrade path now. The December 31 deadline leaves limited time for testing compatibility across large application codebases, and any CVE disclosed after that date will not receive an official patch for 8.2.

PHP 8.3: Security Support Until December 31, 2027

PHP 8.3 entered security-only support at the end of 2025. It will continue receiving critical security patches through December 31, 2027. Teams on 8.3 have roughly 21 months of coverage remaining, but should be evaluating 8.4 or 8.5 for their next upgrade cycle.

PHP 8.1: Recently End-of-Life (December 31, 2025)

PHP 8.1 reached end of life on December 31, 2025. Any CVE disclosed against PHP 8.1 after that date will not be patched by the PHP project. Given that PHP regularly receives new CVE disclosures (multiple were disclosed in late 2025 alone, including CVE-2025-14177 and CVE-2025-14180), organizations still running 8.1 are accumulating unpatched exposure.

For more details, see our dedicated coverage: PHP 8.1 End of Life: Security Support Has Officially Ended.

‍

End-of-Life PHP Versions in Detail

PHP 8.0 End of Life

• EOL Date: November 26, 2023
• Last Release: 8.0.30

PHP 8.0 was a landmark release, introducing the JIT compiler, union types, named arguments, attributes, match expressions, and nullsafe operators. Despite its significance, PHP 8.0 followed the original three-year support model (two years active, one year security) and lost all support in November 2023. PHP 8.0 is vulnerable to every PHP CVE disclosed since then, including the critical CVE-2024-4577 (CVSS 9.8) remote code execution flaw that has been actively exploited in the wild since mid-2024.

PHP 7.4 End of Life

• EOL Date: November 28, 2022
• Last Release: 7.4.33

PHP 7.4 was the final release in the PHP 7.x series and remains one of the most heavily deployed PHP versions on the internet. WordPress.org statistics have historically shown PHP 7.4 as the single most-used PHP version across WordPress installations, with over 40% of WordPress sites running it at one point. PHP 7.4 introduced typed properties, arrow functions, the null coalescing assignment operator, and preloading.

PHP 7.4 has been unsupported for over three years. Every CVE disclosed against PHP since November 2022 is unpatched on 7.4, including CVE-2024-4577, which is actively exploited.

PHP 7.3 End of Life

• EOL Date: December 6, 2021
• Last Release: 7.3.33

PHP 7.3 added flexible heredoc/nowdoc syntax, trailing commas in function calls, and json_throw_on_error. It has been unsupported for over four years.

PHP 7.2 End of Life

• EOL Date: November 30, 2020
• Last Release: 7.2.34

PHP 7.2 introduced object type hints, the sodium cryptography extension as a core module, and abstract method overriding. It has been unsupported for over five years. WordPress still lists PHP 7.2.24 as its minimum requirement, which means WordPress will install on a PHP version that has not received a security patch since 2020.

PHP 7.1 End of Life

• EOL Date: December 1, 2019
• Last Release: 7.1.33

PHP 7.1 introduced nullable types, void return types, class constant visibility, and iterable pseudo-type. It has been unsupported for over six years.

PHP 7.0 End of Life

• EOL Date: January 10, 2019
• Last Release: 7.0.33

PHP 5.6 End of Life

• EOL Date: December 31, 2018
• Last Release: 5.6.40

PHP 5.6 was the last version of the PHP 5.x series and its EOL marked the end of an era for PHP. Despite being unsupported for over seven years, PHP 5.x deployments still exist in production environments, particularly in legacy enterprise applications and older CMS installations. W3Techs data has shown PHP 5.x usage persisting on a measurable percentage of websites for years after EOL.

‍

The WordPress Factor

PHP's EOL story cannot be told without addressing WordPress. WordPress powers over 43% of all websites and is entirely dependent on PHP. This creates a cascading effect: when a PHP version reaches EOL, every WordPress site running on that version becomes exposed.

WordPress.org recommends PHP 8.3 or higher as of 2026. However, real-world adoption lags significantly behind. Historical data from WordPress.org has shown that a large percentage of WordPress sites continue to run on PHP 7.4, and many hosting providers are slow to enforce upgrades. WordPress itself has only recently begun requiring PHP 7.2.24 as its minimum, meaning the CMS will technically install on versions that have been unsupported for over five years.

For organizations running WordPress on EOL PHP, the risk is compounded: vulnerabilities can exist in PHP itself, in WordPress core, and in the plugin/theme ecosystem. A single unpatched PHP vulnerability like CVE-2024-4577 can provide an attacker with remote code execution regardless of how well the WordPress application layer is maintained.

‍

CVE-2024-4577: A Case Study in EOL PHP Risk

CVE-2024-4577 (CVSS 9.8) is an OS command injection vulnerability that affects PHP running on Windows with CGI configurations. The flaw exploits Windows "Best-Fit" character encoding behavior to bypass previous CGI protections and achieve remote code execution.

This vulnerability was disclosed in June 2024 and patched in PHP 8.1.29, 8.2.20, and 8.3.8. PHP 8.0 and all 7.x versions are confirmed vulnerable but received no official patches because they were already end-of-life.

Since January 2025, security researchers have documented mass exploitation of CVE-2024-4577 across multiple regions, with over 1,000 unique IPs observed attacking vulnerable systems in a single month. Threat actors have used the vulnerability to deploy cryptominers, RATs, web shells, and DDoS botnet malware.

For a deeper technical analysis, see our CVE-2024-4577 vulnerability write-up and vulnerability directory entry.

This is the reality of running EOL PHP: critical vulnerabilities are disclosed, patches are issued only for supported versions, and attackers exploit the gap.

‍

What Happens After End of Life

When a PHP version reaches EOL, three things change immediately:

Security patches stop. The PHP project will not release fixes for new CVEs, regardless of severity. CVE-2024-4577 demonstrated that critical RCE vulnerabilities affecting EOL versions go unpatched upstream while being actively exploited.

Ecosystem compatibility degrades. PHP frameworks (Laravel, Symfony, Drupal), package managers (Composer), and hosting providers progressively drop support for older PHP versions. Laravel 11 requires PHP 8.2 or higher. Drupal 11 requires PHP 8.3. Running EOL PHP increasingly means running an EOL application stack.

Compliance audits flag it. SOC 2, PCI DSS, HIPAA, FedRAMP, and the EU Cyber Resilience Act require organizations to use supported software or demonstrate equivalent compensating controls. EOL PHP is a finding on virtually every security audit, and vulnerability scanners like Qualys, Nessus, and Snyk flag it automatically.

‍

Is My PHP Version Supported?

‍

Options for EOL PHP Versions

1. Upgrade to a Supported Version

The best long-term approach. PHP's migration guides (available at php.net) document the breaking changes and deprecations between each version. Tools like Rector can automate many code transformations.

The challenge is scope. Upgrading from PHP 7.4 to 8.4 spans four major versions, and the gap between PHP 7.x and 8.x is substantial: deprecated dynamic properties, stricter type handling, removed functions, and changes to string-to-number comparisons all require careful testing. For large codebases, particularly those relying on frameworks or CMSs that also need upgrading, the total migration effort can take months.

2. Migrate to a Different Technology

Some organizations use a PHP EOL event as a trigger to re-platform entirely, moving to Node.js, Python, Go, or another backend technology. This is the most expensive and time-consuming option, but may make strategic sense for teams already planning to move away from PHP.

3. Adopt Commercial Extended Support

For organizations that cannot upgrade immediately, commercial extended support provides ongoing security patches for EOL PHP versions, closing the vulnerability gap while your team plans and executes a migration on its own timeline.

HeroDevs Never-Ending Support (NES) for PHP covers PHP versions 7.2, 7.3, 7.4, 8.0, 8.1, and 8.2 with patched runtimes delivered as native installation packages (RPM, DEB) across major Linux distributions and Windows. The runtimes are built and maintained by core PHP contributors in partnership with Zend by Perforce, and include compliance SLAs for SOC 2, PCI DSS, HIPAA, and FedRAMP. This is the same model HeroDevs uses across its full NES product portfolio: a secure, drop-in replacement that requires no application code changes.

‍

Frequently Asked Questions

When does PHP 8.2 reach end of life?

PHP 8.2 reaches end of life on December 31, 2026. After that date, it will no longer receive security patches from the PHP project. Organizations should begin planning their upgrade to PHP 8.3, 8.4, or 8.5 well before that deadline.

Is PHP 7.4 still supported?

No. PHP 7.4 reached end of life on November 28, 2022. It has not received any security patches for over three years and is vulnerable to multiple actively exploited CVEs, including CVE-2024-4577 (CVSS 9.8). Organizations still running PHP 7.4 should upgrade to a supported version or adopt extended support through HeroDevs.

Is PHP 8.1 still supported?

No. PHP 8.1 reached end of life on December 31, 2025. It will not receive any further updates from the PHP project.

What PHP version should I use?

As of March 2026, PHP 8.4 is the recommended version for production environments. It is in active support (receiving both bug fixes and security patches) and will remain supported through December 31, 2028. PHP 8.5, the latest release, is also a strong choice, though it is common practice to wait for a few point releases before adopting the newest version in production.

Does running EOL PHP affect compliance?

Yes. SOC 2, PCI DSS, HIPAA, ISO 27001, FedRAMP, and the EU Cyber Resilience Act all have requirements around maintaining supported software and patching known vulnerabilities. Running EOL PHP is commonly flagged during audits, and vulnerability scanners will report it as a finding.

Why do so many sites still run PHP 7.4?

PHP 7.4 was the last version in the 7.x series, and the jump to PHP 8.0 introduced significant breaking changes (stricter type coercion, removal of deprecated functions, JIT compilation). Many WordPress plugins and themes were slow to declare PHP 8.x compatibility, and shared hosting providers were slow to enforce upgrades. The result is a long tail of sites running unsupported PHP, particularly in the WordPress ecosystem.

‍

Taking Action

PHP's annual release cadence and four-year support windows mean that staying current requires ongoing planning. With PHP 8.2 reaching EOL at the end of 2026 and millions of applications still running PHP 7.4 or 8.0, the gap between supported and deployed PHP continues to widen.

The most important step is understanding where you stand today. Run php -v on your servers, review your hosting provider's PHP version settings, and check your application's compatibility requirements. The longer an unsupported version runs in production, the larger the attack surface and the more expensive the eventual remediation.

Whether you choose to upgrade, migrate, or adopt extended support, HeroDevs can help. Our NES for PHP covers versions 7.2 through 8.2 with ongoing security patches, compliance SLAs, and drop-in replacement runtimes that require no code changes. If your organization is running end-of-life PHP and needs help evaluating your options, contact us.

This post is maintained by HeroDevs and will be updated as new PHP versions are released and existing versions reach end of life. Last updated: March 2026.

‍