Decision Guide — PHP 7.x

PHP 7.x Is End-of-Life:
Migrate or Buy Extended Support?

Updated July 13, 2026 · endoflife.ai · Decision Guide · Language Runtime / Web Backend

Current Status

PHP 7.x is fully end of life. PHP 7.4, the last release in the 7.x line, reached end of life on November 28, 2022 — and every earlier PHP 7 minor version (7.0 through 7.3) had already stopped receiving security fixes before that. Any application still running on PHP 7.x has been without a vendor patch stream for the better part of four years, and PHP is a common target given how directly it's exposed on web-facing infrastructure.

Still running PHP 7.x?
See where you land on the decision flow below, then get matched with the right option for your situation.
Free · no obligation · we match you with the right provider
Get Matched With a Provider →

The Decision Flow

Most teams still running PHP 7.x land on one of three paths. Work through it in order:

Q1: Can you migrate within your risk window?
Yes
Migration PathPlan an upgrade to a currently supported PHP version (8.2 or later), on a controlled timeline. No further gating question needed.
No
Q2: Is the workload compliance-critical or internet-facing?
Yes
Extended Support NowThe exposure is too high to leave unpatched even briefly. Bring in third-party extended security support immediately while migration planning proceeds in parallel.
No
Planned MigrationLower immediate exposure buys some room to plan deliberately — but set a hard deadline. "Not compliance-critical today" tends to change without warning.

Migrate vs Extended Support vs Do Nothing

Factor Migrate Extended Support Do Nothing
Upfront cost profile High — engineering time, testing, compatibility work Medium — recurring vendor fee, minimal engineering lift Low — no direct spend, but risk accrues silently
Time-to-safe Weeks to months, depending on scope Days — coverage typically begins on contract signing Never — exposure is open-ended
Ongoing risk Eliminated once complete Reduced, bounded by vendor's CVE coverage scope Unbounded and compounding
Compliance posture Clean — current, vendor-supported platform Defensible — documented active coverage plus a plan Open finding under most audit frameworks

What Teams in Your Position Typically Weigh

Teams still on PHP 7.x tend to fall into a few recognizable situations. Some run a modern-ish codebase where the jump to PHP 8.x is mostly a matter of resolving deprecation warnings and re-testing — for those, migration is usually the cleaner move once the work is scoped. Others have a large legacy application built on old frameworks or heavily customized CMS installs, where deprecated function usage, extension incompatibilities, and untested edge cases make the upgrade a genuinely large project — for those, a full migration can take longer than the immediate risk window allows, which is where extended support earns its keep as a bridge rather than a destination.

The applications that get prioritized first are usually the ones with direct exposure: anything public-facing, anything processing payments or personal data, and anything that would trigger an audit finding on its own. Internal admin tools or low-traffic sites sometimes get deprioritized — reasonably, as long as that decision is documented and revisited, not just left to drift.

One pattern worth naming honestly: extended support is frequently treated as a permanent fix once it's in place, the same way people treat any subscription that quietly renews. It works best when it's explicitly scoped as a bridge with an end date attached to a migration plan, not an indefinite substitute for one.

Not sure which path fits your PHP 7.x footprint?

Tell us your situation and we'll match you with a provider suited to it — migration partner or extended-support vendor.

Free · no obligation · we match you with the right provider
Get Matched →

Frequently Asked Questions

When did PHP 7.x reach end of life?

PHP 7.4, the final PHP 7.x release, reached end of life on November 28, 2022. Every earlier PHP 7 minor version (7.0 through 7.3) had already reached end of life prior to that date, so all of PHP 7.x is now unsupported.

Is there an official PHP 7 extended support program?

Not from the PHP project itself — php.net does not offer paid extended support. Third-party extended-lifecycle-support vendors offer ongoing security patching for PHP 7.x outside the official PHP release channel.

What are my options if I can't migrate off PHP 7 right away?

Three broad paths: upgrade to a currently supported PHP version (8.2 or later) on your own timeline, buy third-party extended security support to keep receiving patches for known PHP 7 vulnerabilities while you plan the migration, or run unpatched and accept the accumulating risk.

Does PHP 7 being EOL affect compliance audits?

Yes. Running a language runtime with no vendor security support is a standard finding under frameworks like PCI DSS, SOC 2, ISO 27001, and HIPAA, particularly for web applications handling regulated or customer data. A documented migration plan or an active extended-support contract typically converts that finding into a managed exception rather than an open gap.

Ready to move off PHP 7 — or bridge it safely while you plan?

We track the dates and match you with the right provider for your situation.

Free · no obligation · we match you with the right provider
Get Matched → View PHP lifecycle data

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.