PHP 7.x Is End-of-Life:
Migrate or Buy Extended Support?
Current Status
PHP 7.x is fully end of life. PHP 7.4, the last release in the 7.x line, reached end of life on November 28, 2022 — and every earlier PHP 7 minor version (7.0 through 7.3) had already stopped receiving security fixes before that. Any application still running on PHP 7.x has been without a vendor patch stream for the better part of four years, and PHP is a common target given how directly it's exposed on web-facing infrastructure.
Free · no obligation · we match you with the right provider
The Decision Flow
Most teams still running PHP 7.x land on one of three paths. Work through it in order:
Migrate vs Extended Support vs Do Nothing
| Factor | Migrate | Extended Support | Do Nothing |
|---|---|---|---|
| Upfront cost profile | High — engineering time, testing, compatibility work | Medium — recurring vendor fee, minimal engineering lift | Low — no direct spend, but risk accrues silently |
| Time-to-safe | Weeks to months, depending on scope | Days — coverage typically begins on contract signing | Never — exposure is open-ended |
| Ongoing risk | Eliminated once complete | Reduced, bounded by vendor's CVE coverage scope | Unbounded and compounding |
| Compliance posture | Clean — current, vendor-supported platform | Defensible — documented active coverage plus a plan | Open finding under most audit frameworks |
What Teams in Your Position Typically Weigh
Teams still on PHP 7.x tend to fall into a few recognizable situations. Some run a modern-ish codebase where the jump to PHP 8.x is mostly a matter of resolving deprecation warnings and re-testing — for those, migration is usually the cleaner move once the work is scoped. Others have a large legacy application built on old frameworks or heavily customized CMS installs, where deprecated function usage, extension incompatibilities, and untested edge cases make the upgrade a genuinely large project — for those, a full migration can take longer than the immediate risk window allows, which is where extended support earns its keep as a bridge rather than a destination.
The applications that get prioritized first are usually the ones with direct exposure: anything public-facing, anything processing payments or personal data, and anything that would trigger an audit finding on its own. Internal admin tools or low-traffic sites sometimes get deprioritized — reasonably, as long as that decision is documented and revisited, not just left to drift.
One pattern worth naming honestly: extended support is frequently treated as a permanent fix once it's in place, the same way people treat any subscription that quietly renews. It works best when it's explicitly scoped as a bridge with an end date attached to a migration plan, not an indefinite substitute for one.
Not sure which path fits your PHP 7.x footprint?
Tell us your situation and we'll match you with a provider suited to it — migration partner or extended-support vendor.
Frequently Asked Questions
When did PHP 7.x reach end of life?
PHP 7.4, the final PHP 7.x release, reached end of life on November 28, 2022. Every earlier PHP 7 minor version (7.0 through 7.3) had already reached end of life prior to that date, so all of PHP 7.x is now unsupported.
Is there an official PHP 7 extended support program?
Not from the PHP project itself — php.net does not offer paid extended support. Third-party extended-lifecycle-support vendors offer ongoing security patching for PHP 7.x outside the official PHP release channel.
What are my options if I can't migrate off PHP 7 right away?
Three broad paths: upgrade to a currently supported PHP version (8.2 or later) on your own timeline, buy third-party extended security support to keep receiving patches for known PHP 7 vulnerabilities while you plan the migration, or run unpatched and accept the accumulating risk.
Does PHP 7 being EOL affect compliance audits?
Yes. Running a language runtime with no vendor security support is a standard finding under frameworks like PCI DSS, SOC 2, ISO 27001, and HIPAA, particularly for web applications handling regulated or customer data. A documented migration plan or an active extended-support contract typically converts that finding into a managed exception rather than an open gap.
Ready to move off PHP 7 — or bridge it safely while you plan?
We track the dates and match you with the right provider for your situation.