Defaults.Exposed

Defaults.Exposed › Reports

Half the PHP Web Runs End-of-Life PHP (2026)

Published 2026-06-29

Figures as of 2026-06-29 · methodology v7. Aggregate census data from observed X-Powered-By response headers across 261 million graded domains. EOL share is measured across the most common disclosed PHP versions; “end-of-life” means a release no longer receiving security fixes (PHP ≤ 8.1 as of 2026). See how we grade.

A huge share of the web runs PHP that stopped getting security patches years ago — and is happy to tell you so. Of the 12 million sites that disclose their PHP version in response headers, 50.8% are on an end-of-life release. The single most common PHP version on the entire web is 7.4.33 — a build that reached end-of-life in 2022 — running on 1,889,273 sites. These aren’t just outdated; they receive no security fixes, and they announce their version to every scanner that asks.

What “end-of-life” means here

PHP releases get roughly two years of active support and one more of security-only fixes. After that — end-of-life — no more security patches, even for critical vulnerabilities. As of 2026-06-29, everything up to and including PHP 8.1 is end-of-life. A site on an EOL version that picks up a new known vulnerability simply stays vulnerable.

The most common versions sites advertise via X-Powered-By:

Disclosed versionSites
asp.net2,319,873
php/7.4.331,889,273
php/8.2.301,157,134
php/8.3.301,082,519

The most common PHP build, 7.4.33, is end-of-life — ahead of every still-supported release.

Two problems stacked on top of each other

This is a compound exposure:

  1. The software is unpatched. 50.8% of version-disclosing PHP sites can’t receive a security fix for a newly discovered flaw. They depend on nothing being found — which is not a security strategy.
  2. They broadcast it. Disclosing the exact version turns a scan into a shopping list: an attacker filters the internet for 7.4.33, cross-references known vulnerabilities, and has a target list before sending a single exploit. (See what your server headers leak.)

Neither problem is expensive to fix — but they’re invisible to the owner, who sees a working site and no warning.

How to get off end-of-life PHP

  1. Check your version. If it’s 8.1 or older, it’s end-of-life as of 2026-06-29.
  2. Upgrade to a supported release (8.2+). Most hosts offer a one-click PHP version switch.
  3. Stop advertising it. Remove or genericise X-Powered-By so you’re not handing attackers your version.
  4. Re-check to confirm.

Frequently asked questions

What is the most common PHP version on the web? 7.4.33 — and it’s end-of-life. It runs on 1,889,273 sites, more than any still-supported release, as of 2026-06-29.

How many websites run an unsupported PHP version? Among the 12 million sites that disclose a version, 50.8% run an end-of-life release (PHP ≤ 8.1). The true figure is likely higher, since many EOL sites hide their version.

Is running end-of-life PHP actually dangerous? Yes. EOL versions receive no security patches, so any newly discovered vulnerability stays exploitable indefinitely. Combined with version disclosure, it makes a site an easy, pre-qualified target.

How do I know which PHP version I’m on? Your host’s control panel shows it, and many sites leak it in the X-Powered-By header. Upgrading to a supported version (8.2+) is usually a one-click change.

Check what your site reveals

See whether your site advertises its stack — and the rest of your security posture — free and private.

Check your domain → · What your server headers leak → · The HTTP security header report card → · Aggregate data only. Data stored and processed in the EU.