Defaults.Exposed › Reports
Half the PHP Web Runs End-of-Life PHP (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data from observed
X-Powered-Byresponse headers across 261 million graded domains. EOL share is measured across the most common disclosed PHP versions; “end-of-life” means a release no longer receiving security fixes (PHP ≤ 8.1 as of 2026). See how we grade.
A huge share of the web runs PHP that stopped getting security patches years ago — and is happy to tell you so. Of the 12 million sites that disclose their PHP version in response headers, 50.8% are on an end-of-life release. The single most common PHP version on the entire web is 7.4.33 — a build that reached end-of-life in 2022 — running on 1,889,273 sites. These aren’t just outdated; they receive no security fixes, and they announce their version to every scanner that asks.
What “end-of-life” means here
PHP releases get roughly two years of active support and one more of security-only fixes. After that — end-of-life — no more security patches, even for critical vulnerabilities. As of 2026-06-29, everything up to and including PHP 8.1 is end-of-life. A site on an EOL version that picks up a new known vulnerability simply stays vulnerable.
The most common versions sites advertise via X-Powered-By:
| Disclosed version | Sites |
|---|---|
| asp.net | 2,319,873 |
| php/7.4.33 | 1,889,273 |
| php/8.2.30 | 1,157,134 |
| php/8.3.30 | 1,082,519 |
The most common PHP build, 7.4.33, is end-of-life — ahead of every still-supported release.
Two problems stacked on top of each other
This is a compound exposure:
- The software is unpatched. 50.8% of version-disclosing PHP sites can’t receive a security fix for a newly discovered flaw. They depend on nothing being found — which is not a security strategy.
- They broadcast it. Disclosing the exact version turns a scan into a shopping list: an attacker filters the internet for
7.4.33, cross-references known vulnerabilities, and has a target list before sending a single exploit. (See what your server headers leak.)
Neither problem is expensive to fix — but they’re invisible to the owner, who sees a working site and no warning.
How to get off end-of-life PHP
- Check your version. If it’s 8.1 or older, it’s end-of-life as of 2026-06-29.
- Upgrade to a supported release (8.2+). Most hosts offer a one-click PHP version switch.
- Stop advertising it. Remove or genericise
X-Powered-Byso you’re not handing attackers your version. - Re-check to confirm.
Frequently asked questions
What is the most common PHP version on the web? 7.4.33 — and it’s end-of-life. It runs on 1,889,273 sites, more than any still-supported release, as of 2026-06-29.
How many websites run an unsupported PHP version? Among the 12 million sites that disclose a version, 50.8% run an end-of-life release (PHP ≤ 8.1). The true figure is likely higher, since many EOL sites hide their version.
Is running end-of-life PHP actually dangerous? Yes. EOL versions receive no security patches, so any newly discovered vulnerability stays exploitable indefinitely. Combined with version disclosure, it makes a site an easy, pre-qualified target.
How do I know which PHP version I’m on?
Your host’s control panel shows it, and many sites leak it in the X-Powered-By header. Upgrading to a supported version (8.2+) is usually a one-click change.
Check what your site reveals
See whether your site advertises its stack — and the rest of your security posture — free and private.
Check your domain → · What your server headers leak → · The HTTP security header report card → · Aggregate data only. Data stored and processed in the EU.