PHP Upgrades: Is Your Agency Keeping Your Data Secure?
By Dan Moorhouse on 16/05/2026 in Upgrades & Maintenance - Web Topics
A website is not finished the day it goes live.
That might sound obvious, but across the web industry there is still a widespread “set it and forget it” mentality. A site is built, deployed, handed over, and then quietly left to age. Plugins fall behind. CMS versions become unsupported. Server software drifts out of date. PHP versions reach end of life. Eventually, what was once a stable website becomes a security risk.
PHP 7.4 reached end of life on 28 November 2022, meaning it no longer receives official security fixes. The official PHP guidance is clear: unsupported releases should be upgraded as soon as possible because they may expose sites to unpatched security vulnerabilities.
I have seen both sides of this industry.
At one agency, a bespoke Drupal specialist, a large part of my work involved upgrading sizeable websites from Drupal 8.3 to Drupal 10. That meant PHP upgrades from 7.3 to 8.1, custom module refactoring, dependency updates, Composer work, theme fixes, and careful testing. It wasn’t glamorous work, but it was essential and it was overdue. It kept client websites secure, maintainable, and ready for the future.
At another agency, I saw the opposite approach: eCommerce sites being deployed in 2026 on PHP 7.4, with warnings hidden rather than resolved. In one case, a site was compromised the same day it went live. It remained compromised for months, affected by more than one attacker, and was only properly noticed when main menu links started sending visitors to gambling websites.
That is not just a technical issue. It is a process issue.
Removing suspicious accounts and changing admin passwords may be part of a clean-up, but it is not a complete security response. The server support team will run their clean-up scripts when made aware, and they will also provide a comprehensive report, but for the user that does not answer the bigger questions, the ones any website owner paying for updates and maintenance should be asking:
Are the plugins up to date?
Is the CMS supported?
Is the server running a maintained PHP version?
Are there abandoned themes or custom code paths?
Are logs being checked?
Is there a deployment and maintenance process?
Has anyone actually reviewed how the compromise happened?
Security is not something you bolt on after a breach. It is part of good development practice.
For businesses, this matters because your website is not just a brochure. It may handle customer details, orders, payments, enquiries, subscriptions, accounts, or private business information. If your agency is not actively maintaining the software behind it, they may be leaving you exposed without making that risk clear.
A responsible web developer should not hide warnings, ignore outdated software, or treat upgrades as optional admin. PHP, WordPress, Drupal, plugins, modules, themes, and hosting environments all need ongoing care. Sometimes that means a simple update. Sometimes it means a staged upgrade, code refactor, compatibility review, or a longer-term maintenance plan.
Either way, doing nothing is still a decision.
I take your website security as seriously as any good web developer should. It is a fundamental part of the process, not an afterthought.
If you are unsure what versions your website is running, or whether your current setup is being properly maintained, I can help with upgrades, maintenance, or a discreet site audit covering plugin versions, CMS versions, PHP versions, server software, and obvious areas of risk.
Your website should not be left to quietly become vulnerable.
Dan Moorhouse is a web developer based in Thornton-Cleveleys, Lancashire.
He has a wealth of experience working across educational and agency settings, mainly on PHP content management systems such as Drupal and WordPress, including legacy backends and custom integrations.