How to charge your client for PHP 7 updates (with example email)
As many of you know, PHP 5 is now discontinued and will no longer be receiving security updates. As a result, we strongly recommend that everyone upgrade to PHP 7.1 or better.
I've written up a sample email below that you can resend to your clients explaining what's needed and why it's billable.
You can perform these upgrades yourself by just upgrading CMS Builder, any plugins, and running the "Legacy MySQL Scanner" plugin to check for code that needs updating. Or if you'd like us to do it we can help as well.
Let me know if you have any questions about this or if we can be of any assistance.
Subject: Required Security Updates: PHP 7
I wanted to let you know about some important security updates for your website and to schedule some time in the coming weeks to apply them. These updates will require some time to complete, but they are very important to maintain the security of your site.
We've had a number of clients ask about this so I've written up some additional details below if you’d like to know more.
Can you let me know a good time to discuss?
Ongoing security maintenance:
As part of maintaining an internet website, it's important to keep server software and code up to date. A standard website uses software from multiple 3rd parties such as Linux (operating system), Apache (web server), MySQL (database), PHP (programming language), and custom code that we've written specifically for your website.
These different vendors update their software when security issues are discovered and we periodically have those updates installed on the server. We don't charge for this and it often happens automatically. However, sometimes vendors introduce new versions that are not backwards compatible with existing website code which makes updating it necessary.
Upgrading to PHP 7
PHP is one of the most popular programming languages used today and what your website is programmed in. The developers of PHP have announced they're discontinuing PHP 5 and no longer providing security support for it. This means there won't be any way to prevent hackers or malicious users from using newly found security vulnerabilities to exploit websites running this version.
PHP has skipped ahead to PHP 7 and has also changed how it allows developers to connect to the database (MySQL). They've discontinued the original MySQL database libraries and require developers to use some new libraries. While these libraries are very similar, they are different enough to require manually updating the code.
We've already made the required changes to the CMS (Content Management System) code and we can easily upload that. We've also created an automated code scanner to quickly identify most of the obsolete code that needs to be updated. But we still need to review your website’s plugins and any custom code to ensure it will work with PHP 7.
PHP versions are actively supported for up to 2 years after their release. So further updates will be required in future years. Usually, they will require minimal testing and changes, but like all internet developers, we need to work with what the vendors provide us with.
You can see a list of currently supported PHP versions and their supported dates here: http://php.net/supported-versions.php
Additionally, other components on the server will require updating from time to time. Usually, we'll do this automatically but we'll let you know if anything extra is required.
Common Questions and Answers
Why didn’t you develop the website to support the latest version?
Often the latest version either didn’t exist yet or was not mature enough to be used. Old unsupported software can contain security vulnerabilities, and brand new software can be buggy and unreliable. We try to take a conservative approach and target development at well-tested, supported software versions that are in common use.
What happens if I don’t upgrade?
If you don’t upgrade your website then you’ll be vulnerable to security exploits and attacks that are discovered. On average 2.5 PHP vulnerabilities are discovered every month. You can find more information about PHP vulnerability trends here: https://www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74
Should I be concerned about all these security issues?
Actually, no. Part of maintaining an internet presence these days is making routine security updates. You've probably seen ongoing media stories about Apple and Microsoft constantly releasing updates and addressing security issues. It’s something everyone has to deal with but we’re happy to take care of it as part of the service we provide for you.
Are there other benefits of upgrading?
Yes, there are. Updated software releases are often faster and more efficient, allowing your web server to respond more quickly and handle more requests. In particular, significant performance optimization means that PHP 7 can run more than twice as fast as version 5.* Additionally, programmers can develop software quicker when they’re able to use the latest features of a programming language.
Shouldn’t you provide these updates for free?
Unfortunately, we can’t anticipate issues before they happen. As the internet evolves, unforeseen changes are sometimes required to maintain server security, to have your site work in the latest browsers, or even address newly introduced laws or regulations. Maintaining a modern internet presence requires that your website evolve as well. Sometimes there are years between these required changes, and sometimes they are more frequent. We stay current on these issues so we can advise you on the best way to address them.
We’d propose the following process for updating the website for PHP 7:
- Backup the CMS database and website
- Upgrade the CMS framework to the latest version (which supports PHP 7)
- Upgrade any CMS plugins to the latest versions (which support PHP 7)
- Manually review and update any website code
- Switch the website over to PHP 7.1 or newer
- Test and confirm no errors or issues
Let me know if you’d like to go ahead with these updates and any questions.
Hope that helps! Let me know any questions.