W3Techs reports up to 80% of the internet uses PHP to run their sites. As of 31 December 2018, security support for the PHP 5.6.x will stop. Without these security updates, hundreds of millions of websites are left exposed.
This deadline has been known for a long time, but this version became the most widely used PHP version in March 2017. It is reported that the adoption of newer and supported PHP versions are slower than in the previous end of life cycles. According to WordPress, 37.7% of WordPress sites are being run using PHP 5.6.x, and over half of sites are using unsupported PHP versions. Wordpress changed is recommended hosting to PHP 7+ in December 2017, which allowed new users to create websites with supported versions, however, existing users would need to change the PHP version themselves.
Many content management services are not notified their users to change their PHP versions. Drupal has posted an official notice about the requirement to upgrade, but 3 months after the support for PHP 5.6 has ended.
Whilst updating to PHP 7.1 or 7.2 might be a long and painful process, it is worth the protection so websites can avoid various security risks.
Many articles quote Martin Wheatley on the necessity to upgrade:
“Yes it does cost time and money, but what's worse, a small monthly support fee, or a headline "Site hacked, thousands of user details stolen" followed by a fine for up to 20 million euros or 4% of your turnover under GDPR... I know what I'd rather pay.”