End-of-life software & why it's risky
What "end of life" means for website software, why it's a serious security risk, and what to do about it.
Software doesn't last forever. When the company or community behind a piece of software stops supporting it, that software reaches what's called "end of life." Using end-of-life software on your website is one of the most serious risks you can take. This guide explains why — and what we do about it.
Quick summary
End-of-life software no longer receives security updates. That means known vulnerabilities stay permanently open. Attackers actively target sites running end-of-life software. When we identify end-of-life components on your site, we'll recommend an upgrade path and help you prioritize it.
What "end of life" means
Every piece of software — WordPress, PHP, a plugin, a theme — is maintained by a team of developers. Those developers release updates: bug fixes, new features, and importantly, security patches (fixes for newly discovered vulnerabilities).
"End of life" (often abbreviated EOL) means the developers have officially stopped maintaining that software. No more updates. No more security patches. Any vulnerabilities discovered from that point forward will never be fixed.
Permanently open doors
A vulnerability in end-of-life software is like a permanently unlocked door. Security researchers and hackers discover new vulnerabilities all the time. On supported software, those holes get patched. On end-of-life software, they stay open forever.
Common examples of end-of-life software on websites
| Software | What goes EOL | Risk if outdated |
|---|---|---|
| PHP | Versions become EOL on a published schedule | Server-level vulnerability; sites can be compromised at a deep level |
| WordPress core | Very old versions | Core platform vulnerabilities; no fixes ever released |
| Plugins | Abandoned or deprecated plugins | Each new vulnerability is permanent; often targeted by automated attacks |
| Themes | Abandoned themes | Design and code vulnerabilities; no fixes available |
| Third-party integrations | APIs and services that close down | Broken functionality; potential security gaps |
Why attackers target end-of-life software
When a security researcher discovers a vulnerability in a plugin, they usually notify the developer so it can be patched before the details become public. On supported software, a patch comes out within days or weeks.
With end-of-life software, that patch never comes. Once the vulnerability becomes public knowledge — which happens eventually — every site running that software becomes a target for automated attacks.
Attackers don't manually search for targets. They run automated tools that scan millions of websites at once, looking for specific outdated versions. Being a small business doesn't protect you. The tools don't care.
How we handle end-of-life risks
We track software versions. We monitor the WordPress, plugin, and theme versions on your site and compare them against published EOL timelines.
We alert you early. When software on your site is approaching end of life, we notify you and discuss options before it becomes an emergency.
We recommend an upgrade path. For each EOL component, we'll recommend the right action — whether that's an upgrade, a replacement, or in rare cases, an architectural change.
We prioritize critical risks. If something is already end-of-life and actively vulnerable, we'll recommend treating it as urgent.
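The version-tracking and prioritization steps above can be sketched as follows. This is an added example, not the provider's own tooling; the schedule entries, thresholds and plugin/theme names are constructed sample values, and the "abandoned" rule (no release in two years) is an assumed heuristic.

```python
from datetime import date, timedelta

# Constructed sample schedule: (software, branch) -> last day of security support.
# Verify against the vendor's published schedule (for PHP: php.net/supported-versions.php).
EOL_SCHEDULE = {
    ("php", "7.4"): date(2022, 11, 28),
    ("php", "8.1"): date(2025, 12, 31),
    ("php", "8.3"): date(2027, 12, 31),
}
WARN_WINDOW = timedelta(days=180)      # assumption: alert six months ahead
ABANDONED_AFTER = timedelta(days=730)  # assumption: no release in two years

def branch(version):
    """'8.1.27' -> '8.1'; EOL schedules are published per major.minor branch."""
    return ".".join(version.split(".")[:2])

def classify(component, today):
    """Return 'eol', 'approaching', 'abandoned', 'supported' or 'unknown'."""
    eol = EOL_SCHEDULE.get((component["name"], branch(component["version"])))
    if eol is not None:
        if today > eol:
            return "eol"
        return "approaching" if eol - today <= WARN_WINDOW else "supported"
    last = component.get("last_release")
    if last is None:
        return "unknown"  # no schedule, no release history: flag for manual review
    return "abandoned" if today - last > ABANDONED_AFTER else "supported"

PRIORITY = {"eol": 0, "abandoned": 1, "approaching": 2, "unknown": 3, "supported": 4}

def report(inventory, today):
    """Classify every component and sort the most urgent first."""
    rows = [(classify(c, today), c["name"], c["version"]) for c in inventory]
    return sorted(rows, key=lambda r: (PRIORITY[r[0]], r[1]))

# Constructed sample inventory for one site (plugin and theme names are hypothetical).
SAMPLE_INVENTORY = [
    {"name": "php", "version": "8.1.27"},
    {"name": "example-gallery-plugin", "version": "2.3.1", "last_release": date(2019, 5, 2)},
    {"name": "example-forms-plugin", "version": "5.0.4", "last_release": date(2025, 6, 10)},
    {"name": "example-theme", "version": "1.0"},
]

if __name__ == "__main__":
    for status, name, version in report(SAMPLE_INVENTORY, date(2025, 9, 1)):
        print(f"{status:12} {name} {version}")
```

A component with neither a schedule entry nor a release history is reported as "unknown" rather than "supported", so missing data prompts a review instead of hiding a risk.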
What upgrading involves
Upgrading end-of-life software isn't always as simple as clicking a button. In some cases:
- A plugin with no equivalent replacement needs to be rebuilt
- A PHP version upgrade requires testing that your theme and plugins support the new version
- An old theme may need to be replaced entirely
These can be small or substantial projects. We'll give you a clear picture of the work involved and help you plan accordingly.
Staying current is always cheaper than recovering from a security incident caused by outdated software.