Is Your eZ Publish Site at Risk?

If you're running eZ Publish, your site is likely exposed to security vulnerabilities that will never be patched. This checklist helps you assess how exposed your specific installation is.

This isn't speculation: eZ Publish reached end of life in 2021, and the PHP versions it requires have also lost security support.

Quick assessment

Answer these questions about your eZ Publish installation:

1. What PHP version are you running?

Check your PHP version (run php -v on your server or check your hosting control panel).

| PHP Version | Status | Risk Level |
| --- | --- | --- |
| PHP 5.6 or earlier | End of life since December 2018 | Critical |
| PHP 7.0 | End of life since January 2019 | Critical |
| PHP 7.1 | End of life since December 2019 | Critical |
| PHP 7.2 | End of life since November 2020 | High |
| PHP 7.3 | End of life since December 2021 | High |
| PHP 7.4 | End of life since November 2022 | High |
| PHP 8.0 | End of life since November 2023 | Moderate |
| PHP 8.1+ | Currently supported | Lower |

What this means: If you're running PHP 7.4 or earlier, known security vulnerabilities exist that will never be patched. Attackers actively scan for these vulnerabilities.

Most eZ Publish installations are stuck on PHP 7.x or earlier because the platform wasn't designed for PHP 8.

2. What operating system is your server running?

Old PHP versions require old operating systems. Check your server OS version.

Red flags:

  • Ubuntu 16.04 or earlier (16.04 ended standard support in 2021)
  • Debian 9 or earlier (Debian 9 ended LTS in 2022)
  • CentOS 7 or earlier (CentOS 7 ended maintenance in 2024)
  • Any OS version that's end of life

What this means: An unsupported OS receives no security updates. Kernel vulnerabilities, system library issues, and other server-level security holes remain open.
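
Questions 1 and 2 can be scripted for a fleet of servers. The following is an added example, not part of the original checklist: it maps `php -v` output and the `ID`/`VERSION_ID` fields of `/etc/os-release` onto the statuses listed above. The function names `php_risk`, `os_red_flag` and `assess_host` are hypothetical.

```shell
#!/bin/sh
# Statuses are the ones in this page's tables; re-check them against current vendor EOL dates.

# php_risk "<php -v output or bare version>" -> Critical | High | Moderate | Lower | Unknown
php_risk() {
    # Take the first major.minor pair, e.g. "PHP 7.4.33 (cli) ..." -> "7 4".
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    [ -n "$ver" ] || { echo Unknown; return; }
    set -- $ver
    major=$1 minor=$2
    if [ "$major" -le 5 ]; then echo Critical
    elif [ "$major" -eq 7 ] && [ "$minor" -le 1 ]; then echo Critical
    elif [ "$major" -eq 7 ]; then echo High
    elif [ "$major" -eq 8 ] && [ "$minor" -eq 0 ]; then echo Moderate
    elif [ "$major" -ge 8 ]; then echo Lower
    else echo Unknown   # a major version the table does not list
    fi
}

# os_red_flag <ID> <VERSION_ID> -> red-flag | not-listed
# "not-listed" only means the release is not one of the three named red flags;
# the "any OS version that's end of life" item still needs a manual check.
os_red_flag() {
    case "$1" in
        ubuntu) num=$(printf '%s' "$2" | tr -d '.'); limit=1604 ;;  # 16.04 -> 1604
        debian) num=${2%%.*}; limit=9 ;;
        centos) num=${2%%.*}; limit=7 ;;
        *) echo not-listed; return ;;
    esac
    case "$num" in ''|*[!0-9]*) echo not-listed; return ;; esac
    if [ "$num" -le "$limit" ]; then echo red-flag; else echo not-listed; fi
}

# Report on the current host. The CLI binary can differ from the PHP the web server runs.
assess_host() {
    if command -v php >/dev/null 2>&1; then
        echo "PHP risk: $(php_risk "$(php -v 2>/dev/null)")"
    else
        echo "PHP risk: Unknown (php not on PATH)"
    fi
    if [ -r /etc/os-release ]; then
        # Source in a subshell so the file's variables do not leak into this shell.
        ( . /etc/os-release
          echo "OS check: ${ID:-?} ${VERSION_ID:-?}: $(os_red_flag "${ID:-}" "${VERSION_ID:-}")" )
    fi
}
assess_host
```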

3. What version of eZ Publish are you running?

| Version | Status |
| --- | --- |
| eZ Publish 4.x (legacy) | End of life — no updates since ~2015 |
| eZ Publish 5.x (Platform) | End of life — no updates since 2021 |
| eZ Publish Community 2014.x | End of life — no updates since 2021 |

What this means: No security patches are being released for any version of eZ Publish. Any vulnerabilities discovered in the platform itself remain unfixed.

4. When was your site last updated?

If your eZ Publish installation hasn't been updated in years, you're missing whatever security fixes were released before end of life.

Check when your last update was applied. If you can't remember, that's a red flag.

5. Does your site handle sensitive data?

Consider what's at risk if your site is compromised:

  • User accounts and passwords
  • Customer data
  • Payment information
  • Internal business data
  • Admin access credentials

The higher the sensitivity, the more urgent your situation.

6. Is your site publicly accessible?

A site exposed to the internet is constantly being probed by automated scanners looking for vulnerable systems. Internal-only sites have some protection, but aren't immune.

What attackers look for

Outdated eZ Publish installations are attractive targets because:

Known vulnerabilities exist

Security researchers have documented vulnerabilities in old PHP versions and CMS platforms. Attackers don't need to discover new exploits — they use existing ones.

Automated scanning is easy

Bots continuously scan the internet for sites running vulnerable software. Your site's technology stack can often be identified from response headers, URL patterns, and other fingerprints.

Legacy sites often have weak configurations

Old installations tend to have outdated security settings, default credentials that were never changed, and debugging features left enabled.

Maintenance neglect compounds risk

Sites that haven't been updated often haven't had security audits, log reviews, or access control reviews either.

Warning signs of compromise

If any of these apply to your site, investigate immediately:

  • Unexpected files in your installation directory
  • Admin accounts you don't recognize
  • Outbound traffic to unknown servers
  • Your site sending spam email
  • Search engines flagging your site as malicious
  • Unexpected redirects for visitors
  • Site performance degradation without explanation
  • Modified files with recent timestamps you didn't change
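
The first and last items on this list (unexpected files, modified files) can be checked against a hash baseline instead of timestamps, which can be reset by whoever changed the file. The following is an added example, not part of the original checklist. It assumes GNU `sha256sum` is available; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# make_manifest <dir>: print "sha256  ./relative/path" for every regular file.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# compare_manifest <baseline-file> <dir>: print ADDED / CHANGED / REMOVED lines.
compare_manifest() {
    cur=$(mktemp) || return 1
    make_manifest "$2" > "$cur"
    awk '
        # First file is the baseline: remember hash per path.
        FILENAME == ARGV[1] { h = $1; sub(/^[^ ]+ +/, ""); old[$0] = h; next }
        # Second file is the current state: report new or altered paths.
        { h = $1; sub(/^[^ ]+ +/, ""); seen[$0] = 1
          if (!($0 in old)) print "ADDED " $0
          else if (old[$0] != h) print "CHANGED " $0 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$cur" | sort
    rm -f "$cur"
}

# Constructed demo: baseline a small tree, then simulate the two warning signs.
demo() {
    root=$(mktemp -d) || return 1
    base=$(mktemp) || return 1
    mkdir -p "$root/design"
    echo '<?php // front controller' > "$root/index.php"
    echo 'body {}' > "$root/design/site.css"
    make_manifest "$root" > "$base"
    echo '<?php // not part of the release' > "$root/design/x.php"  # unexpected file
    echo '<?php // edited' > "$root/index.php"                       # modified file
    compare_manifest "$base" "$root"
    rm -rf "$root" "$base"
}
demo
```

Keep the baseline manifest off the server, since anyone able to write to the installation can also rewrite a manifest stored beside it. Expect cache, log and upload directories to change legitimately and review those entries separately.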

Calculating your risk

If you answered "yes" to multiple items above, your risk level is elevated:

Critical risk indicators:

  • PHP 5.x or early PHP 7.x
  • OS version past end of life
  • Site handles sensitive/payment data
  • Publicly accessible
  • No updates in 2+ years

You should act now, not later. The question isn't whether vulnerabilities exist — it's whether they'll be exploited before you address them.

What to do

Immediate steps (this week)

  1. Verify your current backup strategy. If compromised, can you restore? Test a restore.
  2. Review admin access. Remove accounts that shouldn't exist. Change passwords.
  3. Check server logs. Look for unusual access patterns.
  4. Document your current state. Note versions, configurations, customizations.

Short-term (this month)

  1. Assess migration options. Ibexa OSS is the natural successor with the lowest migration risk.
  2. Get a professional assessment. Have someone who knows eZ Publish evaluate your specific situation.
  3. Develop a timeline. How long can you realistically operate on the current stack?

Medium-term (this quarter)

  1. Execute migration. Move to a supported platform.
  2. Decommission legacy infrastructure. Don't leave old servers running.

The cost of waiting

Every month you delay:

  • More vulnerabilities are discovered in your stack
  • Attack tools become more sophisticated
  • Your hosting options continue shrinking
  • Migration becomes more expensive (accumulated content, lost knowledge)
  • Risk of an actual breach increases

We've seen organizations wait until a crisis forced their hand — a hosting provider giving 30 days' notice, a security incident, a site that suddenly stopped working. Emergency migrations are more expensive and more stressful than planned ones.

We can help

We specialize in eZ Publish to Ibexa OSS migrations. We've worked with eZ Publish since 2007 and understand both the legacy platform and the modern successor deeply.

If you're running an at-risk eZ Publish installation, we can assess your current security exposure, evaluate your migration options, execute a complete migration to Ibexa OSS, and provide ongoing maintenance after migration.
