A significant number of businesses are running web applications, intranets, or tools that were built years ago in PHP and have not been meaningfully updated since. The code works, the application does what it always did, and so it sits. What accumulates in the meantime is technical debt with real business consequences.
Legacy PHP typically means code written in an older style, often without a framework, sometimes as a collection of files that grew organically over years, with logic that was added as needs arose rather than designed with any particular structure. PHP 5.x and PHP 7.x code written this way is common. The application works, but it is increasingly disconnected from the standards and security expectations of current PHP development.
PHP 5 reached end of life in December 2018. PHP 7 reached end of life in November 2022. Applications running on these versions are not receiving security patches. Beyond the PHP version itself, older PHP codebases frequently contain patterns that modern development practices specifically avoid: direct database queries constructed from user input, unvalidated form data, session handling that would not pass a basic security review. These are not theoretical concerns. They are the categories of vulnerability that are exploited in practice.
In most cases, the developer or agency who wrote the original code is no longer available. The application works, but nobody currently employed by the business, and perhaps nobody still active in professional development, fully understands how it works. Modifications are made carefully and nervously, or not made at all, because the consequences of a change are unclear.
Each year a legacy PHP application is left unaddressed, the gap between its current state and the standard required to move it to current technology grows. Frameworks advance. Security requirements evolve. PHP itself changes. A migration that would have been a modest project in 2022 is a more substantial undertaking in 2026, and will be larger again in 2028. The asset is depreciating.
The starting point is documentation and assessment. Understanding what the application does, what data it handles, how it connects to other systems, and where it sits in your business operations. From that, you can make an informed decision about whether the application should be maintained in place, migrated to a modern framework such as Laravel, or replaced with a purpose-built alternative. What you should not do is continue to treat it as invisible infrastructure. The risk associated with ignoring it is not static. It grows.
Most business websites are built on content management systems. That makes sense for most situations. But there are cases where a CMS is the wrong tool, and the gap between what a CMS can do and what a business needs it to do creates ongoing friction, cost, and limitation. Knowing when a bespoke solution makes more sense is a useful thing to understand.
Custom web application development covers an enormous range of scope and complexity, which means the cost range is equally wide. If you have asked for quotes and received wildly different figures, that is not necessarily a sign that something is wrong. But understanding what drives the cost helps you evaluate what you are being offered.
Most business websites work in the sense that they function. Far fewer perform in the sense that they actively contribute to the business. Here is what the difference looks like in practice.
Most clients come to us when their site has started to feel like a risk rather than an asset. Whether the agency relationship has ended, an upgrade has been delayed, or the site has simply grown beyond what it can handle, a conversation costs nothing.
Get in touch with KarlTrusted by established businesses and growing brands across the UK
Expression 37 works with a small number of clients at any one time. These are some of them.
Karl is the founder of Expression 37 Ltd and has been working exclusively with ExpressionEngine and Craft CMS since 2007. In eighteen years he has supported more than 80 clients across the UK, from long-term retainer arrangements to emergency rescues when something has gone wrong at the worst possible moment. Every piece of work is handled personally by Karl, with no account managers or junior developers between you and the person doing it.
Find out how we workWorking with Karl on our ExpressionEngine website was an absolute game-changer for Define Creative. His expertise in translating our PSD layouts into a fully functional and visually stunning website was impressive. The meticulous attention to detail in custom HTML and CSS coding ensured that our brand identity was perfectly captured and maintained across all devices. The integration of ExpressionEngine has made managing our content effortless, and the user experience improvements have significantly enhanced visitor engagement. Karl’s commitment to performance optimisation has resulted in a smooth and efficient site that reflects our dedication to innovative design solutions. We couldn’t be happier with the final product and look forward to future collaborations!
Sarah Whitehead ~ Founder and Managing Director at Define Creative Design Ltd.
Define Creative