In dealing with issues with websites for clients, one thing we deal with a lot is others giving advice on things they don’t understand. That is an acute problem with the security of websites, but it also comes into play in other places. Recently we had a client contact us about their Joomla website ceasing to function after they changed the PHP version in use on the website to PHP 7.1 or above. They had previously contacted another of their providers, Sucuri, about the issue and were given a claimed explanation of what was going on, which was, if you are slightly familiar with the subject, clearly wrong.
Someone at Sucuri wrote this:
We have reviewed the 500 Internal Server error and see in the cPanel error_log that the joomla files caused the issue:
What followed that were several lines from the website’s error_log file that looked like this:
[02-Apr-2021 17:12:16 UTC] PHP Deprecated: Non-static method GantryGZipper::_getOutHeader() should not be called statically in /home/[redacted]/public_html/libraries/gantry/core/gantrygzipper.class.php on line 108
For the purposes of determining what was causing the website to stop functioning, the key piece of information there was this: “PHP Deprecated”. What that tells you is that the message is a warning that something has been deprecated and won’t work in a future version of PHP, but it still works now. So if you start seeing that warning when the website stops working, it couldn’t be the cause of the issue, since the message explicitly states that what is being warned about hasn’t stopped working yet.
As further confirmation of this, the relevant PHP documentation states that this issue only starts causing an error in PHP 8:
Calling non-static methods statically throws an Error.
Prior to PHP 8.0.0, calling non-static methods statically were deprecated, and generated an E_DEPRECATED warning.
The actual error that was causing the website to stop wasn’t even shown in that error_log file, which isn’t an uncommon situation.
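The triage described above can be done mechanically. The following is an added example, not code from the original post or from Sucuri: it separates error_log entries whose level stops a request from those that only warn, and reports when the log holds no halting entry at all. The function names and the second sample line are constructed for illustration.

```python
import re
from collections import Counter

# error_log level prefixes that stop the request; every other level
# (Warning, Notice, Deprecated, Strict Standards) lets the script continue.
HALTING = {"Fatal error", "Parse error", "Recoverable fatal error",
           "Catchable fatal error"}

# Shape of a PHP error_log entry: "[timestamp] PHP <Level>: <message>"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*)$")

# The entry quoted in the post.
PAGE_LINE = ("[02-Apr-2021 17:12:16 UTC] PHP Deprecated: Non-static method "
             "GantryGZipper::_getOutHeader() should not be called statically in "
             "/home/[redacted]/public_html/libraries/gantry/core/gantrygzipper.class.php "
             "on line 108")
# Constructed entry (not from the post) showing what a halting error looks like.
CONSTRUCTED_FATAL = ("[02-Apr-2021 17:12:17 UTC] PHP Fatal error:  Uncaught Error: "
                     "Call to undefined function example_fn() in /path/to/example.php:10")

def parse_line(line):
    """Return (timestamp, level, message), or None if not a PHP log entry."""
    m = LINE_RE.match(line.strip())
    return (m.group("ts"), m.group("level"), m.group("msg")) if m else None

def triage(lines):
    """Return (entries that can halt a request, count of entries per level)."""
    halting, counts = [], Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        counts[parsed[1]] += 1
        if parsed[1] in HALTING:
            halting.append(parsed)
    return halting, counts

def verdict(lines):
    """One-line summary: first halting entry, or a note that none exists."""
    halting, counts = triage(lines)
    if halting:
        return "candidate cause: %s: %s" % (halting[0][1], halting[0][2])
    total = sum(counts.values())
    return "no halting entries (%d non-fatal); the cause is not in this log" % total

if __name__ == "__main__":
    print(verdict([PAGE_LINE]))
    print(verdict([PAGE_LINE, CONSTRUCTED_FATAL]))
```

When the verdict is that no halting entry exists, as with the log excerpt quoted here, the next step is to find where the fatal error is actually being logged rather than to blame the warnings that are present.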
As with so much of the poor advice that comes from security providers, though usually about security, it sounded like the person knew what they were talking about, but they didn’t.