Very Siberian's picture

Hello! I just installed TKL WordPress and have it running. I noticed that it came with PHP version 5.6 out of the box, when my understanding is that version 7+ is now being recommended. Would anyone be able to provide instructions for upgrading the PHP version to 7?

Thank you!


Jeremy Davis's picture

TurnKey is based on Debian and our current release (v14.2) is based on Debian Jessie. Debian Jessie ships with PHP 5.6 so that what we provide. The current release of Debian (which v15.0 will be based on) has 7 as default version of PHP.

You could install PHP7 from a third party source, but then you lose the advantages of a stable version and auto PHP security updates. In fact, sometimes, you may find yourself in a scenario where you should upgrade because of a security bug, but newer PHP version breaks your site. PHP is fairly stable, so it'd probably be an edge case, but it happens...

If you are developer who needs PHP 7, then that will be a no brainer (you need it!). If you google something like "install php7 debian jessie" you will find plenty of info and probably more than one way which you can do it.

If you're using TurnKey with a hobby project or something similar, it may also be a useful learning experience.

However, if you simply plan to serve some content, then I'd encourage you to not make more work for yourself and just stick with 5.6 for now. When we release v15.0 (not sure when, but hopefully not too far away) then you can use TKLBAM to migrate your data to a fresh v15.0 (with PHP7) instance!

Very Siberian's picture

Hi, Jeremy. Thanks for the info. I spent the weekend searching on similar keywords but was not successful at making the PHP upgrade work. I think I have it installed, but my Apache server does not seem to know about it.

in any case, thanks for your reply. If anyone else has specific suggestions on how to upgrade, I am all ears. In the meantime, I will look further into TKBAM.

Jeremy Davis's picture

TBH, I've never done it, but my guess is that it's still picking up the old php. I recommend uninstalling that first. Also Apache would need to be restarted (if you haven't already).

I've just had a quick google and this looks like a pretty good one. Just make sure that you ONLY follow the Debian Jessie/8 steps (the tutorial is for Wheezy & Jessie).

If you encounter any issues, please feel free to post specific info and I'll do my best to help out.

Very Siberian's picture

Thanks for the additional information! I followed the tutorial and it mostly worked. However, when I went to restart Apache2, it did not work. I then got worried and reverted to a VirtualBox snapshot that I took before trying the steps. I will simply wait for the next TKL version with PHP 7. I was simply under the probably mistaken belief that PHP 7 was pretty essential for maximum performance and security.

Best regards,


Jeremy Davis's picture

Ah ok. Well if Apache couldn't restart then there is obvisously something that still isn't quite right.

If you'd like to persevere, please post the exact error message, plus perhaps the last few lines from the Apache log ('head -30 /var/log/apache2/error.log' will give the last 30 lines of the Apache error log). I'm more than happy to try to assist you to do it if you still want?!

With regards to PHP performance, assuming that the app supports it, PHP apps generally do perform better under PHP7. Depending on the app, the improvement may be anything from slight, through to significant. I can't speak for WordPress so I'm not sure there.

Unless you are hosting a very busy website, I doubt it would make significant real world difference (but YMMV). If you're after improved performance, then there are still plenty of other tuning options for MySQL and Apache that may improve things for you (generally tuning is resource and scenario dependant, so we don't touch any of that).

As for security, from your assumption, my guess is that you're a Windows user?! As a general rule on Windows, you install whatever third party software you want, direct from the third party vendor. Then when it has security updates, you need to install the new version. I.e. you get trained to think that "old version = bad; new version = good". However, TurnKey Linux (and many other Linux distros, inc Debian, Ubuntu, etc) does things quite differently.

Under most Linux distros, software is pre-packaged specifically by the distro vendor (as a Debian based distro, we leverage the packaging work of Debian). When a new Debian stable release is finalised, all the software package versions are frozen at whatever version they are at the time (e.g. in the case of Debian Jessie; PHP5.6).

Pretty much all the available packages are tested against all the other available packages. So in theory, any possible software combination should be just as stable as any other software combination. That is part of the reason why Linux is preferable to Windows for a webserver; because different software combinations are much better tested, making the whole system much more stable and less likely to be crashed by the installation of new software! In practice it is possible to hit edge case issues, but they are extremely rare in my experience, at least on Debian.

The downside of that is that Debian packages get quite stale as time goes on. In scenarios where reliability is preferenced over "latest and greatest" (as a general rule, that includes most "production" servers), that's rarely an issue. Although in some cases there are legitimate reasons to need/want a newer version. E.g. you need one of the new feature from a newer version. Another reason may be general (non-security) bugs. They often get resolved, but can sometimes be slow to become available (especially if they're minor bugs, or tricky to fix).

But what about security I hear you say?! Instead of requiring you to update to the latest version, the Debian security team backport the security fix to the version included in the repos. This patched release (of the same upstream version) is then released via the Debian security channel. So whilst you won't get the latest version (with security updates, bugfixes, new features and possibly new bugs), you will get an updated version of the same release (with security patch included). These security updates specifically just patch the security flaw, so the functionality should remain the same, but with the security bug resolved.

These security updates are specifically designed to introduce the smallest possible set of changes from the original. They are also generally really well tested. This makes Debian security updates super safe. So safe in fact, that by default TurnKey checks for, and installs any security patches nightly.

So in short, you should be fine! :)

Very Siberian's picture

Jeremy, thank you very much for this highly informative reply. This all makes perfect sense. I am mostly a Mac user but use Linux when possible and Windows only when necessary.


In the WordPress world, PHP 7 is being pushed hard by developers and web hosts. I seem to have gotten caught up in the fever and all of my sites are on it except the one for which I’m using TKL. Other companies like yours (e.g., Bitnami) have been pushing out WordPress stacks with PHP 7 for some time now. I just wanted to make sure that I wasn’t neglecting to do something important for the site and assumed that PHP could be easily updated without messing up the rest of the installation.

Again, thanks so much for your replies and TKL in general!


Jeremy Davis's picture

Yes PHP7 has been getting lots of promotion. And don't get me wrong, it's definitely better. Just not "better enough" in my opinion to potentially compromise the stability and security that is inherent when using packages from Debian main.

So the path for us to provide PHP7 is to get our new release (v15.0) out the door. PHP7 is default in Debian Stretch (what v15.0 will be based on)..

Whilst on face value Bitnami provide a very similar product, the way that we achieve the ends are quite different. I certainly don't want to bad mouth our competition, as both ways have advantages and disadvantages. But obviously we think our way is best! ;)

Their way makes it really easy to install "latest and greatest" (which probably helps with marketing). But because Bitnami install everything from upstream (i.e. direct from the software vendors) it's much more like how you manage software on Windows (and perhaps Mac too?) It's possible, but it's messy and stuff may break.

We think our way (leveraging the good work of the Debian folks) provides a more stable platform with a lighter maintenance overhead.

Anyway, good luck with it all, and please post again if you have more questions or feedback.

Very Siberian's picture

Hello again,

Hope you don't mind one more follow up on this thread. Just two questions:

1. Through what mechanism are your users informed of new updates? For example, when the next version of TKL WordPress is released, how will we know? Do you communicate it through your newsletter, Twitter, etc., or should we simply keep checking this site for announcements?

2. When it comes time to upgrade, is an in-place upgrade possible, or must one download and install an updated VM appliance, and then export/import the WordPress site to it? I'm just trying to plan ahead. 



Jeremy Davis's picture

1. We always post updates on our blog. In theory you should be able to subscribe via RSS and/or follow us on social media (twitter, facebook & G+). However, following your question, I've just realised that all those integrations are broken! Argh! So as noted there, for now the only way to do that, is to manually check our blog.

We've been so busy with new developments behind the scenes that the website is falling apart a bit... I'm currently in the process of hiring an outside firm to do some major work on our site and will include fixing that as an high importance item. Unfortunately though I have no timeframe.

2. As TurnKey is Debian under the hood, doing a dist-upgrade is certainly an option. Although we often provide additional (non packaged) tweaks with new releases, particularly major releases (e.g. v14.0, v15.0, etc). So you may not get all the improvements. Using TKLBAM to migrate, will allow you to get the new tweaks, but can sometimes raise new issues. E.g. there were significant changes in Apache config between v13.x (Debian Wheezy) and v14.x (Debian Jessie). See the doc page for more info. Updating that page with new info will happen once (or soon after) we publish v15.0.

Ideally, I've always wanted to implement a way for TKLBAM to trigger the Debian upgrade scripts (that are run when you migrate from one major Debian release to another). Then you could get the advantages of Debian upgrade scripts, but still use TKLBAM to migrate your data. Conversely, I'd also like to see more of our tweaks properly packaged, so then users who do a dist-upgrade can also benefit from them. Unfortunately though we have a huge labour bottleneck, so we often find ourselves never having enough time to implement any of these cool ideas that we have...

OTOH, generally between minor releases the changes are not super significant, and just getting the package upgrades are the most important thing. Most new releases also include updated application code (when stuff is installed direct from upstream, e.g. WordPress). But existing users can't benefit from that either way they upgrade. If using dist-upgrade, you never get the updated software. With TKLBAM, third-party application code is included in your backup, so your current install will over-write the updated application version. E.g. if migrating our WordPress v14.1 appliance to v14.2; you will still be runnign the same version of WordPress as you were on v14.1.

Very Siberian's picture

Hey there,

PHP 7+ is getting tons of attention these days and some of my WordPress plugins are starting to phase out support for PHP 5.6. As I've previously posted, WordPress now recommends PHP 7.2. Is there perhaps a timeline for the next version of the WordPress appliance that will include PHP 7?



Jeremy Davis's picture

Thanks for your patience and sorry that it's taking so long...

Fingers crossed, I hope to announce TurnKey Core v15.0RC1 this week. Assuming there are no glaring issues with the RC1, soon after that, we'll move straight to a stable release. We intend to release v15.0 in batches of about 20 appliances. Core will definitely be in the first batch, LAMP will almost certainly be in it too. It's likely that WordPress will also be included in that first batch, or perhaps the second...?!

Sorry that I can't be more precise than "hopefully this week" for an RC and "soon after that" for the stable. But I just don't know what I don't know!

The more eyes we can get over the RC, the sooner I'll be happy that we've caught all the potential issues. So if you keep an eye on the blog and help out testing the RC as soon as it's live, then the sooner we'll have the stable release out.

Anyway, I better get back to it so I can get it published! :)

Very Siberian's picture

Thank you, Jeremy! I am not trying to bug you and find TKL WordPress to be nearly flawless except for the datedness of some elements like PHP. I am simply trying to figure out if I would be better off with a different solution or if I should hold out a bit longer for the next TKL version, so I wanted to inquire about the status. Best wishes for speed and success with the next version!

Jeremy Davis's picture

I hope my response(s) don't give you the impression I just think you're a whinger or intentionally being a PITA! It's frustrating for me it's taking so long, but I also understand that unless you ask (and I answer) then you're in the dark too! It's totally reasonable to try to get an understanding of where things are up to.

Hopefully we'll have something really soon though! It will be such a relief to me once we get there! :)

Very Siberian's picture

Hey there, just wondering how this is going. Per the website, the latest version of TKL WordPress is still at version 14.2. Any idea when 15.x will be available with PHP 7.x support? Thanks!

Jeremy Davis's picture

Sorry it's taken so long... TBH, I'm probably more frustrated about this than you are!

We're getting really close and fingers crossed it should be this week...

Very Siberian's picture

Thanks. I just read the following story. Do you still consider TKL WordPress version 14.2 to be secure at this point?


Debian GNU/Linux 8 "Jessie" Has Reached End of Security Support, Upgrade Now

Today, June 17, 2018, marks the end of regular security support for the Debian GNU/Linux 8 "Jessie" operating system series, which now reached end of life.

Released more than three years ago, on April 25, 2015, Debian GNU/Linux 8 "Jessie" is currently considered the "oldstable" Debian branch since the release of the Debian GNU/Linux 9 "Stretch" operating system series precisely a year ago, on June 17, 2017. As such, Debian GNU/Linux 8 "Jessie" has now reached end of life and will no longer receive regular security support beginning June 17, 2018.

Security support for Debian GNU/Linux 8 "Jessie" will be handed over to the Debian LTS team now that LTS (Long Term Support) support has ended for Debian GNU/Linux 7 "Wheezy" on May 31, 2018. Debian GNU/Linux 8 "Jessie" will start receiving additional support from the Debian LTS project starting today, but only for a limited number of packages and architectures like i386, amd64, armel, and armhf.

LTS support for Debian GNU/Linux 8 "Jessie" will end June 30, 2020

The Debian Long Term Support (LTS) project takes over security maintenance to extend the life support for Debian GNU/Linux operating systems that reached end of life with two more years. Therefore, it is expected that the Debian GNU/Linux 8 "Jessie" operating system series will receive LTS support from Debian LTS for the next two years, until June 30, 2020.

If you want to continue using Debian GNU/Linux 8 "Jessie" even after the LTS support ends on June 30, 2020, you can further extend its lifetime via the Extended Long Term Support (ELTS) commercial offering, which is available only for i386 and amd64 architectures. Extended LTS support for Debian GNU/Linux 8 "Jessie" will kick off from July 1, 2020, to June 30, 2021.

Otherwise, if you're still using Debian GNU/Linux 8 "Jessie" on your personal computer, you are recommended to start preparing for an upgrade to the latest stable release of the operating system, Debian GNU/Linux 9 "Stretch," which will receive regular security support until June 2020 and an additional two years of LTS support from Debian LTS until June 2022.

Jeremy Davis's picture

I've just been trying to put 100% into v15.0 to hurry it up out the door! :)

As noted in the blog you linked to, it's not like security support has stopped, it's just no longer handled by the "Debian Security Team". Instead it's now managed by the "Debian LTS Team".

Whilst the LTS team don't have quite the same level of resources as the Security team, it should not fundamentally change things. Security fixes will still be generated and auto applied to your TurnKey v14.x server until 2020. All critical issues will still be given priority by the LTS team.

Please be aware that some software may no longer be getting security updates though. All of the core components should be fine, but for piece of mind, you can double check by installing the package 'debian-security-support'. Then check your system. I.e. something like this:

apt-get update
apt-get install debian-security-support'

That should give you a list of all packages that have limited security, security support has ended or will end earlier than the distribution’s end of life.

Hope that helps.

Very Siberian's picture

Thank you, Jeremy!

Very Siberian's picture

Dear Jeremy and the TKL Team,

WOW! I just upgraded to TKL WordPress 15.0. It is beautiful, wonderful, amazing, and flat out terrific -- well worth the wait. Congratulations on your excellent accomplishment and thank you very much!



Jeremy Davis's picture

We still haven't announced it yet, and so far we have only published ISOs, and only for 47 updated apps (so still ~50 to go) but obviously you found it! :)

I plan to post an announcement on the blog in the next couple of days (once I've finished updating the appliance pages). And the other builds for the first batch should be ready real soon too (just finalising some last minute logging issues in the openstack builds). AWS (for both Hub and Marketplace will also follow soon after.

If you have any further feedback, please do not hesitate to share. We love the positive encouragement and the lovely feedback is nice. Although it's also good to hear about issues and suggested improvements! :)

Add new comment