How to upgrade from PHP 5.6 to 7 with TKL WordPress?

Very Siberian's picture

Hello! I just installed TKL WordPress and have it running. I noticed that it came with PHP version 5.6 out of the box, when my understanding is that version 7+ is now being recommended. Would anyone be able to provide instructions for upgrading the PHP version to 7?

Thank you!


Jeremy Davis's picture

TurnKey is based on Debian and our current release (v14.2) is based on Debian Jessie. Debian Jessie ships with PHP 5.6 so that what we provide. The current release of Debian (which v15.0 will be based on) has 7 as default version of PHP.

You could install PHP7 from a third party source, but then you lose the advantages of a stable version and auto PHP security updates. In fact, sometimes, you may find yourself in a scenario where you should upgrade because of a security bug, but newer PHP version breaks your site. PHP is fairly stable, so it'd probably be an edge case, but it happens...

If you are developer who needs PHP 7, then that will be a no brainer (you need it!). If you google something like "install php7 debian jessie" you will find plenty of info and probably more than one way which you can do it.

If you're using TurnKey with a hobby project or something similar, it may also be a useful learning experience.

However, if you simply plan to serve some content, then I'd encourage you to not make more work for yourself and just stick with 5.6 for now. When we release v15.0 (not sure when, but hopefully not too far away) then you can use TKLBAM to migrate your data to a fresh v15.0 (with PHP7) instance!

Very Siberian's picture

Hi, Jeremy. Thanks for the info. I spent the weekend searching on similar keywords but was not successful at making the PHP upgrade work. I think I have it installed, but my Apache server does not seem to know about it.

in any case, thanks for your reply. If anyone else has specific suggestions on how to upgrade, I am all ears. In the meantime, I will look further into TKBAM.

Jeremy Davis's picture

TBH, I've never done it, but my guess is that it's still picking up the old php. I recommend uninstalling that first. Also Apache would need to be restarted (if you haven't already).

I've just had a quick google and this looks like a pretty good one. Just make sure that you ONLY follow the Debian Jessie/8 steps (the tutorial is for Wheezy & Jessie).

If you encounter any issues, please feel free to post specific info and I'll do my best to help out.

Very Siberian's picture

Thanks for the additional information! I followed the tutorial and it mostly worked. However, when I went to restart Apache2, it did not work. I then got worried and reverted to a VirtualBox snapshot that I took before trying the steps. I will simply wait for the next TKL version with PHP 7. I was simply under the probably mistaken belief that PHP 7 was pretty essential for maximum performance and security.

Best regards,


Jeremy Davis's picture

Ah ok. Well if Apache couldn't restart then there is obvisously something that still isn't quite right.

If you'd like to persevere, please post the exact error message, plus perhaps the last few lines from the Apache log ('head -30 /var/log/apache2/error.log' will give the last 30 lines of the Apache error log). I'm more than happy to try to assist you to do it if you still want?!

With regards to PHP performance, assuming that the app supports it, PHP apps generally do perform better under PHP7. Depending on the app, the improvement may be anything from slight, through to significant. I can't speak for WordPress so I'm not sure there.

Unless you are hosting a very busy website, I doubt it would make significant real world difference (but YMMV). If you're after improved performance, then there are still plenty of other tuning options for MySQL and Apache that may improve things for you (generally tuning is resource and scenario dependant, so we don't touch any of that).

As for security, from your assumption, my guess is that you're a Windows user?! As a general rule on Windows, you install whatever third party software you want, direct from the third party vendor. Then when it has security updates, you need to install the new version. I.e. you get trained to think that "old version = bad; new version = good". However, TurnKey Linux (and many other Linux distros, inc Debian, Ubuntu, etc) does things quite differently.

Under most Linux distros, software is pre-packaged specifically by the distro vendor (as a Debian based distro, we leverage the packaging work of Debian). When a new Debian stable release is finalised, all the software package versions are frozen at whatever version they are at the time (e.g. in the case of Debian Jessie; PHP5.6).

Pretty much all the available packages are tested against all the other available packages. So in theory, any possible software combination should be just as stable as any other software combination. That is part of the reason why Linux is preferable to Windows for a webserver; because different software combinations are much better tested, making the whole system much more stable and less likely to be crashed by the installation of new software! In practice it is possible to hit edge case issues, but they are extremely rare in my experience, at least on Debian.

The downside of that is that Debian packages get quite stale as time goes on. In scenarios where reliability is preferenced over "latest and greatest" (as a general rule, that includes most "production" servers), that's rarely an issue. Although in some cases there are legitimate reasons to need/want a newer version. E.g. you need one of the new feature from a newer version. Another reason may be general (non-security) bugs. They often get resolved, but can sometimes be slow to become available (especially if they're minor bugs, or tricky to fix).

But what about security I hear you say?! Instead of requiring you to update to the latest version, the Debian security team backport the security fix to the version included in the repos. This patched release (of the same upstream version) is then released via the Debian security channel. So whilst you won't get the latest version (with security updates, bugfixes, new features and possibly new bugs), you will get an updated version of the same release (with security patch included). These security updates specifically just patch the security flaw, so the functionality should remain the same, but with the security bug resolved.

These security updates are specifically designed to introduce the smallest possible set of changes from the original. They are also generally really well tested. This makes Debian security updates super safe. So safe in fact, that by default TurnKey checks for, and installs any security patches nightly.

So in short, you should be fine! :)

Very Siberian's picture

Jeremy, thank you very much for this highly informative reply. This all makes perfect sense. I am mostly a Mac user but use Linux when possible and Windows only when necessary.


In the WordPress world, PHP 7 is being pushed hard by developers and web hosts. I seem to have gotten caught up in the fever and all of my sites are on it except the one for which I’m using TKL. Other companies like yours (e.g., Bitnami) have been pushing out WordPress stacks with PHP 7 for some time now. I just wanted to make sure that I wasn’t neglecting to do something important for the site and assumed that PHP could be easily updated without messing up the rest of the installation.

Again, thanks so much for your replies and TKL in general!


Jeremy Davis's picture

Yes PHP7 has been getting lots of promotion. And don't get me wrong, it's definitely better. Just not "better enough" in my opinion to potentially compromise the stability and security that is inherent when using packages from Debian main.

So the path for us to provide PHP7 is to get our new release (v15.0) out the door. PHP7 is default in Debian Stretch (what v15.0 will be based on)..

Whilst on face value Bitnami provide a very similar product, the way that we achieve the ends are quite different. I certainly don't want to bad mouth our competition, as both ways have advantages and disadvantages. But obviously we think our way is best! ;)

Their way makes it really easy to install "latest and greatest" (which probably helps with marketing). But because Bitnami install everything from upstream (i.e. direct from the software vendors) it's much more like how you manage software on Windows (and perhaps Mac too?) It's possible, but it's messy and stuff may break.

We think our way (leveraging the good work of the Debian folks) provides a more stable platform with a lighter maintenance overhead.

Anyway, good luck with it all, and please post again if you have more questions or feedback.

Very Siberian's picture

Hello again,

Hope you don't mind one more follow up on this thread. Just two questions:

1. Through what mechanism are your users informed of new updates? For example, when the next version of TKL WordPress is released, how will we know? Do you communicate it through your newsletter, Twitter, etc., or should we simply keep checking this site for announcements?

2. When it comes time to upgrade, is an in-place upgrade possible, or must one download and install an updated VM appliance, and then export/import the WordPress site to it? I'm just trying to plan ahead. 



Jeremy Davis's picture

1. We always post updates on our blog. In theory you should be able to subscribe via RSS and/or follow us on social media (twitter, facebook & G+). However, following your question, I've just realised that all those integrations are broken! Argh! So as noted there, for now the only way to do that, is to manually check our blog.

We've been so busy with new developments behind the scenes that the website is falling apart a bit... I'm currently in the process of hiring an outside firm to do some major work on our site and will include fixing that as an high importance item. Unfortunately though I have no timeframe. 2. As TurnKey is Debian under the hood, doing a dist-upgrade is certainly an option. Although we often provide additional (non packaged) tweaks with new releases, particularly major releases (e.g. v14.0, v15.0, etc). So you may not get all the improvements. Using TKLBAM to migrate, will allow you to get the new tweaks, but can sometimes raise new issues. E.g. there were significant changes in Apache config between v13.x (Debian Wheezy) and v14.x (Debian Jessie). See the doc page for more info. Updating that page with new info will happen once (or soon after) we publish v15.0.

Ideally, I've always wanted to implement a way for TKLBAM to trigger the Debian upgrade scripts (that are run when you migrate from one major Debian release to another). Then you could get the advantages of Debian upgrade scripts, but still use TKLBAM to migrate your data. Conversely, I'd also like to see more of our tweaks properly packaged, so then users who do a dist-upgrade can also benefit from them. Unfortunately though we have a huge labour bottleneck, so we often find ourselves never having enough time to implement any of these cool ideas that we have...

OTOH, generally between minor releases the changes are not super significant, and just getting the package upgrades are the most important thing. Most new releases also include updated application code (when stuff is installed direct from upstream, e.g. WordPress). But existing users can't benefit from that either way they upgrade. If using dist-upgrade, you never get the updated software. With TKLBAM, third-party application code is included in your backup, so your current install will over-write the updated application version. E.g. if migrating our WordPress v14.1 appliance to v14.2; you will still be runnign the same version of WordPress as you were on v14.1.

Post new comment