Skip to main content

Pantheon release notes: Infrastructure

April 15, 2024

PHP 8.1.28, 8.2.18, and 8.3.6 were released on the platform. They contain the latest bug fixes and security releases for PHP.

Updates include patches for the following CVEs ( Common Vulnerabilities and Exposures):

  • CVE-2024-1874 "Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows"
  • CVE-2024-2756 "__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix"
  • CVE-2024-3096 "password_verify can erroneously return true, opening ATO risk"
  • CVE-2024-2757 "mb_encode_mimeheader runs endlessly for some inputs" (PHP 8.3 only)

As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.2 and above.

March 20, 2024

As part of our continued effort to provide the latest and best in secure software, PHP versions 7.1 and below will reach end-of-sale (EoS) on May 15, 2024. This means that sites created after May 15 will not be able to change their PHP version to PHP 7.1, 7.0, or any version of PHP 5. Sites created with custom upstreams using EoS PHP may also have unexpected behavior upon site creation.

Sites already running PHP 5, PHP 7.0, or PHP 7.1 will continue to run even after May 15.

PHP 7.1 was declared end-of-life (EoL) by the PHP Foundation on November 30, 2020, more than three years ago. PHP 5.6 reached EoL on December 31, 2018, more than five years ago. EoL software does not receive security or feature updates, and could expose sites to attack if any vulnerabilities or exploits are discovered.

Action required

Customers using custom upstreams with a PHP version less than 7.2 should update their custom upstreams by May 15 to avoid disruption. The current supported versions of PHP are 8.1, 8.2, and 8.3. Pantheon currently recommends at least PHP 8.1 for all production sites.

March 18, 2024

PHP 8.2.17 and 8.3.4 were released on the platform. They contain the latest bug fixes and security releases for PHP. As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.1 and above.

February 21, 2024

The latest versions of PHP 8.x are now available on the Pantheon platform. PHP 8.1.27, 8.2.16, and 8.3.3 are all bug fix releases. No action is required on your part if you are using one of these PHP versions (8.1, 8.2 or 8.3).

December 1, 2023

We're thrilled to announce an impactful upgrade to Pantheon's security infrastructure, reinforcing our commitment to safeguarding your websites. In response to the escalating sophistication of distributed denial-of-service (DDoS) attacks, we've implemented innovative solutions to fortify our defenses. Particularly, we've addressed a surge in Layer 7 attacks targeting content management systems, ensuring resilience even without our Advanced Global CDN's Web Application Firewall (WAF).

Key benefits:

  • Advanced DDoS protection: Our engineers have proactively countered Layer 7 attacks, mitigating risks posed by inauthentic traffic targeting web content management systems.
  • Rate limiting capabilities: We've introduced rate limiting capabilities within our Global CDN, curbing abusive traffic effectively. This ensures a stable online presence, even during large-scale attacks, preventing wider stability issues.

For more in-depth insights into the measures we've taken and the value they bring to your Pantheon experience, delve into the full blog post. Your website's security and stability are our top priorities, and this enhancement is another step in our ongoing commitment to delivering a robust WebOps platform.

November 1, 2023
  • As part of Pantheon’s commitment to accessibility, diversity, and inclusion, we are proud to announce that we have completed an external audit of our platform’s accessibility features and the results are available in our WCAG 2.1 AA VPAT.
  • Our teams have ongoing efforts to improve accessibility further and have outlined goals to improve our support of WCAG 2.1 AA criteria for the next two quarters.
  • Our partners and customers who depend on WCAG compliant products can confidently continue to use the platform knowing that we hold accessibility to be an important function of the services we provide.
November 1, 2023

The File System team at Pantheon achieved significant speed improvements in backup processes. The Valhalla export process was overhauled, allowing backups to be constructed from new objects, cutting down export times by 25-83%. This was accomplished by initiating object retrieval immediately after receiving MANIFEST metadata, omitting empty files, and promptly archiving received files.

October 1, 2023

Global CDN now has improved compatibility with the WPML multilingual WordPress plugin. Page variations for each language can be cached at the edge. This update was rolled out automatically for all sites that use the WPML plugin and increased site cache hit ratio by 24% on average.

October 1, 2023

Sometimes you just need more memory to serve your site reliably. To learn more about why we doubled the memory for most site plans, check out this blog by Rachel Whitton, Lead Technical Writer here at Pantheon.

To take advantage of the increased memory limit, contact our customer support team. Or drop by our regular Zoom-based office hours.

October 1, 2023

PHP 8.2.11 and 8.1.24 were released on the platform. They contain the latest bug fixes and security releases for PHP. As a reminder, PHP 8.0 will reach End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.1 and above.

September 1, 2023

Pantheon has deployed PHP versions 8.2.9, 8.1.22, and 8.0.30 to customer sites running on the platform. These releases address vulnerabilities disclosed in CVE-2023-3823 and CVE-2023-3824.

If you are using PHP 8.2, 8.1 or 8.0, there is nothing further that you need to do. If you are still on PHP 7.4 or earlier, though, you should schedule some time to upgrade to a supported version.While the vulnerabilities patched in these latest releases are not reported to affect PHP 7.4, the fact remains that there could be (and probably are) unpatched vulnerabilities in the end-of-life versions. Read more about it in Greg Anderson’s blog post.

September 1, 2023

Pantheon has pushed an update to WordPress and Drupal 7 core upstreams which sets PHP 8.1 as the new default PHP version, rather than 7.4.

Please test this core update thoroughly before deploying to the Live environment. If your site requires an older version of PHP, or if you'd like to upgrade to PHP 8.2, see Pantheon’s documentation on how to manage PHP versions via the pantheon.yml configuration file.

February 1, 2023

Services like Redis greatly accelerate web performance by offloading heavy database and fileservice interactions to a fast in-memory cache. Pantheon Object Cache Update allows customers the ability to adopt Redis server 6.x. This capability is made possible by adopting Pantheon’s modernized infrastructure and cloud operations frameworks. To learn more about Object Cache, refer to our documentation.

September 1, 2022

PHP 8.1 is now recommended for Drupal sites version 9.3.0 and higher. An underlying bug with ProxySQL was fixed in version 2.4.3 and PHP 8.1 was updated on the platform to incorporate this fix.

January 1, 2022

Customers can now upgrade their site database and PHP by using the One-Click Upstream Update feature in the Site Dashboard or the command Terminus upstream:updates:apply. Pantheon makes it simple to keep your site database secure and performant. Sites using Custom Upstreams can easily upgrade to supported database versions by configuring the site's pantheon.yml.

October 1, 2020

Updated to PHP 7.3.22 and 7.4.10 platform-wide. For information on upgrading between major PHP versions see Upgrade PHP Versions.

August 1, 2020

All Pantheon customers are now provisioned with a dedicated certificate for HTTPS for each custom domain on a site environment. In addition, the go-live experience has been optimized and now lets you configure HTTPS before launch via the DNS TXT method to verify domain ownership.

July 1, 2020

Although it places load on the platform, Pantheon now excludes traffic from Petalbot, which would otherwise count towards your website's total traffic.

June 1, 2020

Global CDN now blocks requests identified as being performed by AspiegelBot (aka PetalBot) when a query string is present. This platform-wide change is intended to guard against resource exhaustion and related site downtime. Going forward these requests will result in a 403 and will not count as site traffic for Pages Served and Visits. For more information see Traffic Limits and Overages.

Capacity Expansion: Auckland, New Zealand (AKL).

April 1, 2020

The New Relic agent has been upgraded from version to version platform-wide. This upgrade fixes a potential segfault with PHP 7.3. For more information, see the New Relic Agent release notes.

March 1, 2020

New Points of Presence:

  • Ashburn, VA (WDC)
  • Chicago (PWK)

Expanded Capacity:

  • Vancouver (YVR)
  • Sydney, Australia (SYD)
  • NY (LGA)
  • Los Angeles (BUR)
  • Dallas (DFW)
  • Atlanta (FTY)
  • Boston (BOS)
  • Helsinki (HEL)
  • Osaka (ITM)
  • Amsterdam (AMS)
March 1, 2020

Advanced Global CDN extends Global CDN for customers that need unique customizations including personalization, domain masking, and extended enterprise-grade security features including a WAF, IP and geolocation blocking and blocklisting. Advanced Global CDN is available as an add-on product to all customers now.

February 1, 2020

Updated to PHP 7.3.14and 7.2.27 platform-wide. For information on upgrading between major PHP versions see Upgrade PHP Versions.

January 1, 2020

Most UDP traffic originating from the platform has now been blocked in order to prevent platform abuse.

January 1, 2020

Updated to PHP 7.2.26, and 7.3.13 platform-wide. For information on upgrading between major PHP versions see Upgrade PHP Versions.

January 1, 2020

Localdev 0.6.0-beta.9 includes macOS Catalina support, and numerous improvements and bug fixes.

December 1, 2019

Updated to PHP 7.2.25, and 7.3.12 platform-wide. For information on upgrading between major PHP versions see Upgrade PHP Versions.

November 1, 2019

Updated to PHP 7.1.33, 7.2.24, and 7.3.11 platform-wide. For information on upgrading between major PHP versions see Upgrade PHP Versions.

November 1, 2019

Improved auto-update system with support for stable and beta channels, as well as changelog display, plus other fixes.

October 1, 2019

Swiftbot can now crawl non-production environments and platform domains like to support pre-release site search testing. For details see, Bots and Indexing on Pantheon.

October 1, 2019

This release also includes several options to control HSTS and the ability to choose a primary domain. For details see the blog announcement, Pantheon YAML documentation and our updated Launch Essentials guide.

September 1, 2019

Updated to PHP 7.3.9, 7.2.22, and 7.1.31 platform-wide.

August 1, 2019

The New Relic agent has been upgraded Platform-wide. For more info see New Relic PHP Agent release notes.

July 1, 2019

Now when you create a new site on Pantheon, you can select from one of four regions across the globe, including Australia, Canada, and the European Union. For more info see Pantheon Site Regions and Data Residency.

July 1, 2019

Pantheon now recommends A/AAAA records instead of CNAME records. This change is to reduce complexity, confusion, and address a few edge cases introduced with CNAMEs. For example, the use of an MX or TXT record prevents the use of a CNAME. If you are already using a CNAME you can continue to do so or you can update to A/AAAA records as shown on the dashboard.

June 1, 2019

Updated to PHP 7.1.30, 7.2.19, and 7.3.6 platform-wide.

May 1, 2019

In January 2018, Pantheon announced migration of the Pantheon CMS Container Matrix to Google Cloud. Now, all site file storage, backup processing, and backup storage has moved from Amazon Web Services to Google Cloud. This change provides higher backup performance, higher reliability, and increased innovation ahead for all of Pantheon's customers.

May 1, 2019

PHP 7.3 is the new default for Drupal 8 and WordPress sites. Apply the 1-click update on the Pantheon site dashboard to upgrade. For more information see Faster WordPress & Drupal 8 sites with PHP 7.3 by Default.

May 1, 2019

New Relic Agent has been upgraded platform-wide to For details see New Relic release notes.

May 1, 2019

Whether you need your WordPress or Drupal site to meet data residency requirements or have a performance use case not solved by caching requests through Pantheon’s Global CDN, contract customers can now create sites in the European Union. Also see the blog announcement.

March 1, 2019

Updated to PHP 7.2.15 platform-wide. For more information, see

March 1, 2019

Early Access to run sites in Pantheon’s new European Region is now available for contract customers. See regions for details and contact us for more info.

February 1, 2019

Pantheon now includes the intl PHP extension in PHP 7.1 and PHP 7.2. For more information on upgrading your site's version of PHP see Upgrade PHP Versions.

February 1, 2019

Updated to PHP 7.2.14 and 7.1.26 platform-wide. For more information, see and

February 1, 2019

New Relic has been upgraded platform-wide to version For details see New Relic's APM PHP Agent 8.50.236 release notes. Also, see Pantheon's New Relic documentation for general info on using New Relic to monitor your site and identify opportunities to improve application performance.

January 1, 2019

Pantheon is happy to announce our new Disaster Recovery Service, designed for mission-critical websites that need to ensure business continuity during the unlikely event of a zone failure. See the Disaster Recovery doc below for more information.

December 1, 2018

PHP 7.1 and 7.2 were updated to the latest versions on the platform. For information on changing minor versions (e.g from 7.0 to 7.2) see Upgrade PHP Versions.

November 1, 2018

Updated to PHP 7.2.11 and 7.1.23. For more information, see and

October 1, 2018

PHP was updated to versions 5.6.38, 7.0.32, 7.1.22 and 7.2.10.

October 1, 2018

While we still recommend using a third-party email solution, for those who choose to use Pantheon's built-in message transfer agent (MTA), you may now set up an SPF record for your domain and include Pantheon's mail relays for improved delivery. For details, see: Email on Pantheon.

September 1, 2018

The platform was updated to PHP patch releases.

September 1, 2018

Drupal 8 and WordPress now default to PHP 7.2, while Drupal 7 defaults to PHP 7.1. For details see

August 1, 2018

The PHP versions on the platform have been upgraded to 7.2.8, 7.1.20, 7.0.31 and 5.6.37.

August 1, 2018

An improvement to our queuing system has resulted in a 60% reduction in average HTTPS provisioning times!

August 1, 2018

The latest version of Apache Tika, 1.18, is now available on the platform. See documentation on External Libraries on Pantheon for details.

July 1, 2018

More crawlers can now access platform domains, like, to support pre-release SEO testing. Details:

May 1, 2018

PHP 5.5 and 5.3 have reached end-of-life (EOL), and PHP 5.6 and 7.0 will reach EOL in December 2018 so upgrade to PHP 7.1 or 7.2 as soon as possible.

May 1, 2018

PHP has been upgraded to 5.6.36, 7.0.30, 7.1.17 and 7.2.5 platform-wide.

May 1, 2018

The platform-wide build of PHP 7.2 now supports connecting to an external Microsoft SQL server via sqlsrv functions. Your CMS should use Pantheon's default database, but this unlocks use cases that require connecting to an external MS SQL server.

May 1, 2018

Use the filemount configuration to modify the default location of Pantheon's cloud-based filesystem. For details, see Pantheon YAML Configuration Files.

April 1, 2018

OCSP stapling is an improved method for quickly and safely checking the validity of certificates for HTTPS. You can use SSL Labs (e.g. and search for "stapling" to see it's enabled. OCSP responses are typically good for about 7 days, so a response will only get updated as its validity lifetime expiration time approaches.

March 1, 2018

We’ve upgraded to PHP 5.6.35, 7.0.29, 7.1.16, and 7.2.4. See our documentation to learn how to upgrade your PHP version.

March 1, 2018

The Surrogate-Key-Raw header, used for debugging when using Pantheon Advanced Page Cache, is no longer sent by default. To receive this header when making a request, send the Pantheon-Debug: 1 header, like so:

curl -IsH "Pantheon-Debug:1" | grep key

This change addressed an issue that caused Twitter card validation to fail, and also reduces overall page size and speeds up page load time when sending many keys.

February 1, 2018

PHP 5.6, 7.0, 7.1, and 7.2 have been updated to the latest versions platform-wide to address a vulnerability that could allow for arbitrary code execution.

February 1, 2018

On March 5th, the cost for legacy load balancers increased from $30/month to $60/month. To avoid increased charges, upgrade to the Global CDN, which includes free, automated HTTPS, by updating DNS records.

January 1, 2018

We've upgraded to PHP 5.6.33, 7.0.27, 7.1.13, and 7.2.1. See our documentation to learn how to upgrade your PHP version.

January 1, 2018

GCP and Pantheon Logo

Pantheon has switched infrastructure providers from Rackspace to Google Cloud Platform. This switch requires no downtime, as we actually did it six months ago! Read the announcement here.

January 1, 2018

New Relic on Pantheon has been upgraded to version 5.0.199, which supports PHP 7.2.

December 1, 2017

We've upgraded to PHP 5.6.32, 7.0.26, and 7.1.12. See our documentation to learn how to upgrade your PHP version.

December 1, 2017
  • Added the HTML Tidy PHP extension.
  • Fixed an issue where the Redis cache was not cleared during clone operations.
  • Fixed an issue where repeated UTM_* parameters caused an infinite redirect loop.
November 1, 2017

Over 200,000 sites are already on Pantheon's Global CDN, but if you still have sites pointing to the legacy, deprecated infrastructure, you can now see which sites need an upgrade from your User or Organization Dashboard. Find the required DNS information from the Domains / HTTPS tab on each site environment. Complete the upgrade as soon as possible, and let us know if you have any questions.

Global CDN now respects the no-store directive in the cache-control header.

October 1, 2017

WebP, a new image format created by Google, is now supported by Pantheon’s Global CDN.

October 1, 2017

We’ve made PHP 7.1 available for all sites. See our documentation to learn how to upgrade your PHP version, or learn more in this blog post.

September 1, 2017

New Relic on Pantheon has been updated to version You can read the release notes for this version in New Relic’s docs. This update also includes Drupal-specific fixes from previous versions, detailed in the release notes.

August 1, 2017

We upgraded PHP to 5.6.31 and 7.0.23. See our documentation to learn how to upgrade your PHP version. Drupal 7 sites may require action.

August 1, 2017

We improved cache clearing behavior for a large number of surrogate keys or cache tags. The fix was made internally by Pantheon and no action is required if you are already running WordPress or Drupal versions of Pantheon Advanced Page Cache. See the Pantheon Advanced Page Cache for WordPress and Drupal pages for more information.

July 1, 2017

Although our analysis indicated our customers were not likely subject to this vulnerability, we applied the recommended remediation for CVE-2017-7529.

July 1, 2017

Organizations using a Custom Upstream can now add and manage their upstreams without engaging Pantheon Support.

If your organization doesn’t yet use Custom Upstreams, and you are interested in access to this feature, tell us about your use-case.

June 1, 2017

Organizations utilizing a Custom Upstream can now set default site configurations, such as nested docroot, in the pantheon.upstream.yml file. For details, see Pantheon YAML Configuration Files.

June 1, 2017

New Relic's APM Availability Monitoring has known incompatibilities with SNI, which our HTTPS uses. Instead, we recommend configuring the free availability monitoring service within New Relic’s Synthetics Lite tool. For details, refer to New Relic APM Pro.

June 1, 2017

New WordPress and Drupal 8 sites now run PHP 7 by default. Drupal 7 sites will default to PHP 5.6.

May 1, 2017


Pantheon has deployed new versions of Ghostscript and Openjpeg2 to mitigate the CVE-2016-8332 vulnerability. No user action is required.


The platform is not vulnerable to this exploit, no user action is required.

May 1, 2017

We upgraded PHP to 7.0.18. See our documentation to learn how to upgrade your PHP version.

February 1, 2017

We upgraded PHP to 5.6.30 and 7.0.15. See our documentation to learn how to upgrade your PHP version.

February 1, 2017

A vulnerability in the Linux Kernel was discovered that could allow users to gain root privileges. The Pantheon platform was quickly updated to prevent this privilege escalation.

November 1, 2016

We upgraded PHP to 5.6.28 and 7.0.13. See our documentation to learn how to upgrade your PHP version.

November 1, 2016

Upgraded from to Includes a fix for an issue with Drupal 6 sites that could cause POST requests made using drupal_http_request to be converted into GET requests. Learn more.

October 1, 2016

You can now add custom domain names to your Multidev environments. Among other use cases, this allows you to use your company’s name in a URL when you show your work to customers or others in your organization.

September 1, 2016

Now your site’s Drush version is managed via pantheon.yml, so it’s in version control and deployed along with the rest of your code.

August 1, 2016

We now support PHP 5.6 and 7.0. See our documentation to learn how to upgrade your PHP version.

August 1, 2016

Nested docroot: Serve sites from a web subdirectory, one-level beneath the root of your code repository. Among other use cases, this helps facilitate managing dependencies via Composer. Protected Web Paths: Specify files or directories that you don’t want to be publicly web-accessible. PHP Version: Now your site’s PHP version is managed via pantheon.yml so it’s in version control and deployed along with the rest of your code.

June 1, 2015

We are now providing richer and more accurate information about the background actions the Pantheon platform is performing on your sites. This includes commits, workflow actions and clear caches, including more details about the tasks that were performed.

April 1, 2015

We’ve officially completed a fleet-wide codeserver update to Fedora 20.

January 1, 2015

We upgraded from PHP 5.3 to 5.3.29. This is the last release for 5.3 and current users are encouraged, if possible, to upgrade to 5.5 in your site's Dashboard.

January 1, 2015

There's no need. Customer application containers and database servers that were already on up-to-date versions were not vulnerable to GHOST. Backing services were quickly patched, and our engineers further refined our patch deployment capability for even faster responses to future vulnerabilities. For more details, see related Incident Report for Platform Operations