Danger behind using older php versions?

PHP ( PHP Hypertext Processor ) commonly used programming language for creating websites. Over 78% of all the websites are using PHP, ie. 8 out of 10 websites are PHP websites. WordPress, Joomla, Drupal, and many other CMSs are using PHP as the programming language. The latest PHP version 7.4.9 was released on “06 Aug 2020”. In this article, I am discussing the danger behind using older php versions. Only a few amounts of websites are using the latest PHP versions, so this topic is very important in the web hosting industry.

The older PHP versions without security patches are dangerous since the hackers detect your php version and find the known vulnerabilities and hack the websites using these vulnerabilities.  Patching php versions with security updates will help to reduce the chances of your website getting hacked.

What is End-Of-Life or ‘EOL’ in Software?

If we talk about PHP, newer versions were launched and older versions are getting outdated. Even the new versions are released, the older versions were patched for some period. Once a period ends, the older versions set to EOL and EOL software will no longer support by the developers.

cPanel also removed older EOL versions from their list. You can review the unsupported version list from here

PHP Tweet

Benefits of updating to the latest versions 

Older php version 5 has some bugs related to performance, memory usage, and many more. In version 7, these bugs are fixed and have many improvements in performance. Also, your website will run faster and stable with the latest php version 7. In case of security, the latest versions are patched with the latest vulnerabilities and it will help to protect our website from those vulnerabilities. With PHP 7 developers are actively working on it and will get good support for the vulnerabilities and bugs reported.

How to get the php version used by your website. 

  • The first option is to use the phpinfo function. Use the following code in a file with .php extension and save it in your webroot directory and load the file in your webserver to get the php version and other details related to the PHP. Delete the file after checking, since giving all these php information to others is a security risk.
<?php
phpinfo();
?>
  • Some of the applications like wordpress will show the running php version in the admin dashboard. You can check it from there too.
  • Some external site tools also help you to identify the PHP version of your site.

As a security measure, we can disable the phpinfo function and showing the php version from outside the server.

Reasons why still using older versions of PHP 

Ignoring the version upgrade notifications from the customer end is the first and main reason for using older php versions.

Software code incompatibility is another reason why the users are using old php versions. WordPress is used by most of the websites and WordPress Core always compatible with the latest version of php. But the themes and plugins may not be compatible sometimes and the users are forced to keep the older versions of PHP for their website until the plugin or theme supporting the latest version.

Sometimes customers spent a large amount on the development of the code or the customization of the existing product. Unfortunately, the customized code may not be compatible with the latest PHP version. In order to avoid spending another huge amount, they will force them to use older php versions without upgrading the code.

Overcome the use of older versions. 

Upgrade to the latest version

Most of the case the core CMS software or other software are compatible with the latest PHP versions and the issue with the plugins or themes. Check for any available update, which will compatible with the latest version.

Modsecurity

Sometimes upgrade is not an option and customer needs to stick with the older php versions and we need to use WAF ( Web application firewall ) rules to protect the sites from the known vulnerabilities. This just a bandaging on the wound, so it is not a solution, but we can use it as a temporary solution. Malware-expert has some mod security rulesets which will cover most of the known vulnerabilities and it will help to protect your website too.

Take backups

This is very important with old php websites as well as new versions too.  Regular backups will reduce the downtime by easily restore the hacked website. And external backups are more helpful than keeping it in the same server under different drive.  In case of crash recovery, the local backups are not helpful and in case of root compromise, the chances of affecting the local backups too.

How to upgrade website to the latest version 

  • Backup the website files and databases
  • Check the core site, plugins, themes, extensions compatibility with the latest php version
  • Review the upgrade steps and update everything like plugins and themes to the available latest version
  • Check everything is working fine on the server.

Performing the upgrade on the staging sites will help to reduce the downtime for the mission-critical sites. By doing this way, we can minimize downtime.

In the control panel servers, the php version changer plugins or inbuilt software are available and you can use that. If it is a custom server setup, you can check with your server administrator and upgrade the php version in the server or install multiple PHP versions and set respective versions to your website.

Conclusion. 

This article referring to the possibilities and danger behind using older php versions. Using the latest PHP version will improve your site’s security, it doesn’t mean your website is safe and secure. It depends on the way your server administrator manages the server by considering the security precautions. We try to keep updating the software use the latest available software for your website.