Staying on top of critical security risks and vulnerabilities is imperative for the safety of your website. Some of the types of threats impacting our client sites include injections, broken authentication, cross site scripting, or even attackers targeting components with known vulnerabilities.
In this post, we’ll be going over why outdated PHP versions can lead to an increase in vulnerabilities with your website and how you can minimize these risks to protect your site and your visitors.
Keeping Your Environment Safe
PHP is the backbone of most web hosting environments and should be maintained like everything else. PHP has had its share of security vulnerabilities over the years, with nearly 20 recorded since the beginning of 2020 alone. They range in scope of severity but include remote code execution attacks, crashes, and information disclosure.
When it comes to updating your PHP version, you have the option of either automatic or manual updates — however, manually updating PHP is recommended to avoid issues.
While some site administrators opt for the automatic route, there are many occasions where automatic updates may break functions that have become deprecated or obsolete in newer versions. Manual updates are suggested for this exact reason. For instance, an older website may rely on deprecated functions not found in the latest version, and a PHP update may end up breaking the site entirely.
Staying on an older version of PHP may be the path of least resistance in terms of website functionality, but going too long without an update will increase the risk to your environment – and provide more opportunities for bad actors.
With this in mind, let’s go over preventative measures in case those updates slip through the cracks. It’s important to determine the right update schedule for your website or organization to balance stability and an acceptable level of risk.
When it comes to having automatic or manual updates, you want to be sure you have backups already in place in case things go south. This means making sure you’re regularly making backups, or setting them up to run automatically. Our recommendation is to make backups every 24 hours and maintain at least 90 days worth of backups, but this should be done more often if you have a website that has more frequent updates.
It’s also worth noting that keeping your backups on the same shared hosting server as your website can also increase the risk of infection within the backups themselves. If your website becomes infected and shares the same hosting environment as all of your backups, they could potentially become cross-contaminated. Due to this, we suggest storing your backups on a separate server backups.
Whether or not you already have a backup of your site in place, some site administrators will prefer testing the site on a separate staging server before making any changes. You’ll first need to locate your local host’s file within your OS (Mac, Windows, etc.). Once you’ve located this file you’d want to edit it, inputting your domain and staging hosting IP.
This is an example of a hosts file opened in the Nano text editor. If you’re using Windows, it will likely open in a regular Notepad program.
After you’ve implemented this change to your host’s file and flushed the DNS cache, you should be able to test version updates without any disruptions to the live site.
Some website administrators prefer to set up a staging subdomain instead so that these host file changes aren’t necessary.
In one of my previous posts, I discussed how to create a website maintenance schedule, which should be considered if you’re unable to manually handle frequent site updates. This will help you reduce the risk of downtime. Gather a security audit checklist to stay organized on what needs to be managed. You’ll want to ensure that your plugins are actively supported, remove unused plugins & themes, review settings and permission levels, and of course check for any updates.
Overall, you should be regularly checking to make sure any software utilizing PHP is being maintained and trusted. There are plenty of tools out there that can help you detect outdated software, like our Sucuri SiteCheck scanner. You can also leverage a web application firewall (WAF), which will help virtually patch vulnerabilities in the event that you aren’t able to make timely updates.
If you believe you’ve been the victim of an attack, don’t hesitate to have it cleaned up as soon as possible. Our remediation team is available 24/7 and is here to help.