Security support for an older version of the world’s most popular web programming language will end on Dec. 31, potentially exposing millions of websites to a variety of vulnerabilities. Experts say it is critical that organizations ensure they are running the last version of the PHP language.
According to W3Techs, about 80 percent of all websites are powered by backend servers running PHP. It drives major sites such as Facebook, Yahoo and Wikipedia, as well as all sites developed in WordPress. About 62 percent of Internet sites still run on PHP version 5.6x, which will no longer be supported. PHP 7.0 has also reached end of support.
The PHP development community has urged organizations to upgrade to version 7.1 or higher to limit the risk of attacks targeting PHP code. Remote code execution, SQL injection, PHP object injection and cross-site scripting are among common PHP vulnerabilities.
Those running WordPress sites can check with your provider to find out what version of PHP you’re running. Your hosting account should include a menu of PHP settings where you can check. Plugins such as Display PHP Version will also pull up that information.
If you’re running an older version, your provider should be able to make the update from the administrative dashboard. It involves little more than picking a newer version from the PHP Version Manager menu and hitting save. After updating, you should return to your site’s front end and check all pages to make sure the change didn’t create compatibility issues or disable any pages.
Here are some additional suggestions for improving website security:
Enable Hyper Text Transfer Protocol Secure. HTTPS uses authentication and encryption to securely transfer data between a web browser and a website. With an HTTPS connection, it is much harder for a hacker to intercept data going to or from your website.
Back Up Your Data. Back up your website frequently enough to prevent significant business disruption. Some do it weekly. At a minimum, you should do quarterly backups. Don’t forget to test your backup service and the process for recovering data.
Control Access to Website Assets. This applies especially to the files and folders that contain the data required to make your website work. Review access permissions periodically and update permissions whenever a person leaves your company.
Secure Your Forms. Forms can become a source of spam and malware if not protected. You should also validate form data to prevent your website from being infected with malicious code.
Choose Third-Party Plugins and Themes Carefully. Only use plugins and themes from trusted sites. Once installed, keep plugins and themes up-to-date.
Deploy a Web Application Firewall. A web application firewall allows you to monitor communication between web applications and the user’s browser for suspicious traffic. This will help you protect your website against SQL injection, cross-site scripting and other threats.
Use SFTP. Secure file transfer protocol (SFTP) is the more secure version of FTP for uploading files to your website.
Conduct Penetration Tests. There are many free tools that will allow you to effectively test whether many known exploits can compromise your site.
The loss of security support for the old version of PHP creates a host of potential vulnerabilities, but the good news is that website security can be improved fairly easily be following some basic best practices. Give us a call to learn more about website security and whether your site is properly protected.