How keeping PHP updated provides an extra barrier against hack attacks
A webmaster's worst nightmare
Having your website hacked, even if you have a bulletproof backup and redundancy strategy, is surely the worst nightmare of anyone running a website, especially any site promoting a business or online shopping.
Just how long was it defaced or offline? How many potential customers and contacts will you have lost as a result of this downtime, or simply due to the impression that it has given customers? After all, if a site is hacked when visited, why would you trust this person or brand if they can't even look after their own website? Naturally, everything possible should be done to avoid a hack before it ever happens.
What a visitor might see if Google has blacklisted your site for a known malware problem, likely the result of a hack.
There are various misconceptions about hacking that we should run through, because they are a core reason why many sites end up getting hacked unnecessarily.
I thought it only happened to large websites
Many people think that hackers will only spend time attacking large websites where the reward for the hack is greater. However, this is simply not the case. The vast majority of hacking occurs in a much more arbitrary way, with automated software scanning websites at random, trying to detect information about their construction and automatically checking for known backdoors and security vulnerabilities.
I have a managed web hosting package and thought my ISP would prevent this
Whilst your ISP likely has many security precautions in place, as well as monitors to detect downtime and some problems before they get out of hand, they are very unlikely to be actually covering all the possible causes of a hack.
This is largely because it's too time-consuming for them to undertake every possible action that would avoid a successful hack attack on your website.
They absolutely should be ensuring that your site runs the latest subversion (point release) of PHP, although many don't even do that. That is, if you are running PHP 7.3 and the latest version is 7.3.12, then that is what you should be running, not 7.3.9.
Even worse, many ISPs still host versions of PHP that are now unsupported and past their EOL (end of life). Why? Because forcing an upgrade of the PHP version under an old, outdated website may break it, and they'd rather keep the custom of the paying user than possibly lose them due to a broken website. Even in 2021 there are still many ISPs offering to host PHP 5.4, which is years past its EOL. There are quite a lot of changes in PHP 7 (the next version released) that can cause a site made for 5.4 to error when upgraded. The fixes for many of the required code changes are very quick to implement, but the point is that they are not going to do that for you.
I routinely surf to my website checking it for issues but I never saw a problem!
We've all seen images of websites replaced with a rude message or image, but most hacks don't result in the website content being defaced or altered much, if at all. Most hacks have exactly the opposite intention: to completely hide their change to your website. The exact reasons vary. Maybe they've added text to the pages, deliberately in the same colour as your background so that it isn't visible to anyone but is still machine readable.
The importance of keeping PHP updated
For the reasons mentioned above, it's vital that you periodically check the version of PHP that your website is running. If you are running unmanaged hosting then it's absolutely vital, but even for managed hosting it's important; you mustn't just assume that your ISP is keeping on top of this.
Put simply, keeping your version of PHP on the very latest subversion of its branch gives hackers one less option, since they may otherwise be able to exploit known security weaknesses in earlier versions of PHP.
How do I ensure that my web server is not vulnerable due to an old version of PHP?
If you are not sure what version of PHP your web server is currently running, read our guide on checking your PHP version. If you know your PHP version but are not sure how to upgrade it, read our PHP upgrade guide.
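The periodic check described above can be scripted. The following PHP script is an added example, not code from the original article: the function name classifyPhpVersion and the branch table are assumptions, and the table values are constructed from the article's own figures (7.3.12 as the newest 7.3 release, 5.4 as past EOL), so replace them with the current release list from php.net.

```php
<?php
// Added example. Deliberately avoids PHP 7-only syntax (type declarations,
// strict_types) so it still runs on the old versions it is meant to flag.

// Constructed sample table, NOT live data: it mirrors the article's figures.
// Refresh it from the php.net release list before relying on the result.
$branches = [
    '7.3' => ['latest' => '7.3.12', 'eol' => false],
    '5.4' => ['latest' => null,     'eol' => true],
];

/**
 * Returns 'eol', 'outdated', 'current' or 'unknown' for a version string.
 */
function classifyPhpVersion($running, $branches)
{
    // Keep only major.minor.patch; packagers append suffixes such as "-1~deb10u1".
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $running, $m)) {
        return 'unknown';
    }
    $branch  = $m[1] . '.' . $m[2];
    $version = $branch . '.' . $m[3];

    if (!isset($branches[$branch])) {
        return 'unknown';   // branch missing from the table: refresh the table
    }
    if ($branches[$branch]['eol']) {
        return 'eol';       // branch is past EOL regardless of patch level
    }
    return version_compare($version, $branches[$branch]['latest'], '<')
        ? 'outdated'
        : 'current';
}

// Constructed sample inputs, followed by the interpreter running this script.
$samples = ['7.3.9', '7.3.12', '7.3.9-1~deb10u1', '5.4.45', PHP_VERSION];
foreach ($samples as $v) {
    echo str_pad($v, 20), classifyPhpVersion($v, $branches), PHP_EOL;
}
```

Run it with the same PHP binary or handler that serves the site, since the command-line PHP on a server can be a different version from the one the web server uses.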
Article last updated: 8th January, 2021