A series of new vulnerabilities have been found in the latest releases of PHP which could make sites running on PHP vulnerable to automated hacker attacks.
What is PHP?
PHP is a server-side web programming language that powers over 78 percent of the internet today. PHP is also the code that runs your WordPress website. Your plugins, themes and any other applications installed on your website like phpmyadmin also include PHP code.
What is a PHP vulnerability?
Vulnerabilities in PHP code are usually caused by a mistake that a developer made when writing the original code. It is quite common for a developer to launch a perfectly working PHP application like WordPress, but do not anticipate all the ways that hackers on the internet will try to gain access. As the application is used more and more, the developer will learn from users and their experiences with attacks on how the website can be made more secure. Developing a PHP application is an evolutionary process, which is why it is important to keep abreast of security alerts.
Should WordPress site owners be worried?
Besides brute-force attacks that try to guess your password by simply using the login screen on your wp-admin page, bots that try to exploit vulnerabilities in your website PHP code are the most common form of attack targeting WordPress websites.
Most of your time securing your site will be spent securing vulnerabilities in your website PHP code. When you upgrade WordPress core to protect against a new kind of attack, you are upgrading to prevent an attack on WordPress’s PHP code.
The same applies when you upgrade your themes and plugins to patch a vulnerability.
General best practices to protect your WordPress site?
- Remove unwanted plugins- Since most of these plugins are running on PHP, it is best to remove them and reduce your risk.
- Upgrade plugins to the latest version -Login to your control panel and update all your plugins to the latest version.
- Make sure you are on the latest version of WordPress. Login to your wp-admin dashboard and update WordPress to the latest version. Since WordPress has not officially responded to these PHP vulnerabilities, it is safe to assume that even the latest version is not “that safe”.
- Use security plugins-
- Wordfence– Wordfence includes an endpoint firewall and malware scanner that can help protect your WordPress site from these automated attacks.
- Bulletproof security- This plugin comes with a malware scanner, Firewall, Login Security, DB Backup, Anti-Spam & much more.
What can you do to protect your WordPress site against this particular bug?
- Check your WordPress PHP version.If you have ssh access, you could do that with
php -v
- if you have ftp access, you can the following code and hit it from your browser.
<?php echo 'Current PHP version: ' . phpversion(); ?>
- Upgrade your PHP to one of the following PHP versions- 7.3.9, 7.2.22 or 7.1.32
- If you see any less version, then your PHP is outdated and needs to be updated. Currently, there is no simple way to install these versions. If you are interested in getting notified drop an email to support@expertrec.com with the subject “PHP vulnerability – <your PHP version>_<Wordpress Version>_<host operating system>”. Once we have a solution for each of the popular combinations, we will publish and notify you. Keep your servers safe!
- Contact us- Drop us an email with your website address and we will help in securing your WordPress site.
Add instant Search to your website @ 9 USD per month
Critical PHP vulnerability [Sept 2019] : What it is and fixes
