Running Wordpress on PHP7.2/7.3

[Paul&John]

Hi there!

How big of a security risk is running Wordpress on older versions of PHP? And when considering an upgrade one should move to 7.4 or the latest stable of 8.x? (I usually have only 2-3 plugins, so I guess the upgrade shouldn't cause much of a trouble)

I wasn't thinking about updating it, but one of the blogs is using AIOSEO and it says the support for 7.3.3 will be discontinued this year.

Thanks.

[ladida]

Your problem won't be the php version, but wordpress itself.

[Paul&John]

You mean security wise? Fortunately I didn't had any issues (hacks etc) in the last year (or I just dont know about it which is always a possibility).

[k0nr4d]

Your issue won't be with PHP, it will be with wordpress itself if it's an older version + whatever million plugins you have installed for it. You don't even get the common courtesy of a human being hacking you anymore, it's just bots doing it at this point. If you are running PHP 5 or PHP 8 it won't make a difference if your code has exploits.

The PHP version is largely irrelevant - I know alot of people are all worried about EOL on PHP 7 and so forth but the concern with these older PHP versions isn't that your site will get hacked - anything exploit that comes out for older PHP is very likely to be something that requires local access to the server to begin with rather then something that can be done remotely. There's still sites running PHP 5.2 out there and not getting hacked.

[ladida]

Quote:

Originally Posted by Paul&John

You mean security wise? Fortunately I didn't had any issues (hacks etc) in the last year (or I just dont know about it which is always a possibility).

Yes, was talking security wise. As Konrad up there mentioned also, i know plenty of sites on php 5. Nothing wrong with them. They might have some upgrading issues like you're facing etc, but other then that, it works, it won't stop working cause of eol.

[Klen]

It depend on several factors , like:

- How big is your site. If your site receives only few hits daily mostly like nobody knows about it therefore wont be interesting to "get in" even if you leave open door
- what kind of plugins you have installed
- is it WordPress version up to date
- do you have installed script firewall of any kind (mod security, CSF, your own rules)
- do you have installed security patches for old PHP version

[k0nr4d]

Quote:

Originally Posted by Klen

It depend on several factors , like:

- How big is your site. If your site receives only few hits daily mostly like nobody knows about it therefore wont be interesting to "get in" even if you leave open door

Bots are going to hammer it 24/7 looking for exploits. If he has anything else on the same server it can get compromised.

Like I said though bigger issue is old wordpress and plugins and not PHP or Apache itself.

[Mr Pheer]

Best thing you can do is get rid of "Generated by wordpress" and all other wordpress identifiers out of your source code. There are plugins to help do that.

[k0nr4d]

Quote:

Originally Posted by Mr Pheer

Best thing you can do is get rid of "Generated by wordpress" and all other wordpress identifiers out of your source code. There are plugins to help do that.

That will make no difference. There are other markers that something is wordpress like shit in the html source with directories like wp-content and so forth.

[Mr Pheer]

Quote:

Originally Posted by k0nr4d

That will make no difference. There are other markers that something is wordpress like shit in the html source with directories like wp-content and so forth.

It isn't foolproof, but it helps. Not all bots are searching for every marker. Most are searching for the most obvious.

[k0nr4d]

Quote:

Originally Posted by Mr Pheer

It isn't foolproof, but it helps. Not all bots are searching for every marker. Most are searching for the most obvious.

The bots are searching for known exploits, so they'll attack specific files and paths for specific plugins. They aren't just looking for wordpress installations in general.

[Klen]

Quote:

Originally Posted by k0nr4d

Bots are going to hammer it 24/7 looking for exploits. If he has anything else on the same server it can get compromised.

Like I said though bigger issue is old wordpress and plugins and not PHP or Apache itself.

I base that on behavior on two remain sites which i have - first one , which was my flagship site and had 65k daily traffic and tons of backlinks at one point but now almost nothing, it is still hammered on daily bases by various bots trying get into wordpress and other common security holes. But the second site which had only 3k daily in it's best day and which is even older site, from year 1998, but it's not hammered by any bot compared to first site.

[Paul&John]

Thanks for the answers

[Huggles]

Good thing about Wordpress is even if someone hacked my shit and destroyed my entire site I could have my backup running again in 10 minutes.

[k0nr4d]

Quote:

Originally Posted by Huggles

Good thing about Wordpress is even if someone hacked my shit and destroyed my entire site I could have my backup running again in 10 minutes.

No one really destroys sites now unless they hate you specifically. What they do instead is they make redirects to some affiliate offers to make money off your traffic. Sometimes it takes weeks or months before people realize they were even hacked because it only redirects for certain geos for instance.

[Huggles]

Quote:

Originally Posted by k0nr4d

No one really destroys sites now unless they hate you specifically. What they do instead is they make redirects to some affiliate offers to make money off your traffic. Sometimes it takes weeks or months before people realize they were even hacked because it only redirects for certain geos for instance.

Well I make $0 off my site right now so does it even fucking matter?


I have the most innovative, most advanced website for media display... $0 per month


Meanwhile if you run a shit tube you can be loaded with 0 innovation


Such is life in 2023

[Klen]

Quote:

Originally Posted by k0nr4d

No one really destroys sites now unless they hate you specifically. What they do instead is they make redirects to some affiliate offers to make money off your traffic. Sometimes it takes weeks or months before people realize they were even hacked because it only redirects for certain geos for instance.

Yep. times when purpose of hacking was to post message "you been defaced" are long gone.

[k0nr4d]

Quote:

Originally Posted by Huggles

Well I make $0 off my site right now so does it even fucking matter?


I have the most innovative, most advanced website for media display... $0 per month

Yeah but maybe the hacker is making money

[Colmike9]

Quote:

Originally Posted by Klen

Yep. times when purpose of hacking was to post message "you been defaced" are long gone.

I still do this

[SCORE Ralph]

Quote:

Originally Posted by k0nr4d

That will make no difference. There are other markers that something is wordpress like shit in the html source with directories like wp-content and so forth.

Leaving your default folder structure is a big security issue. I can't tell you how many times I check for wp-admin and shake my head that a login pops up.

[sandman!]

Old plugins is where you will get fucked

[Colmike9]

Just use Joomla, no one hacks that unless it's a targeted brute force to get login info or something not worth the effort like that.

[Klen]

Quote:

Originally Posted by Colmike9

I still do this

You going to jail pal

[Huggles]

Wordpress is actually pretty awesome... so much shit you can do with it, mostly for free!

[ladida]

Quote:

Originally Posted by SCORE Ralph

Leaving your default folder structure is a big security issue. I can't tell you how many times I check for wp-admin and shake my head that a login pops up.

It's not a "big security issue" :P. It's actually just a small nuissance. You think it would take a long time to find your admin login?
Furthermore, your admin login is irrelevant. You can identify wordpress just through certain source code things. Check wpscan. it has a hash for each wordpress version, so not only are you going to get identified, you're also going to be identified which version of wordpress you're running just from looking at your index source code and how it's layed out. Then it's free game, every plugin you have will get identified, and then the fun starts.

[Colmike9]

Honestly, no one's going to bother with hacking a WP porn site, except for rare targeted cases.
All I ever did were things like doing an injection when WP was more vulnerable with sites using pagination and not setting it up to use slugs, then adding in a funny pic somewhere. Or getting into workers' computers, turning up the volume, then making Appletalk scare them..
Or in school, making the teacher's CD drive constantly open

[fris]

too many hosts have servers with outdated php. for wp minimum is 7.4, but 8.0 or 8.1 (this is what i use)

7.4 is the more "safe" version as some peoples code may be incompatible with 8.1 etc.

i noticed while doing dev work for a few clients on vacares, they are shipping 7.3 on their servers wish they could upgrade the defaults for that, its a pain when doing work and want to use updated code.

[ladida]

Quote:

Originally Posted by Colmike9

All I ever did <cut> Or getting into workers' computers, turning up the volume, then making Appletalk scare them..
Or in school, making the teacher's CD drive constantly open

Yea, the way you describe things, it's rather clear you didnt do anything.

[Colmike9]

Quote:

Originally Posted by ladida

Yea, the way you describe things, it's rather clear you didnt do anything.

k

[Kittens]

Quote:

Originally Posted by Huggles

Well I make $0 off my site right now so does it even fucking matter?


I have the most innovative, most advanced website for media display... $0 per month


Meanwhile if you run a shit tube you can be loaded with 0 innovation


Such is life in 2023

The worst part is that you think if you get hacked that someone's gonna inject an ad on your site and not completely destroy your server IP and domain's reputation with spam filters because the main reason to hack sites is to spam from them.

But hey, when you're back here in a month complaining don't act surprised when people point at your neglect here as the reason why.

[jamezon]

you can mitigate a lot of potential wordpress attacks on cloudflare with filters, if you know a bit about wordpress and bots and attackers metrics . i use a couple of older wp versions and also older php versions and they havent been hacked yet. just close everything that lets people from outside try to comment, mail, post etc. the easiest way is to use cloudflares waf > xmlrpc.php, wp-login.php, wp-comments.php, wp-admin, wp-mail, rest api, throw and block everyone out who is trying to access those from outside,+ it also takes load from your own server , its also good to do this on newer versions

[fris]

Quote:

Originally Posted by Mr Pheer

Best thing you can do is get rid of "Generated by wordpress" and all other wordpress identifiers out of your source code. There are plugins to help do that.

add_filter( 'the_generator', '__return_null' );