A modern version embraces security on the web #7
Comments
felixarntz added the audience: hoster, audience: site-owner, and benefit labels on Aug 17, 2017
felixarntz added this to Proposed in Benefits & Stats on Aug 17, 2017
JDGrimes commented Aug 18, 2017
The general sentiment may be correct, but I'm not comfortable making that assertion without some hard data to back it up. It is probably more likely that your site is vulnerable, but I can't say I've ever seen hard data on that (percentage of actually unpatched PHP—there's probably no way of knowing if a host has not patched PHP, besides asking/testing). And even if it is more likely to be vulnerable, I guess that isn't the same thing as it being more likely to be compromised. Do hackers specifically target PHP 5.2/3/4/5 vulnerabilities? You are just as likely to be vulnerable on PHP 7, if you haven't applied the latest patches, and we've actually seen hackers actively exploiting that. So this principle isn't just about keeping on the latest version, but also the latest point release of the version you are on. Since older versions no longer receive point releases, we might expect that there is a stronger correlation between them and vulnerability (and compromise), and I know that it gets repeated a lot, but I just can't say that I've ever seen data to confirm that.

The general idea that "A modern version embraces security on the web" still holds, of course. Relying on third parties to maintain the software is not the best security posture. But I'm not sure we can be emphatic about it being a common cause of compromise at this point.

For hosters, this also means that they don't have to worry about coming up with patches themselves, or sourcing them from a reputable third party, they can just get them from the official source.
Zodiac1978 commented Aug 21, 2017
And there is backporting, which some hosters/distros hopefully use:
felixarntz commented Aug 17, 2017
If you're running an unsupported PHP version, chances are much higher that your site is compromised by an attacker. Keeping WordPress up to date only protects you from WordPress security breaches, but not from PHP security breaches.
For hosters, this means they get fewer support requests from hacked sites.