How to secure PHP website

Why upgrade PHP: a guide without complicated explanations

Introduction

Doesn’t the title ring the bell? We bet you’ve received many notifications about PHP upgrades from your DevOps, SysOps, your hosting providers, the PHP web development company that had created your website years ago. 

We understand that you don’t want to dig into coding stuff and you don’t have to. We will tell you why upgraded software is actually a part of the overall business success. We promise - no instructions on inserting code here and there, no unnecessary details - just the essentials. 

The article’s content

  1. PHP as a part of maintaining the website security
  2. The frequency of updates
  3. Who needs PHP updates?
  4. The benefits of upgrading PHP
  5. What happens if no one updates PHP: lack of security
  6. Upgrade PHP and get better performance for your website
  7. New features in PHP 7.4 and PHP 8
  8. The typical update process for a Drupal website
  9. The typical update process for a WordPress website
  10. The typical update process for a custom PHP website
  11. Key takeaways

PHP as a part of maintaining the website security

How to secure a website? You must have faced those website security checklists over the Internet. In a nutshell, they mention the following:

  1. Update software regularly. Read our article about Security for Drupal and related server software
  2. Use strong passwords and change them once in a while
  3. Choose a hosting wisely as this is the service responsible for back-ups..
  4. ..but make sure you do not forget about back-ups as well
  5. Audit your website
  6. Secure your site with HTTPS
  7. Create user permissions system and do not give admin access to many people
  8. Scan devices for malware

PHP is a programming language used for writing software, web applications. Updating PHP relates to the very first check point - software updates. Why do we associate new releases with security? How come?

Let’s dive into the reasons for new releases (be it PHP, new front-end frameworks versions, etc) emergence. 

  1. New features
  2. Security vulnerabilities
  3. Patches and hotfixes

New features, patches and hotfixes appear in new software releases, so if you see any software that you use announced updates - be sure to check whether it deals with security.

So what about PHP - where, in plain language, can you meet it?

If you use a Content Management System such as Drupal and WordPress, you might have heard that they are written in PHP. They are famous for their ready-made solutions that reduce coding time. Also, you might encounter some websites written in custom PHP: it means that all the functionality is written from scratch. 

Some desktop applications are also written in PHP but that’s not the common practice and it’s not advisable to use PHP for such a use case :)

The frequency of updates

According to the official PHP website, there’s one PHP version that becomes obsolete each year: for example, in 2020, 3 versions were supported: 7.2, 7.3, 7.4. It’s worth saying that only 7.3 and 7.4 were receiving active support: “a release that is being actively supported. Reported bugs and security issues are fixed and regular point releases are made.”

The 7.2 version was receiving the security fixes only: “a release that is supported for critical security issues only. Releases are only made on an as-needed basis.”

As you can see in the table below, one PHP version is secure for 3 years, but after that, an update is required.

Source: https://www.php.net/supported-versions.php

Who needs PHP updates?

Literally, everyone whose website is running on PHP 7.2 or earlier version. But don’t you dare to switch a PHP version without checking the website’s condition, server, and hosting.

There are two completely different use cases that we would love to bring your attention to.

  1. If a website is hosted on a server with configured environments, back-ups, etc, like a cloud hosting platform Pantheon or Acquia Cloud
  2. If a website is hosted on a self-managed server (for example, self-managed VPS (Virtual Private Server) or VDS (Virtual Dedicated Server), or AWS EC2) that your IT team configured and has to maintain i.e. apply operating system updates, other software updates including PHP, etc

In the first case, a development team can handle all the operations but in the second case, the system administrator help is needed. If you’re a website owner, please, make sure developers don’t apply changes to the server if your website is running on some highly customized Virtual Dedicated Server or Virtual Private Server. If you’re a website developer, require sysadmin assistance in this matter.

The benefits of upgrading PHP

  1. The website is secured since hackers cannot use the vulnerabilities in the website: as you know, the outdated PHP doesn't get any security support and new breaches are not covered.
  2. The private data (which is a big deal now - does “GDPR” tell you something?) is more secure if PHP is updated. We do not claim that from now on there’s a 100% guarantee of data safety but if doors and windows of a house are closed, it lessens the possibility of burglary. 
  3. The website performance can be improved just because of the PHP update: studies show that switching to a new version of the programming language gives an increase in speed. Have you heard about the huge success of Badoo? They saved one million dollars after switching from PHP 5 to PHP 7. Below is the benchmark comparison between major PHP versions: we see that on PHP 7, it’s possible to execute more requests to the server than on PHP 5. The same is true for minor PHP versions but at not the same spectacular scale of improvement: according to different benchmarks, the difference in performance between minor PHP 7 versions is within 10%. 
  4. Compatibility with the hosting requirements: some hostings set firm deadlines for switching to a newer PHP and don’t let you drag your feet.

Let’s look at security, performance and new PHP features in detail. We will refrain from talking about hosting and staff since it’s rather straightforward.

Comparison between PHP versions
Source: https://habr.com/en/post/483128/

What happens if no one updates PHP: lack of security

Mostly, it’s a security and data leak that happens on outdated websites, and a hacker doesn’t have to be a CIA computer security consultant like Edward Snowden.

Here are two cases from our practice.

A WordPress content website was hacked because of PHP vulnerabilities: and attackers managed to insert the malicious code on pages

A high-load Drupal website that stores many users' data (their personal information, the records of their actions and purchases) runs on PHP 5.6 - this is partly caused by business logic restrictions and budgeting. Soon the hosting will stop the support of this version and part of the functionality will be broken, so for some time, there can be troubles with getting new leads and clients, and receiving payments on the website. So when this happens, we will have to upgrade in a very tight timeline which doesn’t leave us room for testing changes.

You see, the further you put off the PHP upgrade, the more it will cost: at some point in time, incompatibility between your website and hosting requirements, security requirements, etc. will become dramatic and expensive to fix.

Updating PHP is suggested to be as important for website security as a strong password, secure connection, and trustworthy hosting provider.

Upgrade PHP and get better performance for your website

We’re working with Drupal a lot, so let us provide some examples based on this CMS. 

We have already written the article about performance improvement, and the relevant PHP version was one of the required conditions.

Read Drupal 7 Performance Tips.

In a nutshell, such CMSs as Drupal and WordPress want users to use particular PHP versions for the websites built on those CMSs. Drupal has 3 supported major versions right now: Drupal 7, 8, 9, and the recommendation is to run those websites on PHP 7.3 or higher. It’s worth mentioning that PHP 7.3 is not the newest version, so website owners have a so-called release window and time to upgrade.

What happens if a website runs on an older version? First of all, its overall performance is noticeably lower than it could be if it was running on a newer version.

Source: http://talks.php.net/fluent15#/drupalbench

Secondly, new features in PHP, for example, preloading and syntax features, can help you implement particular functionality better and faster but they are not available in the current outdated version. It hurts, doesn’t it?

Thirdly, third-party libraries can be unavailable because they’re not compatible with the PHP version used on the website at the moment. You’re bound by your old software.

New features in PHP 7.4 and PHP 8

Although this version was released in November 2019, many websites still haven't switched to it. And PHP 8 is already available but you might imagine that the number of websites using it is even lower.

Let’s have a look at top features: they can be of interest not only for developers but for business owners as well.

  1. Preloading: this is one of the things that made PHP 7.4 faster. No time left to describe, just follow this link for further details.
  2. Arrow functions make the life of your developer easier and the syntax shorter.
  3. Typed properties’ support is something of equal importance to arrow functions. This also makes the code cleaner.
  4. JIT compiler in PHP 8 that enables compiling a program into code faster than a traditional interpreter.

Now let’s see how to upgrade PHP for different websites.

The typical update process for a Drupal website

In general, the process is rather straightforward.

  1. Make core and contributed modules used by Drupal compatible with PHP 7.4. The best option is to have them updated to the latest versions - yes, we mean patch versions. In rare cases, incompatibilities of the contributed modules used are possible (the module is specific, unpopular, the changes have not been committed for a long time)
  2. Make sure that the custom code is compatible with PHP 7.4
  3. Estimate the scale and complexity of the incompatibilities and do the fixes
  4. Update PHP with the help of a developer, if the website is hosted on Pantheon, Acquia or something else
    4.1. Update PHP with the help of a system administrator if the website is hosted on a self-managed server

Well done!

The typical update process for a WordPress website

You may think that we’ve just completely copied the text, but that’s not true: we copied just 70% :)

  1. Make WordPress plugins compatible with PHP 7.4 by updating them. Usually, the update process isn’t complicated; the only pitfalls are abandoned paid plugins.
  2. Make sure that the custom code is compatible with PHP 7.4
  3. Estimate the scale and complexity of the incompatibilities and do the fixes
  4. Update PHP with the help of a developer, if the website is hosted on Pantheon, WP Engine or something else
    4.1. Update PHP with the help of a system administrator if the website is hosted on a self-managed server

The typical update process for a custom PHP website

We have several custom PHP websites on support, and we can surely say that the process is not that difficult as it may seem.

  1. Update the third-party libraries that are installed through Composer (pretty much the standard program for dependency management and getting together Drupal websites).
  2. Make sure that the custom code is compatible with PHP 7.4 and updated libraries (especially if you updated the major version of a library)
  3. Update PHP

What to be aware of: sometimes dependencies don’t have a version compatible with the latest PHP. Then you either have to look for alternatives and update your code or use a different library. This is always an unexpected surprise but anyway, we were always able to help our clients with this.

Key takeaways

Let's wrap it up and revise the main ideas.

  1. PHP update is one of the most important pillars of security: if you have sensitive data stored on your website, consider taking preliminary actions for securing your website.
  2. Updated PHP means higher performance.
  3. Higher performance leads to a better user experience and conversions (but that’s not the topic of our article).
  4. The longer you don’t update PHP, the longer it will take when the time comes and the more it will cost.
  5. PHP 7.4 is proven to make websites quicker and the life of web developers easier.
  6. The PHP update process varies from website to website, so address the professionals to upgrade your website.

We have some of them working at ADCI Solutions, so contact us for professional web development services at [email protected].

You might also like

Shopping on a Drupal-based eCommerce website

Online payment is probably one of the most important aspects in the operation of your e-commerce site suggesting flexibility and security. In this post, we'll try to give you a brief introduction to cash-free payment on the Internet.

How to create an eCommerce website with Drupal

Web studio ADCI Solutions launches a series of articles about Drupal web development for online commerce. The first article is about those who don't know about programming but want to create an online store on Drupal without the help of the developer.