Update PHP: Easy Methods to Secure Critical Apps

One of the easiest ways to keep your critical web applications supported and secure is to ensure you update PHP to the latest version. It really takes just one kink in the armor for the bad guys to get in, so it’s critical to close any vulnerability that a hacker can exploit to gain access to your sensitive data.

In this blog, I explain why you should update PHP, the signs of a security breach, and manual and automated options for PHP update downloads.

Why Update PHP?

Because they are accessible via browsers, public-facing web applications are easier for hackers to target, compared with applications sitting on a corporate intranet. And even though most organizations use infrastructure systems such as web application firewalls, these are often considered inadequate for deterring a sophisticated attacker. Securing apps requires a multi-faceted approach designed for the worst-case attack scenario that includes:

• Code designed to increase security.
• Modern infrastructure and security tools.
• Security-hardened configurations.
• Software and runtimes with the latest security updates.

I say worst-case scenario because it’s always better to be as proactive as possible when it comes to security, regardless of the size of your company. 

While all listed security approaches are critical, designing your code, configurations, and infrastructure with the best-possible security can be extremely time consuming. Keeping your applications patched is relatively simple, and making sure to update PHP versions is the best way to prevent vulnerabilities.

Signs That Your Apps Are Breached

Unfortunately, most companies don’t even know when an application has been compromised. After successfully gaining access into an application, many hackers will sit quietly even though they have gained unauthorized system access, waiting for just the right moment to strike. Other times, cyber criminals go undetected for months before anyone discovers the breach—and the full extent of the damage.

With all that said, if the goal of an attack is to bring your website down (DoS), you will see a performance degradation.

How to Update PHP Versions

To help ensure the highest levels of security, the PHP community often releases updates to supported PHP runtimes every four weeks — and more often, if a critical security vulnerability is detected.  So how do you update PHP runtimes with the latest security patches? You can:

• Manually review the PHP downloads page to get the latest software updates.
• Manually get updates from the PHP repositories provided by Linux distributions, such as RedHat and CentOS.
• Manually review the National Vulnerability Database (NVD) for the latest information about all known security vulnerabilities, including those related to PHP — and then download the needed updates from the community PHP downloads page.
• Get automated PHP updates and alerts by using the PHP application server, Zend Server.
• Get automated alerts about PHP security issues, and use supported ZendPHP Enterprise runtimes.

Update PHP Versions Manually 

Today, if you are running PHP 7.3 or later, you can get security patches by visiting the PHP download page, the NVD site, or other sources such as the website that supports your Linux distribution. However:

• It could be days or longer before you know about a critical security update.
• You need to determine which files to download and install the files yourself.
• If you or your staff are busy with other projects, you may delay making these updates, leaving your applications vulnerable.

In addition, if you use PHP packages from a Linux repository, your runtimes may not include the latest security updates. This is a significant and often unknown vulnerability for organizations running PHP 7.1 and under. Because PHP 7.1 and earlier are no longer supported by the PHP community, many of the available PHP distributions from Linux communities do not include needed security and bug-fix updates.

Update PHP Versions Automatically with Zend Server 

When you use the Zend Server PHP application server, we automatically update your PHP runtimes. That’s because Zend Server includes ZendPHP, which are PHP runtimes that we maintain and support. Based on the community PHP runtimes, ZendPHP includes:

• All the capabilities of the corresponding community release, including compatibility with publicly available PHP extensions and plugins.
• Automated security patches and bug fixes from the community.
• Automated security patches and bug fixes for PHP releases no longer supported by the community, including PHP 5.6 and PHP 7.1.
• PHP support services, including mission-critical options.
• On-demand guidance for PHP, including help with deployments, configurations, and troubleshooting.

In addition, when you use Zend Server, you gain real-time monitoring tools that can automatically alert you of application anomalies including performance slowdowns. And, you gain an industry-leading debugger for pinpointing the cause of PHP issues, so you can quickly resolve them.

Get Secured, Updated PHP Versions with ZendPHP Enterprise

If you just want to use ZendPHP, you can do that by using ZendPHP Enterprise runtimes. Much like the ZendPHP in Zend Server, ZendPHP Enterprise includes:

• All the capabilities of the corresponding community release, including compatibility with publicly available PHP extensions and plugins.
• Automated security patches and bug fixes from the community.
• Automated security patches and bug fixes for PHP releases no longer supported by the community, including PHP 7.2 and PHP 7.3.
• PHP support services, including mission-critical options.
• On-demand guidance for PHP, including help with deployments, configurations, and troubleshooting.

ZendPHP only takes a few minutes to install using the Package Manager — including Yum on CentOS, RPG on Redhat, and APT on Ubuntu/Debian.  For example, if you run CentOS, issue the command, “Yum installed ZendPHP X.X” — where X.X is the PHP version number (5.6, 7.1, 7.3, or 7.4).  The Package Manager will handle the rest, including automatically resolving all packages and dependencies. 

How Will You Update PHP to Help Keep Your Applications Secure?

Regardless of which option you choose to keep your PHP runtimes up to date, it’s important that you take this small but very strategic step to close known vulnerabilities in your software — and protect your information from unauthorized access.
If you’re interested in additional help around PHP security and/or PHP migrations, you can take advantage of our:

• PHP Audit Services, which include performance and security auditing.
• Migration Services for PHP and Zend Framework.
• Custom Consulting Services for help with application design and deployment as well as refactoring code to support containers, microservices, and capabilities such as asynchronous processing.

Please let us know how we can help. Go to this page to contact a Zend representative. You can also send me an email or message me via LinkedIn.

Additional Resources

• 101 Guide - PHP Security
• 101 Guide - Developing Web Applications with PHP
• Blog - The DevOps Approach to Updating PHP
• Blog - What's New in PHP 7.4?
• Blog - Why Development Teams Should Upgrade PHP 5.6 to 7
• Blog - What is PHP?