This article is more than 1 year old

Want to have your server pwned? Easy: Run PHP

Over three-quarters of all installs are insecure, research shows

More than 78 per cent of all PHP installations are running with at least one known security vulnerability, a researcher has found.

Google developer advocate Anthony Ferrara reached this unpleasant conclusion by correlating statistics from web survey site W3Techs with lists of known vulnerabilities in various versions of PHP.

What he found is that many, many PHP-powered websites are using insecure versions of the interpreter – so much so that it's actually easier to find an insecure PHP setup on the internet than a secure one.

"This is absolutely and unequivocally pathetic," Ferrara wrote.

The two most popular PHP releases, according to W3Techs' statistics, were versions 5.2.17 and 5.3.29. Together, they accounted for 24 per cent of the total – and both are insecure.

More to the point, Ferrara found that for each major version of PHP from 5.3 through 5.6, only a small number of minor versions are not known to contain any vulnerabilities, but most systems aren't running those secure versions.

In Ferrara's findings, 93.3 per cent of all PHP 5.6.x installs were insecure, 63.4 per cent of PHP 5.5.x installs were insecure, 89.6 per cent of PHP 5.4.x installs were insecure, and 66.1 per cent of PHP 5.3.x installs were insecure.

As for PHP 5.2, just write it off. No versions of that branch are considered secure.

Curiously, however, PHP 5.1 actually fared rather well. Fully 94.8 per cent of all PHP 5.1 installations were running a secure version, according to W3Techs' numbers. But never mind that – PHP 5.1 is nine years old, and only 1.2 per cent of the sites surveyed were still running it.

This isn't to say, of course, that none of the other software packages that power the internet contain vulnerabilities. Ferrara found that, similarly, 38 per cent of sites running the Apache web server were insecure, as were 36 per cent of sites running Nginx, 22 per cent of sites running Python, and 18 per cent of sites running Perl.

But PHP's astonishingly bad security record really took the cake in Ferrara's study. Add to that the applications that run on top of PHP – 55 per cent of Drupal installs had their own security bugs, as did 40 per cent of Wordpress installs – and you could almost say that any server running the language is just an exploit waiting to happen.

Unless, of course, you happen to be one of those happy few who are running an airtight version. The latest releases of PHP 5.4, 5.5, and 5.6 are all thought to be secure.

"Check your installed versions," Ferrara urged. "Push for people to update. Don't accept 'if it works, don't fix it.' ... You have the power to change this, so change it. Security is everyone's problem. What matters is how you deal with it." ®

More about


Send us news

Other stories you might like