Podcast Episode 7: The Tyler Lau Interview, Assange, Thought Experiments, AirBnB Scams and More

This week we look at the Assange arrest, an irresponsible security researcher affecting the WordPress community and do a bit of a thought experiment. We also look at Google’s Sensorvault and how it’s being used by law enforcement, the fascinating rise and fall of the Bayrob malware gang, and some tips for avoiding a new AirBnB scam. I also talked to Tyler Lau at WordCamp Phoenix last month, and we share that interview with you today. Tyler is the Social Community Manager at Sandhills Development. Sandhills makes some very popular plugins, including Easy Digital Downloads and AffiliateWP. We talked about the WordPress community, WordPress in general and some of the cool things that Sandhills is involved in. Enjoy!

Here are approximate timestamps in case you want to jump around:
0:51 Assange taken into custody
20:27 Irresponsible security researcher
30:50 Google Sensorvault
35:14 Bayrob malware gang
43:07 Land Lordz service powering AirBnB scams
49:57 Tyler Lau interview

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

This week in the news we cover:

  • Julian Assange is taken into custody after seven years in the Ecuadorian embassy in London. The US Department of Justice is charging him with conspiracy to commit computer intrusion for agreeing to break a password to a classified U.S. government computer.
  • Ars Technica publishes details about the rogue security researcher with a grudge dropping 0days on innocent WordPress users. We’ve covered this irresponsible researcher on past episodes. Mark had a bit of a Tweet storm about this over the weekend. Here’s the link to the WordPress HackerOne bug bounty program.
  • Google’s Sensorvault, a database of location records from hundreds of millions of devices, is being used by law enforcement.
  • A fascinating story about the Bayrob malware gang from Romania gives a detailed look at who makes money from malware, their expertise, and ultimately how they were caught.
  • Scammers use a new tool called Land Lordz to automate fake AirBnB scams, but there are ways to detect this scam and stay safe.

You can find me on Twitter as @mmaunder, Kathy as @kathyzant, and Tyler Lau as @tylermaximuslau. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 7: The Tyler Lau Interview, Assange, Thought Experiments, AirBnB Scams and More appeared first on Wordfence.


Podcast Episode 3: The Cory Miller Interview and Active Exploits Target Easy WP SMTP Plugin

Welcome to Think Like a Hacker, Episode 3. In this episode Mikey Veenstra, a threat analyst at Wordfence, discusses an active exploit in the Easy WP SMTP plugin. This is breaking news which we added to the podcast at the very last minute.

We also chat with Cory Miller, the founder and former CEO of iThemes about how he created his business, why he sold to Liquid Web, what it’s like being an entrepreneur and much more. You can find Cory on Twitter at @corymiller303. And as always we cover the news with Kathy Zant.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

This week in the news we cover:

You can find me on Twitter as @mmaunder, Kathy as @kathyzant, and Mikey as @heyitsmikeyv. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 3: The Cory Miller Interview and Active Exploits Target Easy WP SMTP Plugin appeared first on Wordfence.


Podcast Episode 2: Mikey Veenstra Talks XSS Vulnerability + The Adam Warner Interview

Welcome to Think Like a Hacker, Episode 2. In this episode Mikey Veenstra, a threat analyst at Wordfence, discusses a serious XSS vulnerability in an abandoned cart plugin. We also chat with Adam Warner, a well known figure in the WordPress community. In our interview we chat about Adam’s personal WordPress journey, community engagement success and the future of WordPress. You can find Adam on Twitter at @wpmodder. And as always we cover the news with Kathy Zant.

Find us on iTunes, Spotify, YouTube, SoundCloud, TuneIn and Stitcher. More platforms coming soon!

Click here to download an MP3 version of this podcast.

This week in the news we cover:

  • The web just took a big step toward a password-free future with WebAuthn. The Worldwide Web Consortium approved the WebAuthn standard on March 4. We look at how it works, why this is important, and what it means for WordPress.
  • A marketing company left a massive database of detailed marketing data exposed. Security researchers discovered the database, which included a trove of personally identifiable information about over 800 million people.
  • Researchers have discovered a collection of MongoDBs containing information collected by China about their citizens from a variety of platforms, tied to individual profiles and distributed to police across the country.
  • It’s been 30 years of the web, and Sir Tim Berners-Lee wrote a blog post about the state of the web and some thoughts on where we’re going next.

You can find me on Twitter as @mmaunder, Kathy as @kathyzant, and Mikey as @heyitsmikeyv. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 2: Mikey Veenstra Talks XSS Vulnerability + The Adam Warner Interview appeared first on Wordfence.

Think Like a Hacker Podcast Episode 1: An Interview with Josepha Haden

Josepha Haden is the Executive Director of the WordPress project at Automattic. She oversees and directs all contributor teams in their work to build and maintain WordPress. Josepha can be found at https://josepha.blog. In our news segment, we talk about recent vulnerabilities in the Freemius library affecting WordPress plugins, the CoinHive shutdown, and why potential changes in WordPress core development will benefit end users’ security and more.

Click here to download an MP3 version of this podcast. Note that we are in the process of syndicating video and audio versions of this podcast to your favorite player, and we needed to publish our first episode to enable syndication. So check back in a few days and you should find us just about everywhere. Thanks for your patience.

This week in the news we cover:

  • WordPress as of version 5.1 now alerts site owners on the dashboard if they’re using an out of date version of PHP.
  • The 2018 hacked site report from GoDaddy Security/Sucuri indicates increased prevalence of WordPress sites in their site cleaning business. In better news, they’re seeing more WordPress sites updated than in years past, and the WordPress sites are being updated much more frequently than eCommerce platforms.
  • Freemius, a library used by a number of plugins with large installation bases, recently experienced a vulnerability disclosure and a challenging experience with a security researcher. Their blog post is a heartening read about how we all can handle security vulnerability disclosures that serve customers and the community as a whole.
  • The widely used Chrome browser requires an update to patch a very serious vulnerability.
  • The WordPress core team is hoping to tighten major release cycles, which would streamline development for contributors as well as encourage more site owners to enable auto-updating.
  • A distributed cryptocurrency mining platform called CoinHive is ceasing operations. CoinHive was popular amongst hackers as a new way to mine cryptocurrency on hacked websites, but the crash in cryptocurrency value made it less profitable.

You can find me on Twitter as @mmaunder and Kathy as @kathyzant. Please don’t hesitate to post your feedback in the comments below.

The post Think Like a Hacker Podcast Episode 1: An Interview with Josepha Haden appeared first on Wordfence.


Live Event: Wordfence Central Official Launch and Demo

Today we are very excited to announce the launch of Wordfence Central. Our team has been working hard for almost a year on this ground-breaking project. Wordfence Central gives you the power of a security events and information manager for WordPress.

Join me for a live event starting at 8am Pacific time, 11am EST where I will provide a walkthrough of the new product. I will also be taking your questions at the end of the event. Dan Moen, our head of product, will be joining me for the webcast.

You can pre-post your questions right here as a comment on this blog post. I will start off our Q&A by answering questions that have already been posted and you are welcome to post new questions while we are streaming.

This video is live with a delay of less than 3 seconds, so I will be able to take your questions in real-time. Please note that I may answer some questions offline due to time and content constraints.

I hope to see you tomorrow at 8am Pacific, 11am Eastern time!! Until then you can read the official Wordfence Central announcement on this page.

This live stream has ended.

Thank you to everyone who participated. In the future we will record the live streams our team does. This has been a fun experiment and we received a lot of questions from everyone – thank you all so much for participating. It was a resounding success and we will be experimenting more with this medium in the future.

Mark Maunder – Wordfence Founder & CEO.

The post Live Event: Wordfence Central Official Launch and Demo appeared first on Wordfence.


WordCamp US Recap

WordCamp US was held in Nashville, Tennessee this year. We sponsored the event, had a booth and of course provided lock picking lessons, as has become our tradition at WordCamps. Our goal is to get you to think like a hacker, so that you can better secure your sites. Picking a lock really gets you into that mindset. Plus it is a lot of fun!!

From our team we had Sean Murphy – Director of Threat Intelligence, Tim Cantrell – Customer Service Engineer, Dan Moen – Chief Marketing Officer, Kathy Zant – Client Partner and of course me, Mark Maunder – CEO.

We sponsored 13 WordCamps this year and our team spoke at an additional three. I attended Atlanta, Los Angeles, Portland (Oregon), Vancouver (BC), Seattle and Nashville. On a personal note WCUS was intense for a few reasons. Our team has traditionally attended security conferences like DEF CON, Black Hat, RSA, DerbyCon and more – and we haven’t spent much time attending or sponsoring WordCamps. This year we changed that and put a lot of energy into engaging with the WordPress community.

By the time WCUS rolled around I had already made a lot of friends across the industry. In many cases, these are people in the WordPress community that I have been engaging with for over 6 years via Slack or email but have never met in person. Others I met at WordCamps across the country and when WCUS arrived, it was like a giant reunion which was a lot of fun.

One of my favorite new friends from this year’s WordCamps is Matt Mullenweg, the WordPress founder. I had the pleasure of having a beer with Matt at WordCamp Portland, where he made a surprise appearance. My colleagues Kathy Zant, Mikey Veenstra and I spent over 2 hours just hanging out with Matt in Portland and chatting. Matt is a really cool dude and we again met up at WCUS a few times. Matt came around to our booth and it turns out he has been into lock picking for some time and is quite good at it! (Photo below)

One of the things I love about WordCamps is it really brings the community together, including vendors like us and our peers in cybersecurity. My colleague Kathy Zant is deeply involved in the WordPress community and has made many friends across the industry. This is one of my favorite pictures from WCUS.

From left to right: Alycia Mitchell from Sucuri/GoDaddy, Jamie Schmid from SiteLock, our own Kathy Zant from Wordfence and Rianna MacLeod from Sucuri/GoDaddy.

I would be remiss if I didn’t mention Kathy Zant from our team in a bit more detail. Kathy has the most incredible energy and she really brought it at WCUS and WordCamps throughout the year that we sponsored. I would show up at our booth to set up at 7:30am to find that Kathy had already been there for an hour and was just about done booth-building.

Or I’d show up at 9am on a Sunday morning because I was up till 3am the previous evening “networking”, and Kathy was at the booth bright and early chatting with customers and solving security problems. During gaps at the booth she would be on her phone helping our larger customers with their challenges in her role as client partner. And as if that isn’t enough, Kathy is an Executive Producer on a certain project we are collaborating on (I think many of you already know what that is – more news on that soon) and is of course completely owning that role too. And most of that work happens at WordCamps.

Kathy. Is. Amazing.

During WordCamp Atlanta I had the great pleasure of meeting Kathy Drewien, one of the Atlanta organizers. Kathy is also an organizer for WordCamp US and of course we spent some time catching up. Kathy does a lot for WordCamps around the US and my team and I are very grateful for her contribution!!

This is a rather hasty selfie of Kathy Drewien and me at WordCamp US in front of our booth. Looks like Dan and Tim are having an animated conversation behind us and a few visitors are busily picking locks. Kathy Zant is on the far right talking to customers. As you can tell we fully utilized our booth space, and will most likely get a larger space next year.

WCUS is awesome. There is no other way to put it. By 9am every morning my body was producing its own caffeine, and by the time the evening came around I was literally high on life after spending time with the most incredible people. If you are passionate about WordPress, WCUS is Disneyland for WP.

This is Tim Cantrell with one of the harder practice locks we had at our table. A lot of our students had a hard time picking this one!!

This is Kathy Zant surrounded by her newly minted lock picking prodigies, working on a difficult lock of her own. Tim is on the right answering customer questions.

This is Matt Mullenweg with Josepha Haden from Automattic picking locks and chatting with Tim Cantrell.

The after-party for WCUS was held at the Adventure Science Center in Nashville. One of my life goals has been to go to a party that has beer at a science center. Goal achieved!!

This is a photo of me and another WCUS attendee battling it out on a mind game. You put a strap with electrodes on your forehead and the goal is to calm your mind as much as possible. The person with calmer mind pushes a ball towards their goal. I got absolutely killed on this game within a few seconds. My colleague apparently has a way calmer mind than I do. This was the moment of my defeat.

The after-parties hosted by sponsors were incredible. They really allowed our team and the attendees to experience Nashville, and Broadway in particular. The first time I walked onto Broadway my jaw dropped. I hadn’t actually heard much about Nashville’s party central, and the light show was incredible. I took this photo.

Thank you very much to the City of Nashville for hosting WordCamp US 2018. We had a wonderful time in your amazing city. I will be visiting again even if I can’t find a conference to attend. See you all in St Louis next year for WordCamp 2019. The Wordfence team will definitely be there!

~Mark Maunder

The post WordCamp US Recap appeared first on Wordfence.


How We Think About WordPress Security and Research

This weekend I had a really fun conversation with Doc Pop from Torque Magazine. Torque is a great news source for WordPress news. They are part of WP Engine, but maintain editorial independence.

I chatted with Doc in Nashville, in the Music City Center where WordCamp US was being held. Music City Center is an amazing facility and you can see some of it in the background of our interview. Nashville is also an incredible city. We will be posting a roundup of WordCamp US tomorrow morning.

In our conversation, Doc asked me various questions about WordPress security and the research we do. He got me talking about how we work, how we think about security, responsible disclosure of vulnerabilities and WordPress security in general.

The video of the interview is below. I’ll be around to answer any questions in the comments.

~Mark Maunder

The post How We Think About WordPress Security and Research appeared first on Wordfence.


WordPress 5.0: How and When to Update

WordPress 5.0 is being released tomorrow, December 6th. This release contains a major change to the WordPress editor. The new editor, code-named Gutenberg, is a substantial leap forward in functionality. It uses a new block-based system for editing which allows you to embed a wide range of content in your posts and pages, and gives you a lot of flexibility in laying out those blocks on the page.

Once Gutenberg and WordPress 5.0 have stabilized, they will provide long term benefits to WordPress users and the community. But in the short term, this change may introduce challenges for some WordPress site owners. In this post we will discuss a few points that will help you decide when to upgrade to WordPress 5.0, and to formulate a successful strategy for making the transition.

Why is WordPress changing the editor?

The WordPress core development team has been talking about Gutenberg for quite some time. The goal, according to Matt Mullenweg, is “to simplify the first-time user experience with WordPress — for those who are writing, editing, publishing, and designing web pages. The editing experience is intended to give users a better visual representation of what their post or page will look like when they hit publish.”

Overall, we agree that Gutenberg will be a giant leap forward in using WordPress to create content online. But, as Matt stated, the goal is to simplify the experience for the first-time user. For the rest of us who have assembled a number of tools to fill the gaps in the older editor’s shortcomings, this will be a period of adjustment.

Potential Problems With Legacy Plugins and Themes

WordPress has been around for over 15 years, and in that time millions of websites have been created using the current editing framework. Often, sites are created and never updated to more modern themes. There are a large number of abandoned plugins installed on WordPress sites – plugins that are no longer being actively maintained by their developers. No one is testing these abandoned plugins or older themes to see how they will behave with Gutenberg.

Adding to the complexity, many of these sites may be hosted on managed WordPress hosting services that will auto-update to the new WordPress version.

Some WordPress site owners may be unable to effectively edit pages they had previously published. Some may be unable to access their edit screen. There may be server 500 errors or white screens for some users. Or everything may run smoothly, even with legacy plugins and a legacy theme.

With over 60,000 unique plugins in the WordPress plugin directory, it is not feasible to test all of the plugins with the new editor. Actively maintained plugins are, for the most part, being tested by the plugin authors. Abandoned plugins will not have been tested, so it is up to you to test whether WordPress 5.0 will work with these plugins.

The same applies to themes. Many themes are actively maintained by their authors. In other cases, a theme may have been created as a single project for a customer or created for the community and then left unmaintained. These unmaintained themes have not been tested with Gutenberg and WordPress 5.0.

If you do anticipate compatibility problems with WordPress 5.0, you can keep the current WordPress editor by installing the WordPress Classic Editor Plugin. We recommend you do this ahead of time, rather than try to use the new editor with incompatible code. But it’s also worth pointing out that Gutenberg and WordPress 5.0 are a significant step forward in editing power and flexibility. So it is worth investing the time to make your site compatible, modifying it if needed, and then reaping the benefits of a brand new block-based editor.

Will Wordfence work with Gutenberg?

Yes. Wordfence does not interact with the editor, so it will not be impacted by Gutenberg. Our QA team has thoroughly verified that Wordfence is ready for Gutenberg and WordPress 5.0.

If you have Wordfence installed, you will receive a notification that WordPress is out of date and requires an update. Please keep in mind that this is no ordinary update. This is a major change to your content management system, and we recommend that if you’re not ready for the new editor, you wait to update WordPress. Yes, you will receive security warnings from Wordfence, because the basic premise has always been to keep open source software updated. If you are not entirely ready for WordPress 5.0, however, there is no harm in staying on the current version while you get ready.

The current version of WordPress core is 4.9.8. If you remain on this version, you will continue to receive security updates from the WordPress core team. The current policy of the WordPress security team is to back-port security fixes to all auto-update compatible WordPress core versions. That means that all versions of WordPress core will continue to receive security updates all the way back to WordPress 3.7. This is not an open-ended policy and may change in the future.

How do I know if I am ready?

Do you have a testing environment for your website? Have you tried the new Gutenberg editor? Are you using a modern version of PHP? Great, you’ll likely be prepared for WordPress version 5.0. As with all major releases, we recommend updating your test environment first to look for problems.

Look for anomalies with all of your page layouts. It also makes sense to go back in time on your test environment and review older posts and pages to ensure they’re ready for the new editor.

As always back up both your site files and your database prior to any update, especially an update of this magnitude.

If your hosting provider auto-updates

If you’re on managed WordPress hosting, your hosting provider will automatically update WordPress for you. Your managed WordPress provider should be taking backups for you. Check with your hosting provider to see what support they will provide for the new WordPress editor and when they will be updating to WordPress 5.0. Some hosting providers, like Page.ly, are waiting until January of next year to do the update.

If you’re using a page builder or premium theme

If your site uses a page builder like Visual Composer, Divi, Beaver Builder or any other tool that uses shortcodes, check with the developer to ensure that your tool is ready for Gutenberg. Many page builders come bundled with premium themes. You may need to check with your theme developer to ensure that you have the updated versions installed on your sites.

What are the security implications of Gutenberg?

We are not currently aware of any security issues with WordPress 5.0 or Gutenberg. The project is being moved into production at a rapid pace which increases the risk of a security issue emerging, because this reduces the amount of time available for testing and debugging.

At this phase in the evolution of WordPress, there are a large number of security teams globally that have eyes on the code and are actively conducting research to determine if there are vulnerabilities in new WordPress releases. As soon as an issue emerges, our team will react and release a firewall rule in real-time to protect our Premium Wordfence customers.

Once WordPress 5.0 is released, there will likely be a series of smaller releases that will emerge over the following weeks. We recommend that you monitor the official WordPress blog and if they announce a security update, upgrade as soon as possible.

Overall This is Good News

As mentioned above, Gutenberg and WordPress 5.0 are a major leap forward in the evolution of WordPress. Rapid innovation does not come without risk or inconvenience to such a large user base. Our team is excited to embrace the new WordPress and to use it ourselves. By following our recommendations above, you can reduce the risk of this transition and migrate smoothly into 2019 with a powerful new editor for WordPress.

The post WordPress 5.0: How and When to Update appeared first on Wordfence.


Using PHP 5 Becomes Dangerous in 2 Months

WordPress, Joomla, Drupal and many other popular website CMSs were written in a programming language called PHP. PHP version 5 is about to reach end-of-life and will stop receiving security updates in two months. Many WordPress and other PHP websites remain on version 5.6 or older. Once support for PHP 5 ends in two months, these sites are in a precarious position and will become exploitable as new PHP 5 vulnerabilities emerge without security updates.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/10/php5-dangerous/

This post is in a FAQ format and describes why PHP 5 is reaching end-of-life, what the timeline is and what to do about it. The Wordfence team is working to create awareness of this issue in the WordPress and broader PHP community. You can help by sharing this post with your colleagues that manage PHP websites or use WordPress.

What is End-Of-Life or ‘EOL’ in Software?

When a software product reaches EOL, it is no longer supported by software developers. That means that, even if someone finds a security hole in the software, the developers will not fix it.

If a development team is productive, they will release many versions of the software they work on over time. It becomes impractical to support every version of the code ever released. So a compromise needs to be made.

This compromise is that the development team will only support their software for a certain amount of time. After that time has elapsed, the development team suggests that the user community upgrade to a newer version of the same software, which usually does things better than the old versions and is fully supported.

Is PHP Version 5 going to be EOL soon?

Yes. PHP version 5 will be declared End-Of-Life on January 1st, 2019. That is, in approximately two months at the time of writing.

The PHP development team’s policy with regards to end-of-life is as follows: each release of PHP is fully supported for two years from the date of release. Then it is supported for an additional year for critical security issues only. Once three years have elapsed from the date of release, that version of PHP is no longer supported.

PHP 7.0, the very first PHP 7 release, was released on 3 December, 2015, almost three years ago. PHP version 5 is rapidly approaching end-of-life and will no longer be supported starting on 1 January, 2019.

The final branch of PHP version 5 that is still supported is PHP 5.6. Because this is the final PHP 5 branch, the PHP team chose to extend the security fix period from the usual one year to two years. That extended security support will end on 1 January 2019.

The following table includes the important dates for PHP 5 and PHP 7 branches. You can find this table on this page on the PHP website.

Why Should I Upgrade to PHP 7?

As mentioned above, PHP 5 will no longer be supported with security fixes, starting on 1 January 2019. That means that even if a vulnerability is discovered, it won’t be fixed, leaving your website vulnerable.

PHP 7 has many improvements over PHP version 5. These include performance improvements. PHP 5 has many known bugs that relate to performance, memory usage and more. PHP 7 is actively supported and developers are therefore able to implement those improvements and make your website run faster, be more stable and use your expensive resources more efficiently.

As an added benefit, PHP 7 also allows the use of more modern programming structures, which is a nice benefit for software developers.

How can I find out my PHP version?

If you are using WordPress and running the Wordfence security plugin, simply go to “Tools”, then click on the “Diagnostics” tab at the top right. Scroll down to the “PHP Environment” section and you will be able to see your PHP version on the right side of the page.

Alternatively you can install this extremely basic plugin on your WordPress site which will display your PHP version. Please note that this plugin is not produced by the Wordfence team and we do not endorse it.

If you have FTP access to your website, you can create a file with a name that is hard to guess. Then add the following two lines:

<?php
phpinfo();

Save the file in your web root directory and then visit the file in your web browser. Your PHP version will be displayed at the top of the screen. Don’t forget to delete your temporary file once you’re done.

Which specific version of PHP 7 should I upgrade to?

Ideally, you should upgrade to PHP 7.2 which is the newest version of PHP. This version will be fully supported for another year and will receive security updates for a year after that.

If you are unable to upgrade to 7.2, then at a minimum you should upgrade to PHP 7.1. Full support for PHP 7.1 will end in 1 month. However, you will continue to receive security updates for another year after that.

Do not upgrade to PHP 7.0. This version will also become end-of-life in one month.
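To make the support policy above concrete, here is an added PHP script (not from the Wordfence post) that classifies a PHP version as actively supported, security-fixes-only, or end-of-life, using the rule the post describes: two years of full support from the branch’s release date, then one more year of security fixes, with PHP 5.6 as the stated exception whose security support ends on 1 January 2019. The 7.0 release date (3 December 2015) and the 5.6 cut-off come from the post; the 7.1 (1 December 2016) and 7.2 (30 November 2017) release dates are taken from php.net and are assumptions of this example, as are the sample version strings. It also reports the running interpreter’s own version via the built-in PHP_VERSION constant, which avoids publishing a full phpinfo() page on your site.

```php
<?php
// Added example, not code from the Wordfence post. Classifies PHP versions by
// support status under the policy the post describes.

// Branch release dates. 7.0 is stated in the post; 7.1 and 7.2 are assumed
// from php.net release announcements.
const BRANCH_RELEASES = [
    '7.0' => '2015-12-03',
    '7.1' => '2016-12-01',
    '7.2' => '2017-11-30',
];

// Branches whose security-only period was extended beyond the usual one year.
// The post states 5.6 security support ends on 1 January 2019.
const SECURITY_END_OVERRIDES = [
    '5.6' => '2019-01-01',
];

// "7.2.11" -> "7.2"
function php_branch(string $version): string
{
    $parts = explode('.', $version);
    return $parts[0] . '.' . ($parts[1] ?? '0');
}

// Returns 'active', 'security-only', 'end-of-life' or 'unknown' for the
// given version as of the given date (YYYY-MM-DD).
function support_status(string $version, string $onDate): string
{
    $branch = php_branch($version);
    $today  = new DateTimeImmutable($onDate);

    if (isset(SECURITY_END_OVERRIDES[$branch])) {
        // Extended branch: only the security cut-off matters here.
        $secEnd = new DateTimeImmutable(SECURITY_END_OVERRIDES[$branch]);
        return $today < $secEnd ? 'security-only' : 'end-of-life';
    }

    if (!isset(BRANCH_RELEASES[$branch])) {
        // Anything older than 5.6 is already unsupported; branches newer than
        // the table are not classified by this example.
        return version_compare($branch, '5.6', '<') ? 'end-of-life' : 'unknown';
    }

    $release   = new DateTimeImmutable(BRANCH_RELEASES[$branch]);
    $activeEnd = $release->modify('+2 years'); // full support
    $secEnd    = $release->modify('+3 years'); // security fixes only

    if ($today < $activeEnd) {
        return 'active';
    }
    if ($today < $secEnd) {
        return 'security-only';
    }
    return 'end-of-life';
}

// Report on the interpreter running this script, without exposing phpinfo().
$today = (new DateTimeImmutable('today'))->format('Y-m-d');
printf("This server: PHP %s is %s as of %s\n",
    PHP_VERSION, support_status(PHP_VERSION, $today), $today);

// Constructed sample versions evaluated at the post's time of writing.
foreach (['5.6.38', '7.0.32', '7.1.23', '7.2.11'] as $v) {
    printf("%-8s %s\n", $v, support_status($v, '2018-10-30'));
}
```

Run it with `php check_php_support.php` from the command line (any file name will do); if you must run it through the web server instead, give it a hard-to-guess name and remove it afterwards, as the post advises for the phpinfo() file. Evaluated at the post’s writing date, the sample loop agrees with the post’s advice: 5.6 and 7.0 are on security fixes only, while 7.1 and 7.2 are still fully supported.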

Does PHP 5 have any vulnerabilities?

Security vulnerabilities are continuously reported in PHP. Some of these are serious. Viewing this page on CVEDetails.com will give you an idea of the volume and severity of PHP vulnerabilities that have recently been reported.

Many of the vulnerabilities reported in PHP were discovered this year. Many more will be discovered in PHP version 5 next year, after security support for all versions of PHP 5 has ended. That is why it is critically important that you upgrade to a version of PHP 7 that is supported and is receiving security updates.

Will anything break if I update to PHP 7.2?

You may discover incompatibilities that need to be fixed by a developer if you update to PHP 7.2. PHP has undergone some changes since version 5 that have improved the language and made it more secure, but those changes may produce warnings or errors for code that has not been made compatible with PHP 7.

If you are a WordPress user, WordPress core is fully compatible with PHP 7.2 and greater.

However, it is very important that you make sure that your themes and plugins are also compatible with PHP 7.2. If you are using an unmaintained theme or plugin, you may encounter warnings or errors due to incompatibilities. For this reason, we recommend you test your website on a hosting account or server that is running PHP 7.2. If you encounter any problems, contact the developer of the theme or plugin and ask them for an urgent fix. Remind them that PHP 5.6 reaches end-of-life in just two months and that you must update to PHP 7.2 by then.

This page has a migration guide for PHP developers who are migrating code from PHP 5.6 to PHP 7.

This page has a list of deprecated functions under PHP 7.2 and will be helpful to a developer that is migrating code from PHP 5 to PHP 7.

What if my hosting company does not support PHP 7?

Your hosting account should include some kind of control panel or options and settings page. If you’re not seeing an option to upgrade to PHP 7, you should contact your hosting company’s support team to see what your options are. If none are available, we recommend you transition to new hosting before the end of the year.

What if my developer does not support PHP 7?

PHP 7.0 was released two years and 10 months ago. If your developer’s plugin, theme, or other PHP product does not support PHP 7 at this point, it is quite likely that the project is unmaintained. If the project were being maintained, users running PHP 7 would have reported problems at some point in those 2 years and 10 months, and the developer would have fixed them.

Using unmaintained software is a bad idea because it means that security vulnerabilities are not being fixed. So if you do encounter incompatibilities when upgrading to PHP 7.2, this may be a red flag and may indicate you should move on to using an alternative product that is being actively maintained.

What is the easiest way to upgrade to PHP 7.2?

Many hosting providers offer a one-click PHP version change in cPanel. This allows you to switch to PHP 7 and check your site for problems. If something doesn’t work, you can switch back and create a plan for addressing the issues you found.

If you can’t find where to update your PHP version, your hosting provider can advise you how to update PHP in their environment. It may mean them making a change on their end or even moving your site to another server.

Remind me again why I need to update to PHP 7.2?

The really good news is that you are probably going to see a nice performance improvement when you update your site. Sure, you may need to deal with a few, hopefully minor, incompatibilities. But once you have updated to PHP 7.2, you can rest assured that you will continue to receive security updates until November 30, 2020.

If you remain on PHP 5.6, you may find yourself dealing with a hacked site some time next year when a vulnerability is released for PHP 5.6 and no fix is released by the PHP team because PHP 5.6 is end-of-life.

How can I help?

This deadline is coming up fast. All versions of PHP 5 will stop receiving security updates in 2 months. There are a huge number of websites that are still on PHP 5. As soon as security updates end, attackers will be highly motivated to find vulnerabilities that they can exploit, because those vulnerabilities will not be fixed and will be exploitable for a long time.

To help transition the global web community to PHP 7, please spread the word by sharing this post and helping create awareness about this tight deadline and how to transition to PHP 7.

The post Using PHP 5 Becomes Dangerous in 2 Months appeared first on Wordfence.
