Outdated PHP – Exposed to Cyberattacks

Overview

A new study has revealed that over 70% of publicly accessible WordPress websites are running outdated PHP versions, exposing millions of sites to serious cyber risks. Despite WordPress powering more than 40% of the internet, many administrators neglect backend updates, creating a widening security gap in the global web ecosystem.

The Core Issue

PHP serves as the server‑side engine behind WordPress. While the CMS itself receives frequent updates, its underlying PHP versions often remain stuck on end‑of‑life releases like PHP 7.4, which lost security support in November 2022.

According to Censys data from 316,000 WordPress instances:

  • Only 30% run a supported PHP version.
  • The remaining 70% operate on obsolete builds vulnerable to remote code execution and authentication bypass attacks.

Even sites with up‑to‑date WordPress cores remain at risk if their PHP layer is unpatched.

Real‑World Impact

Attackers actively scan the internet for outdated PHP installations. One recent campaign, the “Hacked by MR.GREEN” defacement wave, compromised over 900 WordPress sites by replacing legitimate content with attacker messages.

Researchers found that most affected sites shared common weaknesses:

  • Outdated software and unpatched plugins.
  • Exposed configuration files like xmlrpc.php.
  • Weak access controls and publicly accessible admin endpoints.

These vulnerabilities allow attackers to inject malicious code, deface sites, or use them as launchpads for further attacks.

The Plugin Problem

WordPress plugins extend functionality but also expand the attack surface. Censys data shows millions of sites use plugins that are not regularly updated.

Even popular plugins like Yoast SEO show low adoption of latest versions. Unpatched plugins can introduce data exposure and authentication bypass flaws, providing attackers easy entry points.

Why Admins Delay Updates

Updating PHP is not always straightforward for older sites. Common barriers include:

  • Compatibility issues with legacy themes and plugins.
  • Fear of downtime or broken functionality.
  • Limited technical resources for testing and migration.

However, this short‑term convenience comes at the cost of long‑term security. Attackers use automated scanners to find and exploit these weak spots at scale.

Recommended Actions

To reduce risk and strengthen WordPress security:

  • Upgrade PHP to supported versions (8.1 or later).
  • Regularly update plugins and themes to patch known flaws.
  • Restrict admin access and disable unused endpoints like xmlrpc.php.
  • Implement continuous monitoring to detect defacement or malware activity.
  • Conduct regular security audits to identify misconfigurations and weak authentication settings.

Expert in the Cloud Insight

This study highlights a persistent truth: cybersecurity hygiene is not optional. Running outdated backend software like PHP creates a silent vulnerability that attackers exploit with ease.

For businesses and developers, the path forward is clear — modernize your stack, automate updates, and treat backend maintenance as a security priority.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.