Website security is one of the most important parts of running a website, and also one of the most overlooked. Much of this has to do with the rise of modern Content Management Systems (CMS) which have enabled just about anyone with a minimal skillset to setup and post content to a website. These sites are often unmanaged, meaning security patches and version updates are not installed regularly, if at all. To make things worse, many sites are hosted by companies that have little understanding of good security practices. Companies that choose to forgo the regular updating of the systems that run the CMS.
While PHP is not a favorite language amongst developers, it runs on 83.5% of websites. The current production release of PHP is 7.2, however we still see many older versions of PHP in use such as v5.6, v7.0, and v7.1. These versions are still supported, at least for now. What’s concerning about seeing these older versions of PHP in use, especially v5.6 but also v7.0, is that they have just about reached their End of Life (EOL). This means that these version of PHP will no longer be supported with updates. So as hackers discover more security holes within these versions of the language, there will be no updates to protect them, leaving the websites that are running on these versions wide open.
The most used version of PHP right now is v5.6. This version has already had a reprieve, it was originally set to reach EOL long ago. But due to the tremendous usage of this version, about 70% of current installed PHP is running v5.6 or older, it was given an extra year of security updates. Since it has already been granted this extension is is unlikely to receive a second one. So at the end of this year, PHP v5.6 will reach it’s EOL.
Irresponsible Hosting Providers
When PHP v5.6 was granted an extra year of security updates, all remaining hosting providers should have started migrating their servers to the v7.* of the language. Unfortunately this did not happen. This puts the percentage of PHP installs running v5.6 or lower at roughly the same mark as it was a year ago.
There are a few reasons for why hosting providers have not updated:
Lazy - This is the biggest problem within the technology community. Because many decision makers do not understand technology they blindly follow the recommendations of their internal staff. This presents a problem, since the IT staff can then choose to self regulate. As is common, people allowed to be lazy will continue to be lazy
Incompetent - Many people working in technology don’t actually know much about their field. This happens for many reasons, chief among them is that things advance so fast that keeping up can take tremendous amounts of time. Many companies do not encourage, or allow for continued learning. So the knowledge base of the staff becomes outdated rather quickly.
Fear - Hosting providers fear making an update the will adversely affect their clients. If a website is not actively maintained, meaning it routinely has updates and security patches applied, it might not be comparable with new versions of PHP. With such a high number of websites not being actively maintained, a company that chooses to update from PHP v5.6 to PHP v7.2 could inadvertently break a large majority of it’s clients websites.
Why Security Matters
There are a few reasons to make website security a top priority:
Credibility - When a website is hacked, best case is that it’s a momentary loss of credibility with clients. Worst case is that clients or prospective clients leave, effectually closing down the business.
Lost Opportunities - Every time a user tries to visit your website and fails, that one less opportunity to convert them into a client. Depending on the average cost of a sale, this can be a loss of dollars, thousands of dollars, or for some larger companies it can translate to hundreds of thousands or millions of dollars.
Wasted Marketing - Advertising online can be expensive, but if there is an Return on Investment (ROI) then it’s worth every penny. Ad campaings run 24 hours a day, 7 days a week without rest. Every ad clicked while a website is hacked or down is wasted money.
Negate Search Engine Optimization (SEO) Efforts - When Google and Bing detect that a website has been hacked, that site is immediately downlinked in their index. Depending on the severity of the hack, and time the hacked website was online, this down rank can last for months. Thereby negating all the expense and time spent slowly improving Search Engine Results Positions (SERP).
During the year of 2019 and on we are anticipating a dramatic increase in hacked websites. The good news is that your website does not need to be in this group. By actively maintaining your website you can keep hackers from compromising your website through the use of known security exploits. Even if your CMS is updated frequently, it’s important to make sure your web hosting company keeps it’s servers updated.
We actively update our servers. Currently we run PHP 7.2, and will continue to update to the most recent stable versions as they become available. We also routinely update the websites of our clients that take advantage of our Active Site Maintenance service. This service comes standard for one year with every new web development project we work on. We also bundle this service into our SEO services. By doing business with us you are as secure as one can be, allowing you to have confidence that every dollar spent on SEO or online marketing will continue to be an investment into your companies future.
If you have questions about this or any other technology topic please feel free to contact us.