70% of WordPress Sites Exposed to Attacks Due to Outdated PHP Versions
Key Takeaways Over 70% of public WordPress sites are running end-of-life PHP versions, creating significant security vulnerabilities. Only about 30% of WordPress installations utilize a currently...
Key Takeaways
- Over 70% of public WordPress sites are running end-of-life PHP versions, creating significant security vulnerabilities.
- Only about 30% of WordPress installations utilize a currently supported PHP version.
- Outdated PHP versions expose sites to known exploits, including remote code execution, even if WordPress core is updated.
- The “Hacked by MR.GREEN” defacement campaign exemplifies the real-world impact of these unpatched systems.
- Challenges like compatibility issues and fear of downtime often prevent administrators from updating PHP.
Widespread PHP Obsolescence Jeopardizes WordPress Security
A recent analysis has uncovered a critical security flaw affecting the majority of WordPress websites globally: more than 70% are operating on outdated, unsupported versions of PHP. This widespread neglect of the underlying server-side language dramatically increases their susceptibility to cyberattacks, leaving millions of sites exposed.
Table Of Content
The findings underscore a significant and growing security gap within the internet’s infrastructure. Despite continuous security updates for the WordPress content management system itself, the foundational PHP versions upon which these sites run are frequently left unpatched, creating a persistent threat vector.
The Scale of the Problem
WordPress, which powers over 40% of all websites, relies heavily on PHP for its core functionality. However, Censys data shows that out of over 316,000 WordPress instances with discernible version information, merely 30% are currently utilizing a supported and up-to-date PHP version. The vast majority continues to run on versions that have reached their end-of-life (EOL), meaning they no longer receive critical security patches. For instance, PHP 7.4 ceased receiving security updates in November 2022, yet it remains prevalent.
This imbalance is a critical concern. Even if website owners diligently keep their WordPress core software updated, an outdated PHP version can introduce severe vulnerabilities. These can include known remote code execution flaws and authentication bypass issues, providing attackers with direct pathways into systems.
Real-World Impact: The “Hacked by MR.GREEN” Campaign
Cybercriminals are actively exploiting these weaknesses. Automated scanning tools constantly probe the internet for unpatched systems, making them prime targets. A prominent example is the ongoing “Hacked by MR.GREEN” defacement campaign, which has compromised over 900 websites, predominantly WordPress installations.
These attacks typically involve replacing legitimate website content with messages from the attackers, clearly demonstrating the ease with which vulnerable systems can be breached. While the precise method of exploitation for this campaign remains somewhat unclear, researchers observed that many affected sites exhibited common signs of neglect, including outdated software, exposed configuration files like xmlrpc.php, and weak access controls.
Compounding Factors: Plugins and Configuration
The extensive use of plugins within the WordPress ecosystem further complicates the security landscape. While plugins enhance functionality, they also expand the attack surface. Censys data shows millions of websites use plugins, yet many fail to keep them updated. Even widely used plugins, such as Yoast SEO, show low adoption rates for their latest, most secure versions. Vulnerabilities in these plugins, ranging from authentication bypasses to data exposure flaws, can serve as readily available entry points for attackers if left unpatched.
Beyond software versions, misconfigurations also contribute significantly to risk. Publicly accessible SSH services, weak authentication settings, and exposed administrative endpoints can create a highly exploitable environment, especially when combined with outdated software. Attackers frequently leverage automated scanning tools to identify these weaknesses at scale.
The Challenge of Updating
Updating PHP versions on CMS platforms is often not a straightforward process, particularly for older websites. Administrators frequently face compatibility issues, the risk of breaking existing site functionality, and the fear of downtime. These concerns often lead to delays or complete avoidance of critical updates. However, this short-term convenience comes at the severe cost of long-term security, leaving systems exposed to known and actively exploited vulnerabilities.
Security experts consistently emphasize that maintaining updated backend infrastructure is as crucial as updating visible components like themes and plugins. In an threat landscape where adversaries are constantly evolving their tactics, neglecting core technologies like PHP leaves a significant portion of the internet vulnerable to opportunistic attacks.
What You Should Do
- Update PHP Immediately: Prioritize upgrading your WordPress site’s PHP version to a currently supported release (e.g., PHP 8.1 or newer). Consult your hosting provider or a developer if you are unsure how to proceed.
- Regularly Patch All Software: Ensure your WordPress core, themes, and all plugins are consistently updated to their latest versions.
- Audit and Secure Configurations: Review server and WordPress configurations for exposed services (like SSH), default credentials, and publicly accessible administrative interfaces. Implement strong authentication and access controls.
- Implement a Staging Environment: Before applying major updates (especially PHP upgrades), test them thoroughly in a staging environment to identify and resolve any compatibility issues without affecting your live site.
- Monitor for Suspicious Activity: Deploy security monitoring tools and regularly review logs for any signs of compromise or unusual activity.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.