I recently performed a WordPress PHP update, and wanted to share the steps.
WordPress PHP Update – Introduction
First, I noticed a warning on my WordPress dashboard after logging in. The error stated that, “WordPress has detected that your site is running on an insecure version of PHP.”
I thought this was weird since I was regularly performing apt-update and apt-upgrade.
That said, I figured that it wasn’t lying to me, so I set out to upgrade PHP.
First, I checked my kernel and server version, just to make sure that there was nothing weird there.
    [email protected]:~# uname -a
    Linux doylernet 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Next, I verified that I was running an older version of PHP.
    [email protected]:~# php --version
    PHP 7.0.33-0ubuntu0.16.04.15 (cli) ( NTS )
    Copyright (c) 1997-2017 The PHP Group
    Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
        with Zend OPcache v7.0.33-0ubuntu0.16.04.15, Copyright (c) 1999-2017, by Zend Technologies
Finally, I backed up my site using BackWPup, just in case I broke everything.
WordPress PHP Update
After a quick search, I found an article discussing the same warning that I had seen.
First, I added the PHP PPA to my sources. Note that this is an untrusted PPA, and not an official source.
    [email protected]:~# add-apt-repository ppa:ondrej/php
     Co-installable PHP versions: PHP 5.6, PHP 7.x and most requested extensions are included. Only Supported Versions of PHP (http://php.net/supported-versions.php) for Supported Ubuntu Releases (https://wiki.ubuntu.com/Releases) are provided. Don't ask for end-of-life PHP versions or Ubuntu release, they won't be provided.

    Debian oldstable and stable packages are provided as well: https://deb.sury.org/#debian-dpa

    You can get more information about the packages at https://deb.sury.org

    BUGS&FEATURES: This PPA now has a issue tracker:
    https://deb.sury.org/#bug-reporting

    CAVEATS:
    1. If you are using php-gearman, you need to add ppa:ondrej/pkg-gearman
    2. If you are using apache2, you are advised to add ppa:ondrej/apache2
    3. If you are using nginx, you are advised to add ppa:ondrej/nginx-mainline
       or ppa:ondrej/nginx

    PLEASE READ: If you like my work and want to give me a little motivation, please consider donating regularly: https://donate.sury.org/

    WARNING: add-apt-repository is broken with non-UTF-8 locales, see
    https://github.com/oerdnj/deb.sury.org/issues/56 for workaround:

    # LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php
     More info: https://launchpad.net/~ondrej/+archive/ubuntu/php
    Press [ENTER] to continue or ctrl-c to cancel adding it

    gpg: keyring `/tmp/tmpe1fspmgc/secring.gpg' created
    gpg: keyring `/tmp/tmpe1fspmgc/pubring.gpg' created
    gpg: requesting key E5267A6C from hkp server keyserver.ubuntu.com
    gpg: /tmp/tmpe1fspmgc/trustdb.gpg: trustdb created
    gpg: key E5267A6C: public key "Launchpad PPA for Ondřej Surý" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    OK
Next, I installed the new PHP and PHP-MySQL versions.
    [email protected]:~# apt-get install php7.3 php7.3-mysql
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
      libapache2-mod-php7.3 libargon2-0 libpcre2-8-0 libsodium23 libssl1.1 php-common php7.3-cli php7.3-common php7.3-json php7.3-opcache php7.3-readline
    Suggested packages:
      php-pear
    The following NEW packages will be installed:
      libapache2-mod-php7.3 libargon2-0 libpcre2-8-0 libsodium23 libssl1.1 php7.3 php7.3-cli php7.3-common php7.3-json php7.3-mysql php7.3-opcache php7.3-readline
    The following packages will be upgraded:
      php-common
    1 upgraded, 12 newly installed, 0 to remove and 25 not upgraded.
    Need to get 5,898 kB of archives.
    After this operation, 22.7 MB of additional disk space will be used.
    Do you want to continue? [Y/n]
After the installations completed, I verified that I was now running version 7.3.
    [email protected]:~# php --version
    PHP 7.3.19-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Jun 12 2020 07:48:10) ( NTS )
    Copyright (c) 1997-2018 The PHP Group
    Zend Engine v3.3.19, Copyright (c) 1998-2018 Zend Technologies
        with Zend OPcache v7.3.19-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies
First, after my installation was complete, I disabled the PHP 7.0 Apache module.
    [email protected]:~# a2dismod php7.0
    Module php7.0 disabled.
    To activate the new configuration, you need to run:
      service apache2 restart
Next, I enabled the PHP 7.3 Apache module and restarted the server.
    [email protected]:~# a2enmod php7.3
    Considering dependency mpm_prefork for php7.3:
    Considering conflict mpm_event for mpm_prefork:
    Considering conflict mpm_worker for mpm_prefork:
    Module mpm_prefork already enabled
    Considering conflict php5 for php7.3:
    Enabling module php7.3.
    To activate the new configuration, you need to run:
      service apache2 restart
    [email protected]:~# service apache2 restart
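`php --version` reports the CLI binary only, so it is worth confirming that the Apache module switch above took effect as well. The script below is an added example, not part of the original post: the function names are hypothetical, it assumes the Debian/Ubuntu layout where enabled modules are linked under /etc/apache2/mods-enabled, and its demo runs against a constructed temporary directory.

```sh
#!/bin/sh
# Added example: confirm Apache enables the same PHP branch the CLI reports.
# Function names are hypothetical; paths assume the Debian/Ubuntu Apache layout.

# Read `php --version` output on stdin and print the "major.minor" branch.
php_branch() {
    sed -n 's/^PHP \([0-9][0-9]*\.[0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Print the branch of every mod_php enabled in a mods-enabled directory.
# a2enmod/a2dismod add and remove phpX.Y.load links there.
enabled_mod_php() {
    dir=${1:-/etc/apache2/mods-enabled}
    for f in "$dir"/php*.load; do
        [ -e "$f" ] || continue      # glob matched nothing
        b=${f##*/php}
        printf '%s\n' "${b%.load}"
    done
}

# Return 0 only when Apache has exactly the wanted branch enabled.
check_php_switch() {
    want=$1
    dir=${2:-/etc/apache2/mods-enabled}
    have=$(enabled_mod_php "$dir" | sort | tr '\n' ' ')
    have=${have% }
    if [ -z "$have" ]; then
        echo "FAIL: no mod_php enabled in $dir"; return 1
    elif [ "$have" = "$want" ]; then
        echo "OK: Apache enables php$want only"; return 0
    fi
    echo "FAIL: CLI is $want but Apache enables: $have"; return 1
}

# Constructed demo: a temp dir stands in for mods-enabled. The version line
# is the one shown in the post after the install, abbreviated.
demo=$(mktemp -d)
cli=$(echo 'PHP 7.3.19-1+ubuntu16.04.1+deb.sury.org+1 (cli) ( NTS )' | php_branch)
: > "$demo/php7.0.load"                 # installed 7.3, module not switched yet
check_php_switch "$cli" "$demo" || true
rm "$demo/php7.0.load"; : > "$demo/php7.3.load"   # after a2dismod / a2enmod
check_php_switch "$cli" "$demo"
rm -rf "$demo"
```

On a real host the same check is `check_php_switch "$(php --version | php_branch)"`, which fails if php7.0 is still enabled alongside or instead of php7.3.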
Note that I was also receiving an error about the server not successfully loading a PHP DLL. I thought this was weird, as I was running on an Ubuntu system.
That said, it looked like there was a line in my php.ini file that was referencing the aforementioned DLL, so I commented this out.
WordPress PHP Update – Conclusion
I did not realize that my update and upgrade were not upgrading my PHP version, so I was glad that I went through this.
Let me know if there is a more official update process that I do not know about.
In the meantime, hopefully I’ll get back to more offensive related posts soon!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.