WordPress PHP Update – Security Really Not Included

I recently performed a WordPress PHP update, and wanted to share the steps.

WordPress PHP Update - Introduction

First, I noticed a warning on my WordPress dashboard after logging in. The error stated that, "WordPress has detected that your site is running on an insecure version of PHP."

WordPress PHP Update - Update required

I thought this was weird since I was regularly performing apt-update and apt-upgrade.

That said, I figured that it wasn't lying to me, so I set out to upgrade PHP.

Pre-updates

First, I checked my kernel and server version, just to make sure that there was nothing weird there.

root@doylernet:~# uname -a
Linux doylernet 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Next, I verified that I was running an older version of PHP.

root@doylernet:~# php --version
PHP 7.0.33-0ubuntu0.16.04.15 (cli) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.33-0ubuntu0.16.04.15, Copyright (c) 1999-2017, by Zend Technologies

Finally, I backed up my site using BackWPup, just in case I broke everything.

Site backup

WordPress PHP Update

After a quick search, I found an article discussing the same warning that I had seen.

First, I added the PHP PPA to my sources. Note that this is an untrusted PPA, and not an official source.

root@doylernet:~# add-apt-repository ppa:ondrej/php
 Co-installable PHP versions: PHP 5.6, PHP 7.x and most requested extensions are included. Only Supported Versions of PHP (http://php.net/supported-versions.php) for Supported Ubuntu Releases (https://wiki.ubuntu.com/Releases) are provided. Don't ask for end-of-life PHP versions or Ubuntu release, they won't be provided.

Debian oldstable and stable packages are provided as well: https://deb.sury.org/#debian-dpa

You can get more information about the packages at https://deb.sury.org

BUGS&FEATURES: This PPA now has a issue tracker:
https://deb.sury.org/#bug-reporting

CAVEATS:
1. If you are using php-gearman, you need to add ppa:ondrej/pkg-gearman
2. If you are using apache2, you are advised to add ppa:ondrej/apache2
3. If you are using nginx, you are advised to add ppa:ondrej/nginx-mainline
   or ppa:ondrej/nginx

PLEASE READ: If you like my work and want to give me a little motivation, please consider donating regularly: https://donate.sury.org/

WARNING: add-apt-repository is broken with non-UTF-8 locales, see
https://github.com/oerdnj/deb.sury.org/issues/56 for workaround:

# LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php
 More info: https://launchpad.net/~ondrej/+archive/ubuntu/php
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmpe1fspmgc/secring.gpg' created
gpg: keyring `/tmp/tmpe1fspmgc/pubring.gpg' created
gpg: requesting key E5267A6C from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpe1fspmgc/trustdb.gpg: trustdb created
gpg: key E5267A6C: public key "Launchpad PPA for Ondřej Surý" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK

Next, I installed the new PHP and PHP-MySQL versions.

root@doylernet:~# apt-get install php7.3 php7.3-mysql
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libapache2-mod-php7.3 libargon2-0 libpcre2-8-0 libsodium23 libssl1.1 php-common
  php7.3-cli php7.3-common php7.3-json php7.3-opcache php7.3-readline
Suggested packages:
  php-pear
The following NEW packages will be installed:
  libapache2-mod-php7.3 libargon2-0 libpcre2-8-0 libsodium23 libssl1.1 php7.3
  php7.3-cli php7.3-common php7.3-json php7.3-mysql php7.3-opcache
  php7.3-readline
The following packages will be upgraded:
  php-common
1 upgraded, 12 newly installed, 0 to remove and 25 not upgraded.
Need to get 5,898 kB of archives.
After this operation, 22.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] 

After the installations completed, I verified that I was now running version 7.3.

root@doylernet:~# php --version
PHP 7.3.19-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Jun 12 2020 07:48:10) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.19, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.19-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

Post Installation

First, after my installation was complete, I disabled the PHP 7.0 Apache module.

root@doylernet:~# a2dismod php7.0
Module php7.0 disabled.
To activate the new configuration, you need to run:
  service apache2 restart

Next, I enabled the PHP 7.3 Apache module and restarted the server.

root@doylernet:~# a2enmod php7.3
Considering dependency mpm_prefork for php7.3:
Considering conflict mpm_event for mpm_prefork:
Considering conflict mpm_worker for mpm_prefork:
Module mpm_prefork already enabled
Considering conflict php5 for php7.3:
Enabling module php7.3.
To activate the new configuration, you need to run:
  service apache2 restart
root@doylernet:~# service apache2 restart

Note that I was also receiving an error about the server not successfully loading a PHP DLL. I thought this was weird, as I was running on an Ubuntu system.

That said, it looked like there was a line in my php.ini file that was referencing the aforementioned DLL, so I commented this out.

PHP DLL enabled

WordPress PHP Update - Conclusion

I did not realize that my update and upgrade where not upgrading my PHP version, so I was glad that I went through this.

Let me know if there is a more official update process that I do not know about.

In the meantime, hopefully I'll get back to more offensive related posts soon!

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

As an Amazon Associate I earn from qualifying purchases.

Common passed on this blog, I made it to a jam.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *

ERROR: si-captcha.php plugin: GD image support not detected in PHP!

Contact your web host and ask them to enable GD image support for PHP.

ERROR: si-captcha.php plugin: imagepng function not detected in PHP!

Contact your web host and ask them to enable imagepng for PHP.

This site uses Akismet to reduce spam. Learn how your comment data is processed.