WordPress PHP Update – Security Really Not Included

I recently performed a WordPress PHP update, and wanted to share the steps.

WordPress PHP Update – Introduction

First, I noticed a warning on my WordPress dashboard after logging in. The error stated that, “WordPress has detected that your site is running on an insecure version of PHP.”

I thought this was weird since I was regularly performing apt-update and apt-upgrade.

That said, I figured that it wasn’t lying to me, so I set out to upgrade PHP.

Pre-updates

First, I checked my kernel and server version, just to make sure that there was nothing weird there.

root@doylernet:~# uname -a
Linux doylernet 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Next, I verified that I was running an older version of PHP.

root@doylernet:~# php --version
PHP 7.0.33-0ubuntu0.16.04.15 (cli) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.33-0ubuntu0.16.04.15, Copyright (c) 1999-2017, by Zend Technologies

Finally, I backed up my site using BackWPup, just in case I broke everything.

WordPress PHP Update

After a quick search, I found an article discussing the same warning that I had seen.

First, I added the PHP PPA to my sources. Note that this is an untrusted PPA, and not an official source.

root@doylernet:~# add-apt-repository ppa:ondrej/php
 Co-installable PHP versions: PHP 5.6, PHP 7.x and most requested extensions are included. Only Supported Versions of PHP (http://php.net/supported-versions.php) for Supported Ubuntu Releases (https://wiki.ubuntu.com/Releases) are provided. Don't ask for end-of-life PHP versions or Ubuntu release, they won't be provided.

Debian oldstable and stable packages are provided as well: https://deb.sury.org/#debian-dpa

You can get more information about the packages at https://deb.sury.org

BUGS&FEATURES: This PPA now has a issue tracker:
https://deb.sury.org/#bug-reporting

CAVEATS:
1. If you are using php-gearman, you need to add ppa:ondrej/pkg-gearman
2. If you are using apache2, you are advised to add ppa:ondrej/apache2
3. If you are using nginx, you are advised to add ppa:ondrej/nginx-mainline
   or ppa:ondrej/nginx

PLEASE READ: If you like my work and want to give me a little motivation, please consider donating regularly: https://donate.sury.org/

WARNING: add-apt-repository is broken with non-UTF-8 locales, see
https://github.com/oerdnj/deb.sury.org/issues/56 for workaround:

# LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php
 More info: https://launchpad.net/~ondrej/+archive/ubuntu/php
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmpe1fspmgc/secring.gpg' created
gpg: keyring `/tmp/tmpe1fspmgc/pubring.gpg' created
gpg: requesting key E5267A6C from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpe1fspmgc/trustdb.gpg: trustdb created
gpg: key E5267A6C: public key "Launchpad PPA for Ondřej Surý" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK

Next, I installed the new PHP and PHP-MySQL versions.

root@doylernet:~# apt-get install php7.3 php7.3-mysql
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libapache2-mod-php7.3 libargon2-0 libpcre2-8-0 libsodium23 libssl1.1 php-common
  php7.3-cli php7.3-common php7.3-json php7.3-opcache php7.3-readline
Suggested packages:
  php-pear
The following NEW packages will be installed:
  libapache2-mod-php7.3 libargon2-0 libpcre2-8-0 libsodium23 libssl1.1 php7.3
  php7.3-cli php7.3-common php7.3-json php7.3-mysql php7.3-opcache
  php7.3-readline
The following packages will be upgraded:
  php-common
1 upgraded, 12 newly installed, 0 to remove and 25 not upgraded.
Need to get 5,898 kB of archives.
After this operation, 22.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] 

After the installations completed, I verified that I was now running version 7.3.

root@doylernet:~# php --version
PHP 7.3.19-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Jun 12 2020 07:48:10) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.19, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.19-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

Post Installation

First, after my installation was complete, I disabled the PHP 7.0 Apache module.

root@doylernet:~# a2dismod php7.0
Module php7.0 disabled.
To activate the new configuration, you need to run:
  service apache2 restart

Next, I enabled the PHP 7.3 Apache module and restarted the server.

root@doylernet:~# a2enmod php7.3
Considering dependency mpm_prefork for php7.3:
Considering conflict mpm_event for mpm_prefork:
Considering conflict mpm_worker for mpm_prefork:
Module mpm_prefork already enabled
Considering conflict php5 for php7.3:
Enabling module php7.3.
To activate the new configuration, you need to run:
  service apache2 restart
root@doylernet:~# service apache2 restart

Note that I was also receiving an error about the server not successfully loading a PHP DLL. I thought this was weird, as I was running on an Ubuntu system.

That said, it looked like there was a line in my php.ini file that was referencing the aforementioned DLL, so I commented this out.

WordPress PHP Update – Conclusion

I did not realize that my update and upgrade where not upgrading my PHP version, so I was glad that I went through this.

Let me know if there is a more official update process that I do not know about.

In the meantime, hopefully I’ll get back to more offensive related posts soon!

Ray Doyle

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.