WordPress / servehappy

Information page about PHP versions and updates, to be used through the WordPress.org project.
https://meta.trac.wordpress.org/ticket/2996
GNU General Public License v2.0

A modern version embraces security on the web #7

Open felixarntz opened 6 years ago

felixarntz commented 6 years ago

If you're running an unsupported PHP version, chances are much higher that your site is compromised by an attacker. Keeping WordPress up to date only protects you from WordPress security breaches, but not from PHP security breaches.

For hosters, this means they get fewer support requests from hacked sites.

JDGrimes commented 6 years ago

> If you're running an unsupported PHP version, chances are much higher that your site is compromised by an attacker.

The general sentiment may be correct, but I'm not comfortable making that assertion without some hard data to back it up. It is probably more likely that your site is vulnerable, but I can't say I've ever seen hard data on that (percentage of actually unpatched PHP—there's probably no way of knowing if a host has not patched PHP, beside asking/testing). And even if it is more likely to be vulnerable, I guess that isn't the same thing as it being more likely to be compromised. Do hackers specifically target PHP 5.2/3/4/5 vulnerabilities?

You are just as likely to be vulnerable on PHP 7, if you haven't applied the latest patches, and we've actually seen hackers actively exploiting that. So this principle isn't just about keeping on the latest version, but also the latest point release of the version you are on.

Since older versions no longer receive point releases, we might expect that there is a stronger correlation between them and vulnerability (and compromise), and I know that it gets repeated a lot, but I just can't say that I've ever seen data to confirm that.

The general idea that "A modern version embraces security on the web" still holds, of course. Relying on third parties to maintain the software is not the best security posture. But I'm not sure we can be emphatic about it being a common cause of compromise at this point.
For hosters, this also means that they don't have to worry about coming up with patches themselves, or sourcing them from a reputable third party; they can just get them from the official source.

Zodiac1978 commented 6 years ago

And there is backporting, which some hosters/distros hopefully use: https://access.redhat.com/security/updates/backporting