Okay, I am irate enough over this situation that I have created a new category: Chief Information Officer. I have been involved with computer security in one way or another since I was stationed in Guam back in the 1989-1992 time frame. Ever since, professionally I have looked at a system or a network and always thought about how it could be attacked and compromised.
I have been building a new website for my new wonderful job, using the open-source Joomla! software. Except none of the internal page links work. Every time I click on a link to go to an article, I keep getting a “404 - Page Not Found” error. I have even had outside people look at it, and they couldn’t figure out what was going on. I have been beating my head against the proverbial wall until today, when one of the modules threw an error on me, telling me the PHP my server was running was unsupported. Further research revealed that the server that all of my personal domains are on (including this one) and the test site are running PHP 5.3. The current version is 5.6.8.
A version of PHP has three phases to its lifecycle. There is the fully supported phase, where there are regular and constant updates which address bugs and security issues. This lasts for two years from its release as a “stable” (as opposed to beta) release.
Then there is a year where it is in “limited support.” This means only significant security issues are addressed, and only when it is critically necessary.
Three years after release, it enters the third phase, known as the “You’re dead to me” phase where all support stops on that version. You’re on your own. All support for PHP 5.3 ended around June of 2014, ten months ago as of this writing.
Let me put it this way: Imagine having a computer on your network with company critical information, connected to the Internet…running Windows XP Service Pack 1. XP SP1 is literally six versions (XP SP2, XP SP3, Vista, Win 7, Win 8.0 and Win 8.1) out of date and twelve years old. To say that machine is not prepared for hacking attacks in today’s environment is like putting Pee Wee Herman in a boxing ring with Evander Holyfield. The absolute best result Pee Wee could hope to attain is a bloody corpse.
Back on March 10th, I wrote about getting hit by a script insertion attack. I am 99% certain that having an old version of PHP was the source of vulnerability that let those who did it into my domain. Running a current version of Joomla! could also cause issues like I am experiencing. Think of trying to run a version of Command & Conquer written for Windows 95 on a Windows 8.1 machine. It won’t work.
Which brings me back to today. I called my hosting provider, iPage, and asked why the only PHP I had access to was out of date. I had to call and demand to speak with a supervisor to find out what is going on. The short answer: I’m not paying enough. I was essentially told, “If you want access to the current version of PHP, I need to upgrade to a VPS (Virtual Private Server) plan.” Of course, the bottom VPS plan costs three times what I am currently paying. Never mind running my four personal domains on a VPS is like using a semi-tractor trailer to haul a single sheet of paper around the corner (e.g., overkill by a factor of 10,000). The supervisor told me he didn’t even know if they were planning on upgrading the PHP on their non-commercial servers to something approaching 5.5 (which goes into the “limited support” phase in 2-3 months), let alone upgrading PHP to the current release.
Why this is important: Without getting too technical, the security of a website and the integrity of its data depend on the software that built the files and the programs used by the server to make that information available to you when you visit. If they are not current, they will likely have security holes which leave you and your data at risk.
If you run a website, I suggest you go immediately into your control panel and find out if the software the servers are running is current. If it is not, demand it be updated or move to another hosting provider.
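One way to script that check, as an added example that is not part of the original post: it reads the PHP version from a banner (an `X-Powered-By` header or the first line of `php -v`) and classifies the branch using the two-years-full, one-year-limited lifecycle described above. The release dates in the table, the sample banners and the as-of date are supplied by this example.

```python
import re
from datetime import date

# First stable (x.y.0) release date of each branch the post mentions.
# These dates are supplied by this example, not taken from the post.
BRANCH_RELEASED = {
    (5, 3): date(2009, 6, 30),
    (5, 5): date(2013, 6, 20),
    (5, 6): date(2014, 8, 28),
}

def parse_php_version(banner):
    """Return (major, minor) from 'X-Powered-By: PHP/5.3.29' or `php -v` text."""
    m = re.search(r"PHP[/ ](\d+)\.(\d+)", banner, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def add_years(d, years):
    """Shift a date by whole years, mapping Feb 29 to Feb 28 when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def support_phase(banner, today):
    """Classify a banner as full support, limited support, end of life or unknown."""
    branch = parse_php_version(banner)
    released = BRANCH_RELEASED.get(branch)
    if released is None or today < released:
        # Banner hidden (expose_php off), not PHP, or branch not in the table:
        # report that rather than guess.
        return "unknown"
    if today < add_years(released, 2):
        return "full support"      # regular bug and security fixes
    if today < add_years(released, 3):
        return "limited support"   # significant security issues only
    return "end of life"           # no fixes of any kind

if __name__ == "__main__":
    as_of = date(2015, 4, 20)  # constructed as-of date
    for banner in (            # constructed sample banners
        "X-Powered-By: PHP/5.3.29",
        "PHP 5.5.24 (cli) (built: Apr 16 2015 10:00:00)",
        "X-Powered-By: PHP/5.6.8",
        "Server: nginx",
    ):
        print(f"{banner!r:55} -> {support_phase(banner, as_of)}")
```

An "unknown" result only means the server did not advertise a version; the hosting control panel or a `phpinfo()` page still has to be checked by hand.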
iPage, screw you.
I’m moving to another hosting provider in the morning. There may be interruptions as I move my files and repoint the domain nameservers.