(Plesk for Linux) Securing Outdated PHP Versions
Websites running outdated PHP versions may be vulnerable themselves, and can even lead to the entire Plesk server being compromised. At the same time, updating a legacy website so that it can run a supported PHP version can be costly and/or time-consuming.
As a solution to this issue, Plesk offers the ability to secure websites running outdated PHP versions using custom PHP packages from TuxCare, a CloudLinux brand. Those PHP packages come with fixes for security issues that are discovered after the community support for a particular PHP version has stopped.
In this topic, you will learn how to install custom PHP packages from TuxCare on your Plesk server, how to secure websites, and also how to keep the custom PHP packages up to date.
Overview
Every PHP version falls into one of three categories:
| Category | Description |
|---|---|
| Active support | These versions are being actively supported. Updates with fixes for bugs and security issues are released regularly. |
| Security fixes only | These versions only receive updates with fixes for critical security issues. |
| End of life (or "EOL" for short) | These versions no longer receive updates or fixes, even for critical security issues. |
Websites coded in PHP are usually created with a specific PHP version in mind. If made to use a different PHP version, they may work incorrectly, or not at all. Updating such a website so that it can work correctly with an up-to-date PHP version can be costly, and may not even be practical.
However, if a security vulnerability is discovered in an EOL PHP version, websites running that PHP version are at risk. Worse yet, such a vulnerability may make the entire Plesk server vulnerable as well. In such a situation, the vulnerable website’s owner and their hosting provider have a number of choices, none of which are good:
- Have the website’s owner update it, if they have the means to do so, and if it is even possible.
- Take the website offline.
- Continue hosting the website and accept the risks.
Plesk and TuxCare offer another choice, one that enables the website to remain online without either costly upgrades, or the risks associated with running EOL PHP versions:
- TuxCare provides custom PHP packages with fixes for security issues affecting the EOL PHP versions. The TuxCare team goes to a lot of effort to develop and test patches for EOL PHP versions in a timely manner, aiming to provide patches for critical and high-risk vulnerabilities (CVSS 7+) within 14 days of the vulnerabilities being publicly disclosed.
- Plesk offers an extension that makes it easy to install those packages, and also to secure the websites running EOL PHP versions by switching them to secured PHP handlers of the same version.
TuxCare is a part of the CloudLinux family of brands. CloudLinux is a trusted vendor standing behind such products and services as the CloudLinux OS and KernelCare, and has been serving hosting providers for fifteen years.
Prerequisites
- The TuxCare Extended Lifecycle Support for PHP extension must be installed from the Extensions Catalog.
- A paid TuxCare Extended Lifecycle Support for PHP license must be purchased and installed in Plesk.
Note: A single license covers any number of websites, and allows access to the packages for all patched PHP versions supplied by TuxCare.
Challenges and Limitations
- TuxCare Extended Lifecycle Support for PHP provides security updates for PHP 5.6 and later EOL versions. Learn about the current support status of all PHP versions.
- TuxCare Extended Lifecycle Support for PHP only covers the PHP versions shipped by Plesk. It does not cover the PHP versions installed from the OS vendor’s repository.
Installing Secured PHP Versions
Before you can secure your websites, you need to install the PHP packages from TuxCare for one or more EOL PHP versions present on the server.
You can install the packages for some EOL PHP versions, but not for others. Installing the packages does not impact the websites in any way.
Note: TuxCare Extended Lifecycle Support for PHP is a paid extension. If your license expires, you will still be able to use the secured PHP versions you have installed, but will no longer have access to future updates with additional security fixes.
To install a secured PHP version:
- Log in to Plesk.
- In the navigation pane, click Extensions, and then go to the "My Extensions" tab.
- Find the "TuxCare Extended Lifecycle Support for PHP" extension, and then click Open.
- For each PHP version you want to secure, click [Install].
The installation should not take more than a few minutes. Once a secured PHP version has been installed, for every "outdated" PHP handler of that version, a "secured" PHP handler will be added. You can see the new PHP handlers on the Tools & Settings > PHP Settings page (under "General Settings").
Note: Keep in mind that installing a secured PHP version is not enough by itself. To secure websites, you need to manually switch them to secured PHP versions.
Securing Websites
Once a secured PHP version has been installed, you can start securing websites by switching them to the "secured" versions of PHP handlers.
Note: Secured PHP versions come with the same sets of handlers (for example, "FastCGI application" or "Dedicated FPM application") as the "outdated" (not secured) ones. Switching a website to the secured version of the same PHP version and handler should not affect it in any way other than removing security vulnerabilities.
To secure all websites running a specific EOL PHP version:
- Log in to Plesk.
- In the navigation pane, click Extensions, and then go to the "My Extensions" tab.
- Find the "TuxCare Extended Lifecycle Support for PHP" extension, and then click Open.
- Find the desired EOL PHP version, and then click [Switch].
Every website running that PHP version will be switched to the "secured" version of the same PHP version and handler.
To secure a specific website running an EOL PHP version:
- Log in to Plesk.
- In the navigation pane, click Websites & Domains.
- Find the website in question, and then click PHP (under "Dev Tools" on the "Dashboard" tab).
- Select the "Secured" PHP version from the drop-down list, and then click OK.
The website will be switched to the selected PHP version, keeping the same type of handler.
Reverting to Not Secured PHP Versions
If one or more websites experience issues after being secured, you can always revert to the original "outdated" (not secured) PHP versions. Note that doing so may put the websites at risk.
- To revert a specific website, change its PHP handler to the "outdated" handler of the same PHP version.
- To revert all websites running a specific EOL PHP version, on the extension’s page, click [Rollback].
Reconfiguring Secured PHP Versions
After making changes to the global PHP configuration (for example, editing the global php.ini file, installing new PECL or PEAR extensions, enabling or disabling PHP extensions, and so on), we strongly recommend that you manually reconfigure the secured PHP versions. Doing so ensures that both the "secured" and "outdated" (not secured) PHP versions are configured identically and behave in the same way.
To reconfigure all secured PHP versions:
- Log in to Plesk.
- In the navigation pane, click Extensions, and then go to the "My Extensions" tab.
- Find the "TuxCare Extended Lifecycle Support for PHP" extension, and then click Open.
- For every secured PHP version, click [Reconfigure].
Every website running a secured PHP version will adopt the changes made to the global PHP configuration.
Updating Secured PHP Versions
To keep your websites secure, the PHP packages from TuxCare must be kept up to date. Those packages can be updated like any other system package. The names of the PHP packages from TuxCare start with alt-php. You can see them in the Plesk System Updates tool interface.
The PHP packages from TuxCare can be updated either automatically or manually. To protect your websites using EOL PHP versions, we strongly recommend that you update the PHP packages from TuxCare automatically. You can do so, for example, by using the Plesk System Updates tool.
If you choose to update the PHP packages from TuxCare manually, you will need to keep track of the released updates. To do so, we recommend that you visit the official list of RSS feeds on the TuxCare website and subscribe to the feed(s) for the operating system(s) that are relevant to you.
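If you update manually, a scheduled check for pending alt-php updates helps you notice a missed release. The script below is an added example, not code from Plesk or TuxCare: it filters the output of `apt list --upgradable` or `yum check-update` for package names starting with alt-php. The function names, sample package names, versions and repository names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report pending updates for packages named alt-php*.
# All names and versions in SAMPLE_APT / SAMPLE_YUM are constructed.

SAMPLE_APT='Listing... Done
alt-php74-cli/stable 7.4.33-5 amd64 [upgradable from: 7.4.33-4]
openssl/stable 3.0.2-1 amd64 [upgradable from: 3.0.2-0]'

SAMPLE_YUM='Last metadata expiration check: 0:10:00 ago.

alt-php56.x86_64    5.6.40-10.el8    example-repo
bash.x86_64         5.1.8-6.el8      baseos'

# Read package-manager output on stdin and print "<package> <new-version>"
# for every package whose name starts with alt-php. Handles both
# apt lines (name/suite version arch [...]) and yum lines (name.arch version repo).
filter_alt_php() {
    awk '
        NF >= 2 {
            name = $1
            if (index(name, "/") > 0) sub(/\/.*$/, "", name)  # apt: drop "/suite"
            else sub(/\.[^.]+$/, "", name)                    # yum: drop ".arch"
            if (name ~ /^alt-php/) print name, $2
        }'
}

# Query the local package manager (uses its cached metadata on apt systems).
# Returns 0 when nothing is pending, 1 when alt-php updates are waiting.
check_alt_php_updates() {
    if command -v apt >/dev/null 2>&1; then
        pending=$(apt list --upgradable 2>/dev/null | filter_alt_php)
    else
        # yum exits with 100 when updates exist; that is not an error here
        pending=$(yum -q check-update 2>/dev/null | filter_alt_php)
    fi
    [ -z "$pending" ] && return 0
    printf 'Pending TuxCare PHP updates:\n%s\n' "$pending"
    return 1
}

# Demonstration on the constructed samples (no package manager needed).
printf '%s\n' "$SAMPLE_APT" | filter_alt_php
printf '%s\n' "$SAMPLE_YUM" | filter_alt_php
```

Calling `check_alt_php_updates` from a cron job and alerting on a non-zero exit status gives a simple reminder alongside the RSS feeds.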






