PHP 8.1: New Features!

PHP 8.1: New Features!

PHP 8.1 is the new PHP version released November 2021. This version comes with new features, performance improvements, and changes that will open more opportunities for PHP developers to work efficiently and more creatively.

There are over 20 new features, tons of changes, and several deprecations in PHP 8.1.

New features and improvements

PHP 8.1 continues the tradition of the previous versions and again brings a lot of new features and improvements. In the following, we present some of them in detail. An overview of all implemented features can be found here.

Available for HD Servers
PHP 8.1 is now available on all HDWEBPROVIDER shared, resellers and cloud servers and all clients can easily select it via the PHP Selector in cPanel. PHP 8.1 is the fastest version of PHP yet, which is why we recommend upgrading if your site is fully compatible with it. However, keep note that some plugins may not be compatible with the new version. Don’t forget to always check your website thoroughly after switching to a new PHP version.

Which applications and shop systems are compatible?

Here you will find more details on the (planned) compatibility of PHP 8.1 with common shop and CMS systems. We will provide you with the missing information as soon as it is available.

Magento 2 and PHP 8.1 According to the system requirements, Magento 2 will offer support for PHP 8.1 from the upcoming version 2.4.4. The release is announced for 08 March 2022.

Magento 1 and PHP 8.1 Due to the end-of-life of Magento 1, it cannot be assumed that there will be official support for PHP 8.1. Support for PHP 8.0 is currently being worked on as part of the Magento work “OpenMage Magento LTS”. Corresponding patches may also soon be available through the “Mage One” project. More about this in our FAQ.

Shopware 6 and PHP 8.1 Version 6.4.6.1, released on 24 November 2021, does not yet offer support for PHP 8.1. We firmly expect compatibility to be established with one of the following versions.

Shopware 5 and PHP 8.1 With the update to version 5.7.7, which was released on 05 January 2022, Shopware 5 is compatible with PHP 8.1.

WordPress / WooCommerce and PHP 8.1 WordPress and WooCommerce are currently not yet compatible with PHP 8.1. Since Automattic, the provider behind WordPress and WooCommerce, is also part of the newly founded PHP Foundation, support for PHP 8.1 will almost certainly follow soon.

TYPO3 and PHP 8.1 The current TYPO3 version v11.5.3, which was released on November 16, 2021, is already compatible with PHP 8.1.

EOL and roadmap of current PHP versions

Of course, you don’t have to switch to PHP 8.1 yet, but you should still take a look at the roadmap of current versions to plan your next steps. Some versions still receive unofficial security backports, which are also available on our clusters. However, we recommend using a current version if possible. In particular, the official support for PHP 7.3 will expire in a few days.

Version Security-Support
<= PHP 5.5 No more security updates
PHP 5.6 Unofficial security backports
PHP 7.0 Unofficial Security Backports
PHP 7.1 Unofficial Security Backports
PHP 7.2 Unofficial Security Backports
PHP 7.3 Official Security Support until 06.12.2021
PHP 7.4 Official Security Support until 28.11.2022
PHP 8.0 Official Security Support until 26.11.2023
PHP 8.1 Official Security Support until 25.11.2024
WordPress® Hardening: One-Click Security with cPanel

WordPress® Hardening: One-Click Security with cPanel

by cPanel: WordPress is far and away the most widely-used content management system on the web, but that popularity comes at a price. It’s also the most attacked CMS. Not because it’s un-secure, but because attackers know that a WordPress vulnerability is a gateway to tens of millions of websites.

As soon as a WordPress website goes online, automated bots begin to probe it for weaknesses. That’s why it’s critically important to security harden WordPress sites, ensuring that they have the smallest possible surface area for attackers to target.

Security hardening was once a long and complicated manual process, but WordPress Toolkit for cPanel  makes it a one-click affair. This article will explore some of the ways WordPress vulnerabilities are exploited and how WordPress Toolkit protects sites against many common attacks.

Common WordPress Vulnerabilities

Every vulnerability is unique, but most attacks against WordPress sites fall into one of four categories:

  • Brute force and dictionary attacks: Attackers attempt to guess security credentials such as usernames and passwords. Attacks of this type are carried out by bots that can quickly flood WordPress authentication systems with a deluge of login attempts.
  • Denial of Service (DOS) and Distributed Denial of Service (DDoS) attacks: Bad actors bombard sites and networks with requests and data, consuming resources, degrading performance, and potentially taking them offline. WordPress includes a system called XML-RPC, which is often used in denial of service attacks.
  • Core, plugin, and theme vulnerabilities: Bugs in code can be exploited to circumvent authentication systems, upload malicious code, or gain extra privileges.  Bad actors often look in a site’s files for clues about the sort of attack it is vulnerable to.
  • Code injection attacks: Running malicious code is a goal of many bad actors. They scour WordPress sites searching for vulnerabilities that will let them inject PHP, JavaScript, or SQL code.

WordPress Toolkit for cPanel implements features and security measures that protect sites against each of these attack types.

Security Hardening with WordPress Toolkit for cPanel

cPanel’s WordPress Toolkit is a complete WordPress management solution with an intuitive interface. You can think of it as a single dashboard for controlling all of your WordPress sites. It automates WordPress hosting tasks, including installation, updates, and backups. It also surfaces configuration tweaks that you’d otherwise have to dig around in the admin interface or edit configuration files to change.

WordPress security hardening is one of the places where WordPress Toolkit really shines. First, it applies fixes for critical vulnerabilities during installation, so sites are secure before they go online. Second, it scans existing sites for suboptimal security settings and can fix them at the click of a button.

We’ll have a look at some of the security fixes it applies in a moment, but first, we’ll show you just how easy it is to security harden a WordPress site with cPanel.

To use one-click hardening, you will need:

  • A cPanel instance with WordPress Toolkit installed
  • A WordPress Toolkit Deluxe license.

You can find the WordPress Toolkit in Applications on cPanel’s main page. Sites are listed on the overview page with status information and configuration switches.

Second Log4j vulnerability discovered, patch already released

Second Log4j vulnerability discovered, patch already released

After the disastrous Log4j vulnerability disrupted the online world, another vulnerability surfaced online.

The Log4j vulnerability has become one of the largest security issues we’ve seen in recent times. With the level of attention now being focused on this problem both by attackers and defenders, it’s likely that we’ll see further information and possible vulnerabilities.

A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228. The description of the new vulnerability, CVE 2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was “incomplete in certain non-default configurations.”

“This could allow attackers… to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack,” the CVE description says.

In the aftermath of the immediate response, companies should carefully consider how they can manage this type of risk strategically. Improving detection of software versions and using software supply chain security tools are good examples of defense-in-depth security measures that can provide short-term mitigations. Using these tools gives IT departments the time needed to coordinate comprehensive patching and testing of their software systems in a safe and controlled fashion.

It turns out that the first patch was ‘incomplete’, and therefore, another Apache Log4j version has been released. Second Apache Log4j Bug Found Reportedly, Apache has released another major update for its Log4j code library addressing a serious bug. Identified as CVE-2021-45046, this vulnerability appeared following an incomplete patch of the (now infamous) Log4Shell flaw (CVE-2021-44228). As stated in the vulnerability description, It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.

Log4j

Log4j

Log4j is a Java library that adds a drop-in functionality to many online software products. For an end user it’s not something they would generally download and use. It’s a Java library that would be included as part of the software. Because of that, end users aren’t generally aware if the software they use contain the vulnerability. The log4j vulnerability is rated at 10 on a scale of 1 to 10, with 10 representing the most dangerous level of vulnerability.

The popular cPanel web hosting server control panel software recently issued a patch to fix a critical flaw in the log4j Java library discovered in part of the software used for email. The vulnerability itself is named, Log4Shell.

Internal Update
Our team is currently investigating CVE-2021-44228, a critical vulnerability that’s affecting a Java logging package log4j which is used in a significant amount of software, including Apache, Apple iCloud, Steam, Minecraft and others. Our security team is actively monitoring the effects of this vulnerability.

At this point, we have not identified an impact to the HDWEBPROVIDER Platform, but our teams are monitoring activities to ensure all instances of our back-end are safe and will be taking appropriate action as needed.

The only cPanel service affected by the log4j vulnerability was the Dovecot Solr cPanel plugin which we are NOT using our servers. We already did not recommend that plugin because of its higher resource usage for no real benefits to IMAP searches. 

Status:
cPanel has already put out a patch for this as of Friday and our servers and cloud network is fully secured against this vulnerability.