PHP 5.3.28 is an older version of PHP, a popular web programming language used to power websites and applications worldwide. Recently, security researchers discovered a critical vulnerability in this version that puts thousands of websites at serious risk. If your site still uses PHP 5.3.28, attackers could exploit this flaw to gain unauthorized access to your server. In this guide, we'll explain the vulnerability in simple terms and show you exactly how to protect your website.
The vulnerability, identified as CVE-2013-6420, specifically affects how PHP handles SSL/TLS security certificates. These certificates are the padlock icons you see in your browser's address bar that prove a website is secure. When PHP 5.3.28 incorrectly reads certificate dates, attackers can bypass security checks and potentially execute malicious code on your server.
What is Php 5.3.28?
PHP 5.3.28 is an older version of PHP released before more secure versions became standard. PHP is the programming language that powers roughly 77% of all websites on the internet, including WordPress, Drupal, and countless custom-built sites. Like all software, older versions of PHP eventually have security issues discovered in them, which is why keeping your software updated is crucial for website safety.
When website developers don't update to newer PHP versions, they leave their sites vulnerable to known attacks. PHP 5.3.28 stopped receiving official security updates years ago, meaning any vulnerabilities discovered won't be patched by the PHP development team. This is why running this version today is like leaving your front door unlocked—it's just a matter of time before someone finds and exploits the problem.
Key Vulnerabilities in Php 5.3.28
1 CVEs found. The most critical are explained below.
HIGHCVE-2013-64207.5/10 · CVSS v2
⏱ Immediate
SSL Certificate Validation Bypass
PHP has a flaw in how it reads expiration dates from SSL certificates used to secure connections. This means your website might accept certificates that have already expired or aren't valid yet, potentially allowing hackers to impersonate legitimate websites.
Impact: An attacker could intercept encrypted connections to your website or services your website connects to, stealing customer data, login credentials, or injecting malicious content without detection.
1Log into your web hosting control panel (cPanel, Plesk, or your host's dashboard)
2Look for a 'PHP Version' or 'Software' section in your hosting settings
3Check if your current PHP version displays as '5.3.28' or any 5.3.x version
4If unsure, create a simple file with <?php phpinfo(); ?> and upload it to your site to see your exact version
How to Fix These Vulnerabilities
1Back up your entire website and database immediately using your hosting control panel's backup feature
2Contact your web hosting provider and request to upgrade PHP to version 7.4 or higher (ideally 8.1+)
3If you host your own server, download the latest PHP version from php.net and follow their installation guide
4After upgrading, test your website thoroughly on a staging site first before going live to ensure compatibility
5Update all plugins, themes, and extensions to their latest versions to ensure they work with the new PHP version
Conclusion
Running PHP 5.3.28 puts your website and your visitors' data at serious risk. The CVE-2013-6420 vulnerability allows attackers to manipulate SSL certificates and potentially take over your server completely. With 308 websites still using this outdated version, you could be next. The good news is that upgrading to a modern PHP version is relatively straightforward and takes just minutes.
Don't wait for a breach to happen. Use SiteRecipe.com's comprehensive security scanning tools to identify all vulnerabilities on your site, including outdated software versions and dangerous misconfigurations. Our platform provides actionable recommendations and automated reports that make fixing security issues simple, even for non-technical users. Start your free security audit today at SiteRecipe.com and sleep better knowing your website is protected.
Frequently Asked Questions
What exactly can attackers do if they exploit CVE-2013-6420?
Attackers can bypass SSL/TLS certificate validation checks, allowing them to perform man-in-the-middle attacks and potentially execute arbitrary code on your server. This gives them complete control over your website, your data, and potentially your visitors' information. They could steal customer data, install malware, or use your server to launch attacks on other websites.
Will upgrading PHP break my website?
Most modern websites upgrade from PHP 5.3 to 7.4+ without major issues, especially if they're built on WordPress or other popular platforms. However, very old custom code might need updates. That's why testing on a staging environment first is essential. Your hosting provider can usually help you troubleshoot any compatibility issues before going live.
Is PHP 5.3.28 still receiving security patches?
No, PHP 5.3 reached end-of-life in August 2014 and no longer receives any security updates from the official PHP development team. This means new vulnerabilities will never be patched, making it extremely dangerous to run in production. All supported PHP versions (7.4+) receive regular security updates.
How long does it take to upgrade PHP?
The actual upgrade typically takes 5-15 minutes through your hosting control panel. Testing your site afterward might take longer depending on complexity, but most sites are fully functional immediately after upgrade. Your hosting provider can usually complete the upgrade with a single click in their control panel.
Generate white-label reports for your clients
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.
DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability
Database (NVD) maintained by NIST. Detection of a technology version does not confirm active
exploitation on any specific website. For informational purposes only.
SiteRecipe is not responsible for actions taken based on this report.
Always consult a qualified security professional.