The Joomlashack Blog

Move to a Safer PHP Version for Joomla 3

Written by Valentín García Valentín García
Published: 21 December 2015 21 December 2015
How to Move to a Safer PHP version for Joomla 3

Joomla has just released 3.4.7, a new update which specifically targeted people on old, out-of-date PHP versions.

If you are impacted by this security issue, then you really need to talk to your hosting company. They have you on an old and insecure version of PHP.

I'm going share some tips to keep your Joomla site secure before and after the release of Joomla 3.4.7.

Recommended PHP versions

These are the recommended minimum versions for Joomla 3:

  • 5.4.45 or newer
  • 5.5.29 or newer
  • 5.6.13 or newer

For example, if you're using PHP 5.4 series, be sure your version is 5.4.45 or newer to keep your site protected.

Check your PHP version

In your Joomla administrator, go to:

  • System > System information.
  • Check PHP Version.

In this example, I am on 5.5.14 which is out-of-date. I need my hosting company to update to PHP 5.5.29 or higher.

Joomla 3.4.7

Switch PHP version on shared hosting

This step depends on your hosting provider. If you're in a shared hosting such as Arvixe, login to cPanel and look for the "PHP selector" icon:

Joomla 3.4.7

Choose a newer version from the list, and click the "Set" button:

Joomla 3.4.7

Repeat the previous step to confirm the new PHP version matches Joomla's official recommendations.

Contact to your hosting provider

If you don't find a way to move to a safer PHP version using cPanel, ask your hosting provider so they can do it for you.

Update to Joomla 3.4.7

In addition to updating your PHP version, don't forget to update Joomla.

  • Go to Components > Joomla Update.
  • Update to Joomla 3.4.7.

Joomla 2.5 and 1.5 security patches

The Joomla Security Strike Team has issued patches for Joomla versions 1.5 and 2.5. You can download them from this link.

You can update using the same technique described here.

Backwards compatiblity for extensions

The Joomla Security Strike Team offered this advice for developers:

The update may effect your extension(s) if you are using $_SESSION to read or write data shared with the Joomla core or other extensions.

Extensions using $_SESSION should be adjusted to use JSession instead of $_SESSION directly.