Notorious ransomware groups typically don't need sophisticated exploits to break into corporate or e-commerce platforms. They don't have to, because many businesses still run their websites on outdated PHP versions and on long-abandoned CMS plugins with publicly documented vulnerabilities. In this article, we'll explain why legacy code is the easiest entry point for ransomware operators, how these attacks unfold, and how to prevent them.
What makes legacy PHP and outdated plugins perfect targets for attacks?
Ever since 1995, PHP has been the backbone of millions of web projects. According to W3Techs, it is the primary server-side programming language on 72.9% of all websites whose server-side language is known. And most importantly, the most widely used CMSs – WordPress, Drupal, Joomla, Magento – are written in it.
The problem is that PHP versions (the current one is PHP 8.5) have lifecycles. Once a version reaches its end of life, it stops receiving security patches. From then on, any newly discovered vulnerability in that version is permanent… and publicly documented, in the CVE list, in exploit databases, and in the release notes of the versions that did get the fix. Such databases were designed with security teams in mind: they help defenders communicate and prioritise threats. But they also hand criminals a roadmap, because a CVE that says "fixed in 8.2.x" is also a list of every site still running 8.1.
Stale plugins present an equally serious issue. Whether your site is based on Drupal, WordPress, or Magento, plugins and modules are the building blocks that make it function. Unfortunately, many site owners install a plugin to address an immediate need and then simply forget about it.
That is a considerable risk, because plugins have vulnerabilities, even when they are developed by large teams. The difference is what happens next: a maintained plugin gets a patch, an abandoned one never does. And even when a patch exists, if you don't install it you are running software with a documented security hole… and, as mentioned above, attackers know precisely where to look for it.
How does a ransomware attack unfold?
Let’s walk through what actually happens when a ransomware attack targets a website.
Phase 1: reconnaissance and vulnerability scanning
It's worth noting that attackers don't start by targeting your website specifically. Instead, they run automated scans across thousands of sites looking for visible weaknesses. The fingerprints are easy to read: the PHP version is often announced in the X-Powered-By response header (sent unless expose_php is switched off in php.ini), and plugin names and versions can be read from publicly accessible files such as a WordPress plugin's readme.txt or the "?ver=" query strings on the scripts and stylesheets it loads. If your website is running PHP 7.4 and has three plugins that haven't been updated in over a year, it will appear on their radar.
Phase 2: initial compromise
Now the attackers focus on your site. Let's say one of your stale plugins is an abandoned contact-form add-on whose attachment upload never checks what it receives. The attacker submits a PHP script as an "attachment"; it is stored in a web-accessible directory under its original name, and a single request to that URL executes it. That uploaded script is a web shell: a remote command prompt on your server, running with the permissions of the web server user.
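To make the flaw concrete, here is an added example (not code from the article or from any real plugin) of the upload pattern that turns a contact form into a web shell dropper, next to a hardened version of the same handler. The form field name "attachment", the directory names, the size limit and the PDF/JPEG/PNG allow list are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article or from any real plugin.
// Assumptions: the form field is named "attachment", only PDF/JPEG/PNG
// attachments are wanted, and the web server is configured so that nothing
// under the upload directory is ever executed as PHP.

const UPLOAD_DIR = __DIR__ . '/../private_uploads'; // outside the web root (assumed layout)
const MAX_BYTES  = 5 * 1024 * 1024;
// extension => MIME type the file CONTENT must actually have
const ALLOWED = [
    'pdf' => 'application/pdf',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];

/**
 * The pattern behind the attack described above: the file is stored under the
 * web root with the client-supplied name, so "resume.php" becomes a web shell
 * reachable at /uploads/resume.php. Kept here only to show the difference.
 */
function storeAttachmentVulnerable(array $file): string
{
    $dest = __DIR__ . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

/**
 * Hardened handler: returns the stored path, throws on any policy violation.
 */
function storeAttachmentHardened(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Extension comes from the client name and must be on the allow list.
    // $file['type'] is NOT consulted: the client chooses it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Content sniffing: the bytes must match the claimed type, so a PHP
    // script renamed to .jpg is rejected here (libmagic reports text/x-php).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Server-chosen random name: the client never controls the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $dest;
}

if (PHP_SAPI !== 'cli' && isset($_FILES['attachment'])) {
    try {
        storeAttachmentHardened($_FILES['attachment']);
        echo 'Thanks, your attachment was received.';
    } catch (RuntimeException $e) {
        http_response_code(400);
        error_log('attachment rejected: ' . $e->getMessage()); // detail stays server-side
        echo 'Attachment rejected.';
    }
}
```

Two caveats a reviewer would raise. First, content sniffing is not a complete defence: a file that is a valid PNG with PHP code appended passes the finfo check, which is why the stored path must be one the web server refuses to execute (for nginx, a "location ~* ^/uploads/.*\.php$ { deny all; }" block placed before the generic PHP location; for Apache with mod_php, "php_flag engine off" in the directory). Second, the hardened version is only as good as the version of the plugin you actually run; the whole point of the article is that the abandoned one never gets this fix.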
Phase 3: privilege escalation and persistence
With the web shell in place, the attackers have a foothold; the rest of this phase is about widening it. The shell runs as the web server user, so the usual first stop is the CMS configuration file (wp-config.php, settings.php, env.php), which hands over the database credentials. From there it is a short step to creating an administrator account in the CMS or dropping a second backdoor file somewhere innocuous, so that access survives even if the vulnerable plugin is later removed. If the web server user can also write to the site's own code, every PHP file on the server is a potential hiding place.
Phase 4: ransomware deployment
When the attackers are ready, they deploy the ransomware payload. This is typically a script that systematically encrypts your files: website code, database dumps, uploaded content, everything the web server user can reach. That last point matters: if your backups sit on the same server, or in a location the web server can write to, they are encrypted along with everything else.
Phase 5: the aftermath
You discover the attack when you try to access your website, or when a customer emails you asking why your site is down. Either way, you are now facing a decision: pay the ransom (with no guarantee you will get your data back), restore from backups (if you have clean, uncompromised ones), or rebuild from scratch.
To put a number on it: according to Coveware's reporting, the average ransom payment in 2024 was $553,959.
A practical self-assessment – is your website at risk?
Every phase of that chain relies on something proper maintenance would have removed. That's why we prepared a practical checklist to help you identify red flags: the issues that make your site a target for automated ransomware attacks.
Check your PHP version. Log in to your hosting control panel and locate the PHP version your site runs on (or run "php -v" on the server, making sure it is the same binary the web server uses). Anything older than PHP 8.2 no longer receives security fixes (PHP 8.1's security support ends on 31 December 2025) and needs to be updated urgently. PHP 8.2 itself reaches end of life on 31 December 2026, so plan that upgrade too; PHP 8.3 or higher is where you want to be.
Conduct a thorough plugin audit. Pay attention to anything that has not been updated in the last 12 months. Also, verify that each plugin is still actively maintained by checking its official page or repository. Any add-ons that have been abandoned by their developers should be removed, and the rest updated to their latest versions. Take a moment to pinpoint plugins your website is not actually using… and delete them too. Every plugin you remove is code an attacker can no longer exploit, and usually a little less work for the server on every request.
Review user accounts and their permissions. List all user accounts with access to your website admin panel and remove those belonging to unrecognised users, former employees, or contractors. Ensure each user has the minimum permission level needed for their role. Remember: after compromising a vulnerability and deploying a web shell, attackers often add or take over an administrator account, so an unexplained account is a sign worth investigating, not just a housekeeping issue.
Verify your backup and recovery options in case of a successful ransomware attack. Confirm automated backups are running on schedule and are stored separately from your primary server, somewhere the web server user cannot write to. It's worth getting acquainted with the 3-2-1 backup rule (three copies, on two different media, one of them off-site). And if you can afford it, test a complete restoration in a staging environment to make sure the backups actually work.
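The first two checklist items can be automated. The script below is an added example, not something the article or WordPress ships: a CLI audit that reports whether the running PHP branch is still in security support and flags plugins that look stale. It assumes a WordPress layout (plugins under wp-content/plugins/<slug>/, a "Version:" header in the plugin's main file and a "Tested up to:" line in its readme.txt, which are the wordpress.org conventions), and that you run it with the same PHP binary the site uses. The end-of-support dates are taken from php.net at the time of writing; verify them before relying on the table.

```php
<?php
declare(strict_types=1);
// Added example, not code from the article or from WordPress.
// Usage (assumed): php site-audit.php /var/www/html 6.9
//   argv[1] = site root, argv[2] = the current WordPress release to compare against.

// Security-support end dates per php.net/supported-versions at the time of writing.
const PHP_SECURITY_EOL = [
    '7.4' => '2022-11-28', '8.0' => '2023-11-26', '8.1' => '2025-12-31',
    '8.2' => '2026-12-31', '8.3' => '2027-12-31', '8.4' => '2028-12-31',
    '8.5' => '2029-12-31',
];

function phpBranchStatus(string $version, string $today): string
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (!array_key_exists($branch, PHP_SECURITY_EOL)) {
        return version_compare($branch, '7.4', '<') ? 'END OF LIFE: migrate now' : 'not in table, check php.net';
    }
    $eol  = PHP_SECURITY_EOL[$branch];
    $days = (int) floor((strtotime($eol) - strtotime($today)) / 86400);
    if ($days < 0)   return "END OF LIFE since $eol: migrate now";
    if ($days < 180) return "supported, but security fixes stop on $eol ($days days left)";
    return "supported, security fixes until $eol";
}

/** Pull "Key: value" lines out of a plugin header comment or a readme.txt. */
function headerFields(string $path, array $keys): array
{
    $out  = [];
    $text = is_file($path) ? (string) file_get_contents($path, false, null, 0, 8192) : '';
    foreach ($keys as $key) {
        if (preg_match('/^[ \t\/*#]*' . preg_quote($key, '/') . ':[ \t]*(.+)$/mi', $text, $m)) {
            $out[$key] = trim($m[1]);
        }
    }
    return $out;
}

/** Newest modification time of any file under $dir: a cheap "last updated" proxy. */
function newestMtime(string $dir): int
{
    $newest = 0;
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $f) {
        $newest = max($newest, $f->getMTime());
    }
    return $newest;
}

function auditPlugins(string $pluginsDir, string $currentWp, int $now): array
{
    $report = [];
    foreach (glob($pluginsDir . '/*', GLOB_ONLYDIR) ?: [] as $dir) {
        $info = [];
        foreach (glob($dir . '/*.php') ?: [] as $php) {   // find the main plugin file
            $info = headerFields($php, ['Plugin Name', 'Version', 'Requires PHP']);
            if (isset($info['Plugin Name'])) break;
        }
        $readme = headerFields($dir . '/readme.txt', ['Tested up to']);
        $flags  = [];
        $ageDays = (int) floor(($now - newestMtime($dir)) / 86400);
        if ($ageDays > 365) {
            $flags[] = "no file changed in $ageDays days";
        }
        if (!isset($readme['Tested up to'])) {
            $flags[] = 'no "Tested up to" in readme.txt: probably not from wordpress.org, confirm who maintains it';
        } elseif (version_compare($readme['Tested up to'], $currentWp, '<')) {
            $flags[] = 'last release tested only up to WordPress ' . $readme['Tested up to'];
        }
        if (isset($info['Requires PHP']) && version_compare(PHP_VERSION, $info['Requires PHP'], '<')) {
            $flags[] = 'requires PHP ' . $info['Requires PHP'] . ', server runs ' . PHP_VERSION;
        }
        $report[basename($dir)] = ['version' => $info['Version'] ?? '?', 'flags' => $flags];
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? '.';
    $wp   = $argv[2] ?? '0';
    echo 'PHP ', PHP_VERSION, ': ', phpBranchStatus(PHP_VERSION, date('Y-m-d')), PHP_EOL;
    foreach (auditPlugins($root . '/wp-content/plugins', $wp, time()) as $slug => $row) {
        printf("%-32s %-10s %s\n", $slug, $row['version'], $row['flags'] ? implode('; ', $row['flags']) : 'ok');
    }
}
```

The modification-time check is deliberately a heuristic: it catches plugins nobody has touched in a year, which is the "older than 12 months" red flag above, but it cannot tell an abandoned plugin from a stable one that simply had nothing to fix. Treat a flagged row as a prompt to look at the plugin's repository, not as a verdict.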
Website security is always an ongoing process
If there's one lesson to take away, it's that the only reliable defence against this kind of ransomware attack is regular maintenance. Keeping your PHP version supported and your modules up to date is essential. Attackers never wait for the best moment; they scan the web around the clock, looking for sites that have fallen even a few weeks behind on updates.
Of course, not every business has the resources to handle that in-house. If that is your situation, outsourcing your website's security processes might be the best way forward. Check out smartbees.co (https://smartbees.co/) and see how a team of experienced specialists can help you migrate off legacy PHP versions or take over the ongoing maintenance of your CMS environment.

