This article explains what HardenedPHP is, why it matters for your website's security, and how it fits into the multi-layer protection stack on every HOSTDOG server — alongside Imunify360 and ModSecurity WAF.
What is HardenedPHP
HardenedPHP is a security technology by CloudLinux that backports security patches to older PHP versions that have reached their official end-of-life. When the PHP development team stops releasing security updates for a version (e.g. PHP 7.4, PHP 8.0), any newly discovered vulnerabilities in that version remain unpatched — unless the hosting environment uses HardenedPHP.
HardenedPHP applies critical security fixes to these older versions, closing known vulnerabilities without changing the PHP version number or breaking application compatibility. Your website continues to run on the same PHP version it was built for, but with up-to-date security patches applied.
Why PHP version matters for security
PHP is the scripting language that powers most websites — including WordPress, Joomla, Drupal, and many custom applications. Like any software, PHP has security vulnerabilities discovered over time. The PHP project maintains security updates only for actively supported versions.
When a PHP version reaches end-of-life:
- No more security patches are released by the PHP development team
- New vulnerabilities remain open, making sites running that version a target
- Attackers specifically scan for servers running outdated PHP versions
Many websites cannot immediately upgrade to the latest PHP version because their CMS, plugins, or custom code are not yet compatible. HardenedPHP bridges this gap by providing security coverage while you plan your upgrade.
How HardenedPHP works on HOSTDOG
HardenedPHP is active on all HOSTDOG shared hosting servers as part of the CloudLinux operating system. It works automatically and transparently:
- No configuration needed: HardenedPHP is enabled server-wide. Every PHP version available on your hosting account benefits from it.
- No code changes required: The patches are applied at the PHP engine level. Your application code, plugins, and themes continue to work exactly as before.
- Continuous updates: When new CVEs (Common Vulnerabilities and Exposures) are published for supported PHP versions, CloudLinux releases HardenedPHP patches — often within hours.
Which PHP versions are covered
HardenedPHP provides security patches for PHP versions going back several years. The exact list of supported versions is maintained by CloudLinux and updated as new versions are added or very old versions are retired.
On HOSTDOG servers, you can select from multiple PHP versions through the PHP Selector in your control panel. All available versions — whether current or end-of-life — receive HardenedPHP patches.
HardenedPHP in the HOSTDOG security stack
HardenedPHP is one of three server-level security technologies that protect your HOSTDOG-hosted website:
| Layer | Technology | Protection |
|---|---|---|
| Network/request | ModSecurity WAF | Filters malicious HTTP requests (SQL injection, XSS, etc.) |
| Application/file | Imunify360 | Real-time malware scanning, proactive defence, automated cleanup |
| PHP engine | HardenedPHP | Patches PHP vulnerabilities at the runtime level |
These three layers work together to create defence in depth — even if one layer misses a threat, the others can catch it.
Frequently asked questions
No. HardenedPHP is active by default on all HOSTDOG servers. There is no toggle or setting to configure — it works automatically for every PHP version available on your hosting account.
No. HardenedPHP is a safety net, not a long-term substitute for upgrading. Newer PHP versions include performance improvements, new features, and better security architecture. Plan to upgrade your application to a supported PHP version when your CMS and plugins are compatible.
No. HardenedPHP patches only fix security vulnerabilities — they do not change PHP behaviour or functionality. Your application code continues to work exactly as it did before the patches were applied.