An article posted today on arstechnica.com looks at a well-known and fixed vulnerability in PHP that is still being used to hijack sites. See
PHP bug allowing site hijacking still menaces Internet 22 months on

PHP versions prior to 5.3.12 and 5.4.2 are vulnerable. The Imperva blog post said that an estimated 16 percent of public websites are running a vulnerable version. People running susceptible versions should upgrade right away. Readers who visit vulnerable sites should notify the operators of the risk their site poses.

Of course, that 16% estimate should be taken with a grain of salt, since the exploit depends on calling PHP via the common gateway interface (CGI). Many sites on apache run it via mod_php. Other web servers, like nginx, use the newer FCGI or FPM to execute PHP. CGI seems to be common in shared hosting setups or those that use web based admin panels to handle server configuration.

If you are using version 5.3 its long past time to upgrade. Not only are you missing new language features like traits and short array syntax, but 5.4 had changes under the hood that improved performance by about 20% and also trimmed memory usage. Before you embark on an upgrade, be sure to read up on the backward incompatiblity changes in 5.4.

If you’re ready to make the leap to 5.5, you can read up on BC breaks here. If you need more details and advice, the March issue of php[architect] has a deep dive into the new features, and advice on how to put them to use today. We also have a look at the future of PHP by previewing what’s coming with the release of 5.6.

What if you are using an older distributions of linux, or those that are just slow in bundling the latest in their package repositories? I’ve used dotdeb.org to get newest version of PHP (and more) on Debian servers. Webtatic.com and other sources are available for CentOS.