New WordPress host running old Apache HTTP

aknewhope asked:

My employer recently had me help move our static web site to a new WordPress host. The new host claims to be super up to date on everything. When requesting anything from the site and inspecting headers, I see “Server: Apache/1.3.42 (Unix) mod_gzip/ mod_log_bytes/1.2 mod_bwlimited/1.4 mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5”. Should I be concerned about this old version of Apache?

My answer:

Apache 1.3 is hardly up to date.

First released in 1998, it was superseded by Apache 2.0 in 2002, 11 years ago. Since that time it has received security and critical bug fixes, and went end of life in 2010 with the 1.3.42 release that you have there. It has one known post-EOL vulnerability for which a release was never made.

It’s quite surprising that any web host would still be running it, since 2.0 and later versions have better performance out of the box, and far, far better once they’re reasonably tuned. Not to mention all the various features that 1.3 never had and never will because, well, it’s ancient.

The irony there is that that seems to be an EL5 system, and EL5 came with Apache 2.2. So your web host intentionally and inexplicably downgraded it.

In short, run away.

View the full question and any other answers on Server Fault.
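The check described in the answer, reading the `Server` header and recognizing an end-of-life branch, can be automated. The following is an added example, not part of the original question or answer; the function names and the `EOL_BRANCHES` table are hypothetical, and the table holds only the one fact the answer states (Apache 1.3, end of life in 2010).

```python
import re

# Branches treated as end-of-life. Assumption: only the entry the answer
# states is listed (Apache 1.3, EOL 2010); extend it from your own vendor data.
EOL_BRANCHES = {("apache", "1.3"): 2010}

# product[/version] tokens; the version may be empty, as in "mod_gzip/".
TOKEN_RE = re.compile(r"([A-Za-z0-9_.+-]+)(?:/([^\s()]*))?")

def parse_server_header(value):
    """Split a Server header into (product, version) pairs, skipping (comments)."""
    without_comments = re.sub(r"\([^)]*\)", " ", value)
    return [(m.group(1), m.group(2) or None)
            for m in TOKEN_RE.finditer(without_comments)]

def branch_of(version):
    """Return 'major.minor' from a version string, or None if it has none."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    return f"{m.group(1)}.{m.group(2)}" if m else None

def audit_banner(value):
    """Return findings: EOL branches and distro build hints seen in the banner."""
    findings = []
    for product, version in parse_server_header(value):
        eol_year = EOL_BRANCHES.get((product.lower(), branch_of(version)))
        if eol_year:
            findings.append(f"{product} {version}: branch end-of-life since {eol_year}")
        # A suffix such as "-rhel5" points at the distribution the build came from.
        hint = re.search(r"-(rhel\d+)$", version or "")
        if hint:
            findings.append(f"{product} {version}: distro build hint '{hint.group(1)}'")
    return findings

# The Server header quoted in the question.
BANNER = ("Apache/1.3.42 (Unix) mod_gzip/ mod_log_bytes/1.2 mod_bwlimited/1.4 "
          "mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5")

if __name__ == "__main__":
    for line in audit_banner(BANNER):
        print(line)
```

A `Server` header is whatever the server is configured to send, and distribution packages backport fixes without changing the upstream version number, so a finding here is a lead to confirm with the host rather than proof on its own.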

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.