🤖 Overview

PHP Version Tracker is a legitimate web crawler operated by the open‑source project PHP Version Tracker (hosted on GitHub at github.com/phpversiontracker/php-version-tracker), which aggregates statistics on PHP version usage across the public internet. Its primary purpose is to provide community‑driven insights into PHP adoption rates, security patch levels, and end‑of‑life distributions, helping developers and system administrators identify outdated deployments. The project is maintained by a group of volunteer security researchers and PHP core contributors.

🌐 Technical Behavior

The crawler systematically probes target websites by requesting known PHP information‑disclosure endpoints, such as /phpinfo.php, /info.php, /test.php, and /p.php, and also inspects HTTP response headers like X‑Powered‑By, Server, and Set‑Cookie for version‑specific fingerprints. Each request includes a randomly generated delay between 5 and 15 seconds to avoid overwhelming servers, and the bot limits concurrent connections to two per domain. It operates exclusively over IPv4 addresses drawn from the project’s hosting provider (DigitalOcean AS14061), and respects HTTP/1.1 keep‑alive while ignoring JavaScript and CSS resources. The crawler does not follow internal links beyond the initial homepage; it targets only a predefined set of paths known to reveal PHP metadata.

📋 robots.txt Compliance

As documented in the project’s README (github.com/phpversiontracker/php-version-tracker#readme), PHP Version Tracker fully complies with the Robots Exclusion Protocol. It caches robots.txt files and respects all disallow directives, pausing any path that is prohibited. Additionally, the bot automatically ceases crawling a domain for 24 hours if it receives a 429 Too Many Requests or 503 Service Unavailable response, demonstrating proactive obedience to server‑side rate limits.

🔍 Detection Indicators

The primary User‑Agent string is PHPVersionTracker/2.0 (compatible; +https://phpversiontracker.net/bot). Secondary variants include PHP‑Version‑Tracker/1.1 and PHPTracker/0.9. Behavioral fingerprints include a sequence of requests to version‑disclosure URLs immediately after the home page, with a distinct pattern of head requests followed by full GET requests. No custom headers beyond the standard Accept, User‑Agent, and Connection fields are present. The bot’s IP addresses are publicly listed in the project’s DNS TXT record at _ua.phpversiontracker.net.

📊 Data Usage

Collected PHP version data is aggregated into anonymised, publicly accessible dashboards at phpversiontracker.net/stats, showing global usage percentages for each PHP major and minor release. The data is used by the PHP Group to guide end‑of‑life timelines, by hosting providers to plan upgrade campaigns, and by security researchers to identify widespread exposure to unpatched vulnerabilities (e.g., CVE‑2023‑3247). No personal or content data is stored; only server software versions, response codes, and timestamps are retained for statistical analysis.

⚙️ Rate Limiting Policy

PHP Version Tracker is a legitimate, non‑malicious crawler, but its request volume across large server farms can still strain resources, especially on shared or low‑capacity environments. A sensible rate‑limiting policy is to allow 15 requests per minute per IP and trigger a 429 status after 40 requests in a 5‑minute sliding window, which the bot will honour and back off, ensuring fair use without permanent blocking.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.