Securing PHP

PHP is one of the most popular applications that run on Linux and Windows servers today. It’s also one of the main sources for servers and user accounts getting compromised. If a secure server is one of your priorities, you can do the basic PHP security hardening as given below.

1. First, you want to figure out how you can edit php.ini This is the main configuration file for PHP. You can find it by logging into shell and typing in the following:

php -i |grep php.ini

2. Turn on safe_mode

Safe mode is an easy way to lock down the security and functions you can use. PHP.net explains php safe_mode as, “The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren’t very realistic, many people, especially ISP’s, use safe mode for now.”

3. Disable Dangerous PHP Functions

Search the php.ini file for:

disable_functions = 

Add the following:

disable_functions = dl,system,exec,passthru,shell_exec

4. Turn off Register Globals

Register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn’t require variable initialization means writing insecure code is that much easier.

register_globals = On

Replace it with

register_globals = Off

5. Run PHP through PHPsuexec Preventing Nobody Access

For this you will need to recompile PHP with suexec. On cPanel /scripts/easyapach has this build in.

Wish you a Secure hosting !!