Menu
01101110 01100101 01110100 01110111 01101111 01110010 01101011 01100001 01100100 01101101 01101001 01101110 01110100 01101111 01101111 01101100 01110011 00001101 00001010

Background

Manage Engine

Our readers provide the funding for our platform, and we may receive a commission when you make a purchase using the links on our site.

Securing PHP

/ September 29, 2016 — Security

Average User Rating

    The first step to secure PHP is from the system perspective. Only provide what you have to. Of course, the code needs to be secure as well by using proper input validation, encryption, etc., but as systems administrators, we can head off some problems. First off, you can view a complete rundown of your current configuration by using a PHP script with these lines:

    <?php
phpinfo(); 
?>

    Please don’t call this phpinfo.php, OK? Do a search on phpinfo.php sometime. There is a lot of discussion about whether or not this is a security risk. Well, I absolutely do consider it a security risk to leave a PHP file with the above lines in it, so simply don’t do it, OK? Even if you don’t call it phpinfo.php, take it down when you are done, or put it in a secure directory at least. Better still, disable the feature using disable_functions when you aren’t using it. Just save the current PHP configuration to a file and store it someplace that isn’t accessible to others and disable it. If you leave phpinfo enabled and use some file other than phpinfo.php, it can still be found. It is pretty trivial to figure out that if you search for a couple specific terms, that you will find the PHP test page that somebody created and forgot about. Consider using safe mode. Just set:

    ; Safe Mode
;
safe_mode = On

    in php.ini and restart your webserver to use this. You can verify whether safe mode is enabled using the above phpinfo technique. Another item to consider is the disable_functions directive. For instance, you could set this:

    disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,
proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"

    Note that this list disables phpinfo as well as others. There is some overlap, here, with functions limited by safe mode. Be careful that you don’t break any features you need, of course. These security settings may cause issues, so test extensively. If you don’t need the functions, though, you should disable what you don’t need for better security. While we are on the subject, you can hide Apache version info with the ServerTokens and ServerSignature directives in httpd.conf. To set your server so the response header is sent back with just the kind of server (Apache), set:

    ServerTokens Prod

    Another setting that reveals specific server information is the ServerSignature. You can turn this off:

    ServerSignature Off

    We wrote about the ServerTokens setting in more detail in this article. See the Directive Quick Reference at apache.org for more details on the ServerTokens and ServerSignature directives.

    Information

    About