PHP is one of the most used server scripting programming languages. The market share speaks volumes about its dominance. Even though the periodical changes have come out, many developers are skeptical about PHP's future. One reason is PHP security.
PHP security is a primary concern for developers. PHP offers robust security inside out, but it is in the hands of PHP development company or developers to implement them correctly. In this article, we will look at some PHP security tips for Linux admins. The tips will help you secure your Web application and ensure proper functioning in the long run.
Below are some tricks those will help you protect your website from different types of common attcks :
1. Restrict PHP Information Leakage : It is common for platforms to leak vital information. For example, PHP releases information such as versions and the fact that it is installed on the server. This is done through the expose_php directive. To prevent the leak, you need to set the directive to off in /etc/php.d/security.ini.
2. Disable Remote Code Execution : Remote code execution is one of the common security flaws in PHP security. By default, remote code execution is enabled on your system. The "allow_url_fopen" directive allows functions such as require, include, or URL-aware fopen wrappers to get direct access to the PHP files. The remote access is done by using HTTP or FTP protocol and can cause the system to be defenseless against the code injection vulnerabilities.
To ensure that your system is secure from remote code execution, you can set the directive "Off".
3. Get Rid of Unnecessary Modules : PHP comes with built-in PHP modules. They are useful for many tasks, but not every project requires them. You can view the available PHP modules by typing the following command :
# php - m
Once you get hold of the list, you now can get rid of the unnecessary modules. The reduced number of modules will help you to ramp up the performance and security of the Web application you are working on.
4. Disable Dangerous PHP Functions : PHP comes with useful functions for developmental purposes, but it is also plagued with functions that can be used by hackers to exploit the Web app. Disabling the functions can improve the overall security and ensure that you are not affected by dangerous PHP functions.
To do so, you first need to edit the php.ini file. Once there, find the disable_functions directive and set the dangerous functions in it. You can do it by just copy/pasting the following code.
5. Control File System Access : By default, PHP can access files by using functions such as fopen(). The open_basedir directive provides the access. For starters, always keep the open_basedir directive set to the /var/www/html directory. Setting it to any other directory can lead to security issues.
Security is one of the biggest concerns for Web developers and Linux administrators. With the preceding tips, you are sure to harden the security around the development environment and the PHP Web app