Security Essentials for PHP websites

1. Remove unnecessary modules

PHP comes with a built-in PHP module. They are useful for many tasks, but they are not required for every project. Simply enter the following command to view the available PHP modules:

# php-m

Once you have viewed the list, you can now delete unnecessary modules. Reducing the number of modules helps improve the performance and security of the Web applications you work with.

2. Restricting the disclosure of PHP information

Platform leaks critical information is commonplace. For example, PHP will leak some information, such as the version and the fact that it is installed on the server. This can be done through the expose_php command. To prevent leaks, you need to set the command off in/etc/php.d/security.ini.

expose_php=Off

If you need to know the version and its status, just run a simple curl command against the site address to get that information.

I http://www.livecoding.tv/index.php

The previous command returns the following information:

x-powered-by:php/7.0.10  content-type:text/html; charset=utf-8

3. Disabling Remote code Execution

Remote code execution is one of the common security vulnerabilities in PHP security systems. By default, remote code execution is enabled on your system. The "allow_url_fopen" command allows functions such as request (require), including (include) or URL-aware fopen wrappers to access PHP files directly. Remote access is implemented by using the HTTP or FTP protocol, which can cause the system to be unable to defend against code injection security vulnerabilities.

To ensure that your system is safe and secure from remote code execution, you can set the command to "OFF" as follows:

allow_url_fopen=off  allow_url_include=off  

4. Write PHP errors into the log

Another easy way to enhance Web application security is to not display errors to visitors. This will ensure that hackers simply cannot compromise the security of the site. Need to be edited in the/etc/php.d/security.ini file.

display_errors=Off

Now you might think: After this step, "How does the developer debug without the help of the error message?" Developers can use the log_errors command for debugging purposes. They only need to set the Log_errors command to "on" in the Security.ini file.

log_errors=on  error_log=/var/log/httpd/php_scripts_error.log 

5. Reasonable control of resources

To ensure the security of your application, it is important to control resources. To ensure proper execution and security, you need to limit the execution of PHP scripts. In addition, you should limit the time spent parsing the requested data. If execution time is controlled, other resources such as memory used by the script should also be configured accordingly. All of these metrics can be managed by editing the Security.ini file.

# Set in seconds      30M  

6. Disable the dangerous PHP function

PHP comes with utility functions for development, but there are a number of functions that hackers can use to break into Web applications. Disabling these functions can improve overall security and ensure that you are not affected by the dangerous PHP functions.

To do this, you first edit the php.ini file. Once you enter the file, locate the disable_functions command and disable the dangerous function inside. To do this, you just copy/paste the following code.

Disable_functions =exec,passthru,  shell_exec,system,proc_open,popen,curl_exec,  curl_ Multi_exec,parse_ini_file,show_source     

Here (https://www.eukhost.com/blog/webhosting/dangerous-php-functions-must-be-disabled/) You can learn more about disabling PHP functions that are dangerous.

7. Uploading Files

If your application does not need to upload any files, disabling the ability to upload files can help improve security. To prevent users from uploading files, simply edit the Security.ini file in the/etc/php.d/directory and set the File_uploads command to OFF.

file_uploads=Off

8. Keep the version up-to-date

Developers work uninterrupted in 24/7, patching the technology you use. PHP is the same. Because it has an open source community, patches and revisions are regularly released. The update also provides security patches for first-day vulnerabilities and other security vulnerabilities. If you focus on the security of your application, always make sure that your PHP solution is the latest version. In addition, the latest patches for other related technologies will ensure maximum security.

9. Controlling File system access

By default, PHP can use functions such as fopen () to access files. The Open_basedir command provides access. First, always set the Open_basedir command to the/var/www/html directory. Setting it to any other directory can cause security issues.

open_basedir="/var/www/html/"

10. Control the Post size

Our last PHP security key is to control the post size function. The HTTP post function uses the client's browser to send data to the Web server. For example, a user might upload a certificate and then send it to a Web browser for processing. Everything runs smoothly until one day hackers attempt to send huge files to run out of server resources. This is likely to cause the server to crash or slow to respond. To protect the server from this vulnerability, you need to set the post size. The post size can be set in the/etc/php.d/security.ini file.

post_max_size=1k

Security Essentials for PHP websites