PHP is a well known open source general-purpose scripting language. It is well suited server-side web development. Securing a PHP application is always a difficult task. To secure our PHP application,we also need to secure our hardware, platform and configure PHP securely.
These Php security best practices will help you in configuring your PHP securely on your server.
The steps involved in configuring PHP securely are as follows.
- Disable the insecure PHP functions.
- Disable Unused PHP Modules (PHP)
- Disable Remote Code Execution
- Limit PHP Access To File System (PHP)
- Secure location to store PHP temporary files
- Configure PHP logging.
- Restrict PHP version Information
- Make your PHP configuration files immutable
- Enable Limits in PHP (PHP)
- Disallow Uploading Files
- Turn on cgi.force_redirect in php.ini
- Test you PHP settings with PHPSECINFO.
1. Disable the insecure PHP functions.
The first of php security tips to secure our PHP installation is to disable the insecure/dangerous PHP functions.
We will define the names of all the insecure PHP functions that we want to disable in disable_functions directive in the loaded php.ini file.
First of all, we need to find the location of the loaded php.ini file in our server.
shell> php -i | grep php.ini Loaded Configuration File => /etc/php.ini
For PHP 7.0 in CentOS 7.
shell> php70 -i | grep php.ini Configuration File (php.ini) Path => /etc/opt/remi/php70 Loaded Configuration File => /etc/opt/remi/php70/php.ini
Add this line at the end of your php.ini file.
disable_functions = system,phpinfo,exec,passthru,shell_exec,passthru,popen,proc_open,proc_terminate,curl_exec,curl_multi_exec,parse_ini_file,show_source
Here’s a list of PHP functions that Flywheel hosting disables for security in PHP.
2. Disable Unused PHP Modules.
This second php security tip is to enhance performance and security of PHP. It is highly recommended to minimize the number of modules used with PHP. We can see the list of modules installed by executing the following command:
shell> php -m [PHP Modules] bz2 calendar Core posix date
For PHP 7.0
shell> php70 -m [PHP Modules] bz2 calendar Core posix date
We can disable any unused module in the system by changing configuration file name. For example, if we want to disable POSIX module from loading in PHP, then we can use these steps.
shell> cd /etc/php.d/ shell> mv posix.ini posix.ini.disable
For PHP 7.0
The names of modules are slightly different in PHP 7.
shell> cd /etc/opt/remi/php70/php.d
shell> ls -l total 148 -rw-r--r--. 1 root root 4078 Nov 8 20:25 10-opcache.ini -rw-r--r--. 1 root root 47 Nov 8 20:26 20-bz2.ini -rw-r--r--. 1 root root 51 Nov 8 20:26 20-posix.ini -rw-r--r--. 1 root root 57 Nov 8 20:26 20-calendar.ini -rw-r--r--. 1 root root 51 Nov 8 20:26 20-ctype.ini .......
Disable the module.
shell> mv posix.ini posix.ini.disable
3. Disable Remote Code Execution
If allow_url_fopen is enabled on your setup, It allows file functions like file_get_contents() and the include and require statements. These functions can retrieve data from http or ftp remote locations and execute their code. These functions can cause php security issues if not disabled. We will disable allow_url_fopen and allow_url_include in our php.ini file.
4. Limit PHP Access To File System
Another important tip for your PHP web application security is to limit the PHP to get access to the directories allowed only by setting open_basedir directive.
Enter your server’s document root to limit PHP file access operations to that directory only. If your document root is /var/www/html then you should use something like this.
Edit your php.ini file.
5. Secure Location to store PHP temporary files.
After setting open_basedir option, there’s a chance that you will start getting an upload_tmp_dir error when you are trying to upload files through PHP. You can solve this by specifying the upload_tmp_dir option. This can help also you in dealing with file upload vulnerability issue.
Also, Make sure the path specified in the upload_tmp_dir is inside this path defined in open_basedir.
If open_basedir directive is on, then the system default directory must be allowed for an upload to succeed.
You should set upload_tmp_dir to a folder that is:
- outside the document root of your website
- not readable or writable by any other system users
Create a folder to store temporary PHP files. Make sure it is inside the directory structure defined in open_basedir directive.
shell> mkdir -p /var/www/php/sessions
Edit php.ini file.
upload_tmp_dir = /var/www/php/sessions
Make sure it is non-world writable
shell> chmod 770 -R /var/www/php
6. Configure PHP logging.
We will configure secure logging for PHP by not displaying the PHP errors to everyone.
Edit php.ini file.
display_errors = off log_errors = on error_log = /var/log/nginx/php-errorrs.log ignore_repeated_errors = Off
7. Hide PHP version Information.
Different PHP versions have their own loopholes. we can make it a bit difficult for anyone to exploit those shortcomings by hiding the version information of our PHP.
Edit php.ini to hide the version information of PHP.
expose_php = Off
8. Make your PHP configuration files immutable.
Another PHP security tip is to secure important files and folders from accidental deletion or modification even as a root user. We can set the immutable attribute to those files and folders to prevent them from accidental deletion and modification.
To set immutable attribute on php.ini file , log in as root as use the following command.
shell> chattr +i /etc/php.ini shell> lsattr php.ini ----i----------- php.ini
Now, try to delete this file as root user.
root@engy:~# rm -rf php.ini rm: cannot remove 'php.ini': Operation not permitted
Now php.ini cannot be altered without changing this attribute first.
To alter this file again, use this command.
shell> chattr -i /etc/php.ini shell> lsattr php.ini ---------------- php.ini
Moreover, You can use this attribute to secure other important files also.
9. Enable Limits in PHP.
We can also control how many and maximum size of files are allowed to upload by PHP. Other limits on max execution time and max input time for scripts should also be configured properly.
To allow users to upload files of maximum size, update following configuration value.
upload_max_filesize = 256K # Recommended
- Maximum execution time of each script.
max_execution_time = 30 # seconds
- The maximum amount of time each script may spend parsing request data.
max_input_time = 60 # seconds
- The maximum size of POST data that PHP will accept.
post_max_size = 200K # Recommended
- Set the Maximum amount of memory a script may consume.
memory_limit = 8M # Recommended.
However, These are the recommended values but you should change them to suit your server requirements.
10. Disallow Uploading Files
Set file_uploads to off to turn off any file uploads to your site unless you require this feature
Edit php.ini file.
file_uploads = off # Only if you don't require uploading files to server.
11. Turn on cgi.force_redirect in php.ini
cgi.force_redirect is necessary to provide security in running PHP as a CGI under most web servers. Left undefined, PHP turns this on by default.
Edit php.ini file.
cgi.force_redirect = 1
12. Test you PHP settings via running PHPSECINFO in your server.
Now that we have applied all the PHP security best practices, we can now use phpsecinfo for php security test. Phpsecinfo reports security information about the PHP environment. It can be used to test our PHP security configuration.
- How to use PHPSECINFO.
Download phpsecinfo.zip from here.
- upload phpsecinfo.zip to your server and extract it to your document root.
- Access phpsecinfo from your browser by visiting.
phpsecinfo-20070406 is the name of phpsecinfo folder after extracting it on my server. It can have a different name in our case.
In conclusion, These Php security best practices are important to improve the security of your PHP installation. The longer you will wait to implement these security measures in PHP, the less effective they will become. These security measures must be implemented from the start alongside your applications you want to use.
Thanks for visiting this page and Have a Good day. 🙂