Securing PHP

The first step to secure PHP is from the system perspective. Only provide what you have to. Of course, the code needs to be secure as well by using proper input validation, encryption, etc., but as systems administrators, we can head off some problems. First off, you can view a complete rundown of your current configuration by using a PHP script with these lines:

<?php
phpinfo(); 
?>

Please don’t call this phpinfo.php, OK? Do a search on phpinfo.php sometime. There is a lot of discussion about whether or not this is a security risk. Well, I absolutely do consider it a security risk to leave a PHP file with the above lines in it, so simply don’t do it, OK? Even if you don’t call it phpinfo.php, take it down when you are done, or put it in a secure directory at least. Better still, disable the feature using disable_functions when you aren’t using it. Just save the current PHP configuration to a file and store it someplace that isn’t accessible to others and disable it. If you leave phpinfo enabled and use some file other than phpinfo.php, it can still be found. It is pretty trivial to figure out that if you search for a couple specific terms, that you will find the PHP test page that somebody created and forgot about. Consider using safe mode. Just set:

; Safe Mode
;
safe_mode = On

in php.ini and restart your webserver to use this. You can verify whether safe mode is enabled using the above phpinfo technique. Another item to consider is the disable_functions directive. For instance, you could set this:

disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,
proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"

Note that this list disables phpinfo as well as others. There is some overlap, here, with functions limited by safe mode. Be careful that you don’t break any features you need, of course. These security settings may cause issues, so test extensively. If you don’t need the functions, though, you should disable what you don’t need for better security. While we are on the subject, you can hide Apache version info with the ServerTokens and ServerSignature directives in httpd.conf. To set your server so the response header is sent back with just the kind of server (Apache), set:

ServerTokens Prod

Another setting that reveals specific server information is the ServerSignature. You can turn this off:

ServerSignature Off

We wrote about the ServerTokens setting in more detail in this article. See the Directive Quick Reference at apache.org for more details on the ServerTokens and ServerSignature directives.