Linux

Linux 25 PHP Security Best Practices For Sys Admins

PHP is an open-source server-side scripting language, and it is a widely used. The Apache/Nginx/Lighttpd web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for Linux and Unix sysadmins for configuring PHP securely.

PHP security best practices

Our sample setup for PHP security tips

  • DocumentRoot: /var/www/html
  • Default Web server: Apache ( you can use Lighttpd or Nginx instead of Apache)
  • Default PHP configuration file: /etc/php.ini or /etc/php/7.0/fpm/php.ini
  • Default PHP extensions config directory: /etc/php.d/ OR /etc/php/7.0/fpm/conf.d/
  • Our sample php security config file: /etc/php.d/security.ini OR /etc/php/7.0/fpm/conf.d/99-security.conf (you need to create this file using a text editor)
  • Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distributions such as Debian / Ubuntu or other Unix like operating systems such as OpenBSD/FreeBSD/HP-UX).
  • Default PHP server TCP/UDP ports: none

Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell:
$ php -v
Sample outputs:

PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

OR

PHP 7.3.7 (cli) (built: Jul  8 2019 09:58:12) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.7, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.7, Copyright (c) 1999-2018, by Zend Technologies

For demonstration purpose I’m going to use the following operating system:
$ cat /etc/redhat-release

PHP is an open-source server-side scripting language, and it is a widely used. The Apache/Nginx/Lighttpd web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php…

PHP is an open-source server-side scripting language, and it is a widely used. The Apache/Nginx/Lighttpd web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php…

Leave a Reply

Your email address will not be published. Required fields are marked *