PHP Security CPanel

PHP security involves minimizing errors, using layers of protection, and securing the server. Common vulnerabilities include remote file inclusion, SQL injection, and cross-site scripting. Best practices include keeping PHP and Apache updated, using security modules like mod_security and Suhosin, disabling unnecessary functions, limiting resources, and binding MySQL to localhost. Proper configuration of files, directories, and disabling unneeded modules helps prevent exploits.

Uploaded by ManiMegalai

PHP Security

The issue of PHP security is often either overlooked completely or addressed only in part. PHP
security not only involves minimizing programming errors as much as possible, but also putting
proper safeguards in place to protect against the vulnerabilities that remain. This usually means
using several layers of protection to guard sensitive data, since a single compromised site can
have catastrophic results for that website or for the entire server when every site runs under
the same Apache user.
Exploited PHP applications are behind a large share of compromised web servers. Securing PHP
itself starts with ensuring the server is properly configured and as secure as possible. The
cPanel documentation links below highlight some proper server security practices.
cPanel SecureServerChecklist
cPanel PhpSecurityConcepts
Recommended cPanel Security settings.
Types of PHP vulnerabilities include the following:
1. RFI, or Remote File Inclusion - Allows an attacker to execute PHP code on your server
from a remote source. It happens when user-controlled input reaches include(), require()
or their _once variants, so the first fix is in the code: never build an include path from
request data. At the server level, the php.ini directives allow_url_fopen and
allow_url_include decide whether include() will fetch a URL at all. allow_url_fopen is On
by default and allow_url_include is Off by default; set both to Off unless a script
genuinely needs to open remote URLs (in that case leave allow_url_fopen On and keep
allow_url_include Off). Note that these directives do nothing against local file inclusion
(../ traversal to files already on disk), which only the code-level fix covers.
2. SQL Injection - Allows an attacker to read or modify the web server's database through
unsanitized input being concatenated into SQL queries by PHP scripts. The reliable fix is
prepared statements with bound parameters (PDO or mysqli), not escaping by hand.
3. Format string vulnerabilities - A malicious user may use the %s and %x format
tokens, among others, to read data from the stack or other locations in memory. This is a
memory-safety bug in C code, so on a PHP server it concerns PHP itself and its C
extensions; in PHP userland, passing user input as the format argument of printf() or
sprintf() can corrupt or leak output but cannot read process memory.
4. XSS, or Cross Site Scripting - The attacker gets script of their choosing to run in a
victim's browser in the context of your site. In the reflected form the victim has to open a
malicious URL crafted to look legitimate at first glance; in the stored form the payload is
saved on the server (a comment, a profile field) and hits every visitor. The root cause is
the same in both: user input written into a page without output escaping.
Although there are many other types of vulnerabilities, these are the most common.
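The three most common of these, side by side as the vulnerable pattern and its hardened form, in PHP (an added example written for this page, not code from the cPanel document). It needs PHP 7.1 or later with the pdo_sqlite extension, uses an in-memory database, and the user record, the page allowlist and the attack payloads are constructed sample data:

```php
<?php
// Added example for this page (not from the cPanel document): RFI, SQL
// injection and XSS, each as the vulnerable pattern next to the hardened one.
// Assumes PHP >= 7.1 and pdo_sqlite; all data below is constructed for the demo.
declare(strict_types=1);

// 1. RFI / LFI. The vulnerable pattern builds the include path from the request:
//      include $_GET['page'] . '.php';
//    With allow_url_include=On a URL runs remote code; with it Off, ../ traversal
//    still reads local files. Hardened: resolve the request against an allowlist,
//    so only paths you wrote down ever reach include().
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',      // constructed paths for the demo
    'contact' => 'pages/contact.php',
];

function resolve_page(string $requested): ?string
{
    // Anything not in the map (URLs, ../, null bytes) yields null, and the caller
    // answers 404 instead of calling include().
    return ALLOWED_PAGES[$requested] ?? null;
}

// 2. SQL injection, with password storage done right at the same time.
function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    // Store a salted bcrypt hash (password_hash, PHP >= 5.5), never the password.
    $ins = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (:n, :h)');
    $ins->execute([':n' => 'alice',
                   ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

function login_vulnerable(PDO $db, string $user, string $pass): bool
{
    // Request data concatenated into SQL. A user name of   ' OR 1=1 --   turns the
    // WHERE clause into   name = '' OR 1=1   and the -- comments out the rest.
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$user' AND pass_hash = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

function login_hardened(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: the driver sends the value separately from the SQL text,
    // so quotes and comment markers in $user are just characters in a name.
    $st = $db->prepare('SELECT pass_hash FROM users WHERE name = :n');
    $st->execute([':n' => $user]);
    $hash = $st->fetchColumn();
    // Unknown user and wrong password fail the same way; password_verify
    // compares against the stored hash in constant time.
    return $hash !== false && password_verify($pass, (string) $hash);
}

// 3. XSS. Vulnerable:   echo "<p>Hello, $name</p>";   runs any <script> in $name.
function e(string $s): string
{
    // One escaping helper for HTML text and attribute values: ENT_QUOTES covers
    // both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the output.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_greeting(string $name): string
{
    return '<p>Hello, ' . e($name) . '</p>';
}

$db = setup_db();
$injection = "' OR 1=1 --";
echo 'vulnerable login, injected user name: ',
     login_vulnerable($db, $injection, 'anything') ? 'BYPASSED' : 'denied', "\n";
echo 'hardened login, injected user name:   ',
     login_hardened($db, $injection, 'anything') ? 'BYPASSED' : 'denied', "\n";
echo 'hardened login, real credentials:     ',
     login_hardened($db, 'alice', 'correct horse battery staple') ? 'ok' : 'denied', "\n";
echo render_greeting('<script>alert(1)</script>'), "\n";
var_dump(resolve_page('http://evil.example/shell.txt'));
var_dump(resolve_page('home'));
```

Run it with `php vulns.php`. The login pair is the one to study: the hardened version is not "the vulnerable one plus escaping" but a different shape, the query text fixed at prepare time and the user name sent as data, which is why it stays correct no matter what characters the name contains.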
There's no such thing as a 100% secure server no matter how many layers of security you
add. You can utilize common server security practices and ward off most hackers, since
they generally go for easy targets. Security is not only a reaction but an action in an
ongoing process.
3rd Party Protection
Here are some common 3rd party applications that can be utilized to help secure your
Apache and/or PHP implementations. These are options included with cPanel, easily
implemented via EasyApache.
mod_security (web application firewall) -
mod_security checks HTTP requests for malicious payloads by matching them against regex
rules. mod_security rules are not included by default and must be added and maintained
manually. Sites such as gotroot.com provide rule sets you can use and customize to
your needs. Test new rules in detection-only mode (SecRuleEngine DetectionOnly) before
enforcing them, since a bad rule blocks legitimate traffic for every site on the server.
mod_evasive (DoS prevention)
mod_evasive is an Apache module that helps protect against DoS attacks by rate-limiting
clients that request the same page, or the site as a whole, too often in a short interval.
Hardened PHP (Suhosin)
Suhosin is a PHP hardening patch and extension that offers many security features, such as
refusing uploads of ELF binaries and stopping scripts from raising memory_limit above a
hard ceiling. It is a PHP 5-era project and is not maintained for PHP 7 and later.
suPHP (mod_suphp, runs PHP as the user) -
suPHP performs various security checks (ownership and permissions of the script and its
directory) before executing PHP scripts, and runs each script as the account that owns it
instead of the shared Apache user, so one compromised site cannot read or write another
site's files.
Best Practices for PHP and Apache Security
Best practices begin with the server administrator. If you don't know what you're doing,
then find or hire someone who does. If you cannot properly secure your server or websites,
then it's just a matter of when you will get hacked, not if.
1. Always use the latest secure version of PHP and Apache and keep them updated.
2. Never put phpinfo() in your webroot: it reveals paths, versions, loaded modules and
configuration values to anyone who can reach it. You can disable the function entirely
with disable_functions in php.ini.
3. Never trust input from users, and on a shared server never trust the other accounts
either; every site runs next to yours.
4. Store passwords as salted one-way hashes, never encrypted and never in the clear. In
PHP use password_hash() and password_verify() (PHP 5.5 and later); on older releases,
crypt() with a bcrypt salt.
5. Utilize PHP limits - PHP allows you to set restrictions on the amount of memory that
can be used by a script and on the maximum execution time of every script. Use sane
values for these resources. The php.ini fragment below lists the directives this
document recommends; the values are starting points, not absolutes.
max_execution_time = 300 ; Maximum execution time of each script, in seconds
max_input_time = 60 ; Maximum amount of time each script may spend parsing data
memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)
; 8M dates this document; most current CMSes need 64M-256M. Raise it per site, not globally.
expose_php = Off ; Drops the X-Powered-By header that advertises the PHP version
safe_mode = On ; PHP 5.2 and earlier only; deprecated in 5.3, removed in 5.4 (see item 7)
enable_dl = Off ; Unless needed; stops scripts loading arbitrary extensions with dl()
allow_url_fopen = Off
allow_url_include = Off
disable_functions = show_source, system, ini_set, shell_exec, passthru, exec,
phpinfo, popen, proc_open
; show_source is only an alias of highlight_file and disable_functions works per name,
; so add highlight_file too. ini_set is called by many applications (WordPress among
; them); drop it from the list if sites break.
6. Turn off register_globals. It was deprecated in PHP 5.3.0 and removed in 5.4.0 (there
was never a PHP 6.0.0 release), so on current releases the directive no longer exists.
7. safe_mode - Enabling safe_mode causes PHP to check the user ID (UID) of the script
as it attempts to open a file against that file's (or directory's) UID. If the user IDs do not
match, the script cannot open or modify the file or directory. It was deprecated in PHP 5.3.0
and removed in 5.4.0; suPHP together with open_basedir (item 10) is the replacement on
cPanel servers.
8. Stop users from setting up .htaccess files which can override security features you've
configured. Here's one way to do it in the Apache Includes file. Note that on a cPanel
server many hosted applications depend on .htaccess (WordPress permalinks, for example),
so a blanket AllowOverride None breaks them; the practical middle ground is to allow only
the directive groups sites actually need (for example AllowOverride FileInfo Limit
AuthConfig) rather than All, and to test on a staging account first.
<Directory />
AllowOverride None
</Directory>
9. Server Side Includes - If you don't need them, disable them (remove Includes from
Options and unload mod_include).
10. Use PHP open_basedir protection (WHM > Security). It confines each script to its own
account's directories, which is what stops a compromised site from reading another
account's configuration files.
11. Use an antivirus to scan uploaded files (ClamAV).
12. Use a caching system. It reduces the work each request costs PHP and MySQL, which
also limits what a flood of requests can do to the server:
Memcached
APC
XCache
Zend Cache
eAccelerator
13. Disable modules you don't use.
14. Limit memory usage where possible in Apache and PHP.
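Since most of the items above are php.ini directives, the natural check is a script that reads the configuration PHP is actually running with and reports what falls short. The following is an added example written for this page, not code from the cPanel document. It reads effective values through ini_get(), so it must run under the same php.ini as the web SAPI: either `php -c /usr/local/lib/php.ini audit.php` (that path is an assumption; take the real one from the "Loaded Configuration File" line of phpinfo() on the web side) or, once, through the browser from a site, deleted afterwards.

```php
<?php
// Added example for this page (not from the cPanel document): reports which of
// the php.ini recommendations above the running interpreter does not meet.
// Values come from ini_get(), so run it under the same php.ini as the web SAPI.
declare(strict_types=1);

function ini_on(string $directive): bool
{
    // php.ini accepts On/Off, 1/0, yes/no, true/false. An unknown directive
    // (register_globals on PHP >= 5.4) makes ini_get() return false, i.e. "",
    // which correctly counts as Off.
    $v = strtolower(trim((string) ini_get($directive)));
    return in_array($v, ['1', 'on', 'yes', 'true'], true);
}

function ini_bytes(string $directive): int
{
    // Shorthand sizes as memory_limit uses them: 8M, 128M, 1G; -1 is unlimited.
    $v = trim((string) ini_get($directive));
    if ($v === '' || $v === '-1') {
        return PHP_INT_MAX;
    }
    $n = (int) $v;
    switch (strtoupper(substr($v, -1))) {   // intentional fall-through
        case 'G': $n *= 1024;
        case 'M': $n *= 1024;
        case 'K': $n *= 1024;
    }
    return $n;
}

function audit_php_ini(): array
{
    $findings = [];

    foreach (['allow_url_fopen', 'allow_url_include', 'expose_php',
              'enable_dl', 'register_globals'] as $d) {
        if (ini_on($d)) {
            $findings[] = "$d is On; set $d = Off";
        }
    }

    // Functions the document lists, plus highlight_file: show_source is only an
    // alias of it, and disable_functions works per name, so both must be listed.
    // ini_set is left out because many applications (WordPress among them) call it.
    $wanted   = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open',
                 'phpinfo', 'show_source', 'highlight_file'];
    $disabled = array_filter(array_map('trim',
        explode(',', (string) ini_get('disable_functions'))));
    foreach (array_diff($wanted, $disabled) as $f) {
        $findings[] = "$f is callable; add it to disable_functions";
    }

    if (ini_bytes('memory_limit') === PHP_INT_MAX) {
        $findings[] = 'memory_limit is unlimited; set a per-script ceiling';
    }

    // The CLI hard-codes max_execution_time to 0, so this check only means
    // something when the script runs under the web SAPI.
    if (PHP_SAPI !== 'cli' && (int) ini_get('max_execution_time') === 0) {
        $findings[] = 'max_execution_time is 0 (unlimited); set a value such as 300';
    }

    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is not set; scripts can read any file the PHP user can';
    }

    return $findings;
}

$findings = audit_php_ini();
if ($findings === []) {
    echo "php.ini meets the recommendations\n";
}
foreach ($findings as $f) {
    echo "[!] $f\n";
}
```

On a fresh install the first lines it prints are expose_php and allow_url_fopen, which are On by default, and the whole disable_functions list, which is empty by default. Rerun it after editing php.ini and restarting Apache (or the PHP-FPM/suPHP side) until the list is down to what you have consciously decided to keep.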
MySQL
When talking about PHP security this will usually entail MySQL. Most MySQL changes are
about optimization and not security.
Securing MySQL basically comes down to binding MySQL to localhost so that external
access cannot occur. Usually only websites on the server itself need to access MySQL.
Unless you're using a Remote MySQL setup, simply binding MySQL to localhost is the
most secure option you can use. If you're using remote MySQL or need to allow remote
MySQL access, limit connections to MySQL to authorized hosts and users only. This can be
done using firewall rules or the MySQL access host settings in WHM and cPanel, and each
remote user should be granted only the databases it needs, never a '%' wildcard host.
After restarting MySQL, confirm that it listens only on 127.0.0.1:3306 (netstat or ss).
/etc/my.cnf
[mysqld]
bind-address = 127.0.0.1
PHP Based Software
If your server runs Joomla, WordPress, or PHP-based forum software, then your server
and sites are a prime target. The vast majority of PHP exploits out there are not the
result of these applications themselves but of poorly coded 3rd party plugins, themes and
extensions created for use with them.
Keeping PHP up to date is very important, but the PHP applications and software using
PHP also need to be kept up to date, plugins and themes included. Being one version
behind can leave your sites vulnerable to exploits or hackers.
Conclusion
The only true way to secure PHP is not to use it, but for most sites and hosting
providers, PHP is necessary. Simply installing PHP or allowing it is not enough. As
threats evolve and hackers find new ways to exploit PHP, work must be done to secure it
from hackers, exploits, and other users on an ongoing basis.

Summary:
Apache
Set appropriate file and directory permissions
Set read permissions for 'nobody' and 'user'; no access for 'other'
Disable write for everyone
Disable execute on files for everyone
Disable access to *.sql, *.bak files
Disable Server Side Include (SSI) if not needed
Limit the memory Apache can use
Disable modules you don't need or use.
PHP
Keep PHP updated to the latest version.
Use suPHP, mod_security and Suhosin.
Disable allow_url_fopen
Disable allow_url_include
Disable register_globals, expose_php, enable_dl
Set disable_functions to turn off unwanted PHP functions
Use open_basedir protection
Use a caching system
Set sane values for the use of resources (memory, execution time)
When uploads are needed, make sure the PHP code validates the uploaded file (type, size, name) and stores it outside the webroot
MySQL
Bind only to the localhost address (127.0.0.1)
System
Secure the system from unwanted intrusion or exploit
Keep the system kernel updated to prevent kernel exploits
Practice secure methods with passwords
