The issue of security is often either overlooked completely or under-utilized.
Security not only involves minimizing programming errors as much as possible, but putting
proper safeguards in place to protect against possible vulnerabilities. This often means using
several "layers" of protection to guard sensitive data against hackers, which if compromised,
could cause a catastrophic result to the website or entire server.
PHP exploits are responsible for the vast majority of compromised servers. Securing PHP
itself starts with ensuring the server is properly configured and as secure as possible. The
cPanel documentation links below highlight some proper server security practices.
Recommended cPanel Security settings.
Types of PHP vulnerabilities include some of the following:
Remote File Inclusion (RFI) - Allows an attacker to execute PHP code on your server
from a remote source. The best way to secure your site from RFI attacks is through
php.ini directives, specifically the allow_url_fopen and the allow_url_include directives.
The allow_url_fopen directive is set to "on" by default, and the allow_url_include is set
to "off." These two simple directives will help protect your site from RFI attacks.
SQL Injection - Allows an attacker to retrieve crucial information from a Web server's
database through unsanitized input being passed to PHP scripts.
Format string vulnerabilities - A malicious user may use the %s and %x format
tokens, among others, to print data from the stack or other locations in memory.
This attack requires the victim to execute a malicious URL which may be crafted in such
a manner as to appear legitimate at first look.
Although there are many other types of vulnerabilities, these are the most common.
There's no such thing as a 100% secure server, no matter how many layers of security you
add. You can utilize common server security practices and ward off most hackers, since
they generally go for easy targets. Security is not only a reaction but an action in an
3rd Party Protection
Here are some common 3rd party applications that can be utilized to help secure your
Apache and/or PHP implementations. These are options included with cPanel, easily
implemented via EasyApache.
mod_security (web application firewall) - mod_security checks HTTP requests for malicious
payloads by matching them against regex rules. mod_security rules are not included by
default and must be manually added and maintained. Sites such as gotroot.com provide
rules you can utilize and customize to
mod_evasive - mod_evasive is an Apache module that helps protect against DoS attacks.
Suhosin - Suhosin is a secure PHP hardening module that offers many security features, such
as disabling binary uploads and disabling the memory_limit function.
suPHP (runs PHP as the user) - suPHP performs various security checks before executing
PHP scripts. suPHP also runs PHP as the user.
Best Practices for PHP and Apache Security
Best practices begin with the Server Administrator. If you don't know what you're doing,
then find or hire someone that does. If you cannot properly secure your server or websites,
then it's just a matter of "when" you will get hacked, not "if".
1. Always use the latest secure versions and keep them updated.
2. Never put phpinfo() in your webroot. You can disable it using disable_functions in php.ini.
3. Never trust other users.
4. Store passwords with encryption.
5. php.ini allows you to set restrictions on the amount of memory that can be used by a
script or the maximum execution time of every script. Use sane values for these resources.
    max_execution_time = 300 ; Maximum execution time of each script, in seconds
    max_input_time = 60 ; Maximum amount of time each script may spend parsing data
    memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)
    expose_php = Off
    safe_mode = On
    enable_dl = Off ; unless needed
    allow_url_fopen = Off
    allow_url_include = Off
    disable_functions = show_source, system, ini_set, shell_exec, passthru, exec, phpinfo, popen, proc_open
6. Turn off register_globals (PHP 6.0.0 has removed the feature).
7. Enabling safe_mode causes PHP to check the user ID (UID) of the script, as it attempts to
open a file, against that file's (or directory's) UID. If the user IDs do not match, the script
cannot open or modify the file or directory. (Deprecated in PHP 5.3.0.)
8. Stop users from setting up .htaccess files which can override security features you've
configured. Here's one way to do it in the Apache Includes file.
9. Server Side Includes - If you don't need it, then disable it.
10. Use PHP open_basedir protection (WHM > Security).
11. Use an antivirus to scan uploaded files (ClamAV).
12. Use a caching system.
13. Disable modules you don't use.
14. Limit memory usage where possible in Apache and PHP.
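Added example, not the guide's or cPanel's own tooling: a POSIX shell audit that reads a php.ini and reports which of the directives recommended above (expose_php, register_globals, enable_dl, allow_url_fopen, allow_url_include, disable_functions) deviate from the listed values. It copes with commented-out lines, trailing ";" comments, quoted values and the On/1/True spellings PHP accepts, and treats an unset directive as a finding because the compiled-in default then applies; safe_mode is left out since the guide itself notes it is deprecated. The sample php.ini is constructed inline, and ini_get, bool_norm, audit_php_ini and sample_ini are the example's own names.

```shell
#!/bin/sh
# Added example, not the guide's or cPanel's own tooling; assumes POSIX sh with awk, tr and mktemp.
# ini_get <file> <directive>: effective value (last uncommented assignment wins,
# trailing ";" comments and surrounding quotes stripped; empty string if absent).
ini_get() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        { line = $0; sub(/[;#].*$/, "", line); n = index(line, "="); if (n == 0) next
          k = substr(line, 1, n - 1); gsub(/[ \t]/, "", k); if (k != key) next
          v = substr(line, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
          gsub(/^"|"$/, "", v); val = v }
        END { print val }' "$1"
}
# bool_norm <value>: fold the spellings PHP accepts (On/1/True/Yes, Off/0/False/No/None)
bool_norm() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) echo on ;;  off|0|false|no|none) echo off ;;  *) echo "$1" ;;
    esac
}
# audit_php_ini <file>: prints one line per check and returns the number of failures.
# An unset directive is a failure: the compiled-in default (On for several of these) applies.
audit_php_ini() {
    fails=0
    for d in expose_php register_globals enable_dl allow_url_fopen allow_url_include; do
        raw=$(ini_get "$1" "$d")
        if [ -z "$raw" ]; then echo "FAIL $d not set"; fails=$((fails + 1))
        elif [ "$(bool_norm "$raw")" = off ]; then echo "OK   $d = Off"
        else echo "FAIL $d = '$raw' (want Off)"; fails=$((fails + 1)); fi
    done
    df=$(ini_get "$1" disable_functions | tr -d ' ')   # must name every function the guide lists
    for fn in show_source system ini_set shell_exec passthru exec phpinfo popen proc_open; do
        case ",$df," in *",$fn,"*) ;; *) echo "FAIL disable_functions lacks $fn"; fails=$((fails + 1)) ;; esac
    done
    echo "$fails check(s) failed"; return "$fails"
}
# sample_ini: writes a constructed php.ini to a temp file and prints its path. Three findings
# are planted: expose_php On, register_globals only in a comment, shell_exec not disabled.
sample_ini() {
    tmp=$(mktemp) && cat > "$tmp" <<'EOF'
expose_php = On
;register_globals = Off
enable_dl = Off ; unless needed
allow_url_fopen = Off
allow_url_include = Off
disable_functions = "show_source, system, ini_set, passthru, exec, phpinfo, popen, proc_open"
EOF
    echo "$tmp"
}
audit_php_ini "$(sample_ini)" || :   # prints the findings; 3 checks fail
```

Run it against a real file with `audit_php_ini /path/to/php.ini`; a non-zero exit status is the count of deviations, which makes it easy to wire into a cron job or monitoring check.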
When talking about PHP security this will usually entail MySQL. Most MySQL changes are
about optimization and not security.
Securing MySQL basically comes down to binding MySQL to the localhost so that external
access cannot occur. Usually only websites on the server locally need to access MySQL.
Unless you're using a Remote MySQL setup, simply binding MySQL to the localhost is the
most secure option you can use. If you're using remote MySQL or need to allow remote
MySQL access, limit connections to MySQL to authorized users only. This can be done
using firewall rules or MySQL access host settings in WHM & cPanel.
    bind-address = 127.0.0.1
PHP Based Software
If your server runs Joomla, WordPress, or PHP-based forum software, then your server
and sites are extremely vulnerable. The vast majority of PHP exploits out there are not the
result of these applications themselves but are instead the result of poorly coded 3rd party
plugins and applications created for use with the software.
Keeping PHP up to date is very important, but the PHP applications and software using
PHP also need to be kept up to date. Being one version behind can leave your sites
vulnerable to exploits or hackers.
The only true way to secure PHP is not to use it, but as with most sites and hosting, PHP
is necessary. Simply including PHP or allowing it is not enough. As threats evolve and
hackers find new ways to exploit PHP, work must be done to secure it from hackers,
exploits, and other users on an ongoing basis.
Set appropriate file and directory permissions
Set read permissions for 'nobody' and 'user'; no access for 'other'
Disable write for everyone
Disable execute on files for everyone
Disable access to *.sql, *.bak files
Disable Server Side Includes (SSI) if not needed
Limit the memory Apache can use
Disable modules you don't need or use
Limit memory usage
Keep PHP updated to the latest version
Use suPHP, mod_security and Suhosin
Disable register_globals, expose_php, enable_dl
Set disable_functions to turn off unwanted PHP functions
Use open_basedir protection
Use a caching system
Set sane values for the use of resources (memory, execution time)
When uploads are needed, make sure that the PHP code sanitizes the user input
Bind only to the localhost address (127.0.0.1)
Secure the system from unwanted intrusion or exploits
Keep the system kernel updated to prevent kernel exploits
Practice secure methods with passwords