Asked 7 years ago
11 Jan 2017
Views 1307
rajiv

rajiv posted

how to improve PHP security ?

my site hacked twice in last year 2016 . so is that any remedy which should i apply to make PHP Website more secure and strong system.

so some hack really needed to make PHP more secure ?
what is the setting should i change in the PHP to make it more secure ?
Rasi

Rasi
answered Nov 30 '-1 00:00

you need to change some php.ini setting which are really needed to be at its default value

1. expose_php directive is used to whether tell client about php version or not
expose_php =1 means all header sent back to client have php version
expose_php =0 means avoid php version expose to client side
so set expose_php =0 in php.ini

expose_php = 0 // say no to expose php version at client by header


2.display_errors directive is used to decide that whether show error at client side or not
display_errors =1 means send PHP error to client side . it must be enable when developing or debugging.
display_errors =0 means dont send PHP error to client side . it must be disable on production site.

display_errors =0 // say no to display error


3.disable_functions have list of function which should be disabled to run in PHP
So i have some list which should be disabled to run in PHP because that cause possible harm . or attacker can use that function to harm Website or webserver

disable_functions  = exec,passthru,shell_exec,system,
proc_open,proc_close,proc_terminate,popen,curl_exec,curl_multi_exec,
show_source,posix_kill,posix_getpwuid,posix_mkfifo,posix_setpgid,
posix_setsid,posix_setuid,posix_setuid,posix_uname,php_uname,syslog


let me explain why this function in disabled function list .
exec - it help to execute any PHP code which is quite tricky part for hacker to run their code in our System.
suppose

echo exec('whoami');// outputs the username that owns the running php/httpd process

by this function hacker can get username , password of server / Database Server or run directly some code without any restriction .
so make sure exec is not be accessible to any user

passthru - is same exec function , it Execute an external program and display raw output
so on all function is not good to make available to all people so disable it

4. allow_url_fopen and allow_url_include is set 1 than it allow to remote access of server file , which is not good . if you dont need it to make it open than please disable it allow_url_fopen and allow_url_include

    allow_url_fopen = 0
    allow_url_include = 0


5. open_basedir is limit access of the file or directory .

open_basedir = "www/tmp/"


when Script try to files from tmp by include or fopen , PHP will refuse to access it.
you can set your file path or directory path which you want to secure from script.
Phpworker

Phpworker
answered Nov 30 '-1 00:00

best approach to secure website is change directory access.
Change Access Of file / folder by Script
chmod used to change the acess of the file or folder by PHP
0755 Is acess mode , here 0755 means change access to read and write access of website owner(server admin) and read and execute for other user.

chmod("/root", 0755);


or you can use cpanel or ftp to change access permission of file / folder


try to change access of all folder and files which need to be secured.

suggest more if more we can do access security over file and folders , if any one have ideas.
Post Answer