Linux: 25 PHP Security Best Practices For Sys Admins


PHP is an open-source server-side scripting language, and it is widely used. The Apache/Nginx/Lighttpd web server provides access to files and content via the HTTP or HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems, so PHP should be used with caution. Here are twenty-five PHP security best practices.
Our sample setup for PHP security tips:
DocumentRoot: /var/www/html
Default web server: Apache (you can use Lighttpd or Nginx instead of Apache)
Default PHP configuration file: /etc/php.ini or /etc/php/7.0/fpm/php.ini
Default PHP extensions config directory: /etc/php.d/ or /etc/php/7.0/fpm/conf.d/
Our sample PHP security config file: /etc/php.d/security.ini or /etc/php/7.0/fpm/conf.d/99-security.conf or /etc/php/8.0/fpm/conf.d/99-security.conf (you need to create this file using a text editor)
Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distribution such as Debian / Ubuntu, or other Unix-like operating systems such as OpenBSD / FreeBSD / HP-UX)
Default PHP server TCP/UDP ports: none
Most of the actions listed in this post are written with the assumption that they will be executed by the root user running bash or any other modern shell. Here is
PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41) Copyright (c) 1997-2010 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
OR
PHP 8.3.3 (cli) (built: Feb 16 2024 01:31:30) (NTS) Copyright (c) The PHP Group Zend Engine v4.3.3, Copyright (c) Zend Technologies with Zend OPcache v8.3.3, Copyright (c), by Zend Technologies
For demonstration purposes I’m going to use the following operating system:
Red Hat Enterprise Linux Server release 6.1 (Santiago)
OR
Rocky Linux 8.9 (Green Obsidian)