How to harden your PHP installation on your server.

Most servers run a fairly default configuration with PHP. In addition, there are a lot of bad programming practices that we see.

Here are some tips to harden and secure PHP:

1. Keep PHP Updated: Keeping PHP updated to the latest version can help patch security vulnerabilities and reduce the risk of attacks. Use an automated task for this or an industry standard control panel like WHM/cPanel, PLESK or Nodeworx.
2. Use Strong Passwords: Use strong, unique passwords for all PHP-related accounts and services, including any PHP application database passwords.
3. Sanitize User Input: User input can be a common source of security vulnerabilities. Sanitize all user inputs in forms to prevent injection attacks and other vulnerabilities.
4. Use Prepared Statements: Prepared statements can help prevent SQL injection attacks by separating the SQL code from the data being inserted or queried. Don’t get lazy on this one.
5. Use Secure Session Management: Use secure session management techniques, such as random session IDs and session timeouts, to prevent session hijacking attacks.
6. Enable HTTPS: Enable HTTPS on your PHP site to encrypt all data transmitted between the client and server and prevent man-in-the-middle attacks. At the server level (Apache) you should be enforcing HSTS.
7. Disable Dangerous Functions: Disable dangerous PHP functions, such as eval(), exec(), and system(), to prevent attackers from executing arbitrary code on your server. Warning – doing this on an existing server with running apps can break your applications so be sure to test first.
8. Use Access Controls: Use access controls, such as file permissions and .htaccess files, to restrict access to sensitive files and directories on your server.
9. Use Security Libraries: Use security libraries, such as the PHP Security Advisories Database and PHP CodeSniffer, to help identify and mitigate potential security vulnerabilities in your code.
10. Implement a Firewall: Implement a firewall, such as a web application firewall (WAF), to help block malicious traffic and attacks on your PHP site. ConfigServer make some great products that can help with this. Mod_Security is a good default WAF with a lo of configurable rule sets you can fine tune for you app or server.

By implementing these tips, you can help harden and secure your PHP installation and reduce the risk of attacks and security vulnerabilities.