25 PHP Security Best Practices for Secure Server Configuration

This guide presents twenty‑five practical PHP security measures, covering server environment setup, configuration directives, module management, file permissions, logging, SELinux, firewall rules, and tools such as Suhosin and ModSecurity to harden PHP applications on Linux/Apache systems.

Written by Art of Distributed System Architecture Design

PHP is a widely used open‑source server‑side scripting language, but misconfiguration can expose many vulnerabilities; therefore careful configuration is essential.

Example environment

DocumentRoot: /var/www/html
Web server: Apache (or Lighttpd/Nginx)
PHP config file: /etc/php.ini
Modules directory: /etc/php.d/
Security config file: /etc/php.d/security.ini
OS: RHEL/CentOS/Fedora (compatible with Debian/Ubuntu, OpenBSD, FreeBSD, etc.)

Best practice 1 – Know your threats

Common attacks include XSS, SQL injection, unsafe file uploads, remote file inclusion, use of eval(), and CSRF. Mitigate them by validating all input, disabling dangerous functions, and configuring Apache securely.

Best practice 2 – Review built‑in PHP modules

List loaded modules with php -m and remove unnecessary ones, e.g.:

# rm /etc/php.d/sqlite3.ini

or

# mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable

Best practice 3 – Hide PHP version information

Set expose_php=Off in security.ini to stop PHP from sending its version in HTTP headers.

Best practice 4 – Limit loaded extensions

Disable unneeded dynamic extensions, e.g. to turn off GD:

# cd /etc/php.d/
# mv gd.{ini,disable}
# /sbin/service httpd restart

Best practice 5 – Log all errors

Disable display of errors to users and enable logging:

display_errors=Off
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log

Best practice 6 – Control file uploads

Disable uploads globally with file_uploads=Off or enable with size limits:

file_uploads=On
upload_max_filesize=1M

Best practice 7 – Disable remote code execution

Turn off allow_url_fopen and allow_url_include:

allow_url_fopen=Off
allow_url_include=Off

Best practice 8 – Enable SQL safe mode

Set sql.safe_mode=On and disable magic_quotes_gpc for better input handling.

Best practice 9 – Limit POST size

Configure post_max_size=1K and restrict HTTP methods in httpd.conf to reduce DoS risk.

Best practice 10 – Resource limits

Set execution time, input time, and memory limits:

max_execution_time=30
max_input_time=30
memory_limit=40M

Best practice 11 – Install Suhosin

Suhosin provides additional hardening patches and a PHP extension for protection against buffer overflows and other exploits.

Best practice 12 – Disable dangerous functions

In security.ini add:

disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Best practice 13 – FastCGI configuration

Enable cgi.force_redirect=On to prevent direct script invocation.

Best practice 14 – Run PHP as non‑root

Use suEXEC or mod_suPHP so PHP processes run under a low‑privilege user such as phpcgi.

Best practice 15 – Restrict filesystem access

Set open_basedir="/var/www/html/" to limit file access.
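The following audit script is an added example, not code from the original article: it reads a php.ini-style file and reports every directive that deviates from the baseline given in practices 3, 5, 6, 7 and 12 above (expose_php, display_errors/log_errors, upload limits, allow_url_*, disable_functions). The sample configuration inside it is constructed, and it assumes POSIX sh with awk and mktemp available.

```shell
# Added example, not from the original article: audit a php.ini-style file
# against the directives this guide recommends. Assumes POSIX sh, awk, mktemp.
SAMPLE_INI='; constructed sample, not a real server config
expose_php=On
display_errors=Off
log_errors=On
allow_url_fopen=Off
allow_url_include=Off
file_uploads=On
upload_max_filesize=8M
disable_functions=exec,passthru,shell_exec,system'
ini_value() {  # FILE KEY: print KEY's value (comments skipped, quotes stripped), empty if unset
    awk -F= -v key="$2" '
        /^[[:space:]]*;/ { next }
        { k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1)
                   gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); gsub(/^"|"$/, "", v); val = v }
        END { print val }' "$1"
}
to_bytes() {  # PHP shorthand (1M, 512K, 1G, plain bytes) to an integer byte count
    case "$1" in
        *[Kk]) echo $(( ${1%?} * 1024 )) ;;  *[Mm]) echo $(( ${1%?} * 1048576 )) ;;
        *[Gg]) echo $(( ${1%?} * 1073741824 )) ;;  *) echo "$1" ;;
    esac
}
audit_ini() {  # FILE: print one FAIL line per deviation; the return value is the failure count
    f=$1; fails=0
    for pair in expose_php=Off display_errors=Off log_errors=On allow_url_fopen=Off allow_url_include=Off; do
        k=${pair%%=*}; want=${pair#*=}
        [ "$(ini_value "$f" "$k")" = "$want" ] || { echo "FAIL $k should be $want"; fails=$((fails + 1)); }
    done
    # If uploads are enabled, the size limit must not exceed the 1M the guide recommends.
    if [ "$(ini_value "$f" file_uploads)" = "On" ] &&
       [ "$(to_bytes "$(ini_value "$f" upload_max_filesize)")" -gt 1048576 ]; then
        echo "FAIL upload_max_filesize exceeds 1M"; fails=$((fails + 1))
    fi
    # Every function in the guide's disable_functions list must be present (order does not matter).
    have=",$(ini_value "$f" disable_functions),"
    for fn in exec passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source; do
        case "$have" in *",$fn,"*) ;; *) echo "FAIL disable_functions missing $fn"; fails=$((fails + 1)) ;; esac
    done
    return $fails
}
tmp=$(mktemp); printf '%s\n' "$SAMPLE_INI" > "$tmp"
audit_ini "$tmp" || echo "failures: $?"; rm -f "$tmp"
```

Run it against /etc/php.d/security.ini (or the merged output of php --ini) after each change to confirm the baseline still holds; the constructed sample above reports eight failures.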

Best practice 16 – Secure session storage

Define session.save_path="/var/lib/php/session" and ensure proper SELinux context.

Best practice 17 – Keep software up‑to‑date

Regularly apply updates via yum update or apt-get update && apt-get upgrade.

Best practice 18 – Harden file permissions

Run Apache as a non‑root user, set files to 0444 and directories to 0445, and use chattr +i to make configuration files immutable.

Best practice 19 – Use SELinux

Enable appropriate SELinux booleans for httpd and disable unnecessary ones.

Best practice 20 – Install ModSecurity

Configure rules to block access to /etc/ and detect SQL injection patterns.

Best practice 21 – Run services in chroot or containers

Isolate Apache/PHP in a chroot jail or use container technologies for additional isolation.

Best practice 22 – Restrict outbound traffic

Use iptables owner module to limit which users can make outbound connections.

Best practice 23 – Log and audit

Continuously monitor Apache and PHP logs, and employ auditd for SELinux event tracking.

Best practice 24 – Separate services

Deploy static content, dynamic PHP, MySQL, and caching on separate servers or VM instances to limit blast radius.

Best practice 25 – Additional tools

Consider PHPIDS for intrusion detection and PhpSecInfo for security information reporting.

Following these practices helps protect PHP applications from a wide range of attacks and hardens the underlying Linux/Apache environment.
