PHP Server Security Configuration Guide
This article provides a comprehensive step-by-step guide to hardening PHP server settings, covering safe mode activation, directory restrictions, disabling dangerous functions, hiding version information, managing error reporting, and creating low-privilege MySQL and Apache accounts for enhanced security.
Enable PHP safe mode: Set safe_mode = On in php.ini to restrict functions such as system() and limit file-operation permissions.
Group security: Disable group-based safe mode with safe_mode_gid = Off so a script cannot access a file merely because it shares the file's group.
Restrict executable directory: Define a dedicated directory for allowed executables, e.g. safe_mode_exec_dir = D:/usr/www (or any isolated folder).
Include directory for shared files: Set safe_mode_include_dir = D:/usr/www/include/ to limit which files can be included under safe mode.
Limit accessible paths: Use open_basedir = D:/usr/www to confine PHP scripts to the web root and keep them away from sensitive system files.
Disable dangerous functions: Add to disable_functions a list such as system,passthru,exec,shell_exec,popen,phpinfo and, optionally, extend it with file-handling functions such as chdir,chroot,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown to mitigate web shell attacks.
Hide PHP version: Set expose_php = Off so the PHP version is not disclosed in HTTP headers.
Turn off automatic global variables: Set register_globals = Off so that POST/GET variables are not registered as globals and scripts must read them through $_GET, $_POST, etc.
Enable magic quotes (deprecated): Although deprecated, magic_quotes_gpc = On automatically escapes quotes in user input, which helps mitigate SQL injection.
Control error display: Disable direct error output with display_errors = Off. If errors must be shown, limit the level with error_reporting = E_WARNING & E_ERROR.
Log errors: Enable logging with log_errors = On and specify a log file, e.g. error_log = D:/usr/local/apache2/logs/php_error.log, making sure the Apache user has write permission to it.
Run MySQL with low privileges: Create a restricted MySQL user (net user mysqlstart /add, then net localgroup users mysqlstart /del to remove it from the Users group) and configure the MySQL service to run under this account.
Run Apache with low privileges: Create a user that belongs to no group (net user apache /add, then net localgroup users apache /del), assign the account in the Apache service properties under "Log on", and restart the service.
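The directives above are easy to get wrong in a long php.ini, so here is an added example (not from the original guide) that audits a php.ini text against the baseline the guide describes: the expected flag values, open_basedir, the mandatory disable_functions entries, and that log_errors is paired with an error_log path. It checks only directives that still exist in current PHP releases (safe_mode, register_globals and magic_quotes_gpc were removed in PHP 5.4); both sample php.ini texts are constructed for the example.

```python
# The guide's baseline: functions that must be in disable_functions, and expected flag values.
REQUIRED_DISABLED = {"system", "passthru", "exec", "shell_exec", "popen", "phpinfo"}
EXPECTED_FLAGS = {"expose_php": False, "display_errors": False, "log_errors": True}
# Constructed samples: a permissive php.ini, and one that follows the guide.
WEAK_INI = """[PHP]
expose_php = On
display_errors = On      ; leaks warnings and file paths to visitors
log_errors = On
disable_functions = phpinfo
"""
HARDENED_INI = """[PHP]
expose_php = Off
display_errors = Off
log_errors = On
error_log = "D:/usr/local/apache2/logs/php_error.log"
open_basedir = D:/usr/www
disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
"""

def parse_php_ini(text):
    """Map directive -> value, ignoring [section] headers and ';' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def as_bool(value):
    """Interpret a php.ini flag (On/Off, 1/0, true/false, yes/no) the way PHP does."""
    return value.strip().lower() in ("1", "on", "true", "yes")

def audit(text):
    """Return findings for a php.ini text; an empty list means it meets the guide's baseline."""
    cfg, findings = parse_php_ini(text), []
    for directive, want in EXPECTED_FLAGS.items():
        have = cfg.get(directive)
        if have is None or as_bool(have) != want:
            findings.append(f"{directive} should be {'On' if want else 'Off'} (found {have!r})")
    if not cfg.get("open_basedir"):
        findings.append("open_basedir is not set; scripts may read outside the web root")
    disabled = {f.strip() for f in cfg.get("disable_functions", "").split(",")}
    if missing := sorted(REQUIRED_DISABLED - disabled):
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if as_bool(cfg.get("log_errors", "Off")) and not cfg.get("error_log"):
        findings.append("log_errors is On but error_log names no file")
    return findings
```

Run audit() over the output of `php --ini` targets or a copied php.ini to get a short list of deviations to fix; extend REQUIRED_DISABLED with the optional file-handling functions if you adopt that stricter list.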