PHP is an open-source server-side scripting language, and it is a widely used. The Apache/Nginx/Lighttpd web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.
Our Sample Setup For PHP Security Tips – DocumentRoot: /var/www/html – Default Web server: Apache ( you can use Lighttpd or Nginx instead of Apache)
Default PHP configuration file: /etc/php.ini – Default PHP extensions config directory: /etc/php.d/ – Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)
Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distributions such as Debian / Ubuntu or other Unix like operating systems such as OpenBSD/FreeBSD/HP-UX). Default PHP server TCP/UDP ports: none
Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell: Continue reading