Linux: 25 PHP Security Best Practices For Sys Admins

PHP is an open-source server-side scripting language, and it is a widely used. The Apache/Nginx/Lighttpd web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.

Our Sample Setup For PHP Security Tips – DocumentRoot: /var/www/html – Default Web server: Apache ( you can use Lighttpd or Nginx instead of Apache)

Default PHP configuration file: /etc/php.ini – Default PHP extensions config directory: /etc/php.d/ – Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)

Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distributions such as Debian / Ubuntu or other Unix like operating systems such as OpenBSD/FreeBSD/HP-UX). Default PHP server TCP/UDP ports: none

Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell: Continue reading



Comment moderation is enabled. Your comment may take some time to appear.


  • vidi verum 24 January 2017 at 16:58:01

    Thanks. This will help lock things down. Currently integrating PHP Sessions() into my website as HTTP re…