PHP is powerful, and allows static html pages to become dynamic. It also allows information to translate into commands and functions. Because of this you should implement a variety of security features. The biggest security feature, which increases security of the host machine, is setting the basedir parameter. This locks PHP functions to a particular directory, not allowing them to run processes or effect files further down the tree. Use nano and the cntrl-w function to search for “open_basedir” in /etc/php5/apache/php.ini. It will most likely be commented with a # sign. Remove the # sign and add the document root of your website. If you virtualhost, you can add the root of all documents served.
Also turn off several other parementers.
Also turn off the Magic Quotes options in php.ini. In /etc/apache2/apache2.conf turn off the signature option. Search for “ServerSignature”. There is an apache modules that should be iplemented; mod security; I’ll save it for the next post.