PHP is powerful, and allows static html pages to become dynamic. It also allows information to translate into commands and functions. Because of this you should implement a variety of security features. The biggest security feature, which increases security of the host machine, is setting the basedir parameter. This locks PHP functions to a particular directory, not allowing them to run processes or effect files further down the tree. Use nano and the cntrl-w function to search for “open_basedir” in /etc/php5/apache/php.ini. It will most likely be commented with a # sign. Remove the # sign and add the document root of your website. If you virtualhost, you can add the root of all documents served.

Also turn off several other parementers.

allow_url_fopen

allow_url_include

display_errors

register_globals

safe_mode

Also turn off the Magic Quotes options in php.ini. In /etc/apache2/apache2.conf turn off the signature option. Search for “ServerSignature”. There is an apache modules that should be iplemented; mod security; I’ll save it for the next post.