1. Remove Unnecessary PHP Modules
By default, you get a set of PHP modules that can be helpful in various tasks but some unnecessary modules might not be useful for each project. To list available PHP modules, utilize the given command:
$ php -m
For example, let’s remove the curl module by utilizing the given command:
$ sudo rm -r 20-curl.ini
2. Disable Remote PHP Code Execution
To disable fopen, we need to open the PHP configuration file by utilizing the given command:
$ sudo nano /etc/php.ini
Now, use CRTL + w and type allow_url_fopen which will land us on specific lines from where we will disable those options.
allow_url_fopen=Offallow_url_include=Off
3. Disable PHP Information Leakage
When not disabled, the world can easily identify which version of PHP is currently used by our web server.
Now, change the defaults to “Off”.
expose_php=Off
4. Disable Dangerous PHP Functions
PHP has various functions enabled by default and can be helpful for development purposes. But many functions can be used by hackers to exploit our web server and disabling them will add a layer of security.
disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
5. Protect PHP Configurations
While removing unnecessary files, we often remove some crucial files or even directories. So we must tweak settings in such a way that even root users can’t delete them.
$ sudo chattr +i /etc/php.ini
6. Session Security
Sessions are used to preserve information across multiple requests for individual users. The actual information is stored on the server, and a cookie (or, less securely, HTTP request data) containing a session ID is used to validate users. Sessions are used for purposes including authentication into a web application, which is one reason why its security is so important. The following settings can be updated to help reduce the risk of session interception.
session.use_strict_mode = 1
Create a new session ID if the browser sends a previously-uninitialized ID. This helps prevent an attack called session fixation.
session.cookie_httponly = 1
Allow the session cookie to be accessible only from a HTTP request, and not from other sources such as JavaScript. This helps prevent an attack called an XSS attack.
session.use_cookies = 1session.use_only_cookies = 1session.use_trans_sid = 0
Save session ID in a cookie, rather than sending it as a URL parameter. This helps keep a user’s session secure by preventing session fixation attacks.
session.name = custom_session_id
Cookies store their information in key-value format. It is advisable to update the default key name of the cookie that stores the session ID. Update “custom_session_id” with a custom value.
session.cookie_secure = 1
If your web application runs over the HTTPS protocol for security, enable this setting to force cookies containing session IDs to be accessed only over a secure connection.
session.referer_check = example.com
Check where the request came from in order to determine whether to allow access to session data. Update this setting value to your application’s domain name to help prevent session information from being accessed if a script is loaded from an external source.
session.save_path = "/var/lib/php/session"
The default session file save path is writeable by all system users. The location should be switched to a more secure directory. Ensure that the new directory location is not located within the web root. If you are using a file manager such as the one included with cPanel, then an easy location to create the session directory is directly outside of the web root (i.e. the same directory that public_html is located within). Another secure location is to create the directory within the PHP directory in “/var/lib”. The path depends on the operating system, i.e. “/var/lib/php” or “/var/lib/php5”. If have open_basedir restrictions in effect, ensure that the session save path is included in the open_basedir whitelist.
session.hash_function = sha512
SHA-512 is a more secure hashing algorithm for creating session IDs compared to the default MD5 hash function. This algorithm is available in PHP version 5.3+. If you are running a lesser version of PHP, use the SHA1 hash algorithm instead. To do so, set “session.hash_function = 1”.
session.bug_compat_42 = 0session.bug_compat_warn = 0
Soap Cache
soap.wsdl_cache_dir = /var/lib/php/soap_cache
As with file uploads and session data, SOAP cache data should not be stored within the default temporary directory. Set this to a more secure directory.
