This article is for educational purposes only, WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY. Make sure your site works in Staging before even thinking of making these changes in Production, as they may break your site! Do one thing/change at a time, then TEST that all is still working. Users BEWARE of these risks before continuing with this post; make backups before proceeding.

Hardening PHP: starting ideas to secure PHP on your VPS or dedicated server.

1) Update PHP regularly!

2) Install a Web Application Firewall like ModSecurity: https://github.com/SpiderLabs/ModSecurity
Also consider hardening PHP 7/8 itself with Snuffleupagus: https://snuffleupagus.readthedocs.io

3) Restrict direct access to include or library files. Consider placing this in your Apache2 httpd.conf to block direct access to .inc and .phps files. The directives go inside a FilesMatch container for each extension; AllowOverride only works in a Directory context and Apache rejects it inside FilesMatch, so it is left out:

    <FilesMatch "\.inc$">
        Options None
        Order Allow,Deny
        Deny from All
        Satisfy All
    </FilesMatch>

    <FilesMatch "\.phps$">
        Options None
        Order Allow,Deny
        Deny from All
        Satisfy All
    </FilesMatch>

On Apache 2.4, replace the Order/Deny/Satisfy lines with Require all denied.

In Nginx, anchor the pattern to the end of the path; the pattern /\.inc would only match a dot-file path segment such as /.inc, not files ending in .inc:

    location ~ \.inc$  { deny all; }
    location ~ \.phps$ { deny all; }

4) Prevent Cross-site scripting (XSS): escape ALL user input that will be used as output later on:

    $search = $_POST['q'] ?? '';
    $search_safe = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
    echo "Looking for: {$search_safe}";

5) Avoid remote file inclusion. If user input needs to change the page dynamically, use a match or switch case to limit it to specific files (PHP 8 match shown; the default arm catches any value not on the allow list):

    $page = match ($_POST['page'] ?? '') {
        'intro'   => 'intro.php',
        'welcome' => 'welcome.php',
        default   => 'main.php',
    };
    include $page;

6) Prevent SQL injection attacks: always use prepared statements. Use PDO if it is supported for your DB.

php.ini file settings:

1) Limit directory access via the open_basedir directive in php.ini:

    open_basedir=/var/www/myproject:/var/www/myotherproject:/var/lib/php/session

On Linux, : is the field separator. On Windows, ; is the field separator.
2) Disable file uploading via php.ini if not needed:

    file_uploads=Off

3) On live servers, disable displaying errors and log them instead:

    display_errors=Off
    display_startup_errors=Off
    log_errors=On

4) Prevent large POST requests from consuming all your server's resources:

    max_input_vars = 100

If uploads are disabled, set in php.ini:

    post_max_size=1K

Otherwise, to upload large files, this value must be larger than upload_max_filesize.

5) Restrict PHP information leakage, in php.ini:

    expose_php=Off

6) Stop remote code execution via php.ini:

    allow_url_fopen=Off
    allow_url_include=Off

7) Limiting DoS attacks (php.ini comments start with ; since PHP 7 no longer accepts #):

    memory_limit = 40M
    ; the next two values are set in seconds
    max_execution_time = 30
    max_input_time = 30

8) Limit dangerous functions in php.ini. This list is aggressive: move_uploaded_file, mkdir, rename, chmod and curl_exec are used by many frameworks and CMSs, so test which ones your application actually needs before disabling them:

    disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo, curl_exec, curl_multi_exec, parse_ini_file

Plus much more: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass#other-interesting-php-functions

9) register_globals = off (this directive was removed in PHP 5.4, so it only matters on older installs)

10) Lock down PHP config files by write-protecting (making immutable) them. Note you may have a different path: /etc/php/yourVersionNumbers/apache or fpm...

    $ sudo -i
    $ cd /etc/php
    $ chattr +i 8.1/fpm/php.ini
    $ chattr +i 8.1/fpm/conf.d/*

Note: chattr -i will make the file writable again!

So, these were my starting points; be sure to keep researching PHP hardening.