PHP has been plagued with vulnerabilities since the day it was invented. It has a horrible track record, not only for the core but for almost everything that runs on it.
The default settings don’t offer any protection, so here is what I did to make my website run more securely with PHP:
Change display_errors to off so that PHP errors are not displayed in the browser.
Also, turn on error logging so that the developers can still debug their code:
log_errors = On
error_log = phperrors_log
Make sure register_globals is disabled. This prevents hackers from injecting or overwriting variables that they should not be allowed to touch. It has been the default setting in PHP for the past few years.
register_globals = Off
Disable the ability to open files via a URL. Hackers can exploit PHP with a remote file inclusion attack to execute their own PHP script on a target host; these two settings prohibit that attack.
allow_url_fopen = Off
allow_url_include = Off
Change expose_php to off so that the PHP version is not disclosed in the HTTP response header.
expose_php = Off
Disable dangerous functions. Some of these functions may be needed by your application, so plan accordingly.
By disabling these functions, remote PHP shell exploits are rendered useless.
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source, phpinfo, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
Configure PHP to force the browser to use a cookie for the session:
session.use_only_cookies = 1
URL-based session management is disabled by default. Double-check it, and also mark the session cookie HttpOnly so that client-side script cannot read it:
session.use_trans_sid = 0
session.cookie_httponly = 1
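To check that a php.ini actually carries the settings listed above, here is a small audit script (added example, not code from the original post). It parses php.ini syntax, normalises the On/Off/1/0 boolean spellings, compares each directive with the values given above, and reports shell-spawning functions missing from disable_functions; the sample php.ini fragment is constructed and deliberately deviates in two places.

```python
# Added audit script (not the post's code); expected values are the post's settings.
BASELINE = {"display_errors": "off", "log_errors": "on", "register_globals": "off",
            "allow_url_fopen": "off", "allow_url_include": "off", "expose_php": "off",
            "session.use_only_cookies": "on", "session.use_trans_sid": "off",
            "session.cookie_httponly": "on"}
MUST_DISABLE = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}
_TRUE, _FALSE = {"1", "on", "yes", "true"}, {"0", "off", "no", "false", "none", ""}

def normalize(value):
    """Map any php.ini boolean spelling to 'on'/'off'; other values pass through."""
    v = value.strip().strip('"').lower()
    return "on" if v in _TRUE else "off" if v in _FALSE else v

def parse_php_ini(text):
    """Return {directive: raw value}; skips [sections] and ';' comments (quoted ';' unsupported)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line and not line.startswith("["):
            key, sep, value = line.partition("=")
            if sep:
                settings[key.strip().lower()] = value.strip()
    return settings

def audit(text):
    """List deviations from BASELINE (empty list = met); an absent directive counts too."""
    settings, findings = parse_php_ini(text), []
    for directive, expected in BASELINE.items():
        if directive not in settings:
            findings.append(f"{directive} is not set (PHP default applies)")
        elif normalize(settings[directive]) != expected:
            findings.append(f"{directive} is {normalize(settings[directive])}, expected {expected}")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    for fn in sorted(MUST_DISABLE - disabled):
        findings.append(f"{fn} is not listed in disable_functions")
    return findings

# Constructed sample php.ini fragment with two deviations from the baseline.
SAMPLE_INI = """[PHP]
display_errors = Off
log_errors = On
register_globals = Off
allow_url_fopen = On   ; left at PHP's default
allow_url_include = Off
expose_php = Off
disable_functions = exec, passthru, shell_exec, system, proc_open
[Session]
session.use_only_cookies = 1
session.use_trans_sid = 0
session.cookie_httponly = 1"""
```

Run it against the output of `php --ini` (the loaded php.ini path) on your own server; an empty list from audit() means every directive above is set as described.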
In httpd.conf, change
AddType application/x-httpd-php .php4 .php3 .phtml .php
to
AddType application/x-httpd-php .php5 .php4 .php3 .phtml .php .inc .class
This will prevent hackers from viewing .inc and .class files that contain PHP code, because Apache now passes them to the PHP interpreter instead of serving their source as plain text.