Securing PHP

PHP is secure for general use in its default configuration. However, additional steps can be taken to secure it further.

Securing PHP involves the following steps.
1) Disabling unnecessary extensions
2) Hiding the PHP version



1) Disabling unnecessary extensions
The first step to security is: do not use things that we do not need.
PHP comes bundled with several extensions. If we are concerned about security, we must disable all the unnecessary extensions. We can disable specific extensions at compile time by passing options of the form --disable-FEATURE or --without-PACKAGE to the configure script.
View the complete list of bundled PHP extensions.
View the complete list of configure options for PHP.



2) Hiding the PHP version
By default, the web server sends back the PHP version in the HTTP header. This makes the server more visible to attacks that rely on a simple reconnaissance technique: looking for specific PHP versions with security holes to exploit. We can turn this off.
Turning this feature off may not make our server any more secure, but it makes it less of a target. If someone is determined to get through a server, nothing can stop them. That does not mean we have to do them a favor by giving away information.

The X-Powered-By field in the header reveals the PHP version. This field is controlled by the expose_php directive, which is turned on by default. Open the PHP configuration file php.ini and look for the line containing the expose_php directive. Turn the option off, so that the line looks as shown below.

expose_php = Off

Save and close the file.

Restart the Apache service gracefully.

# service apache graceful
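
To confirm the change after the restart, the script below is an added example and not part of the original page. It reads the effective expose_php value from a php.ini file and checks a set of response headers for the X-Powered-By banner. The function names expose_php_setting and php_banner are hypothetical, and the sample php.ini, headers and version string are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. All sample data is constructed.

# Print "on" or "off": the effective expose_php value in the php.ini at $1.
# Lines starting with ';' are comments; the last live assignment wins.
expose_php_setting() {
    value=$(sed -n 's/^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*$/=\1/p' "$1" |
        tail -n 1 | tr -d '"' | tr '[:upper:]' '[:lower:]')
    case "$value" in
        "")                     echo on ;;   # directive absent: the default is On
        =on|=true|=yes|=[1-9]*) echo on ;;   # values PHP reads as true
        *)                      echo off ;;
    esac
}

# Read HTTP response headers on stdin. Print the X-Powered-By value when it
# names PHP and return 0; return 1 when nothing is disclosed.
php_banner() {
    tr -d '\r' | sed -n 's/^[Xx]-[Pp]owered-[Bb]y:[[:space:]]*\(PHP.*\)$/\1/p' | grep .
}

# Constructed samples: a php.ini in which an earlier "On" is overridden further
# down, and response headers as they look before and after the change.
sample_ini=$(mktemp)
trap 'rm -f "$sample_ini"' EXIT
cat > "$sample_ini" <<'EOF'
[PHP]
;expose_php = Off
expose_php = On
expose_php = Off   ; hide the version banner
EOF
headers_before='HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/0.0.0-example
Content-Type: text/html'
headers_after='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

echo "php.ini says expose_php is: $(expose_php_setting "$sample_ini")"
printf '%s\n' "$headers_before" | php_banner || echo "before: no PHP banner"
printf '%s\n' "$headers_after"  | php_banner || echo "after: no PHP banner"
# Against a live server (placeholder URL): curl -sI http://localhost/ | php_banner
```

If the banner still appears after the restart, the web server is probably loading a different php.ini than the one that was edited.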



