10 ways to improve the security of your PHP
You've been using PHP for years and it seems to work perfectly, but have you ever wondered what more you can do to secure your scripts? With security flaws becoming increasingly common and destructive, there are a number of best practices you can implement in your scripts to ensure they are safe from hackers of all levels. Here are ten ways to improve the security of your PHP scripts today, starting with the obvious and moving on to slightly less common areas that could save you from disaster in the future.
1) Change the default ports
Most web servers operate on ports 80 and 443. If your PHP application is exposed on one of these ports, you should change them as soon as possible to something like: 1141 (443) and 1142 (80). There are several reasons to change these ports. Firstly, it is much harder for an intruder to gain access, as most people assume that these two numbers have already been used. Secondly, it avoids conflicts with other services running on those ports. Finally, some ISPs may block ports 80/443 if they are not already in use, but virtually all ISPs allow traffic on ports 1143 or higher without restriction. Changing your default ports does not mean that you should not implement security measures; they should still be implemented, but on non-standard HTTP/HTTPS channels.
2) Use HTTPS at all times
Many websites do not use HTTPS, although they should. It is important that your website is secure at all times by ensuring that you use HTTPS instead of HTTP. This will protect your data and personal information by encrypting it so that it cannot be read by others over an unsecured connection. HTTPS is especially important for sites that handle sensitive data, such as credit card numbers or medical information; if someone intercepts your traffic, your data can easily be compromised.
3) Use strong passwords
There is no reason not to use strong passwords that contain a mixture of numbers, letters and special characters. A good password should be long (ideally more than 12 characters) and contain at least one number and one symbol. And remember: These days, it is often more secure to use two different passwords than one passphrase. Make sure you use different passwords for your different logins. If someone finds out your login details for a site, they can easily compromise your entire digital life with a few clicks. Consider password managers like LastPass and KeyPass, which allow you to store all your passwords in an encrypted database that syncs across all your devices.
4) Disable remote code execution
If remote code execution is enabled, attackers can execute arbitrary code on your server. This feature should be disabled at all times. Because of its potential consequences, remote code execution should be one of your top priorities when securing a web application. Make sure you have properly configured the settings to disable it. Disable it for all files If possible, don't just disable it for .php files, but for all file types, so that attackers can't use other file types as backdoors into your site. As an added bonus, disabling remote code execution will reduce your exposure to remote downloads and other types of malicious scripts loaded from untrusted sources on your website. Evaluate third-party plugins Third-party plugins are notorious for being riddled with security holes, as they are not subject to the usual quality control measures. Therefore, if you do not develop custom features yourself, third-party plugins are very likely to contain errors that could cause security problems on your site. Consider using only high-quality plugins with a history of maintaining secure code or proprietary code developed in-house by experienced developers with a high level of expertise in web application security. Check web server configuration options Although not necessarily directly related to PHP vulnerabilities, some Apache configuration options are general good security practices, as they limit what different processes running on your system are allowed or not allowed to do.
5) Activate ModSecurity or another WAF
Even if you are not a web application developer, one of your primary responsibilities as an information security professional is to help developers implement secure coding practices. That's why it's so important that you become familiar with WAFs, or web application firewalls, and learn how to enable them for your organisation. Even a little knowledge can go a long way in making your organisation more secure. For example, by enabling ModSecurity on all your web servers (and Apache load balancers), you greatly increase the security - and peace of mind - of everyone involved.
6) Relying on built-in safety features
From safe_mode to open_basedir, there are many ways to improve the security of your site by taking advantage of built-in features. For example, if you are creating a new file upload function, use validate_file_name() rather than doing it yourself. If in doubt, see what WordPress or another popular framework does. If their code doesn't have an obvious vulnerability, yours probably won't either. Don't reinvent what has already been written. Use the built-in functions: There are so many functions available for every language! Make sure you learn and use them! Save time by trying to write something complicated when someone else has already solved it for you.
7) Do not run the administration tools on the production servers
Of course, using some administration tools may be convenient on your development server, but it can only get you into trouble if you use them on a production server. Tools like phpMyAdmin and Adminer offer potential hackers a route of attack that, with enough knowledge and persistence, can lead directly to your database. Don't do it. If you need remote access to your database for development or debugging purposes, use an SSH tunnel instead. For MySQL users who want GUI access, check out LAMP stack offerings such as PhpMyAdmin Lite or Adminer; both are solid alternatives that offer good data security practices. Or better yet, keep command line access to completely protect your data from malicious intent by placing critical connections outside a web environment. Think twice before allowing passwordless accounts: It may seem convenient for a developer to set up a passwordless root account on their local development workstation, but this is exactly why many security professionals warn against using them in production environments. When databases are not properly secured, anyone with login credentials can easily exploit SQL injection vulnerabilities and execute commands as any user they choose (even as root). Even worse, these same people can potentially work their way through sudo permissions to root, once access is granted via login credentials.
8) Check third party libraries before using them
If you are using third-party libraries in your application, such as those that scan downloaded files, it is extremely important that you first check these libraries for known vulnerabilities. While it may be easier to use a pre-written library than to spend time writing your own scanning code, we can never guarantee that we won't introduce new security vulnerabilities by relying on external code, and we will only improve the security of our application if we check everything before we integrate it into our project. Read more: How to check for security vulnerabilities in third-party libraries.
9) Move configuration files out of the web root
These files can contain all sorts of sensitive data, including MySQL passwords. If an attacker gains access to these files through a vulnerability in your application, all they need to do is change a few lines of code and execute a single command. Keep configuration files out of the website root by placing them outside your website's document directory - in wp-content/config , for example. Better still, put them on a different server altogether. If you use continuous integration tools like Gitlab CI or Github, put the configuration files in a private repository and don't push those repositories to public servers. Then set up an automated process that updates the configuration files every time you deploy new code.
10) Keep PHP up to date
Keeping your code up to date is a surefire way to ensure that you are not vulnerable to known vulnerabilities. If you are building something from scratch, try using Composer for dependency management; it can be integrated with GitLab CI for automated deployments. If you're working on an existing project or want to add one line of code at a time, don't forget git diff and git pull requests; these features make it easy to ensure that everyone knows what they're doing when updating their local environments or files. You might also consider creating a process that requires people to review and approve changes. Ultimately, knowing who made changes and when (and how) will help you detect vulnerabilities sooner rather than later. Don't wait for someone to tell you there's a problem, take precautions proactively! And speaking of notifications: never miss them again with GitLab issue notifications or Mattermost notifications.
Matthieu Robin is the CEO of Hidora, an experienced strategic leader, a former system administrator who has managed and configured more environments manually than anyone else on the planet and after realising that it could be done with a few clicks created Hidora SA. He is a regular speaker at conferences and helps companies optimise their business processes with DevOps. Follow him on Twitter.