Recently I was doing some hardening of my web hosting to reduce the probability of future attacks on PHP sites and popular CMS systems like WordPress. Just a few days back, some 30,000 WordPress sites were hacked due to insecure admin passwords and outdated software. Both of those have extremely easy solutions, but you can also check out an older post here that I wrote on WordPress security. It has some easy steps you can take to reduce the chance of a successful breach.
I recently moved my hosting to a VPS and I run all my PHP sites in FastCGI mode for the performance benefits. When running PHP as a FastCGI process, each domain has its own php.ini, located at “/var/www/vhosts/yourdomainhere.com/etc/php.ini”, instead of the normal location of just /etc/php.ini. Making changes to just /etc/php.ini will not do anything when running as FastCGI.
Unfortunately, having a couple of domains on my server already, I had to go through each path and edit the php.ini file to add some security. I used a great tool put out by the PHP Security Consortium called PHPSecInfo. It provides an equivalent to the phpinfo() function but reports security information about the PHP environment and offers suggestions for improvement. It is as easy as uploading the files to your web server and navigating to the folder. (Instructions below.)
Why use PHPSecInfo to secure your server?
There are many ways to see information about your server that you’d probably rather keep private. If you are reading this and running WordPress on a VPS or Dedicated server, scan your domain here: Sucuri SiteCheck
Hopefully you don’t find anything bad, but a few sites (some well known) I entered as tests came back showing their full internal paths. I’m not a huge fan of security through obscurity as a primary security strategy, but PHP is very good at leaking the internal paths of your system when errors occur. You can find out exactly where the blog is hosted (/var/www, /home/user, etc.) and, 99% of the time, guess the admin user used for administration, which solves half of the riddle of accessing your server administration section.
How to fix this specific error:
Open your php.ini file (generally at /etc/php.ini; if you are running PHP as a FastCGI process, see above for the per-domain location) and set:
display_errors = Off
How to use PHPSecInfo to secure your server
- Download PHPSecInfo
- Extract the files and folders from the zip file you just downloaded.
- Rename the extracted folder to phpsecinfo.
- Upload the renamed folder to the root directory for your domain using SFTP/FTP.
- Now, simply open your browser and browse to http://yourdomainwhereyouuploaded.com/phpsecinfo.
How to make a php.ini template for new domains you create
(Note: this was written for Plesk.)
- SSH into your server as root
cd /var/www/vhosts/.skel/0/
ls -al
If you don’t see a conf directory after listing files, make one:
mkdir conf
Then:
cd /etc
cp php.ini /var/www/vhosts/.skel/0/conf
nano /var/www/vhosts/.skel/0/conf/php.ini
Now make any changes to this php.ini file and any new domains you add will use this as a template.
Now, what about the domains I already have?
Unfortunately there is no shortcut to editing your current domains. You’ll have to access their php.ini files one by one and add any changes you want. I would at least suggest adding these 3:
display_errors = 'Off'
allow_url_fopen = 'Off'
expose_php = 'Off'
Again, you can access this on a per-domain basis here:
/var/www/vhosts/yourdomainhere.com/etc/php.ini
Note: This will look different from the php.ini file you copied from /etc/php.ini, but you can add individual settings like the 3 above.
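As an added example (not part of the original post), the following script walks every per-domain php.ini in the Plesk FastCGI layout described above and forces the three directives recommended there to Off, so the one-by-one editing does not have to be done by hand. The vhosts root and the <domain>/etc/php.ini path come from the post; the function names, the .tmp file and the VHOSTS_ROOT override are assumptions.

```shell
#!/bin/sh
# Added example: harden display_errors, allow_url_fopen and expose_php in
# every /var/www/vhosts/<domain>/etc/php.ini (Plesk FastCGI layout).
# VHOSTS_ROOT may be overridden for testing or non-default installs.

VHOSTS_ROOT="${VHOSTS_ROOT:-/var/www/vhosts}"

# ini_value FILE DIRECTIVE: last uncommented assignment of DIRECTIVE, with
# quotes stripped and lower-cased (Off, "Off", 'off' all compare equal).
ini_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E "s/^[^=]*=[[:space:]]*['\"]?([^'\"[:space:];]*).*/\1/" \
        | tr 'A-Z' 'a-z'
}

# harden_php_ini FILE: ensure the three directives are Off. An existing
# assignment is rewritten in place (so a later line cannot shadow it);
# a missing one is appended. Prints how many directives were changed.
harden_php_ini() {
    file="$1"
    changed=0
    for directive in display_errors allow_url_fopen expose_php; do
        case "$(ini_value "$file" "$directive")" in
            off|0) continue ;;   # already disabled, nothing to do
        esac
        if grep -qE "^[[:space:]]*${directive}[[:space:]]*=" "$file"; then
            # temp file + mv instead of sed -i so BSD and GNU sed both work
            sed -E "s/^[[:space:]]*(${directive})[[:space:]]*=.*/\1 = Off/" \
                "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        else
            printf '%s = Off\n' "$directive" >> "$file"
        fi
        changed=$((changed + 1))
    done
    echo "$changed"
}

# harden_all_domains [ROOT]: run harden_php_ini on ROOT/<domain>/etc/php.ini
# for every domain; per-domain counts go to stderr, the total to stdout.
harden_all_domains() {
    total=0
    for ini in "${1:-$VHOSTS_ROOT}"/*/etc/php.ini; do
        [ -f "$ini" ] || continue
        n=$(harden_php_ini "$ini")
        echo "$ini: $n directive(s) changed" >&2
        total=$((total + n))
    done
    echo "$total"
}
```

Run it as root after backing up the files, then re-check each domain with PHPSecInfo; the per-domain php.ini is only read by the FastCGI processes after they restart.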