Configuring PHP for Secure Operation

PHP is the language of three of the four CMSs spotlighted in this book. Joomla!, Drupal, and WordPress are written in PHP.

PHP is an interpreted language, meaning that the commands are acted upon by a command-line processor added to the web server. This PHP processor module will generate a traditional web page from the commands. PHP has been around since 1994 and has a very actively maintained code base.

Securing PHP is important not only for your server and data, but also for others on the Internet. Running an older, insecure version of PHP is just the same as running a vulnerable server. Fortunately, you can secure PHP fairly easily.

This section covers various security tools and processes, as well as a little about the php.ini configuration file.


One of the first items of business is to determine (if you do not know) what the baseline of your PHP software is. Ideally, you want to be running suPHP, which is a tool that forces PHP scripts (like your CMS) to be executed with the permissions of their owners.

suPHP is a great tool to use to ensure that you are running PHP in a very secure fashion. If you are using a managed virtual private server (VPS) or dedicated server at a hosting company, a quick telephone call to the support staff can help you establish if you are running it.

The next method is to try to set folder permissions to 777. If you're running suPHP, you'll get a 500 Internal Error when you browse.


PHP has a great ...

Get CMS Security Handbook: The Comprehensive Guide for WordPress®, Joomla!®, Drupal™, and Plone® now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.