PHP web security, application securize

Sometimes we manage PHP applications to our surprise have been hacked, have replaced the home page, added code in the header of the page, malicious code inserted between the application files (for example sending email spam), etc. ..

Leave some pictures:


ataque 405 email sender ataque islamic ghosts team Ataque merdeka

This type of attack is most likely suffer if our application is relatively popular, WordPress, Joomla, Drupal, etc …

The safety improvement plan includes the processes:

We go step by step:

Modify the Apache configuration

The idea is to provide the minimum information to a potential attacker will modify some settings:


This policy configures which information will be returned in the head by the Apache server. The values can be: Full | OS | Minimal | Minor | Major | Prod.

The default is Full that indicates the version of Apache, on which operating system is running, modules, versions … wonderful to let any attacker.

The recommended value is Prod, which only indicates that the Web server is Apache, so we must fix:

ServerTokens Prod

Depending on the OS, this directive should be included in a file or another:

  • Ubuntu: /etc/apache2/conf.d/security
  • CentOS/RedHat: /etc/httpd/conf/httpd.conf

More information in:

User, Group

These directives allow you to modify the user and group that Apache will be executed. Keep in mind that any change in these directives implies a change of ownership or at least modify permissions on the files included in the directory documentRoot.

Depending on the operating system, these modifications are made in different places:

  • Ubuntu: /etc/apache2/envvars. You need to modify entries:
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
  • CentOS/RedHat: /etc/httpd/conf/httpd.conf. Directly modify
  • Source   
    User apache
    Group apache

    More information in:

    Modify PHP settings

    PHP configuration is in the php.ini file, which depending on the operating system can be found at:

    • Ubuntu: /etc/php5/apache2/php.ini
    • CentOS/RedHat: /etc/php.ini

    The directives of interest are:


    This directive exposes the version of PHP installed, default on, we must put it to off.

    expose_php = Off

    More information in:


    Basically avoid opening a file operating system, passing it as part of the URL. This directive should be treated with care because it could affect the operation of the application.

    Ideally disable:

    allow_url_fopen = Off

    More information in:


    This directive defines directories or files will be accessible to PHP, is very powerful. The idea is to keep a list of directories/files that PHP can access, separated by “:“.

    Define something like:

    open_basedir = /tmp:/var/www/html/

    Any other access to an undefined directory fails.

    More information in:


    With this directive we can disable the use of dangerous functions. We must treat it with care because the application may stop working.

    An acceptable value that improves security can be:

    disable_functions = disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,system,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,pcntl_exec

    More information in:

    Changing ownership of files DocumentRoot

    If all else fails, they can still inject malicious code. The best way to avoid this is to not allow writing in the DocumentRoot for Apache, for this we must know that the user is running and act accordingly.

    If for example is running with the user www-data and DocumentRoot is /var/www/html, run:

    chmod ug-w /var/www/html -R

    We must be careful with this kind of action, you may need to write PHP in the DocumentRoot, for example if you have installed any cache plugin in WordPress.

    If we allow writing again Apache DocumentRoot must undo the change:

    chmod ug+w /var/www/html -R

    Refuse to execute certain programs from the user running Apache

    Additionally it is possible to refuse to execute certain programs from the Apache user. For this we can use the ACL functionality of Linux that allows add/deny permissions accurately.

    For example, to deny access to bash and sh for the www-data (which is used to run Apache) user:

    setfacl -m u:www-data:--- /bin/sh
    setfacl -m u:www-data:--- /bin/bash

    For more information about ACL look at this entry Linux ACL tutorial

    Good luck…

    Leave a Reply