Introduction

PHP powers a large share of the web. A misconfigured PHP installation exposes the server to remote code execution, local and remote file inclusion, information disclosure (paths, versions, stack traces) and session hijacking, independently of how good the application code is. This guide covers the php.ini, PHP-FPM and web-server settings that harden a production deployment.

1. Disable Dangerous Functions

Set disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source. This directive can only be set in php.ini or in a PHP-FPM pool via php_admin_value; ini_set() and .htaccess cannot change it. It is a blacklist, so review it against what the application actually calls: disabling curl_exec breaks almost every application that talks to an API, and show_source is only an alias of highlight_file, so disable both or neither. Treat it as defence in depth against a web shell, not as a sandbox.

2. Limit File Uploads

upload_max_filesize = 10M, post_max_size = 10M (adjust for your needs). post_max_size must be at least as large as upload_max_filesize, and memory_limit larger still, or uploads fail silently. Limit the number of files per request with max_file_uploads, and set file_uploads = Off if the application never accepts uploads.

3. Disable Remote File Inclusion

allow_url_fopen = Off, allow_url_include = Off. allow_url_include is the setting that stops include('http://...') (it is Off by default and deprecated since PHP 7.4, and it only works at all when allow_url_fopen is On). allow_url_fopen = Off additionally stops file_get_contents() and fopen() from fetching URLs, which removes a common SSRF path when an attacker controls a filename; applications that need outbound HTTP should use ext/curl instead.

4. Disable Dangerous PHP Tags

short_open_tag = Off (prevents

5. Hide PHP Version

expose_php = Off removes the X-Powered-By: PHP/x.y.z header from responses. This is obscurity only: the version can often still be inferred from behaviour, so it is no substitute for running a supported release (sections 14 and 20).

6. Disable Globals

register_globals = Off. The directive was removed entirely in PHP 5.4, so on any supported PHP it does not exist and is ignored; it is listed only for legacy hosts, where it must be Off because it let request parameters overwrite arbitrary variables.

7. Set Proper Error Reporting

display_errors = Off and display_startup_errors = Off in production, log_errors = On, with error_log pointing at a file the pool user can write and the web server does not serve. Errors rendered into responses leak file paths, SQL fragments and stack traces to users; keep error_reporting = E_ALL so those problems still reach the log.

8. Open Basedir Restriction

open_basedir = /var/www/html/:/tmp/ confines PHP's own file functions (fopen, include, file_get_contents, ...) to the listed paths. Two caveats: entries are prefixes, so /var/www/html also permits /var/www/html-old; end each entry with a slash. And it only restricts PHP, not processes spawned via exec() and friends, which is why it pairs with disable_functions. The session save directory and upload_tmp_dir must be inside the allowed paths or sessions and uploads break, and a shared /tmp is readable by every other pool on the host, so prefer a per-application temp directory.

9. Session Security

session.cookie_httponly = On (scripts cannot read the session cookie), session.cookie_secure = On (the cookie is only sent over HTTPS, so the whole site must be HTTPS), session.use_strict_mode = On (PHP rejects session IDs it did not issue, which defeats session fixation). Add session.use_only_cookies = On so IDs are never accepted from the URL, and session.cookie_samesite = Lax or Strict (PHP 7.3+) against cross-site request forgery.
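The settings from sections 1 to 9 collected into one production php.ini excerpt. This is an added example, not a file from the original guide; the paths under /var/www, /var/lib/php and /var/log/php and the 10 MB upload budget are assumptions to adapt. It departs from the list above in two places, both explained inline: curl_exec is left enabled, and highlight_file, pcntl_exec and dl are added to the blacklist.

```ini
; Added example: hardened production php.ini excerpt (sections 1-9).
; All paths are placeholders; every directory listed must exist and be
; writable by the PHP-FPM pool user where PHP writes to it.
[PHP]

; 1. Process-spawning and source-disclosing functions. Only settable here or via
;    php_admin_value in a PHP-FPM pool. curl_exec is deliberately not listed
;    (most applications need outbound HTTP); highlight_file is the real name of
;    show_source, pcntl_exec and dl are further ways to run foreign code.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl,show_source,highlight_file,parse_ini_file

; 2. Uploads. Order matters: upload_max_filesize <= post_max_size <= memory_limit.
file_uploads = On
upload_max_filesize = 10M
post_max_size = 12M
max_file_uploads = 20
memory_limit = 128M

; 3. Remote file inclusion / URL fetching via the stream wrappers.
allow_url_fopen = Off
allow_url_include = Off

; 4. and 5. Short tags and version banner.
short_open_tag = Off
expose_php = Off

; 7. Errors go to a log outside the document root, never into the response.
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log
error_reporting = E_ALL

; 8. Confine PHP's file functions. Entries are prefix matches, hence the
;    trailing slashes ("/var/www/html" alone would also allow "/var/www/html-old").
;    The session and upload temp directories are inside the allowed set on purpose.
open_basedir = /var/www/html/:/var/lib/php/tmp/:/var/lib/php/sessions/
upload_tmp_dir = /var/lib/php/tmp
sys_temp_dir = /var/lib/php/tmp

; 9. Session cookies. cookie_secure requires the site to be HTTPS-only.
session.save_path = /var/lib/php/sessions
session.use_strict_mode = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = Lax
```

After editing, run `php --ini` to confirm which file is loaded (the CLI and FPM SAPIs usually read different php.ini files) and restart PHP-FPM; `php-fpm -t` validates the pool configuration but does not validate php.ini values, so check a few with `php -i | grep open_basedir` from the FPM SAPI's ini path.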

10. Stop Path-Info Fallback (cgi.fix_pathinfo)

Set cgi.fix_pathinfo = 0. With the default of 1, when the script path the web server hands to PHP does not exist, PHP walks back up the path to the nearest existing file and executes that. Combined with a web server that forwards every URI ending in .php to PHP-FPM, a request for /uploads/avatar.png/x.php resolves to avatar.png and runs the uploaded image as PHP code. Setting it to 0 makes PHP reject the request instead. It is safe when the web server already passes real script paths, and it should be paired with the web-server rules in section 12; PHP-FPM's security.limit_extensions = .php (the default) is a further safety net that refuses to execute a resolved file with another extension.

11. PHP-FPM Security

Run each application in its own pool under its own Unix user, so a compromise of one site cannot read another's code, sessions or secrets, and restrict the pool's socket with listen.owner, listen.group and listen.mode so only the web server can connect. Set pm.max_children so that max_children times the per-request memory_limit fits in the memory budget; otherwise a request flood becomes an out-of-memory outage. Keep security.limit_extensions = .php, and use php_admin_value / php_admin_flag in the pool for settings the application must not be able to change at runtime.

12. Disable PHP Execution in Certain Directories

In Nginx/Apache, block PHP execution in every directory the application can write to (uploads, cache, temp), and hand only real, existing .php files to the interpreter. In Nginx use a prefix location for the writable directory that denies .php files and, in the PHP location, try_files $uri =404 before fastcgi_pass. In Apache with mod_php set php_admin_flag engine Off in a Directory block for the writable paths; with PHP-FPM deny .php files there with FilesMatch and Require all denied.
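An nginx server block that implements sections 10 and 12 together. This is an added example, not configuration from the original guide; it assumes the application lives in /var/www/html with user uploads under /uploads/, and a PHP-FPM pool listening on unix:/run/php/app.sock. TLS certificate directives are omitted.

```nginx
# Added example: nginx in front of PHP-FPM, with writable directories
# kept away from the interpreter and only existing scripts executed.
server {
    listen 443 ssl;
    server_name example.com;          # placeholder
    root /var/www/html;               # placeholder document root
    index index.php;

    # Section 12: the ^~ prefix match wins over every regex location below,
    # so nothing under /uploads/ (or /cache/) ever reaches fastcgi_pass.
    # The nested location additionally refuses to serve a stored .php file
    # even as plain text.
    location ^~ /uploads/ {
        location ~* \.(php|phtml|phar)$ { return 403; }
        try_files $uri =404;
    }
    location ^~ /cache/ {
        return 403;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Section 10: only a file that actually exists at $uri is handed to PHP.
    # Without the try_files line, /uploads/avatar.png/x.php would match here
    # and, with cgi.fix_pathinfo = 1, PHP would execute avatar.png.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/app.sock;
    }

    # Never serve dotfiles (.env, .git, .user.ini) or Composer metadata.
    location ~ /\. { return 404; }
    location ~ ^/(composer\.(json|lock)|vendor/) { return 404; }
}
```

Verify with `nginx -t`, then request /uploads/test.php (expect 403) and /uploads/anything.png/x.php (expect 404) against a test file; the second check is the one that fails on a server that only has the regex PHP location.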

13. Suhosin Extension (Deprecated)

Suhosin was a third-party hardening patch and extension for PHP 5. It has no maintained release for PHP 7 or later and should not be installed on a modern PHP; the protections it added (disable_functions, open_basedir, strict session handling, memory limits) are covered by the built-in settings in this guide.

14. Use Latest PHP Version

Only currently supported branches receive security fixes; each PHP minor release gets two years of active support followed by security-only support, after which it is end-of-life (check https://www.php.net/supported-versions.php for the current list). PHP 5.x, 7.x and 8.0 are EOL. Distribution vendors backport some fixes to older packages, but do not rely on that for a branch php.net no longer supports.

15. OpCache Security

Enable OPcache, but note that all pools under one PHP-FPM master share a single OPcache. When those pools run as different users, set opcache.validate_permission = 1 and opcache.validate_root = 1 (PHP 7.0.14+) so a script compiled by one pool is only served to a request whose user could read that file anyway. Leave opcache.file_cache unset unless the directory is private to the pool user, and set opcache.restrict_api to the application's own path if it must call opcache_* functions at all.

16. Disable Composer Exec from Web

Keep vendor/, composer.json, composer.lock and composer.phar outside the document root (serve only the public/ directory); if the project layout forces them inside, deny those paths in the web server. composer.lock lists exact dependency versions for an attacker to match against known vulnerabilities, and any script under vendor/ that is reachable by URL becomes an unintended entry point.

17. Secure File Permissions for PHP Files

644 for .php files, 755 for directories, owned by a deploy user rather than the pool (www-data) user, so the code is readable but not writable by PHP itself. The only directories the pool user may write to are uploads, cache and temp, and those are exactly the ones where PHP execution is blocked in section 12.

18. Use System Environment Variables for Secrets

Do not hardcode database passwords in PHP code or commit them with it; read them with getenv(). Two caveats: PHP-FPM starts workers with an empty environment (clear_env = yes is the default), so variables exported in a shell or systemd unit are not visible to getenv() unless the pool passes them through with env[NAME] = $NAME or clear_env is turned off. And phpinfo() prints the whole environment, which is one more reason to disable it in production. If you use a .env file instead, it must live outside the document root.
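A PHP-FPM pool file putting sections 11 and 18 into practice. This is an added example, not configuration from the original guide; the pool name app, its Unix user, the socket path, the /var/www/app and /var/lib/php/app directories and the DB_* variable names are placeholders. It assumes the secrets are loaded into the FPM master's environment (for example from a root-only EnvironmentFile= in the systemd unit) so that they never have to be written into this file.

```ini
; Added example: one PHP-FPM pool per application, e.g. pool.d/app.conf.
[app]
; Section 11: a dedicated Unix user. A web shell in this pool runs as "app"
; and cannot read the code, sessions or secrets of a pool owned by another user.
user = app
group = app

; Only the web server may talk to this pool's socket.
listen = /run/php/app.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Bound concurrency: pm.max_children * memory_limit must fit the RAM budget.
pm = dynamic
pm.max_children = 20
pm.start_servers = 4
pm.min_spare_servers = 2
pm.max_spare_servers = 6
pm.max_requests = 500

; Refuse to execute a resolved script whose extension is not .php,
; whatever path the web server passed along (second line of defence for
; the path-info issue in section 10). This is also the default.
security.limit_extensions = .php

; Per-pool overrides of php.ini. php_admin_* values cannot be changed by
; ini_set() or a .user.ini dropped into the document root.
php_admin_value[open_basedir] = /var/www/app/:/var/lib/php/app/
php_admin_value[upload_tmp_dir] = /var/lib/php/app/tmp
php_admin_value[session.save_path] = /var/lib/php/app/sessions
php_admin_value[error_log] = /var/log/php/app.log
php_admin_flag[display_errors] = off

; Section 18: workers start with an empty environment (clear_env = yes), so
; nothing reaches getenv() unless it is forwarded here. "$NAME" copies the
; variable from the FPM master's environment, which keeps the secret out of
; this file; env[NAME] = literal would work but then this file is the secret.
clear_env = yes
env[DB_HOST] = $DB_HOST
env[DB_USER] = $DB_USER
env[DB_PASSWORD] = $DB_PASSWORD
```

On the PHP side, getenv('DB_PASSWORD') returns false when the variable was not forwarded; treat that as a fatal configuration error at startup rather than falling back to an empty password. Validate the pool with `php-fpm -t`, and confirm the environment reached the worker with a one-off script that checks getenv() for the expected names without printing their values.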

19. Input Validation and Output Escaping

These are application-level controls, and no php.ini setting substitutes for them: use prepared statements for every query, escape output for its context (htmlspecialchars() with ENT_QUOTES for HTML), and validate input against an allow-list. PHP once tried to do this in configuration with magic_quotes_gpc; it gave a false sense of safety and was removed in PHP 5.4.

20. Regular PHP Updates

Follow the release announcements on php.net and apply patch releases promptly; security fixes are shipped in the point releases of each supported branch. If you install PHP from a distribution, track that distribution's security advisories as well, since its packages lag upstream.

Conclusion

Start with a supported PHP version, display_errors = Off, allow_url_include = Off and a reviewed disable_functions list. Then add open_basedir (with trailing slashes), the session cookie flags, one PHP-FPM pool and user per application, and web-server rules that keep PHP execution out of every writable directory.