Image for post: PHP security: hardening PHP configuration

PHP security: hardening PHP configuration

05 November 2022 Estimated reading time: 3 minutes

Hardening the configuration of your PHP installation is a critical step in securing your web applications. PHP powers a large percentage of websites across the internet, and misconfigurations can leave your applications vulnerable to a wide range of attacks.

Security doesn’t stop at the application level—your infrastructure, server, and environment all play a role. While some hardening techniques require root or dedicated server access, many can still be applied even if you are on shared hosting. Below, we’ll walk through some of the most important PHP hardening tips you should implement, especially in production environments.

1. Keep PHP Up to Date

Running the latest stable version of PHP ensures you receive important security patches and performance improvements. Attackers often target outdated versions with known vulnerabilities.

  • Use your operating system’s package manager to check for updates.
  • Regularly visit php.net to stay informed about new releases.

2. Remove unnecessary PHP modules

PHP loads many modules by default, but not all are needed for your application. Each extra module increases the attack surface.

List all active PHP modules:

php -m

Move to the configuration directory:

cd /etc/php.d/ ls

Remove an unnecessary module:

sudo rm -r 20-curl.ini

Only keep what you actually use in production.

3. Disable remote PHP code execution

Allowing remote file inclusion is a major security risk that can lead to arbitrary code execution. Disable it in your php.ini:

allow_url_fopen = Off allow_url_include = Off

This prevents PHP from including or executing code from remote sources.

4. Prevent PHP information leakage

By default, PHP may expose its version in HTTP headers, giving attackers useful information. Disable it by editing your php.ini:

expose_php = Off

This small change makes fingerprinting your server setup harder.

5. Configure error handling and logging

Errors should never be displayed to users in production, as they may reveal sensitive information about your application or server. Instead, log them securely:

display_errors = Off log_errors = On error_log = /var/log/php_errors.log

Make sure your log files are not publicly accessible.

6. Control PHP resource usage

PHP scripts can consume server resources if not properly limited. Set resource limits in your php.ini:

max_execution_time = 30 memory_limit = 128M post_max_size = 8M upload_max_filesize = 2M

These restrictions help prevent denial-of-service (DoS) attacks caused by resource exhaustion.

7. Restrict PHP file access

Limit the files PHP can access with the open_basedir directive:

open_basedir = /var/www/html:/tmp

This ensures PHP can only access files within specified directories, reducing the risk of arbitrary file reads.

8. Secure File uploads

If your application allows file uploads, enforce strict rules:

  • Limit file size with upload_max_filesize and post_max_size.
  • Restrict allowed file types using server-side validation.
  • Store uploads outside of the webroot to prevent direct access.
  • Rename uploaded files to avoid arbitrary execution.

9. Disable dangerous PHP functions

Some PHP functions can be abused by attackers. Disable them unless you explicitly need them:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

This prevents attackers from executing shell commands or accessing sensitive system functionality.

10. Secure your PHP configuration file

Your php.ini file may contain sensitive information such as database credentials. Protect it with proper permissions:

chmod 600 /etc/php.ini chown root:root /etc/php.ini

Never allow it to be accessible from the web.

11. Regular security reviews

Hardening PHP is not a one-time task. Regularly review your configuration and update it as best practices evolve. Combine PHP hardening with secure coding practices and compliance with OWASP Top 10 principles for maximum protection.

Final thoughts

Securing PHP is about minimizing risks wherever possible. By updating your PHP version, disabling unnecessary modules, preventing remote execution, securing error handling, controlling resources, and disabling risky functions, you greatly reduce the chances of your application being compromised.
Hardening should always be combined with secure development practices, strong server configurations (Apache, Nginx, or others), and continuous monitoring. Security is a process, not a destination.