How to Secure PHP and MySQL Database on Your Dedicated Server – The Basics
We’ve discussed methods to secure the Apache server and general security guidelines for server admins in previous posts. Today we take you through the basics of mitigating the known security risks associated with PHP and the MySQL database.
1. Use php-fpm to run PHP: The FastCGI process manager, php-fpm, lets you run each PHP application under its own user and group. When Apache and PHP run as separate users, the risk that one compromised application can be used to compromise another is considerably reduced.
2. Transmit information with the POST method: PHP uses POST and GET to transmit information. Always use POST for sensitive data. With GET, the information is carried in the URL itself, where it is plainly visible (and typically ends up in server logs and browser history). That leaves sensitive information exposed to hijacking.
3. Validate form and file input: A form can be used to inject or upload malicious scripts. Validating form fields and uploaded files helps prevent cross-site scripting (XSS) and SQL injection. Preventing these notorious attack methods matters because they are the vulnerabilities attackers can most easily target with malicious input.
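The following is an added example (not code from the original post) showing the three pieces item 3 calls for in PHP: a whitelist check on a form field, a prepared statement so the value never becomes part of the SQL text, and escaping on output. The table `users(id, username)`, the DSN and the credentials are placeholders.

```php
<?php
// Added example: validate a POSTed field, query with a prepared statement,
// and escape on output. Table name, DSN and credentials are placeholders.
declare(strict_types=1);

// Validate: accept only what the field is allowed to contain.
function validateUsername(string $raw): ?string
{
    $name = trim($raw);
    // Whitelist pattern: 3-32 characters, letters, digits, underscore, hyphen.
    if (preg_match('/^[A-Za-z0-9_-]{3,32}$/', $name) !== 1) {
        return null;
    }
    return $name;
}

function findUser(PDO $db, string $username): ?array
{
    // Prepared statement: the value is bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape on output so stored data cannot run as script in the page (XSS).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Handle a POST submission (item 2: read from $_POST, not from the URL).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = validateUsername($_POST['username'] ?? '');
    if ($username === null) {
        http_response_code(400);
        exit('Invalid username.');
    }
    $db = new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
        'app_user', 'CHANGE_ME',                            // placeholder credentials
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
        ]
    );
    $user = findUser($db, $username);
    echo $user ? 'Hello, ' . h($user['username']) : 'No such user.';
}
```

The same pattern applies to any field: reject input that fails the whitelist, bind every value you pass to MySQL, and escape every value you print into HTML.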
4. Hide the PHP version: We have already emphasized the importance of hiding the version of the software you run. Hiding the PHP version is just as critical as hiding your Apache web server version. To hide it, open the php.ini file and set the following:
expose_php = Off
5. Log PHP errors to a file: Log all errors to a file so you can track them and identify unauthorized activity. Hacking attempts often go through several rounds of trial and error before an intruder actually breaks into your server. When these attempts are spread over days, the logs help you track and prevent the attacks. Use the following settings in php.ini:
display_errors = Off
log_errors = On
error_log = /var/log/httpd/php_error.log
6. Run the MySQL secure installation script: The mysql_secure_installation script helps you apply the recommended security measures for a database. Run it immediately after installing MySQL. We also recommend that you restrict root logins to localhost, set a MySQL root password, and complete the steps that remove the databases you don’t need.
7. Secure your MySQL installation: The next step is to secure the users and databases by removing the ones you don’t need. Protect user accounts with strong passwords, and protect databases by limiting each user’s access to only the databases that user needs.