Most of what you read about securing PHP is how to write secure code - and that is really important.
In addition it helps to setup PHP on the server for best security.
There is plenty we can do to harden the setup without hurting the functionality we need.
The more layers we have in our security setup the better.
There are various guides to securing php.ini settings
The common factors are
- reduce the information you give to attackers
- log more information for yourself
- disable dangerous functions that you don’t need
- add strict limits that suit your application
PHP is written to be powerful and flexible - to be able to do all sorts of stuff - but much of it you don’t need.
Like including PHP files from remote servers, or running shell commands.
Read up on how to tighten your settings
Try this script to review your config
Snuffleupagus has a lot of features that can be divided in two main categories: bug-classes killers and virtual-patching. The first category provides primitives to kill various bug families (like arbitrary code execution via unserialize for example) or raise the cost of exploitation. The second category is a highly configurable system to patch functions in php itself.