
Set stricter PHP settings to secure Joomla and WordPress installations

Mariusz BAYER Beyrowski. Published on 10 April 2012. Posted in ISPconfig

If you run a Joomla or WordPress installation with mod_php, the following settings in the vhost configuration file, or in the "Apache directives" field in ISPConfig, can be used to apply a stricter security policy. This helps limit the impact of a possible compromise of this website and protects the other sites on the server.

php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
php_admin_flag allow_url_fopen Off
php_admin_value session.save_path "/var/www/webXXX/phptmp/"
php_admin_value open_basedir "/var/www/webXXX/:/tmp"

Explanation

disable_functions turns off PHP functions that have a potential security impact, e.g. because they allow the execution of external programs.

allow_url_fopen set to Off disables the ability to open files via a URL.

session.save_path sets the path where PHP stores its session files. For ISPConfig 2 the path is e.g. "/var/www/webXXX/phptmp/" and for ISPConfig 3 the path is like "/var/www/clients/client1/web1/tmp/". If you don't use ISPConfig, set this path to a directory that is writable for the web server user; the directory should be unique for every website.

open_basedir sets the paths under which PHP scripts are allowed to open files. For ISPConfig 2 the path is like "/var/www/webXXX/" and for ISPConfig 3 the path is like "/var/www/clients/client1/web1/". If you don't use ISPConfig, set this path to the root directory of this vhost. With :/tmp we also allow PHP scripts to use the server's /tmp directory.
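Because php_admin_value settings are easy to get wrong per vhost (a typo in the directive name, a value overridden elsewhere, or the wrong vhost file edited), it is worth confirming from inside the affected site that all four settings above are really in effect. The following self-check script is an added example and is not part of the original post or of ISPConfig. It only assumes the function list and the /tmp fallback shown above; the probe path /etc used to test open_basedir is an assumption and can be any directory outside the allowed list.

```php
<?php
/*
 * hardening-check.php (added example, not code from the post or from ISPConfig)
 *
 * Copy it into the document root of the vhost, request it once in a browser
 * (or run it with the same php binary the site uses), read the report, then
 * delete it again. Every check reads the value PHP actually applies to this
 * request via ini_get(), so it reflects php_admin_value/php_admin_flag
 * overrides and not just php.ini.
 */

// The functions disabled in the post's configuration.
const EXPECTED_DISABLED = [
    'show_source', 'system', 'shell_exec', 'passthru',
    'exec', 'phpinfo', 'popen', 'proc_open',
];

// Returns the names from $expected that are NOT listed in disable_functions.
function missing_disabled_functions(array $expected): array
{
    // PHP accepts the list separated by commas and/or spaces, so split on both.
    $configured = preg_split('/[\s,]+/', (string) ini_get('disable_functions'), -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_diff($expected, $configured));
}

// True when allow_url_fopen is switched off (ini reports "0", "" or "Off").
function url_fopen_disabled(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN) === false;
}

// open_basedir state: the configured value and whether a path outside it is
// actually blocked. Under open_basedir, is_dir() on an outside path returns
// false and emits a warning; the @ suppresses that expected warning.
function open_basedir_status(string $outsidePath = '/etc'): array
{
    $value = (string) ini_get('open_basedir');
    return [
        'configured'          => $value !== '',
        'value'               => $value,
        'blocks_outside_path' => $value !== '' && @is_dir($outsidePath) === false,
    ];
}

// session.save_path state: set, existing, and writable by the web server user.
function session_path_status(): array
{
    $path = (string) ini_get('session.save_path');
    return [
        'configured' => $path !== '',
        'value'      => $path,
        'writable'   => $path !== '' && is_dir($path) && is_writable($path),
    ];
}

// Collects all four checks into one array.
function hardening_report(): array
{
    return [
        'missing_disabled_functions' => missing_disabled_functions(EXPECTED_DISABLED),
        'allow_url_fopen_off'        => url_fopen_disabled(),
        'open_basedir'               => open_basedir_status(),
        'session_save_path'          => session_path_status(),
    ];
}

// Plain-text output so the report reads the same in a browser and on the CLI.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
$r = hardening_report();
printf("disable_functions : %s\n", $r['missing_disabled_functions'] === []
    ? 'OK' : 'MISSING ' . implode(', ', $r['missing_disabled_functions']));
printf("allow_url_fopen   : %s\n", $r['allow_url_fopen_off'] ? 'OK (Off)' : 'NOT OFF');
printf("open_basedir      : %s (%s)\n",
    $r['open_basedir']['blocks_outside_path'] ? 'OK' : 'NOT ENFORCED',
    $r['open_basedir']['value'] === '' ? 'unset' : $r['open_basedir']['value']);
printf("session.save_path : %s (%s)\n",
    $r['session_save_path']['writable'] ? 'OK' : 'NOT WRITABLE OR UNSET',
    $r['session_save_path']['value'] === '' ? 'unset' : $r['session_save_path']['value']);
```

Run it through the web server rather than only from the shell: mod_php applies the vhost's php_admin_value directives to requests for that vhost, while the CLI binary reads its own php.ini and will usually report every check as failing. A MISSING entry for disable_functions normally means the directive was placed in the wrong vhost or its value was overridden later in the configuration.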
