Set stricter PHP settings to secure joomla and wordpress installations

Wednesday, August 19, 2009 posted by admin

If you run a joomla or wordpress installation with mod_php, the following settings in the vhost configuration file or the “Apache directives” field in ISPConfig can be used to set stricter securitypolicys. This helps limit the impact of a possible hack to this websiteand protect the other sites on the server.

php_admin_value disable_functions “show_source system shell_exec passthru exec phpinfo popen proc_open”
php_admin_flag allow_url_fopen Off
php_admin_value session.save_path “/var/www/webXXX/phptmp/”
php_admin_value open_basedir “/var/www/webXXX/:/tmp”

Explanation

disable_functions disables functions that have a potential security impact e.g. because they allow the execution of external applications.

allow_url_fopen disables the ablity to open files via an URL.

session.save_path sets the path were php stores its session files. For ISPConfig 2, the path is e.g. “/var/www/webXXX/phptmp/” and for ISPConfig 3 the path is like “/var/www/clients/client1/web1/tmp/” If you dont use ISPConfig, set this path to a directory which is writable for the webserver user. the directory should be unique for every website.

open_basedir sets the path were php scripts are allowed to open files. For ISPConfig 2, the path is likeĀ  “/var/www/webXXX/” and for ISPConfig 3 the path is like “/var/www/clients/client1/web1/” If you dont use ISPConfig, set this path to a the root directory of this vhost. With :/tmp we allow php scripts to use also the /tmp directory of the server.

Be Sociable, Share!


One Response to “Set stricter PHP settings to secure joomla and wordpress installations”

  1. joomlaserviceprovider says:

    jSecure hides your Joomla administrator URL with a special key so that only you can access. The problem with Joomla is that anyone can tell if your site is Joomla by simply typing in the default URL to the administration area (i.e. http://www.yoursite.com/administrator). jSecure helps you hide the fact that your website is built with Joomla from prying eyes.

    Check out jSecure in action here: http://www.joomlaserviceprovider.com/

Leave a Reply