PHP is an incredibly popular language for developing web apps, with WordPress and Drupal being just two examples of PHP-based websites. The language itself is easy to learn and use, but that doesn’t mean you can ignore security. In fact, it’s important to be aware of common vulnerabilities in the code that you write, whether you’re building a new app or maintaining an existing one.
1. Use a password manager to ensure strong passwords.
Password managers are applications or extensions that allow you to store all your login information in one place and use it to log in to websites securely, without having to remember each site’s unique login details. Password managers also generate difficult-to-guess passwords for each site you use, which means you won’t have any trouble remembering them.
2. Use encryption whenever possible.
Encryption is one of the most powerful tools you can use to secure your PHP applications. The idea behind encryption is simple: it converts plaintext into an unreadable format called ciphertext, which only those with the secret key can decrypt back into plaintext.
3. Remove information from error messages.
To avoid leaking information, you can control what is displayed with PHP’s error_reporting() function. This takes an integer as its parameter that controls which error messages are shown in your application. For example:
$erro_level = E_ALL;
This will show all errors, which is useful for debugging purposes but not ideal for deployment.
4. Turn off error reporting when going live with an app.
One of the most common security problems is error reporting. Error reporting logs are a very useful tool for debugging, but they can also be a great way to get hacked.
This is because error reports typically include information about the server where they were created, including the database name and version number. This can be used by hackers to determine what database software you are running, and more importantly whether there are any known vulnerabilities for that particular version.
If you’re going live with an application then it’s best practice not to enable this feature.
5. Don’t use register_globals or allow_url_fopen.
A great example of this is the allow_url_fopen directive. The allow_url_fopen setting allows PHP to automatically open files from URLs, which can be useful for apps that need to access other resources on the web. But it also opens up your application to security risks.
For example, if an attacker inserts malicious code into a file they upload and then include in your site via an URL—which is especially easy if you’re using WordPress or another CMS—the attacker could cause your entire system to crash or execute commands on your server.
There are a lot of important things to remember when it comes to keeping your PHP app secure, but if you take these eight steps and use them consistently, you can rest assured that your app will be safe.