The majority of blogs, forums and small websites (and some large ones) use PHP to power their content. This has two important consequences: PHP's dominance makes it an attractive target, and it carries its own inherent security holes.
PHP is no stranger to vulnerabilities. Since its inception, hundreds of security flaws have been reported and, for the most part, patched. The concept of completely secure software is far-fetched, at best.
Today I’ll be assisting you in hiding your web server’s (Apache, specifically) use of PHP to help deter attackers.
First, assess the security of the website itself. Hiding your PHP installation will not completely prevent certain people from exploiting part or all of your site. It is your duty to ensure that all forms, variables and scripts in your website are validated and secure. Ensure that any user input is cleaned of potentially malicious JavaScript or HTML code if it is going to reappear anywhere on your website. Also make sure that users cannot hijack SQL queries; that can be extremely damaging to your website and database.
Next, open your php.ini file. You can typically find this file by executing phpinfo() on your server and looking for the value under “Configuration File (php.ini) Path”. Once you have located and opened the file, look for “expose_php” and set this directive to “Off”. This directive controls the “X-Powered-By: PHP/x.y.z” response header, which otherwise announces the exact PHP version to every client.
Now you’ll need to serve PHP files under a different extension. I’ll use .html in this case. There are two ways of doing this.
The first and easiest way is to rewrite URLs as aliases to files. This is sufficient for cPanel-based servers. You’ll need mod_rewrite enabled on your Apache server to do this. Create or modify .htaccess in the topmost directory where you want this to take effect, typically “/home/username/public_html”. Add the following:
RewriteEngine on
RewriteRule ^([a-zA-Z0-9-_]+)\.html$ $1.php [NC]
This tells your web server that when a matching .html URL is requested, it should execute the .php file of the same name instead.
The second and potentially less available method is to add an AddType entry in your httpd.conf file (you will have to locate this yourself, though it is usually found in Apache’s “conf” directory). If you’re on a shared hosting plan this may not be a possibility, in which case the previous method should work.
Look for “AddType application/x-httpd-php” and add .html after the existing extensions on that line. Note that Apache will then hand every .html file on the server to the PHP engine, including purely static pages.
Next, you’ll have to rename all .php files on your server to .html. This may take a while unless you use a batch program, so I suggest using den4b’s ReNamer, which is completely free to use. The program is Windows only, but Linux users should have no trouble using bash commands to achieve the same effect.
The first option is generally less secure because people can still locate the physical PHP files by typing the URL in manually as http://hostname/file.php, whereas the second option does not allow that (no *.php files actually exist). Either way, you will need to update your website’s hyperlinks to reflect this change.
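The rename step for Linux users, as an added shell example that is not part of the original post: it renames every .php file under a directory to .html and updates local hyperlinks in the same pass. The directory path is an assumption, and the link rewriting covers only double-quoted href/action/src attributes that point at local paths, leaving links to other hosts untouched.

```shell
#!/bin/sh
# Added example (not from the original post): batch-rename *.php to *.html
# and fix relative hyperlinks, for the second (AddType) method above.
# Usage: rename_php_to_html /home/username/public_html   (path is an assumption)

rename_php_to_html() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # Step 1: rename files. Refuse to clobber an existing .html of the same name.
    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        target="${f%.php}.html"
        if [ -e "$target" ]; then
            echo "skip: $target already exists" >&2
            continue
        fi
        mv -- "$f" "$target"
    done

    # Step 2: rewrite href/action/src attributes whose value is a local path
    # ending in .php (a query string or fragment may follow). Values containing
    # ':' (e.g. http://other.host/x.php) are left alone.
    find "$root" -type f -name '*.html' | while IFS= read -r f; do
        sed -i.bak -E \
            's/(href|action|src)="([^":]*)\.php(["?#])/\1="\2.html\3/g' "$f"
        rm -f -- "$f.bak"
    done
}
```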