Best practice to make your PHP site secure

Best practice to make your PHP site secure

PHP is one of the most popular programming languages for the web. Sometimes a feature-friendly language can help the programmer too much, and security holes can creep in, creating roadblocks in the development path. When it comes to security, in addition to securing your hardware and platform, you also need to write your code securely. A programmer should follow the best habits that can develop in order to protect his or her application from attack. It will help you to avoid some common PHP security pitfalls and development glitches. So, PHP should be used with caution.

This article will explain how to keep your PHP site secure and less vulnerable to hacking. But, before that, you should aware of the types of attack.

PHP based sites can face the different types of attacks. And most noticeable attacks are -

XSS - Cross-site scripting is a vulnerability in PHP web, which attackers may exploit to steal users’ information.

SQL injection – It is a vulnerability in the database layer of a PHP application. When user input is incorrectly filtered any SQL statements can be executed by the application.

File uploads – It allows your visitor to place files (upload files) on your server. This can result into various security problems such as delete your files, delete the database, get user details and much more.

Including local and remote files – An attacker can open files from a remote server and execute any PHP code. This allows them to upload the file, delete the file and install backdoors.

eval() – Evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on the server itself. You can configure PHP to disable eval().

Sea-surf Attack (Cross-site request forgery – CSRF) – This attack forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. A successful CSRF exploit can compromise end user data and operation in case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

Let's see the practices to prevent attacks -

Validate Input Data

While designing your application, you should be striving to guard your app against bad input. Don’t trust user input. there is always a chance that some bad user will try to attack your app by entering bad input. If you always validate and filter the incoming data, you can build a secure site. Validating in JavaScript is okay, but to guard against these types of problems then you should re-validate the data in PHP as well too.

File upload

You can disable file uploads using PHP or write secure code like validating user input and only allow image file types such as png or gif.

Use Proper Error Reporting

During the development process, web error reporting is your best friend. Error reports can help you find spelling mistakes in your variables, detect incorrect function usage and much more. However, once the site goes live the same reporting that was an ally during development can turn traitor and tell your users much more about your site than you may want them to know.

Minimize Loadable PHP Modules

PHP supports “Dynamic Extensions”. By default, RHEL loads all the extension modules found in /etc/php.d/ directory. To enable or disable a particular module, just find the configuration file in /etc/php.d/ directory and comment the module name. You can also rename or delete module configuration file. For best PHP performance and security, you should only enable the extensions your website requires.

Turn Off Remote Code Execution

If enabled, allow_url_fopen allows PHP’s file functions - such as file_get_contents() and the include and require statements - can retrieve data from remote locations, like an FTP or web site. The allow_url_fopen option allows PHP’s file functions – such as file_get_contents() and the include and requires statements – can retrieve data from remote locations using FTP or HTTP protocols. Programmers frequently forget this and don’t do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. You can configure PHP to disable remote file execution.

Securing Database Queries

Use of prepared statements or parameterized queries is the secure option when it comes to interaction with the database. The input entered by the user is used to dynamically construct the query that is sent to the database. The user input can be maliciously crafted to change the logic of a query. This potentially allows the user to run any kind of query or bypass security measures.

Update Regularly

You must update your PHP application on regular basis. If you are still using an older version of  PHP then you will be having a lot of deprecations while upgrading PHP apps. You will also need to update your code and change some functional logics like password hashing etc.

Protecting against SQL Injection

SQL Injection is very famous, dangerous, and easily preventable. The idea is that the attacker can inject SQL code into your database when you are reading user input in your code. So the solution is to sanitize every time you are building an SQL query using user input. PHP offers many different ways for sanitizing input. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function called mysql_real_escape_string() before sending the SQL query.

Disclosure is dangerous

Your website may be vulnerable if any of the data returned is viewable to an attacker. If an attacker can see phpinfo() it is definitely a vulnerability. So, don't disclose your site related any sensitive data.

Favor simplicity

Securing your site would be simple if your implementation is simple. Can you avoid adding many fringe features, nice-to-haves, and assumed extensions?

Prevent XSS attacks

Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, which then runs in the browsers of your users, and can change page content, or steal information to send back to the attacker. To protect your site from these kinds of attacks, run the input data through strip_tags() to remove any tags present in it. When showing data in the browser, apply htmlentities()function on the data. You can configure Apache and write more secure PHP scripts (validating all user input) to avoid XSS attacks.

Regular Monitoring

Monitor, alert sparingly and trace everything. A great enabler for Security is the ability of your system to monitor and track all interactions. This will help for a post-event analysis of any vulnerability exposures and you can build your defense.

Writing Secure Code

If you write enough code, you will accidentally write a vulnerability at some point in your career as a developer. So, it's better to write secure PHP code.


HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees that users are talking to the server they expect and that nobody else can intercept or change the content they're seeing in transit. If you have anything that your users might want private, it's highly advisable to use the only HTTPS to deliver it.


By keeping the above points in mind it’s possible to secure PHP sites to a great extent. You can share your experiences with us in the comments below. Thank you!

Comments (0)

  • To add your comment please or

We use cookies to improve your experience on our site and to show you personalised advertising. Please read our cookie policy and privacy policy.

Got It!