How to Secure PHP on Windows Server?

Steps to Secure PHP on Windows Server.

  1. Bhawani Singh
    Understanding PHP:

    PHP stands for Hypertext Pre-processor. It is a widely used open source general-purpose scripting language that is particularly suited to web development. It can be embedded into HTML.

    PHP works by generating custom-built web content on the server for the person requesting the page.

    Risks in PHP settings:

    The main problem with PHP is that it is highly exposed to risk because it can fetch data remotely. Attackers can attempt to infect the site with malicious code such as Trojans, or even take control of the website.

    You can configure PHP's settings to tighten security and help protect the website from infection. The table below summarizes the settings that affect security.


    The recommended php.ini settings are as follows:

    Code:
    allow_url_fopen = Off
    With this setting, only files that reside within your own website can be included, not files from another server, so Remote File Inclusion (RFI) attacks are not possible. Attempts to include such remote files are refused.

    Include a file in your website by specifying its file name and path. If you have a line that includes a file by URL, you can convert it to:

    Code:
    include($_SERVER['DOCUMENT_ROOT'] . '/page.php');
    $_SERVER['DOCUMENT_ROOT'] is a global variable set to the website's base folder. If static content is pulled in from another website, copy it to your own website and include it locally.

    Note that if your site has to include data from another website by URL and therefore sets “allow_url_fopen = On”, you need another way to protect against RFI attacks. Refer to the settings below:

    Code:
    display_errors = Off
    display_startup_errors = Off
    log_errors = On
    error_reporting = E_ALL
    With these settings, all errors and notices are recorded in the error log file and no errors are displayed on any web page the server sends out. Always check the error log when testing any code.

    Code:
    error_log = /home/yourUserID/public_html/phperr.txt
    This sets the path of the file in which PHP errors and notices are recorded. Use a text file for recording errors. Store the file in a location on the website that is not exposed to everyone.

    Code:
    expose_php = Off
    This setting keeps the headers sent with outgoing pages from revealing that PHP is running.

    Code:
    register_globals = Off
    Code:
    safe_mode = Off
    These settings restrict what PHP scripts are permitted to access. Just do it!

    How to View the PHP Settings for Your Server?

    Follow these steps to get a report of the PHP settings:
    • Create a text file with a .php extension containing the code below, and upload it to a protected folder on your server.
    Code:
    <?php phpinfo(); ?>
    • Open the page in your browser at the following web address, entering the login credentials for the folder.
    Code:
    http://yoursite.com/whatever/filename.php
    • Check the resulting page.
    • Save the page to your PC.
    • You can then remove the .php file from the server.
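
The On/Off values recommended above can be checked against a php.ini file automatically. The following Python script is an added example, not part of the original post: it audits php.ini text against those values and also flags a directive whose name is written in the wrong case, because php.ini directive names are case sensitive. The `SAMPLE` input and the names `parse_ini` and `audit` are constructed for illustration.

```python
import re

# Values recommended by the settings on this page (True = On, False = Off).
RECOMMENDED = dict(allow_url_fopen=False, display_errors=False, display_startup_errors=False,
                   log_errors=True, expose_php=False, register_globals=False, safe_mode=False)
TRUTHY = {"1", "on", "true", "yes"}  # spellings php.ini reads as On
LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # drop ';' comments (assumes no ';' inside values)
        m = LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def audit(text):
    """Return sorted (directive, problem) pairs for deviations from RECOMMENDED."""
    settings = parse_ini(text)
    by_lower = {k.lower(): k for k in settings}
    findings = []
    for name, want in RECOMMENDED.items():
        if name in settings:
            got = settings[name].lower() in TRUTHY
            if got != want:
                findings.append((name, "is %s, page recommends %s" % (
                    "On" if got else "Off", "On" if want else "Off")))
        elif name in by_lower:  # present, but not in the exact lower-case spelling
            findings.append((name, "miscased as %r; names are case sensitive" % by_lower[name]))
        else:
            findings.append((name, "not set in this file"))
    return sorted(findings)

# Constructed sample input, not taken from a real server.
SAMPLE = """\
[PHP]
allow_url_fopen = On      ; left enabled
DISPLAY_ERRORS =Off
display_startup_errors = Off
log_errors = 1
expose_php = "Off"
register_globals = Off
"""

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print("%-24s %s" % (name, problem))
```

The script reads only the text it is given, so settings overridden elsewhere (for example per directory) still need to be confirmed on the phpinfo() page described above.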