1. Use open_basedir to restrict cross-directory access between virtual hosts (confine php file operations to the specified directories)
2. Disable unsafe PHP functions
disable_functions = show_source,system,shell_exec,passthru,exec,popen,proc_open,proc_get_status,phpinfo
3. Make the php user read-only
For example, the document root of the site www.share.com is owned by user and group nobody, while php runs as user and group phpuser. With directory permissions of 755 and file permissions of 644, php can only read the site directory and cannot write any file into it, which means users cannot upload files there. Even if the application has vulnerabilities, attackers cannot drop a backdoor, let alone plant a Trojan. Before doing this, tell the programmers to switch any file-based cache to an in-memory NoSQL cache (memcached, redis, etc.) and to pass uploaded files through an interface to other (static) servers.
4. Turn off php error display
display_errors = On change to display_errors = Off
5. php upload separation
Upload files to a remote server (via nfs, etc.); you can also call a purpose-written php interface. Even if there is an upload vulnerability, the file lands on the static server, where files such as Trojan horses cannot be executed at all.
6. Close php information
expose_php = On
change to
expose_php = Off
Hide your php version information so that attackers cannot target weaknesses specific to this php version.
7. Disable dynamic loading of link libraries
enable_dl = On; change to
enable_dl = Off;
8. Disable opening remote urls
allow_url_fopen = On changed to
allow_url_fopen = Off
In fact, this one is not really a safety matter: it will not lead to problems such as web intrusion, but it greatly affects performance.
With allow_url_fopen off, the following call can no longer fetch remote url content:
$data = file_get_contents("http://www.baidu.com/");
while the following call can still read local file content:
$data = file_get_contents("test.txt");
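The items above that are php.ini directives (1, 2, 4, 6, 7, 8) can be checked offline against a configuration file. The Python script below is an added example, not code from the original post; it uses a small constructed php.ini fragment and treats an absent directive as PHP's built-in default (On for display_errors, expose_php, enable_dl and allow_url_fopen).

```python
# Offline audit of a php.ini file against the hardening checklist above.
# Item numbers in the findings refer to that list.
REQUIRED_DISABLED = {"show_source", "system", "shell_exec", "passthru", "exec",
                     "popen", "proc_open", "proc_get_status", "phpinfo"}
MUST_BE_OFF = (("display_errors", 4), ("expose_php", 6),
               ("enable_dl", 7), ("allow_url_fopen", 8))

def parse_ini(text):
    """Minimal php.ini reader: drops ';' comments and [sections], last value wins.
    Quoted values that themselves contain ';' are not supported (rare in php.ini)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value.strip('"').strip("'")
    return conf

def is_on(value):
    """PHP's ini boolean rule: on/yes/true/1 mean on, anything else is off."""
    return value.strip().lower() in {"on", "yes", "true", "1"}

def audit(conf):
    """Return a list of findings; an absent directive uses PHP's built-in default (On)."""
    findings = []
    if not conf.get("open_basedir"):
        findings.append("item 1: open_basedir is not set")
    disabled = {f.strip() for f in conf.get("disable_functions", "").split(",")}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("item 2: disable_functions lacks " + ", ".join(missing))
    for key, item in MUST_BE_OFF:
        if is_on(conf.get(key, "1")):
            findings.append(f"item {item}: {key} is On, should be Off")
    return findings

# Constructed sample fragment (not a real server's config) with deliberate gaps.
SAMPLE_INI = """\
[PHP]
open_basedir = "/var/www/share:/tmp"
disable_functions = show_source,system,shell_exec,passthru,exec,popen
display_errors = Off
expose_php = On   ; still announces the PHP version in the X-Powered-By header
enable_dl = Off
allow_url_fopen = On
"""

if __name__ == "__main__":
    for finding in audit(parse_ini(SAMPLE_INI)) or ["no findings"]:
        print(finding)
```

To audit a real server, read its effective php.ini (the path shown by `php --ini`) into parse_ini instead of SAMPLE_INI; per-vhost overrides set elsewhere are not seen by this file-based check.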