WordPress is written in PHP. In order to properly secure WordPress one needs to ensure that your server’s global PHP settings are configured in a secure manner in order to mitigate any security risks that may exist.
In a shared hosting environment you may have some access to modify PHP settings but these are generally managed by your hosting provider.
This post deals with what the proper PHP configuration settings need to be when you manage your own server and will be found in your php.ini file which is located in a subfolder under /etc. On the server that I am using for this example the file is located in /etc/php5/apache2.
As with any task that requires changing configuration on an existing service let’s first make a copy of the php.ini file before we start configuring it so that we can roll back should anything break.
I generally copy the file to my home folder using the following command:
sudo cp /etc/php5/apache2/php.ini ~
Once we have backed up lets now open the php.ini file located in the /etc directory. You can use any command line text editor installed on your server but my personal favorite is nano so to open the php.ini file we need to type in the following command: sudo nano /etc/php5/apache2/php.ini. If your are prompted for your sudo password enter it and hit enter again.
Now let’s look at the areas within php.ini that need to be checked and securely configured if necessary. The php.ini file is quite long and navigating through it by scrolling can be quite cumbersome. The nano text editor has a built in search function which makes finding items much easier. To utilize the search function in nano hit CTRL + w, type in the string you are looking for and hit enter.
This is only applicable to servers running PHP 5.3 or earlier. If this is the case then php_safe_mode should definitely be set to “on”.
This setting provides a way to access remote files but creates an attack vector for URL-injection which would enable a hacker to add an instruction to a specific URL. By default on the server I am using it is set to “On” as you can see in the screen clipping below.
To secure the server “On” needs to be changed to “Off” so that URL’s are not teated as files by the web server.
register_globals is another PHP 5.3 risk which is only applicable to earlier versions. If you are running an earlier version of PHP this setting must be set to off. On my server it is no longer part of the php.ini file as you can see by the output when I search for it using nano.
Once you have made these changes to your php.ini file hot CTRL + x to exit and hit enter to save the changes.