The Ultimate PHP Security Checklist of WordPress Best Practices

Become a WordPress Buff
PHP Security Checklist
Share on twitter
Share on email
Share on facebook
Share on linkedin

Your website security process likely tackles how to secure your WordPress site at the server level as well as protect your site on the file level. But do you need to protect your programming language? Are there PHP security best practices you need to be following? Does PHP need to be secured?

Yes, yes and yes.

If you run a WordPress website but don’t focus on keeping your PHP code secure, you could be susceptible to a major incident.

Oh No Omg GIF by Friends

There is a ton of benefits to using PHP to develop your WordPress website:

  • It’s easy enough to use as a novice and flexible enough for programming pros.
  • It works great across all platforms (e.g. Linux, Windows, etc.).
  • It’s also very WordPress-friendly.
  • It can improve site speed.

That said, PHP isn’t without its flaw. PHP-programmed applications can be at risk for:

  • SQL injections
  • Cross-site scripting
  • Exposed login credentials
  • Session hijacking
  • Spoofed forms
  • And other nasty security risks

Related: How to Check Your WordPress Site’s PHP Version (And Upgrade Compatibility)

Obviously, this isn’t meant to put you off your desire to use PHP to program your WordPress website. It’s a highly reliable and flexible language and, when secured properly, can be an incredibly powerful tool that also helps to streamline your process.

The following PHP security checklist will teach you all the PHP security best practices you need to know about to keep your programming language and PHP-built applications secure going forward.

Our team at WP Buffs helps website owners, agency partners and freelancer partners follow PHP security best practices. Whether you need us to manage 1 website or support 1000 client sites, we’ve got your back.

The Ultimate PHP Security Checklist for WordPress

Want to ensure your WordPress website remains safe from hackers? Then it’s up to you to ensure that all the tools you use to build it (including your programming language) adhere to security best practices. Specifically when it pertains to PHP, you’ll need to pay close attention to the following:

  • PHP coding best practices
  • Restrictions to access on the backend of your site
  • User account management and monitoring
  • Validation, sanitization, and escaping of data
  • User-submitting data and upload monitoring
  • Web host reliability

If you want more information on the above PHP security checkpoints and how to use them in WordPress development, then keep reading for the ultimate PHP security checklist

PHP Best Practices

  • Use PHP7: Always use the latest version of PHP. The same goes for any libraries and third-party applications you use along with it.
  • Hide Version: The current version of PHP you’re using can let hackers know what sort of vulnerabilities you’ve left your site open to, so turn this setting off in your header using expose_php.
  • Rename phpinfo: Additional information about your installation needs to be hidden too, so be sure to change the phpinfo.php file name.
  • Change Error Code: Change the default error message that displays to users when a connection to your site fails. This will prevent them from seeing information about your IP or file path. Instead, just log those errors on your end.
  • Limit System Commands: The general consensus is that you shouldn’t use shell functions in PHP. If you have to, however, don’t include user data.

Protect the Backend

  • Use SFTP: When transferring files on the backend, always use SFTP.
  • Restrict Access to Directory: Change the default directory name for your PHP application.
  • Configure the Session Path: If you’re using shared hosting for your site, then other users on the server may be able to see your session data. You can stop this by storing new session paths below the root directory.
  • Create Separate Admins: If you’re running more than one PHP-based website on a single server, make sure you use a separate admin with completely different login credentials for each. This will prevent cross-site infections.
  • Make Directory Read-Only: Protect your web-accessible directory by setting it to read-only.
  • Store Sensitive Files Outside Directory: Sensitive application files (like configuration files) need to be placed into a non-web-accessible directory. You can then route them using a PHP script.

Secure User Information

  • Encrypt All Passwords: This one is obvious, but make sure you apply it across the board–for your passwords as well as all logged-in users.
  • Secure Sessions: Prevent the hijacking of sessions by creating a complex session ID. You could also add a special token to each URL.
  • Destroy Old Sessions: When someone has logged out or if their access rights have changed, always delete the cookies from their session and force a new session ID.
  • Verify New Users: Always verify the identity of new users and grant them access privileges accordingly. This is especially important if they’re trying to access a restricted page.
  • Use a Throttle: Too many failed logins should be blocked with a password throttle.

Validate Input and Output from Users

  • Validate and Sanitize Input: Any data, files, URLs, embedded content, CSS, or HTML sent through your site by a user–known or unknown–needs to be reviewed and sanitized. This means only the data that you expected to receive (e.g. username for username, email address for email address, etc.) should be allowed in. Keep “bad” words like “FROM” or “WHERE” or punctuation like a single quotation mark on your radar as they can be a sign that someone’s trying to sneak malicious code into your site.
  • Escape Output: Before publishing any user data or files to your site, make sure they’ve also been escaped to keep potentially dangerous characters and code from getting through (like single quotation marks or <script>).
  • Limit POST data: If hackers want to attack your site with an overwhelming amount of data, you can keep this at bay by setting limits to how much POST data can be sent. You can also limit the input time.
  • Disable Register_Globals: There should never be leeway in what type of information can be submitted in your site’s forms. Register_globals, unfortunately, opens up that opportunity to hackers.
  • Disable Magic_Quotes: Magic_quotes in and of itself won’t harm your site, but people who use it to escape your outputted data could unintentionally introduce a vulnerability.

Monitor Uploads

  • Disable File Uploads: This might not always be possible. But if you don’t need to receive files or data from users, get rid of this functionality.
  • Verify Uploaded Files: If you do need to allow users to upload files to your site, you’ll need to analyze the file content for harmful injections. As a shortcut, you can resave the file in a different format. If it’s still valid, then there’s less of a likelihood there’s an issue.
  • Use a Virus Scanner: If your site accepts a lot of uploaded files, you’ll want a virus scanner installed.

Use Secure Web Hosting

  • Use a Reliable Host: No matter how much work you put into securing your website, files, login area, or programming language, security needs to start at the hosting level. That’s why you must partner with a reliable web host that prioritizes security and provides support specifically for PHP7.
  • Get a CDN: Another way to cut down on security threats at the server level is to get a content delivery network (CDN). While these are often most associated with improving performance for globe-trotting websites, CDNs also provide an extra layer of protection.
  • Get an SSL Certificate: This is a best practice regardless of whether you program with PHP or not. SSL certificates add an extra encrypted layer between your server and your visitors’ browsers.

While each of the points above is indeed valid, this particular point is worth stressing as the quality of web hosting you rely on can ultimately make or break your site’s security strategy.

As it’s often difficult to sniff out the good from the bad–especially when looking for something as specific as PHP7 support–we’d suggest you start with web hosts like WP Engine and Kinsta.

Related: Fully Managed WordPress Hosting through WP Engine & Kinsta

WP Engine is a managed WordPress hosting provider that includes PHP7 support in each of its hosting plans. In addition, WP Engine regularly handles the subject of PHP7 on its blog with special shoutouts to its PHP Compatibility Checker plugin. To say this company is dedicated to PHP7 user support would be an understatement.

Another managed WordPress hosting company, Kinsta hosts all of its client websites with PHP7. This is to ensure high performance and speed across the board. Kinsta also offers its users the ability to update their PHP Engine to the latest PHP version.

And, of course, there’s WP Buffs fully-managed WordPress hosting to consider, too. WP Buffs always remains ahead of the curve by keeping its servers and PHP versions up-to-date with the latest and greatest, so you’ll never have to worry about managing those upgrades yourself (which is part of the joy in outsourcing WordPress management to someone else, right?)

Wrapping Up

When building a WordPress website, security is always a primary concern. That’s why you use trustworthy plugins and themes and always keep your core updated, among other security best practices. PHP is no different. Handle it like you do your other WordPress tools: keep it up-to-date and always abide by security best practices, and you (and your website) can sleep much sounder at night.

Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.

Share this post:
Share on twitter
Share on email
Share on facebook
Share on linkedin
Did you enjoy this post? Subscribe for more
No thanks. I can manage, speed up, secure, fix and grow websites myself.

Schedule a private call with our team to discuss our 24/7 WordPress care plans for serious website owners or 24/7 white-label site management for agencies and freelancers

Register for our next live WP AMA event!

🏆Chance to win weekly giveaways

📆 Instant invites to our Weekly WP AMA

🙋 First access to submit questions

💻 Direct links to all of our events

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy. By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

Read about how we increased Rigorous Digital's profit margin by 23% and helped remove all website issues for MEP Publishers and their 3 complex websites.

Case study eBook cover (MEP Publishing)
No thanks, I don't need more profit and I can tackle all my WordPress issues myself.
Case study eBook cover (Rigorous Digital)

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

 

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

Which care plans best fit your websites (or client sites)?

✔️ White-label site management

✔️ $1,000+ of premium plugins free under our care plans
✔️ 24/7 website edits and priority support
✔️ Ongoing speed and security optimization
✔️ 24/7 website uptime monitoring
✔️ 4x daily cloud backups
✔️ Weekly plugin, theme and core file updates
✔️ Weekly reports detailing any on-site changes

No thanks. I can manage, speed up, secure, fix and grow websites myself.
Questionnaire

Finally, a WordPress newsletter you'll actually read every single month.

✔️ High-impact news

✔️ Actionable tutorials and videos

✔️ #WordPress Twitter highlights

✔️ Vote on receipient of $200 donation and WP Buffs merch giveaways

✔️ Fully curated so you only receive the best 5% of content

No thanks, I have other ways to stay updated with WP

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy. By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

Finally, get your website 99.9999% secure and loading in under 1 second.

Our free eBooks and easy-to-follow checklists will have your website fully optimized in just a few hours.

No thanks, my website is as fast and secure as I want it.

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy. By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

How to Sell Your Very First Care Plans Cover

Finally, an email list that helps make WordPress simple and effective for you.

Speed & security optimization tips and detailed how-to guides with advice you can implement today.

No thanks, I already know everything about WordPress.
Speed checklist eBook cover

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

 

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy. By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

Case study eBook cover (Rigorous Digital)
Case study eBook cover (MEP Publishing)
How to Sell Your Very First Care Plans Cover

Honed and proven strategies we've used successfully 500+ times to help you sell your first care plans. Action steps you can implement in minutes.

No thanks, I can already sell as many care plans as I want.
How to Sell Your Very First Care Plans Cover

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

 

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.