mirsad / stock.adobe.com
Your website security process likely tackles how to secure your WordPress site at the server level as well as protect your site on the file level. But do you need to protect your programming language? Are there PHP security best practices you need to follow? Does PHP need to be secured?
Yes, yes and yes.
If you run a WordPress website but don’t focus on keeping your PHP code secure, you could be susceptible to a major incident.
There is a ton of benefits to using PHP to develop your WordPress website:
- It’s easy enough to use as a novice and flexible enough for programming pros.
- It works great across all platforms (e.g. Linux, Windows, etc.).
- It’s also very WordPress-friendly.
- It can improve site speed.
That said, PHP isn’t without its flaw. PHP-programmed applications can be at risk for:
- SQL injections
- Cross-site scripting
- Exposed login credentials
- Session hijacking
- Spoofed forms
- And other nasty security risks
Related: How to Check Your WordPress Site’s PHP Version (And Upgrade Compatibility)
Obviously, this isn’t meant to put you off your desire to use PHP to program your WordPress website. It’s a highly reliable and flexible language and, when secured properly, can be an incredibly powerful tool that also helps to streamline your process.
The following PHP security checklist will teach you all the PHP security best practices you need to know about to keep your programming language and PHP-built applications secure going forward.
The Ultimate PHP Security Checklist for WordPress
Want to ensure your WordPress website remains safe from hackers? Then it’s up to you to ensure that all the tools you use to build it (including your programming language) adhere to security best practices. Specifically when it pertains to PHP, you’ll need to pay close attention to the following:
- PHP coding best practices
- Restrictions to access on the backend of your site
- User account management and monitoring
- Validation, sanitization, and escaping of data
- User-submitting data and upload monitoring
- Web host reliability
If you want more information on the above PHP security checkpoints and how to use them in WordPress development, then keep reading for the ultimate PHP security checklist
PHP Best Practices
- Use PHP7: Always use the latest version of PHP. The same goes for any libraries and third-party applications you use along with it.
- Hide Version: The current version of PHP you’re using can let hackers know what sort of vulnerabilities you’ve left your site open to, so turn this setting off in your header using expose_php.
- Rename phpinfo: Additional information about your installation needs to be hidden too, so be sure to change the phpinfo.php file name.
- Change Error Code: Change the default error message that displays to users when a connection to your site fails. This will prevent them from seeing information about your IP or file path. Instead, just log those errors on your end.
- Limit System Commands: The general consensus is that you shouldn’t use shell functions in PHP. If you have to, however, don’t include user data.
Protect the Backend
- Use SFTP: When transferring files on the backend, always use SFTP.
- Restrict Access to Directory: Change the default directory name for your PHP application.
- Configure the Session Path: If you’re using shared hosting for your site, then other users on the server may be able to see your session data. You can stop this by storing new session paths below the root directory.
- Create Separate Admins: If you’re running more than one PHP-based website on a single server, make sure you use a separate admin with completely different login credentials for each. This will prevent cross-site infections.
- Make Directory Read-Only: Protect your web-accessible directory by setting it to read-only.
- Store Sensitive Files Outside Directory: Sensitive application files (like configuration files) need to be placed into a non-web-accessible directory. You can then route them using a PHP script.
Secure User Information
- Encrypt All Passwords: This one is obvious, but make sure you apply it across the board–for your passwords as well as all logged-in users.
- Secure Sessions: Prevent the hijacking of sessions by creating a complex session ID. You could also add a special token to each URL.
- Destroy Old Sessions: When someone has logged out or if their access rights have changed, always delete the cookies from their session and force a new session ID.
- Verify New Users: Always verify the identity of new users and grant them access privileges accordingly. This is especially important if they’re trying to access a restricted page.
- Use a Throttle: Too many failed logins should be blocked with a password throttle.
Validate Input and Output from Users
- Validate and Sanitize Input: Any data, files, URLs, embedded content, CSS, or HTML sent through your site by a user–known or unknown–needs to be reviewed and sanitized. This means only the data that you expected to receive (e.g. username for username, email address for email address, etc.) should be allowed in. Keep “bad” words like “FROM” or “WHERE” or punctuation like a single quotation mark on your radar as they can be a sign that someone’s trying to sneak malicious code into your site.
- Escape Output: Before publishing any user data or files to your site, make sure they’ve also been escaped to keep potentially dangerous characters and code from getting through (like single quotation marks or <script>).
- Limit POST data: If hackers want to attack your site with an overwhelming amount of data, you can keep this at bay by setting limits to how much POST data can be sent. You can also limit the input time.
- Disable Register_Globals: There should never be leeway in what type of information can be submitted in your site’s forms. Register_globals, unfortunately, opens up that opportunity to hackers.
- Disable Magic_Quotes: Magic_quotes in and of itself won’t harm your site, but people who use it to escape your outputted data could unintentionally introduce a vulnerability.
Monitor Uploads
- Disable File Uploads: This might not always be possible. But if you don’t need to receive files or data from users, get rid of this functionality.
- Verify Uploaded Files: If you do need to allow users to upload files to your site, you’ll need to analyze the file content for harmful injections. As a shortcut, you can resave the file in a different format. If it’s still valid, then there’s less of a likelihood there’s an issue.
- Use a Virus Scanner: If your site accepts a lot of uploaded files, you’ll want a virus scanner installed.
Use Secure Web Hosting
- Use a Reliable Host: No matter how much work you put into securing your website, files, login area, or programming language, security needs to start at the hosting level. That’s why you must partner with a reliable web host that prioritizes security and provides support specifically for PHP7.
- Get a CDN: Another way to cut down on security threats at the server level is to get a content delivery network (CDN). While these are often most associated with improving performance for globe-trotting websites, CDNs also provide an extra layer of protection.
- Get an SSL Certificate: This is a best practice regardless of whether you program with PHP or not. SSL certificates add an extra encrypted layer between your server and your visitors’ browsers.
While each of the points above is indeed valid, this particular point is worth stressing as the quality of web hosting you rely on can ultimately make or break your site’s security strategy.
As it’s often difficult to sniff out the good from the bad–especially when looking for something as specific as PHP7 support–we’d suggest you start with web hosts like WP Engine and Kinsta.
Related: Fully Managed WordPress Hosting through WP Engine & Kinsta
WP Engine is a managed WordPress hosting provider that includes PHP7 support in each of its hosting plans. In addition, WP Engine regularly handles the subject of PHP7 on its blog with special shoutouts to its PHP Compatibility Checker plugin. To say this company is dedicated to PHP7 user support would be an understatement.
Another managed WordPress hosting company, Kinsta hosts all of its client websites with PHP7. This is to ensure high performance and speed across the board. Kinsta also offers its users the ability to update their PHP Engine to the latest PHP version.
And, of course, there’s WP Buffs’ fully-managed WordPress hosting to consider, too. WP Buffs always remains ahead of the curve by keeping its servers and PHP versions up-to-date with the latest and greatest, so you’ll never have to worry about managing those upgrades yourself (which is part of the joy in outsourcing WordPress management to someone else, right?)
Wrapping Up
When building a WordPress website, security is always a primary concern. That’s why you use trustworthy plugins and themes and always keep your core updated, among other security best practices. PHP is no different. Handle it like you do your other WordPress tools: keep it up-to-date and always abide by security best practices, and you (and your website) can sleep much sounder at night.
Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.
SaveSave