Recommended PHP settings for Joomla additional security

Parent Technology uses SiteGround Hosting for all its Joomla installs. Here is a security article.

To improve the overall security of your Joomla application, start with the language that powers it: PHP. Although PHP is known to be very stable, there are certain parameters you can adjust to add additional security to your website. All settings described here can be entered into a custom php.ini file residing in the same directory where your Joomla website is hosted. For more information on how to create a custom php.ini, see our php.ini article here: http://kb.siteground.com/article/How_to_change_the_value_of_a_PHP_setting.html

The first and most important setting you should change is the register_globals value. Add the following line to the php.ini file:

register_globals = off

If this is left on, someone attempting to break your site could use it to inject all sorts of variables into your scripts: with the setting on, an attacker can set a variable that is otherwise unreachable. By default, register_globals is turned off on all SiteGround servers, except if you are using PHP 5.1, where it is enabled by default. Do NOT enable this feature (i.e. do not set register_globals = On).

magic_quotes_gpc = On

This is PHP's internal way of escaping various input to your script. By default it is on, unless you have overridden it. Disabling it (magic_quotes_gpc = off) will allow a remote attacker to execute various malicious code, such as SQL injection code.

allow_url_fopen = off

This setting makes PHP treat remote files as if they were local files on the server: it allows PHP to open any URL as if it were a file on your account. Although this is very handy, it will allow an attacker to include a file hosted on a remote server into your website and possibly execute it. In most cases, this is exactly how web shells and backdoors are installed into customers' hosting accounts. You should not enable it unless a very important extension/plugin requires it.

expose_php = off (default value = on)

One of the first steps an attacker takes is to gather as much information as possible about the platform and software the target is using. By disabling expose_php you will greatly reduce the information that an attacker will be able to discover.
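To confirm that a custom php.ini actually carries the four values recommended above, the following added example (not SiteGround's or Joomla's code) parses the file and reports each directive that is missing or set differently. The function names and the sample file are constructed for illustration; a missing directive is reported because the server default then applies.

```python
# Added example: checks a custom php.ini against the article's four values.
RECOMMENDED = {            # True = On, False = Off
    "register_globals": False,
    "magic_quotes_gpc": True,
    "allow_url_fopen": False,
    "expose_php": False,
}
# Spellings php.ini accepts for boolean flags (values are case-insensitive).
TRUE_WORDS = {"1", "on", "yes", "true"}
FALSE_WORDS = {"0", "off", "no", "false"}

def parse_php_ini(text):
    """Return {directive: raw value}; the last assignment seen is kept."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue                               # blank, [section] or junk
        key, value = line.split("=", 1)
        # Directive names are case sensitive, so the key is kept as written.
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return {directive: state found} for each deviation from RECOMMENDED."""
    settings = parse_php_ini(text)
    findings = {}
    for name, wanted in RECOMMENDED.items():
        if name not in settings:
            findings[name] = "not set"             # server default applies
            continue
        word = settings[name].lower()
        if word not in TRUE_WORDS | FALSE_WORDS:
            findings[name] = "unrecognised value " + repr(settings[name])
        elif (word in TRUE_WORDS) != wanted:
            findings[name] = "on" if word in TRUE_WORDS else "off"
    return findings

# Constructed sample file, not taken from a real site.
SAMPLE_INI = """\
; custom php.ini
register_globals = Off
magic_quotes_gpc = 0        ; escaping switched off
allow_url_fopen = On
Expose_PHP = off            ; wrong case: this does not set expose_php
"""

if __name__ == "__main__":
    for directive, state in audit(SAMPLE_INI).items():
        print(f"{directive}: found {state}, article recommends "
              f"{'On' if RECOMMENDED[directive] else 'Off'}")
```

This checks only what the file says; whether the server has loaded that file is a separate question answered by the hosting setup.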
