WordPress runs on PHP, so PHP is a key component to pay attention to when hardening a WordPress site. This article introduces some of the most common, low-hanging-fruit security issues that PHP configuration can address. Note: be careful when changing PHP settings. Incorrect settings or syntax can break the website. Always test your changes in a development or staging environment before applying them to production.

The topics covered are: using the latest PHP version; suppressing the PHP version; deleting all phpinfo() files; suppressing PHP errors and warnings; restricting file includes; disabling remote file includes; disabling dangerous functions; disabling or restricting PHP execution in sensitive directories; and a conclusion.

Use the latest PHP version. In addition to confirming that the operating system, the MySQL server and the web server (such as nginx, Apache or IIS) are patched, it is also absolutely crucial to confirm that you are running a fully supported version of PHP.
Because PHP is exposed to the Internet (WordPress runs on PHP and interacts with it directly), a vulnerability in PHP that is discovered and exploited maliciously carries a greater risk of attack. In this context, keeping PHP up to date (and thus not running end-of-life 5.x versions of PHP) is important not only to prevent attacks, but also to stop attackers from escalating an attack in cases where they have already gained a foothold on your WordPress website (for example, by exploiting a vulnerability in a WordPress plugin).

Suppress the PHP version. As with most web server software, PHP by default exposes the running version through the X-Powered-By HTTP header. As in other cases, this is not a security vulnerability in itself, but advertising software versions is usually useful to attackers in the reconnaissance phase of an attack. Therefore, hiding the PHP version can make an attack less likely to succeed.
Fortunately, this can be easily disabled using the expose_php setting. Simply add the following to the php.ini configuration file:
expose_php = Off
Delete all phpinfo() files. For debugging purposes, creating PHP files that call the phpinfo() function is a common bad habit among many PHP system administrators. If an attacker discovers the
In fact, if you need to run phpinfo(), you are better off doing so on the command line:
php -i
If the system has multiple PHP configurations (very common), you can tell PHP which INI file to use with the -c option:
php -c /etc/php/apache2/php.ini -i
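Before deleting leftover phpinfo() files you need to find them. The following POSIX shell function is an added example, not code from the original article: it lists every .php file under a web root that calls phpinfo(). The sample web root is constructed in a temporary directory so the script runs offline; the /var/www/html path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: locate PHP files under a web root that call phpinfo().
# Usage: find_phpinfo_files /var/www/html   (that path is an assumption)

find_phpinfo_files() {
    # Search only *.php files; grep -l prints each file containing a
    # phpinfo( call, tolerating whitespace between the name and the paren.
    # "|| :" keeps the function's exit status 0 when nothing matches.
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null || :
}

# Constructed sample web root: one leftover debug file and two clean files.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/debug" "$SAMPLE_ROOT/wp-content"
printf '<?php\nphpinfo ();\n' > "$SAMPLE_ROOT/debug/info.php"
printf '<?php\necho "hello";\n' > "$SAMPLE_ROOT/index.php"
printf 'phpinfo() in a text file is not executable\n' > "$SAMPLE_ROOT/wp-content/notes.txt"

# Prints only .../debug/info.php for the constructed tree.
find_phpinfo_files "$SAMPLE_ROOT"
```

Review each reported file before removing it: a match is a file that contains the call, and the decision to delete it is yours.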
Suppress PHP errors and warnings. Errors, warnings and exceptions are useful during development, but if they are displayed in a public environment, attackers often use this information to gain insight into the server configuration, application layout and components. Error messages are one of the most common ways information is disclosed, often revealing details such as the application installation path and database connection details. Make sure this information is logged instead of being displayed. More information on this topic can be found in the official PHP documentation.
Fortunately, this can be easily disabled using the display_errors setting. Simply add the following to the php.ini configuration file:
display_errors = Off
log_errors = On
Restrict file includes. A file inclusion vulnerability allows an attacker to control the file that a PHP include() statement loads. When PHP includes a file, it runs all PHP code in it but outputs everything else verbatim (assuming plain text). This means that an attacker who controls a file inclusion vulnerability can ultimately do the same, and gain access to important system files. Refer to this document for more information about file inclusion vulnerabilities.
include \
If you specify the open_basedir setting in php.ini, you can instruct PHP to allow files to be included only from under a specific directory. This does not eliminate file inclusion vulnerabilities, but it does further limit them and prevents the more advanced attacks that could escalate to code execution on the server. Note that open_basedir restricts all file system access by PHP, not just include(), so every path the site legitimately needs (uploads, cache, temporary files) must fall under the listed directories; multiple directories are separated by the system's path separator (a colon on Linux). In the php.ini file, you can specify the open_basedir setting as follows:
open_basedir = /var/www/html/example.com
Disable remote file includes. In addition to using open_basedir to restrict local includes to a specific directory, it is recommended to disable remote includes. Instead of a local file inclusion attack, an attacker can use a remote file inclusion (RFI) attack to include a file fetched over the network. This is very dangerous, and most RFI attacks end up allowing an attacker to execute arbitrary code (remote code execution, or RCE) on the web server.
To disable remote file inclusion, set the allow_url_fopen and allow_url_include options in the php.ini file. Note that allow_url_fopen = Off also stops functions such as file_get_contents() from fetching URLs, which some plugins rely on, so test before deploying.
allow_url_fopen = Off
allow_url_include = Off
Disable or restrict dangerous functions. If an attacker successfully finds and exploits a vulnerability in the PHP security of a WordPress site, the last thing you want is for the server to be able to execute arbitrary code. If an attacker can run arbitrary code on the server, they can install a web shell or set up a reverse shell to gain further control of the server and use it for malicious ends (for example, using the website to spread malware, run phishing campaigns, launch denial-of-service attacks, or mine cryptocurrency).
Disabling functions such as shell_exec() and system() prevents users and attackers from making use of these dangerous functions. You may have legitimate reasons to use these functions, but they are few and far between, and there are usually safer ways to achieve the same result. Note: some of the software or plugins you run may depend on these functions, so thoroughly test the following in a test or staging environment before rolling it out to production. Here is a set of potentially dangerous functions that can be disabled in PHP using the disable_functions setting in the php.ini file:
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace,
tmpfile, link, ignore_user_abort, shell_exec, dl, exec, system, highlight_file, source,
show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid,
posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid,
posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit,
posix_getsid, posix_g
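The directives recommended in this article (expose_php, display_errors, log_errors, allow_url_fopen, allow_url_include, open_basedir and disable_functions) are easy to set and just as easy to lose on the next PHP upgrade, so it is worth having a check that reads a php.ini and reports which of them are missing or weak. The POSIX shell script below is an added example, not code from the original article or from the PHP project. It treats a directive that is not set explicitly as a finding, because PHP would then silently apply its built-in default, and it checks only a representative subset of the disable_functions list (exec, system, shell_exec, passthru). Both php.ini files it audits are constructed samples written to a temporary directory; the /etc/php/apache2/php.ini path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: audit a php.ini for the hardening directives discussed above.
# Usage: audit_php_ini /etc/php/apache2/php.ini   (that path is an assumption)
# Exit status = number of findings, so 0 means every check passed.

# Print the effective value of a directive: the last uncommented
# "key = value" line wins, matching how PHP reads the file top to bottom.
ini_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | tr -d '"'
}

# Check a boolean directive against the wanted state ("on" or "off").
# A missing directive is reported too: a hardened php.ini states the value
# instead of relying on PHP's built-in default.
check_bool() {
    got=$(ini_value "$1" "$2")
    if [ -z "$got" ]; then
        echo "FAIL $2: not set explicitly"; return 1
    fi
    case "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes) norm=on ;;
        *)             norm=off ;;
    esac
    if [ "$norm" = "$3" ]; then
        echo "OK   $2 = $got"; return 0
    fi
    echo "FAIL $2 = $got (expected $3)"; return 1
}

# True when disable_functions lists the given function name.
has_disabled() {
    ini_value "$1" disable_functions | tr ',' '\n' | tr -d ' \t' | grep -qx "$2"
}

audit_php_ini() {
    fails=0
    check_bool "$1" expose_php        off || fails=$((fails + 1))
    check_bool "$1" display_errors    off || fails=$((fails + 1))
    check_bool "$1" log_errors        on  || fails=$((fails + 1))
    check_bool "$1" allow_url_fopen   off || fails=$((fails + 1))
    check_bool "$1" allow_url_include off || fails=$((fails + 1))
    base=$(ini_value "$1" open_basedir)
    if [ -n "$base" ]; then
        echo "OK   open_basedir = $base"
    else
        echo "FAIL open_basedir: not set"; fails=$((fails + 1))
    fi
    # A representative subset of the disable_functions list; extend as needed.
    for fn in exec system shell_exec passthru; do
        if has_disabled "$1" "$fn"; then
            echo "OK   disable_functions covers $fn"
        else
            echo "FAIL disable_functions: $fn is still callable"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample files: a typical unhardened php.ini and a hardened one.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_INI=$WORK/weak.ini
HARD_INI=$WORK/hardened.ini
cat > "$WEAK_INI" <<'EOF'
; constructed sample: defaults left in place
expose_php = On
display_errors = On
log_errors = Off
allow_url_fopen = On
; allow_url_include and open_basedir not set
disable_functions =
EOF
cat > "$HARD_INI" <<'EOF'
; constructed sample: directives from this article applied
expose_php = Off
display_errors = Off
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/www/html/example.com
disable_functions = php_uname, getmyuid, getmypid, passthru, shell_exec, exec, system, show_source
EOF

echo "== weak.ini =="
audit_php_ini "$WEAK_INI" || echo "$? finding(s)"
echo "== hardened.ini =="
audit_php_ini "$HARD_INI" && echo "0 findings"
```

Because the exit status is the number of findings, the function can be dropped into a deployment check or a cron job and fail the run as soon as a hardened php.ini drifts back toward the defaults. It reads a single file; settings applied through a web server's per-directory configuration or through .user.ini files are outside its view, so compare its result with the output of php -i for the relevant SAPI.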