Hide Source Code at Deployment

Is there a way to bundle a full PHP project as an executable to be delivered to a client?

Basically I need to deploy the site to multiple clients’ owned servers where the source code is not part of the deal - but I don’t think obfuscation is what I am looking for.

So how else do I protect the source code from my clients?

Why not?

Basically the only way you’re going to be able to do this is with a remote server that your clients’ code calls to deobfuscate the code. At the end of the day, the client’s local PHP engine has to be able to read the code to operate.

That or you use your remote server to process the code, but at that point… your client is just a proxy for your server.


Creating an executable from a PHP project for deployment while protecting the source code is a bit challenging due to the nature of PHP as an interpreted language. However, there are a few approaches you could consider:

  1. PHP Compilers: Tools like PHC can compile PHP scripts into executable binary files. This can offer some level of code protection but may not be entirely foolproof.

  2. Using a Code Encoder/Obfuscator: Tools like ionCube PHP Encoder and Zend Guard can encode and obfuscate your PHP code. This doesn’t create an executable, but it does make the code difficult to read and modify.

  3. Web Application Deployment: Consider deploying your application as a web service. You can host the application and provide access to your clients via the web. This way, the source code remains on your server.

  4. Docker Containers: Package your application in a Docker container. While this doesn’t prevent someone determined to access the source code, it does encapsulate everything in one package that can be easily deployed on client servers without exposing the source code directly.

  5. Virtual Machine Images: Similar to Docker, you could deploy your application as a VM image. The clients run the VM without direct access to the source code inside.

Remember, no method is entirely foolproof, and determined individuals might still find ways to access the code. These methods are about increasing the difficulty of accessing the source code, not making it impossible.

Good luck


There are, of course, tradeoffs in all things suggested.
Security through Obscurity will, by its nature, slow your process down, because the server needs to run extra stuff (deobfuscator, executable, extra connection to an external service, passing through the additional layer of OS to VM, etc). Not always a concern, but something to consider if your code needs to deliver on performance.

Do note that if you use a PHP compiler, you must include the PHP License in your deliverable, to be compliant with the PHP Distribution Guidelines.

If you do not trust your customer not to use your source code without your permission (which would be a criminal act), don’t do business with him…
