I just got a VPS to host my client’s website. It includes WHM, cPanel and LAMP.
Have just spent the last few days learning the basics of WHM and cPanel and thought I was ready to go, when it occurred to me that I probably have to set things up with PHP!
Locally I have been working with MAMP, and so most everything I needed was configured out of the box.
What kinds of things will I need to do with PHP to not only make it ready for my code, but also safe and secure?
About 4 years ago when I first started learning PHP, I vaguely remember poking around some .ini file and some other things per a book I was reading at the time. But even if I remembered what the book told me to do - which I don’t - I have no clue what to do on a LAMP VPS that is ready for prime time!!
Some help and suggestions from anyone running a production environment would be appreciated!!
The P in LAMP means PHP. So PHP should be included on the server. You shouldn’t need to worry about security of ini settings for PHP on the providers servers. That is the responsibility of your service provider. Though those settings might need to be tuned and what not depending on your application or if the provider will even allow you to do so.
There is a Tweek settings link on the WHM panel you can use to adjust email etc. At the bottom of the navigation on the left there is a security check where you can get an idea of your security with suggestions on what to fix. If it is installed as a plugin - ConfigServer Security & Firewall - Check Server Security.
You can update php and add apache modules with easyApache again it is a link on the left.
Expect to get quite a few emails from the server concerning security!
I could try and look at my Dev php.ini file and maybe I have some notes, but it just seems like there should be a clearly defined list of “.ini Settings Your Should No Use Defaults On!!”
Many providers of shared servers don’t allow modification of their ini settings. It is highly unlikely those settings can be changed on a shared server without talking to the service provider themselves. That is unless they have some type of GUI you can access to change the settings but direct access to the ini settings and installing new extensions unlikely. What would prevent you from changing the settings or introducing unsecure code onto server than absolutely nothing. Unless you’re using a dedicated hosting environment or aws or something most basic providers don’t allow changing those settings easily partially for the exact reason you’re talking about – security.
