WebCitz Blog

Top 9 Best Practices for Securing PHP Applications

Top 9 Practices for Securing PHP Applications

Application security is an important topic for all software developers, including PHP developers. In this blog post, we’ll explore our nine best practices for securing a PHP application. We’ll even discuss how you can implement some of these changes within your PHP application.

Simple Ways to Secure a PHP Application

1.) Update your PHP version

Your PHP-based web applications should always be running on the latest PHP version. Each PHP release includes new features, performance improvements, and security patches that help make your application better. However, unless you change the PHP version of your hosting account to the newer version, you’ll never get to take advantage of those benefits.

Here are our recommendations:

  • Log into your hosting control panel to see if you can upgrade your PHP version
  • If you can, go ahead and upgrade it. Otherwise, ask your hosting provider to do it for you.
  • Test your application on the latest PHP version. If there are issues, seek to resolve those yourself or through a PHP development company.

2.) Encrypt sensitive data

There are countless websites on the internet that are vulnerable to the loss of sensitive data that isn’t being encrypted. Here are some simple ways to improve your data security:

  • Always use an SSL certificate on your website to create a secure, https:// connection.
  • Always use TLS for sending and receiving email messages.
  • Always use SFTP or FTPS for connecting to your hosting account to manage files.
  • Always use a secure network connection for anything important – don’t trust public WiFi networks at airports, restaurants, hotels, or convention centers.
  • Always encrypt sensitive data that is at rest on your hosting account, especially employment application forms, financial data, etc.

3.) Protect against SQL injection attacks *

A SQL (Structured Query Language) Injection vulnerability occurs when user input is accepted and processed by your web application without proper validation of its type and intent. This compromises the integrity and reliability of your web application because unauthorized code could potentially be processed, exposing your business data and sensitive information

The best way to protect against SQL injection attacks is by sanitizing data input within your web application. By stopping hackers from injecting their own code into the website via a form field, you’ll be in a much better security posture.

For example, you want to sanitize any user-submitted values before inserting them into an SQL query, like so:

$input = filter_var($_POST['field'], FILTER_SANITIZE_STRING);
if (!empty($input)) { echo "You entered: " . $input; } else { echo 'Please enter something'; }

Notice how we’ve used the empty() function to make sure there are no empty fields?

4.) Don’t reuse passwords

If you use the same password between multiple websites, then anyone with access to those websites will be able to get your password.

For instance, if an attacker is able to download the user database of an ecommerce store you placed an order with last week, then that attacker might be able to discover your password. Pretty simple, right? Now all that hacker has to do is try your email address and password on common websites like Google, Facebook, PayPal, Venmo, Amazon, or even eBay to see if you’ve been using the same password on multiple websites.

Don’t become a victim of this common type of security exploit. You should get in the habit of creating unique, secure passwords for each website you have an account at. If you find it dificult to manage multiple complex passwords, consider a tool like LastPass. You want a secure password to include uppercase letters, lowercase letters, numbers, and special characters.

5.) Protect against XSS attacks *

XSS (Cross-Site Scripting) is an attack where malicious code is injected into a website, and then executes on a visitor’s browser.

This can often lead to cookie theft or session hijacking, which gives hackers access to all of your sensitive data without having to enter their own credentials.

An XSS attack, also called cross-site scripting, is when your web app executes remote code without your permission. An XSS attack can happen, for example, when your web app accepts user input and prints it to the web page. When a malicious user adds HTML, JavaScript, or even CSS, your web application will execute the remote code.

6.) Protect against CSRF attacks *

CSRF (Cross-Site Request Forgery) is a type of attack in which unauthorized commands are transmitted from the attacker’s site to your web application. This can lead to session hijacking or cookie theft, among other things.

It may seem difficult at first glance, but all you need to do is provide an extra token that needs verification for any action where sensitive information could be exposed, such as logging into another user’s account. This will ensure that there isn’t just one single point of vulnerability and make sure automated accounts aren’t used on your website.

7.) Update your web hosting service

If you have a shared web hosting account, it is likely your hosting provider is taking care of software updates for you on the web server.

If your business or organization uses a VPS or cloud hosting service, you may not realize your web server is potentially already running insecure applications. When you sign up for hosting with providers like Amazon AWS, Microsoft Azure, or Digital Ocean it is incumbent upon you to update your web server regularly. This is often overlooked, since people often think large corporations are taking care of all your security needs. Those hosting providers are only responsible for the server hardware required to provide you the hosting service. The operating system, web server software, database engine, and any other installed applications are for you to configure, optimize, and update.

8.) Don’t leave debug mode enabled in production environments

Most web applications have a debug mode that exposes database credentials, platform information, and other sensitive data to web developers actively working on your website. This is helpful to those developers, but what happens when that setting is left on in a production environment? Make sure these settings are disabled on a live environment to help prevent accidental disclosure of protected information.

9.) Don’t use “admin” as a username

You can minimize your risk of a brute force attack by using non-standard user names for administrator accounts.

Most web applications create a default administrator account with the user name of “admin” during the installation process. What may seem like a standard practice actually creates a security vulnerability. If someone knows the type of web application you are using, they can simply assume that you’ll have an administrator account with “admin” as the user name. This will reduce the effort needed for brute forcing the admin login form of your website.

A simple change like this goes a long way to preventing one of the most common attack vectors.

Final Thoughts on Securing PHP Websites

These were just a few security practices you can apply to your web application to keep it safe. It’s not always easy, but if you put in the effort you’ll be rewarded with an online presence that’s less likely to become compromised! If you need help, you can always hire a PHP web developer for assistance.

Disclaimer: WebCitz, LLC does not warrant or make any representations concerning the accuracy, likely results, or reliability of the information found on this page or on any web sites linked to from this page. This blog article was written by Timothy A in his or her personal capacity. The opinion(s) expressed in this article are the author's own and may not reflect the opinion(s) of WebCitz, LLC.