WebCitz Blog

Top 12 Security Best Practices for PHP

Top 12 Security Best Practices for PHP

Security is an important topic for all software developers, but PHP developers face some unique challenges. In this blog post, we’ll explore the top 12 security best practices for PHP, along with how you can implement them in your code to help keep your website safe and secure. You can always use the professionals at WebCitz to handle your PHP programming needs!

1. Update Your PHP Version Regularly

Ensure your PHP version is up-to-date to minimize the risk of security vulnerabilities. Patching often fixes known bugs, so it’s important that you take advantage of them as they are released.

Hackers have already begun exploiting the latest flaws in PHP. Those of you with older releases will be vulnerable to their intrusions unless you change your setup!

You can try the preview release, but security advisors warn companies to avoid preview releases of a new software because they might still have unknown security flaws.

PHP Logo

2. Do Not Expose Sensitive Data to the Internet Via an Unencrypted Connection

Many websites are still vulnerable because their developers made a mistake of exposing database or file system credentials on the public Internet using an unprotected FTP protocol, email account with no SSL protection, etc.

Protect these files and folders by encrypting them before transmitting them over any network connection that is not encrypted with TLS/SSL.

Security lock graphic

3. Protect Against SQL Injection Attacks

A SQL (Structured Query Language) Injection vulnerability occurs when user input is used within a query without proper validation of its type and intent, which compromises the reliability of results shown by following queries stitched together from submitted strings.

That sounds complicated, but all you need to know is that this attack can expose your business data and sensitive information.

The best way to protect against SQL injection attacks is by securing the input – stopping hackers from injecting their own code into the website via a form field or break out box. You want to sanitize any user-submitted values before inserting them into an SQL query, like so: $input = filter_var($_POST[‘field’], FILTER_SANITIZE_STRING); if(!empty($input)){ echo “You entered: “.$input.”

“; }else{echo ‘Please enter something’;} . Notice how we’ve used empty () to make sure there are no empty fields.

Security locks in a row all blue besides one thats red in the center and unlocked

4. Ensure that You are Storing Sensitive Data Securely

When it comes to keeping passwords and credit card information safe, there is no room for error – the stakes are too high if a hacker gains access to these files or databases containing this information!

To minimize the risk of such an attack from happening, always use a strong encryption algorithm when storing sensitive data in your database – preferably one with 128-bit AES encryption such as SHA512_RSA.

There is also software available that makes managing encrypted databases easier: MySQL Encryption Utilities (MEU). It’s important to note that MEU only encrypts text fields in MySQL databases, but that’s good enough for most use cases.

person working on a server rack

5. Don’t Reuse Passwords

Reusing the same password over and over again is a sure way to get your account hacked sooner than later! If you’re using PHP’s built-in functions to generate random strings of text (such as rand()), remember that they are only short-lived, so be sure to change them every few months at least.

You want it to include upper case letters, lowercase letters, numbers and symbols. It also doesn’t hurt to have more complex rules surrounding when a new string should be generated too – such as once per week or after three attempted login attempts with an incorrect password. There’s even software available that can do the math for you!

Username and password login fields

6. Ensure that Your Applications are Not Vulnerable to XSS Attacks

XSS (Cross-Site Scripting) is an attack where malicious code is injected into a website, and then executes on a visitor’s browser. This can often lead to cookie theft or session hijacking, which gives hackers access to all of your sensitive data without having to enter their own credentials – such as passwords or credit card numbers.

This vulnerability can be exploited by using JavaScript form validation on web pages, so that any input entered by visitors gets executed automatically via the page refresh, displaying hyperlinks with active content like images inside them, and appending user supplied parameters onto dynamic URLs like ‘?account=123’ etc.

hacker sitting at desk

7. Protect Against CSRF Attacks

CSRF (Cross-Site Request Forgery) is a type of attack in which unauthorized commands are transmitted from the attacker’s site to your web application. This can lead to session hijacking or cookie theft, among other things.

It may seem difficult at first glance, but all you need to do is provide an extra token that needs verification for any action where sensitive information could be exposed, such as logging into another user’s account – this will ensure that there isn’t just one single point of vulnerability and make sure automated accounts aren’t used on your website.

person hacking

8. Don’t Forget About Regular Patches!

It often goes without saying, but you should keep up with patching new vulnerabilities when they’re released by your system provider or software vendor.

You never know what security hole somebody else has found but you’re not be aware of, and it’s better to stay informed than have your website hacked!

person hacking with the word security behind them

9. Don’t Leave Debug Mode Enabled in Production Environments

Debugging code often has capabilities to enable things like remote file editing (using fopen()) and generating raw SQL queries via mysql_query().

These are great if you want to generate full stack traces when errors happen, but it opens up major security risks on your production website. Disabling these functions and removing any instances where they’re used will save you a lot of time when it comes to patching bugs too!

graphic of a magnify glass over a bug thats on a computer screen

10. Check the Firewall for Open Ports

It may be tempting to just hit ‘next’ whenever Windows is done installing updates, but don’t forget about checking what services are running and whether everything’s configured correctly or not – that includes updating firewalls too if needed.

It’ll help keep unwanted visitors out if hackers can’t find an entry point into your system through which they could execute their attack as easily.

person looking at a computer screen with code on it

11. Don’t Use “admin” as Account Name

If you want to protect yourself from having someone else access your site by guessing passwords, try using another username, like “admin” or something else that isn’t so obvious.

If someone does try to access your account, they’ll have a much harder time guessing the password and it’s also more difficult for hackers to exploit brute-force methods if you’re using an uncommon username!

key on a keyboard with a fingerprint as a key

12. Stay Up-to-Date With New Vulnerabilities

It may seem daunting at first, but staying informed about what security holes other people find will help keep your system safe in the event of any leaks.

Keeping track of all those updates can be tough though – luckily there are many tools available now which make this task easier than ever before. One such tool is called ‘Debian Long Term Support’, which is designed to support multiple versions of the OS and all kinds of software – including web servers with PHP.

person smiling at the camera while using a computer


In conclusion, these are just a few of the best security practices you can apply to your website in order to keep it safe. It’s not always easy, but if you take some time to put in the effort, then you’ll be rewarded with an online presence that’s less likely to be hacked!

Disclaimer: WebCitz, LLC does not warrant or make any representations concerning the accuracy, likely results, or reliability of the information found on this page or on any web sites linked to from this page. This blog article was written by Timothy A in his or her personal capacity. The opinion(s) expressed in this article are the author's own and may not reflect the opinion(s) of WebCitz, LLC.