All HowTo's Cybersecurity Web Servers

Chroot Apache PHP Scripts

This is possibly the single most important change you can make to your web server “vhost” to improve security to the entire server. PHP can do anything it likes to your server that the user it runs as can. In other words, it can read your “/etc/passwd” file, your filrewall rules and the processes that are running. It can also change files on any website you have on that same server.

Importantly, this only works with “mod_php” and NOT “php-fpm”.

This article explains how to lock PHP scripts into a single directory root per “vhost”.

The line below is what locks the PHP process into the specified directory root:

php_admin_value open_basedir "/var/www/html/"

The above says that PHP can run in “/var/www/html/” and “/tmp” but no where else. It can’t read “/etc/passwd” for example.

The following is an example “vhost” file used for a WordPress website:

<VirtualHost *:80>

 <FilesMatch "xmlrpc\.php">
  Order Deny,Allow
  Deny From all

 <Directory /var/www/html/>
  php_admin_value open_basedir "/var/www/html/"
  AllowOverride All
  Order allow,deny
  allow from all

 ServerAdmin [email protected]
 ErrorLog logs/www.example.com_log
 CustomLog logs/www.example.com_log common
 DocumentRoot /var/www/html/


Leave a Reply

Your email address will not be published. Required fields are marked *