
Chroot Apache PHP Scripts

This is possibly the single most important change you can make to your web server “vhost” to improve the security of the entire server. PHP can do anything to your server that the user it runs as can. In other words, it can read your “/etc/passwd” file, your firewall rules and the list of running processes. It can also change files on any other website hosted on that same server.

Importantly, this only works with “mod_php” and NOT “php-fpm”.

This article explains how to lock PHP scripts into a single directory root per “vhost”.

The line below is what locks the PHP process into the specified directory root:

php_admin_value open_basedir "/var/www/html/www.example.com/wordpress:/tmp"

The line above tells PHP that it may access files only under “/var/www/html/www.example.com/wordpress” and “/tmp”, and nowhere else. It can’t read “/etc/passwd”, for example.

The following is an example “vhost” file used for a WordPress website:

<VirtualHost *:80>

 # Block remote access to the WordPress XML-RPC endpoint
 <FilesMatch "xmlrpc\.php">
  Order Deny,Allow
  Deny From all
 </FilesMatch>

 # Confine PHP scripts under this document root to the site directory and /tmp
 <Directory /var/www/html/www.example.com/wordpress>
  php_admin_value open_basedir "/var/www/html/www.example.com/wordpress:/tmp"
  AllowOverride All
  Order allow,deny
  allow from all
 </Directory>

 ServerName www.example.com
 ServerAdmin [email protected]
 ErrorLog logs/www.example.com_log
 CustomLog logs/www.example.com_log common
 DocumentRoot /var/www/html/www.example.com/wordpress

</VirtualHost>
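As an added check that is not part of the original article, the Python script below audits a vhost file of the shape shown above: it pulls the ServerName, DocumentRoot and open_basedir entries out of each VirtualHost and reports whether PHP is actually confined to the site directory. The sample configuration is constructed for the example, and the script assumes the open_basedir directive sits inside the same VirtualHost (it does not check which Directory block carries it).

```python
import re

# Constructed sample: the article's locked vhost plus a second one that forgot the lock.
SAMPLE_CONF = """<VirtualHost *:80>
 <Directory /var/www/html/www.example.com/wordpress>
  php_admin_value open_basedir "/var/www/html/www.example.com/wordpress:/tmp"
 </Directory>
 ServerName www.example.com
 DocumentRoot /var/www/html/www.example.com/wordpress
</VirtualHost>
<VirtualHost *:80>
 ServerName blog.example.org
 DocumentRoot /var/www/html/blog.example.org
</VirtualHost>
"""

def parse_vhosts(conf):
    """Collect ServerName, DocumentRoot and open_basedir entries per <VirtualHost>."""
    vhosts, cur = [], None
    for line in map(str.strip, conf.splitlines()):
        if line.lower().startswith("<virtualhost"):
            cur = {"server_name": None, "document_root": "", "open_basedir": []}
        elif line.lower().startswith("</virtualhost"):
            vhosts.append(cur)
            cur = None
        elif cur is not None and (m := re.match(r"(\S+)\s+(.+)", line)):
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "servername":
                cur["server_name"] = value
            elif key == "documentroot":
                cur["document_root"] = value.strip('"').rstrip("/")
            elif key == "php_admin_value" and value.lower().startswith("open_basedir"):
                paths = value.split(None, 1)[1].strip().strip('"')
                # Keep "/" as "/" but drop other trailing slashes so prefix tests line up.
                cur["open_basedir"] = [p.rstrip("/") or "/" for p in paths.split(":") if p]
    return vhosts

def verdict(vh):
    """Judge one parsed vhost: is PHP confined to its DocumentRoot?"""
    allowed, docroot = vh["open_basedir"], vh["document_root"]
    if not allowed:
        return "UNLOCKED: no open_basedir, PHP may read whatever the Apache user can"
    if "/" in allowed:
        return "WEAK: open_basedir contains '/', which restricts nothing"
    if not any(docroot == p or docroot.startswith(p + "/") for p in allowed):
        return "MISCONFIGURED: DocumentRoot lies outside open_basedir"
    return "LOCKED"

def audit(conf):
    return {vh["server_name"]: verdict(vh) for vh in parse_vhosts(conf)}
```

Run it against your real vhost files with `audit(open(path).read())`; anything other than LOCKED for a PHP site is worth a look. Remember that, as the article notes, these directives are only honoured by mod_php.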
