Two very easy ways to secure your PHP-based site.


As some of you may know, I work in the internet field providing support for a popular hosting company. From time to time I will speak with customers whose sites have been hacked, and they, believing this is due to the security of our servers, like to blame us. That is not the case. These sites are hacked through common security holes found in PHP-based scripts. Today I am telling you the 2 easiest ways to secure your PHP-based sites. Performing these things will take only minutes, and can save you a great deal of potential pain resulting from a hacked site.

First and foremost: KEEP YOUR SCRIPTS UPDATED! Most open source projects are updated very frequently, and most of these updates address known security issues. Check the home page of your script frequently for updates, and as soon as possible, patch your scripts to the latest versions. This is the most important thing you can do to be secure. I cannot stress this enough.

Second: add the following to your .htaccess file to prevent users from seeing your php.ini file.

<Files php.ini>
Order allow,deny
Deny from all
</Files>

This simple addition to your .htaccess file will prevent visitors from viewing your php.ini settings. No one needs to see this file, and exposing it only tells people specifics about your PHP setup, which will help them break in.
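
To check a whole web root for php.ini files that the rule above does not cover, the following script (an added example, not part of the original post) reports each php.ini with no `<Files php.ini>` deny rule in its own or a parent directory's .htaccess. It also accepts `Require all denied`, the Apache 2.4 form of the same rule; the function names and sample tree are constructed for illustration, and it assumes the server honours .htaccess files and ignores rules set in the main server configuration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: heuristic audit for exposed php.ini.
# Succeeds if .htaccess file $1 denies php.ini (Apache 2.2 or 2.4 syntax).
htaccess_denies_php_ini() {
    awk '
        { raw = $0; sub(/\r$/, "", raw); line = tolower(raw) }  # tolerate CRLF
        line ~ /^[ \t]*#/ { next }                               # skip comments
        line ~ /^[ \t]*<files[ \t]/ {
            inblock = (raw ~ /[ \t]"?php\.ini"?[ \t]*>[ \t]*$/); next }
        line ~ /^[ \t]*<\/files>/ { inblock = 0; next }
        inblock && line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Succeeds if directory $1 is covered by a deny rule in its own .htaccess or
# an ancestor's, up to web root $2 (.htaccess rules apply to subdirectories).
covered_by_htaccess() {
    local dir="$1" root="$2"
    while :; do
        if [ -f "$dir/.htaccess" ] && htaccess_denies_php_ini "$dir/.htaccess"; then
            return 0
        fi
        if [ "$dir" = "$root" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then
            return 1
        fi
        dir=$(dirname "$dir")
    done
}

# Print each php.ini under web root $1 that no .htaccess rule covers.
exposed_php_ini() {
    local root="${1%/}" f
    find "$root" -type f -name php.ini | sort | while IFS= read -r f; do
        covered_by_htaccess "$(dirname "$f")" "$root" || printf '%s\n' "$f"
    done
}

# Constructed sample tree: blog/ carries the rule from the post, shop/ does not.
make_sample_tree() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/blog/admin" "$root/shop"
    printf '<Files php.ini>\nOrder allow,deny\nDeny from all\n</Files>\n' > "$root/blog/.htaccess"
    touch "$root/blog/php.ini" "$root/blog/admin/php.ini" "$root/shop/php.ini"
    printf '%s\n' "$root"
}

# Usage: audit.sh /path/to/webroot; with no argument it audits the sample tree.
if [ "$#" -ge 1 ]; then exposed_php_ini "$1"; else exposed_php_ini "$(make_sample_tree)"; fi
```

An empty result means every php.ini found sits under a deny rule; any path printed is a file to protect or move out of the web root.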

Note that this is not going to prevent every person with bad intentions from gaining access to your site, but these two things will prevent most common issues.

This entry was posted on Wednesday, October 3rd, 2007 at 7:49 pm and is filed under Jason's Blog.