To follow the tips below, locate the php.ini file on your system and make a backup of it first.
A common location for php.ini on Linux is /etc/php5/apache2/. Note that safe_mode, register_globals and the magic_quotes directives were removed in PHP 5.4, so tips 1, 2 and 7 only apply to older PHP releases.
1. Enable safe mode
Locate the line safe_mode = Off and change it to safe_mode = On
With safe_mode enabled, PHP scripts can only access files that are owned by the Apache user.
2. Disable register globals
Locate the line register_globals = On and change it to register_globals = Off
When register_globals is on, all request variables (environment, GET, POST, cookie and server values) are automatically registered as global PHP variables, so untrusted input can overwrite variables your script never initialised.
3. Disable allow_url_fopen
Locate the line allow_url_fopen = On and change it to allow_url_fopen = Off
Turning allow_url_fopen off prevents URLs from being used with include and in some other file functions.
4. Do not display errors
Locate the following directives and adjust them as shown below:
display_errors = Off
display_startup_errors = Off
log_errors = On
error_reporting = E_ALL
error_log = /path/to/your/logs
5. Restrict what PHP can access for reading/writing
Locate the line open_basedir = and set it to the directory tree PHP is allowed to access, for example open_basedir = /var/www/htdocs/mysite
6. Limit PHP maximum execution time, memory, maximum upload file size, POST size etc.
max_execution_time = 30 ; Maximum execution time of each script, in seconds
max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
memory_limit = 16M ; Maximum amount of memory a script may consume
upload_max_filesize = 2M ; Maximum allowed size for uploaded files
post_max_size = 8M ; Maximum size of POST data that PHP will accept
Change the values to suit your needs.
7. Disable magic quotes
Locate the line magic_quotes_gpc = On and change it to magic_quotes_gpc = Off
and the line magic_quotes_sybase = On and change it to magic_quotes_sybase = Off
and handle input filtering and escaping in your scripts yourself.
8. Change upload_tmp_dir
upload_tmp_dir lets you specify the temporary directory used for storing uploaded files. This directory should not be within the document root of the web site, nor readable or writable by any other system user.
ex. upload_tmp_dir = /var/www/mysite
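As an added example (not part of the original tips), the following Python script parses a php.ini file and reports which of the tips above are not applied: the boolean directives from tips 1-4 and 7, an empty open_basedir, and an upload_tmp_dir placed inside the document root. SAMPLE_INI and the document root path are constructed for illustration.

```python
# Hardened values for the boolean directives from tips 1-4 and 7 above;
# open_basedir and upload_tmp_dir are site-specific and are checked separately.
EXPECTED = {
    "safe_mode": "On", "register_globals": "Off", "allow_url_fopen": "Off",
    "display_errors": "Off", "display_startup_errors": "Off", "log_errors": "On",
    "magic_quotes_gpc": "Off", "magic_quotes_sybase": "Off",
}
# Constructed sample of an unhardened php.ini (not taken from any real system).
SAMPLE_INI = """\
[PHP]
safe_mode = Off        ; tip 1 not applied
register_globals = On
allow_url_fopen = On
display_errors = On
log_errors = Off
magic_quotes_gpc = On
open_basedir =
upload_tmp_dir = /var/www/htdocs/mysite/tmp
"""
def parse_php_ini(text):
    # Map directive -> value; skip ';' comments, blank lines and [section]
    # headers. A later duplicate overrides an earlier one, as PHP does.
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings

def as_bool(value):
    # php.ini accepts 1/On/True/Yes and 0/Off/False/No; normalise to On/Off.
    return "On" if value.strip().lower() in {"1", "on", "true", "yes"} else "Off"

def audit(text, docroot):
    # Return one finding per tip that is not applied; [] means all are applied.
    s, findings = parse_php_ini(text), []
    for key, want in EXPECTED.items():
        if key not in s:
            findings.append(f"{key}: not set (expected {want})")
        elif as_bool(s[key]) != want:
            findings.append(f"{key}: {s[key]} (expected {want})")
    if not s.get("open_basedir"):
        findings.append("open_basedir: empty, so PHP may read and write anywhere")
    tmp = s.get("upload_tmp_dir", "")
    if tmp and (tmp.rstrip("/") + "/").startswith(docroot.rstrip("/") + "/"):
        findings.append(f"upload_tmp_dir: {tmp} is inside the document root")
    return findings
```

Run it against your own file with audit(open("/etc/php5/apache2/php.ini").read(), "/var/www/htdocs/mysite") and review each reported line against the tips above.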