This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit


Revision as of 04:48, 2 January 2019 by Danehrlich1 (talk | contribs) (change)

Jump to: navigation, search


There are 1.8 billion websites on the internet today. Nearly 80% are powered by the PHP programming language. Democracy, freedom, and a better world are not possible if PHP is insecure. This project seeks to be the clearing house for the best ways of protecting PHP websites, apps, and the data they have. Thank you for reading. ​

What Does PHP Security Mean?

  • Is my code secure? E.g. am I using the latest version of PHP?
  • Is my architecture secure? E.g. Have I hardened the web server the application runs on?
  • Is my development infrastructure secure? E.g. Do I have 2FA on my Github account along with all other developers?

What Can You Learn Here?

  • Fastest way to secure a legacy PHP application
  • What options do I need in my php.ini file for security?
  • The proper way to sanitize data in 2019 with PHP
  • How can I check my dependencies for vulnerabilities?
  • How to secure the web server running your PHP
  • How to secure phpmyadmin, MySQL, and Postgres databases
  • How to harden your WordPress or Drupal site


Lead: Dan Ehrlich

Please email [email protected] if you would like to help out.


Last Update: 12/2018

Other Resources

Mailing List

Related Projects

It is not easy to produce a PHP application without security vulnerabilities. Most application security vulnerabilities apply to PHP applications just like other environments.

The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure PHP applications

PHP Security for Developers
* This section covers dangerous calls and common vulnerabilities associated with them, such as system() exec(), eval() and so on. This section will also cover standard security mechanisms available in the standard language, such as cryptography, logging, encryption, and error handling. Securing elements of an application, such as controllers, business logic, and persistence layers will be covered. We'll discuss handling request parameters, encoding, injection, and more.
PHP Security for DevSecOps
* How to secure a PHP application when running on the major cloud providers. How to secure a PHP application if all you've got is an unmanaged Linux server. Harden web server, harden database, and various network defenses such as WAFs, GeoIP, and DNSBL.
* How to secure the development environment. Do you have control over the Source code repository? Are commits signed? How do you know which Docker Images to trust? Do you scan containers for vulnerabilities?
PHP Security for Software Architects
* Provides information about the design and architectural considerations for a PHP web application. Which frameworks to use, which frameworks are dead, and using the various FIGs.

To get involved join the mailing list: OWASP PHP Mailing List

Please visit the Tutorial and remember to add the tag: [[Category:PHP]] at the end of articles so that they're properly categorised.


The previous version of this PHP Project home page is archived here: OWASP_PHP_Project_Archive_(03.2015)