PHP 7.4 and the security of ancient scripts
Unfortunately, many servers still run PHP 7.4 scripts and web applications. These are mostly old, unmaintained projects that cannot or should not be taken offline for a variety of reasons.
Running such web applications is becoming increasingly insecure: PHP 7.4 offers a larger attack surface, and in many cases the applications themselves have not received security updates for years.
To reduce the number of attack vectors, deep inspection of all requests should be enabled in the WAF. It may also be advisable to tighten the PHP settings in php.ini and block particularly risky operations, such as file uploads and the execution of shell commands:
; Note: eval is a language construct, not a function, so disable_functions has no effect on it
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,eval,assert
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
display_errors = Off
log_errors = On
file_uploads = Off
If users no longer use the script interactively but only view the website, it may also make sense to simply block all POST requests. Registrations, uploads and logins are then no longer possible. Here is an example using the .htaccess file, in which only one allowed IP address can perform such requests:
<If "%{REQUEST_METHOD} == 'POST' || %{REQUEST_METHOD} == 'PUT' || %{REQUEST_METHOD} == 'DELETE'">
Require ip 11.11.11.11
</If>
Of course, specific areas or files can be blocked for the public in the same way:
RewriteEngine On
# Protect specific sensitive paths
RewriteCond %{REQUEST_URI} ^/(callback|login\.php|admin|login_admin\.php|ResponsiveFilemanager|StyleEdit|updater) [NC]
RewriteCond %{REMOTE_ADDR} !^11\.11\.11\.11$
RewriteRule .* - [F,L]
This could also be useful: assign important files such as .htaccess and index.php to the root user. This means that the web server user, and with it any compromised script, can no longer modify these files.
chown root:psacln index.php
chown root:psacln .htaccess
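To verify that a deployed php.ini actually carries the hardening directives from the block above, here is an added audit script (not part of the original post) that parses php.ini text and reports every deviation, including the one entry, eval, that disable_functions cannot act on because it is a language construct. The sample input is constructed and mirrors the post's block with display_errors left On.

```python
# Added example (not the post's code): audit php.ini text against the hardening block above.
# Functions the post lists for disable_functions. eval is left out on purpose:
# it is a language construct, so disable_functions cannot disable it.
REQUIRED_DISABLED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen", "assert"}
# Language constructs that disable_functions silently ignores when listed.
CONSTRUCTS = {"eval", "include", "require", "echo", "print", "isset", "unset", "exit"}
# Boolean directives from the post and the value each must have.
EXPECTED = {"allow_url_fopen": False, "allow_url_include": False, "expose_php": False,
            "display_errors": False, "log_errors": True, "file_uploads": False}
TRUE_WORDS, FALSE_WORDS = {"1", "on", "true", "yes"}, {"0", "off", "false", "no", ""}

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one, as in PHP."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments (a quoted ';' is not handled)
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, [section] header, or not an assignment
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return findings in check order; an empty list means the baseline above is met."""
    cfg = parse_ini(text)
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",")}
    findings = [f"disable_functions is missing {f}" for f in sorted(REQUIRED_DISABLED - disabled)]
    findings += [f"disable_functions lists {c}, a language construct it cannot disable"
                 for c in sorted(disabled & CONSTRUCTS)]
    for directive, want in EXPECTED.items():
        value = cfg.get(directive)
        if value is None:  # not set at all, so PHP's compiled-in default applies
            findings.append(f"{directive} is not set explicitly")
            continue
        actual = True if value.lower() in TRUE_WORDS else False if value.lower() in FALSE_WORDS else None
        if actual != want:
            findings.append(f"{directive} = {value} (expected {'On' if want else 'Off'})")
    return findings

# Constructed sample: the post's block with display_errors left On by mistake.
SAMPLE_INI = """[PHP]
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,eval,assert
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
display_errors = On   ; should be Off
log_errors = On
file_uploads = Off
"""
```

Run audit() on the contents of the php.ini the web SAPI actually loads (see phpinfo's "Loaded Configuration File"), since the CLI may read a different file.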