{"id":11835,"date":"2025-07-29T10:47:09","date_gmt":"2025-07-29T10:47:09","guid":{"rendered":"https:\/\/mainvps.net\/blog\/?p=11835"},"modified":"2025-09-23T11:45:25","modified_gmt":"2025-09-23T11:45:25","slug":"secure-php-vps-security-tips","status":"publish","type":"post","link":"https:\/\/mainvps.net\/blog\/secure-php-vps-security-tips\/","title":{"rendered":"How to Secure Your PHP VPS: Essential Security Tips"},"content":{"rendered":"\n<p>You&#8217;re in control of your server\u2014now make it safe. A well-configured PHP VPS isn\u2019t just faster; it&#8217;s tougher against hacks. Let\u2019s walk through simple, sensible tweaks to help you sleep better at night.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_Why_Securing_Your_VPS_Is_Non-Negotiable\"><\/span>1. Why Securing Your VPS Is Non-Negotiable<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Think of your VPS like a car\u2014powerful, flexible, but risky if left unlocked. PHP sits at the center of most websites. PHP misconfiguration can expose data, bypass login systems, or open up your server to intruders. Since you have full control, it\u2019s your job to set up the locks properly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2_Lock_the_Basics_Linux_SSH_Hardening\"><\/span>2. 
Lock the Basics: Linux &amp; SSH Hardening<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li style=\"font-size:18px\"><strong>Update first<\/strong>\u2014run: <br>bash<br><code>sudo apt update &amp;&amp; sudo apt upgrade -y<\/code><\/li>\n\n\n\n<li><strong>Create a non-root user<\/strong> for day-to-day tasks: <br>bash<br><code>sudo adduser deployer<br>sudo usermod -aG sudo deployer<\/code><\/li>\n\n\n\n<li><strong>Secure SSH access<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Use key-based login only (disable passwords).<\/li>\n\n\n\n<li>Disable root <a href=\"https:\/\/mainvps.net\/blog\/ssh-explained-secure-remote-access\/\">SSH<\/a> login in <code>\/etc\/ssh\/sshd_config<\/code>.<\/li>\n\n\n\n<li>Close port 22 and move SSH to another port, or install something like <code>fail2ban<\/code> to slow attackers.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_Web_Server_Safety_Apache_or_Nginx_Tweaks\"><\/span>3. Web Server Safety: Apache or Nginx Tweaks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable modules you aren\u2019t using\u2014less software equals fewer vulnerabilities.<\/li>\n\n\n\n<li>Turn on HTTPS using Let\u2019s Encrypt certificates.<\/li>\n\n\n\n<li style=\"font-size:18px\">Set security headers so browsers block risky behavior:<br>apache<br><code>Header set X-Frame-Options \"SAMEORIGIN\"<br>Header set X-Content-Type-Options \"nosniff\"<br>Header set Content-Security-Policy \"default-src 'self';\"<\/code><\/li>\n\n\n\n<li>Never show raw PHP errors in production\u2014log them instead.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"4_Securing_PHP_itself_phpini_Configuration\"><\/span>4. 
Securing PHP Itself (php.ini Configuration)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In your <code>php.ini<\/code> file, make changes like:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\" style=\"font-size:18px\">ini<br>expose_php = Off<br>display_errors = Off<br>log_errors = On<br>error_log = \/var\/log\/php-errors.log<br>memory_limit = 128M<br>upload_max_filesize = 10M<br>session.cookie_secure = 1<\/pre>\n\n\n\n<p>These small changes limit what attackers can see or exploit\u2014and help keep memory hogs in check.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"5_File_Permissions_Respect_the_Folders\"><\/span>5. File Permissions: Respect the Folders<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Avoid opening up everything with <code>777<\/code>. Instead:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\" style=\"font-size:18px\">bash<br>chown -R deployer:www-data \/var\/www\/html<br>find \/var\/www\/html -type d -exec chmod 755 {} \\;<br>find \/var\/www\/html -type f -exec chmod 644 {} \\;<\/pre>\n\n\n\n<p>Just one bad permission can expose config files or credentials\u2014don\u2019t leave that to chance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"6_Use_Firewalls_Isolation\"><\/span>6. 
Use Firewalls &amp; Isolation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li style=\"font-size:18px\">Set up a firewall like UFW: <br>bash<br><code>sudo ufw allow ssh<br>sudo ufw allow 80,443\/tcp<br>sudo ufw enable<\/code><\/li>\n\n\n\n<li>Run apps in contained environments\u2014like <a href=\"https:\/\/mainvps.net\/blog\/install-scrypted-with-docker-compose\/\">Docker<\/a> containers or chrooted folders\u2014to isolate apps.<\/li>\n\n\n\n<li>Use <a href=\"https:\/\/mainvps.net\/blog\/protect-mysql-with-fail2ban-security-guide\/\"><strong>Fail2Ban<\/strong><\/a> to block repeated login attempts or brute force attacks automatically.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"7_Scan_and_Monitor_Proactive_Protection\"><\/span>7. Scan and Monitor: Proactive Protection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install tools like <code>rkhunter<\/code> or <code>chkrootkit<\/code>.<\/li>\n\n\n\n<li>Set up malware scanning using ClamAV or Maldet.<\/li>\n\n\n\n<li>Schedule daily scans and check logs regularly to catch weird activity early.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"8_Backups_Monitoring_Build_Your_Safety_Net\"><\/span>8. 
Backups &amp; Monitoring: Build Your Safety Net<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Schedule <strong>daily backups<\/strong> of code and databases\u2014just in case.<\/li>\n\n\n\n<li>Monitor key logs:\n<ul class=\"wp-block-list\">\n<li>PHP errors: <code>\/var\/log\/php-errors.log<\/code><\/li>\n\n\n\n<li>Web traffic: Apache or Nginx logs<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Use lightweight <a href=\"https:\/\/mainvps.net\/blog\/monitoring-kvm-vps-performance-essential-tools-and-techniques\/\">monitoring tools<\/a> like <strong>Monit<\/strong> or <strong>Grafana + Prometheus<\/strong> for real-time alerts.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"9_Keep_Your_Apps_Fresh\"><\/span>9. Keep Your Apps Fresh<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Regularly update your CMS (<a href=\"https:\/\/mainvps.net\/wordpress-hosting\">WordPress<\/a>, Drupal), plugins, and composer packages.<\/li>\n\n\n\n<li>Remove unused plugins or libraries.<\/li>\n\n\n\n<li>Lock down dependencies in <code>composer.json<\/code> to prevent unexpected updates.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Extra_Pro_Tip_Secure_Your_Deployment\"><\/span>Extra Pro Tip: Secure Your Deployment<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don\u2019t keep environment files in the web root.<\/li>\n\n\n\n<li>Use deployment keys or CI\/CD tools with limited access.<\/li>\n\n\n\n<li>Log deployment activities so you know what changed and when.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"In_Summary\"><\/span>In Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Securing your PHP VPS doesn\u2019t need to feel like rocket science. 
Each layer\u2014SSH, web server, PHP, and file permissions\u2014can be tightened with simple, sensible configurations. And the payoff? Peace of mind, faster performance, and fewer surprises.<\/p>\n\n\n\n<p>Need help locking down your PHP stack, or want us to review your setup? <strong><a href=\"https:\/\/mainvps.net\">MainVPS<\/a><\/strong> offers tips, audits, and support so your <a href=\"https:\/\/mainvps.net\/vps\">VPS <\/a>remains both powerful and secure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"FAQs_You_Might_Be_Asking\"><\/span>FAQs You Might Be Asking<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>Q: Should I use PHP-FPM or mod_php?<\/strong><br>PHP-FPM is recommended. It isolates PHP processes, improving performance and reducing risks.<\/p>\n\n\n\n<p><strong>Q: What should log levels look like?<\/strong><br>Use <code>log_errors = On<\/code>, but keep <code>display_errors = Off<\/code>\u2014let PHP log, not expose.<\/p>\n\n\n\n<p><strong>Q: Is Docker overkill for simple sites?<\/strong><br>Not at all. Containers help isolate apps and make updates cleaner\u2014even for small deployments.<\/p>\n\n\n\n<p><strong>Q: How often should I rotate SSH keys?<\/strong><br>Once every 3 months is a reasonable routine\u2014especially if team members change often.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You&#8217;re in control of your server\u2014now make it safe. A well-configured PHP VPS isn\u2019t just faster; it&#8217;s tougher against hacks. 
Let\u2019s walk through simple, sensible tweaks <a class=\"read-more-link\" href=\"https:\/\/mainvps.net\/blog\/secure-php-vps-security-tips\/\">Read More<\/a><\/p>\n","protected":false},"author":4,"featured_media":11865,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,20],"tags":[],"class_list":["post-11835","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-web-hosting","category-servers"],"_links":{"self":[{"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/posts\/11835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/comments?post=11835"}],"version-history":[{"count":3,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/posts\/11835\/revisions"}],"predecessor-version":[{"id":11839,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/posts\/11835\/revisions\/11839"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/media\/11865"}],"wp:attachment":[{"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/media?parent=11835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/categories?post=11835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/tags?post=11835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}