I have finished my PHP project development. It was developed locally on my PC. Now I am ready to upload it on my web server and make it publicly accessible.
There is however one thing that bothers me: Currently, all the PHP files are in my WWW folder with all the HTML, JavaScript, CSS, and image files. PHP files are sensitive, as they access the MySQL database and often contain passwords and file paths that are meant to remain secret from the users.
If I leave the PHP files within the WWW directory, I am afraid they can become accessible to the public in the same way as the other files and images are. I am afraid that skilled users can download and read them, and therefore reveal the secret information about my web server.
Are my worries legit? Does the web server automatically hide .php files? Should I move the PHP files into another location, away from the WWW folder? Is there any other way to protect my PHP files from being downloaded?
I am using:
It's pretty safe. If you have PHP installed, your webserver will always try to run the PHP file rather than showing its code, and even if the code fails, you will get an error message or a blank page rather than the code.
Apart from that, you can use .htaccess or other kinds of server configuration to disable viewing of those files.
But.. It must be said though, that if any of these settings are not configured correctly, the webserver may indeed serve the PHP files as plain text files!
So I think it is a good idea to move all php files out of the www folder if they should not be accessed directly. Quite often you'll find only one index.php which handles all requests and includes other php files. PHP files that are not in www (the document root), can still be included, so it's a good safety measure to put these files in a separate folder. That way, you reduce the risk of exposing those files when you make a tiny little configuration error.
After all, even when it worked before, it's very easy to break it. Maybe you want to tweak your configuration a little, or you are on a shared host where the hosting provider might make changes without you knowing, so it's just a wise thing to do.
So.. It is a good idea to move files out of the www folder. It's usually very easy to do this (although it depends on your application structure), so it's just an extra safety measure that usually won't cost you a dime. And if it's hard (due to your current application structure) to completely move all files out of the document root, make sure that at least configuration files with passwords are outside of the www folder, followed by database access files that might expose any security issues you might have in your implementation.
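The layout this answer recommends, written out as an added example (this is not code from the question or the answer): only the front controller lives under the document root, while the configuration and database code sit one level above it and are reached with `require`. The directory names, the vhost fragment, the `APP_ENTRY` guard constant and the `db_connect()` helper are all assumptions made for the example; the credential is a placeholder.

```php
<?php
// ---- public/index.php : the only PHP file under the DocumentRoot ----
//
// Assumed tree (hypothetical paths):
//   /var/www/example/          <- project root, never served by Apache
//   |-- app/
//   |   |-- config.php         <- DB credentials; unreachable by URL
//   |   |-- lib/db.php
//   |   `-- pages/home.php, about.php
//   `-- public/                <- Apache DocumentRoot
//       |-- index.php          <- this file
//       `-- css/ js/ img/
//
// Matching Apache vhost fragment (assumed, for httpd.conf or sites-enabled):
//   DocumentRoot /var/www/example/public
//   <Directory /var/www/example/app>
//       Require all denied
//   </Directory>
//
// If the .php handler is ever mis-mapped, the worst case is that index.php
// is served as text, and index.php contains no secrets.
declare(strict_types=1);

// Marker that every included file checks, so it refuses to run on its own.
define('APP_ENTRY', true);

// __DIR__ is public/; dirname() steps out of the document root into app/.
$appRoot = dirname(__DIR__) . '/app';

$config = require $appRoot . '/config.php';   // returns the settings array
require $appRoot . '/lib/db.php';             // defines db_connect()
$pdo = db_connect($config['db']);

// Whitelist routing: the request may only select from known page files,
// so a crafted ?page= value cannot pull in arbitrary paths.
$routes = ['' => 'home.php', 'about' => 'about.php'];
$page   = $_GET['page'] ?? '';
if (!array_key_exists($page, $routes)) {
    http_response_code(404);
    exit('Not found');
}
require $appRoot . '/pages/' . $routes[$page];


// ---- app/config.php : outside the document root ----
<?php
if (!defined('APP_ENTRY')) {   // loaded directly instead of via index.php
    http_response_code(403);
    exit;
}
return [
    'db' => [
        'dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'user' => 'app_user',
        'pass' => 'REPLACE_ME',   // placeholder, not a real credential
    ],
];


// ---- app/lib/db.php : outside the document root ----
<?php
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit;
}

/** Open a PDO connection from the config array; throws on failure. */
function db_connect(array $db): PDO
{
    return new PDO($db['dsn'], $db['user'], $db['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}
```

The `APP_ENTRY` guard is a second, independent layer: even if someone copies `config.php` back under the document root by mistake, requesting it directly returns 403 instead of its contents, and the `return` array keeps credentials in a data structure rather than in globals that other included files might echo out.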
Don't worry; PHP files are interpreted by the web server and the code is not accessible directly from a web browser. In the file httpd.conf of apache you can check that the extension php is "protected".
AddType application/x-httpd-php .php
If you are interested in giving a little extra security to your application, you can change the extension of your PHP files, and your webserver config (the line above). It is called Security through obscurity.
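Both answers come with the same caveat: the handler mapping protects the source only while it is configured correctly. A small post-deployment check you run against your own site turns that caveat into something testable. This is an added example, not code from either answer; the base URL is a placeholder passed on the command line, and the two path lists are assumptions about the layout that you would adapt to your own project.

```php
<?php
// check_deploy.php : confirm the live server executes PHP instead of serving
// it as text, and that files meant to be unreachable really are.
// Usage: php check_deploy.php https://www.example.com   (placeholder host)
declare(strict_types=1);

/**
 * True when a response body looks like unexecuted PHP source.
 * Matches the open tags PHP recognises ("<?php", "<?=", and "<?" followed
 * by whitespace); a correctly executed page never contains them.
 * "<?xml" in an XHTML document is deliberately not matched.
 */
function looksLikePhpSource(string $body): bool
{
    return preg_match('/<\?(php\b|=|\s)/i', $body) === 1;
}

/** Fetch a URL and return [status, body]; HTTP errors are returned, not thrown. */
function fetch(string $url): array
{
    $ctx  = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 10]]);
    $body = @file_get_contents($url, false, $ctx);
    $status = 0;
    // $http_response_header is populated in this scope by file_get_contents().
    if (isset($http_response_header[0])
        && preg_match('~^HTTP/\S+\s+(\d{3})~', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return [$status, $body === false ? '' : $body];
}

/** Run all checks; returns true when every expectation holds. */
function checkDeployment(string $base, array $mustExecute, array $mustBeHidden): bool
{
    $ok = true;
    foreach ($mustExecute as $path) {
        [$status, $body] = fetch($base . $path);
        if ($status !== 200 || looksLikePhpSource($body)) {
            printf("FAIL %-20s status %d%s\n", $path, $status,
                looksLikePhpSource($body) ? ', PHP source visible in body' : '');
            $ok = false;
        } else {
            printf("ok   %-20s executed\n", $path);
        }
    }
    foreach ($mustBeHidden as $path) {
        [$status, $body] = fetch($base . $path);
        if ($status === 200 || looksLikePhpSource($body)) {
            printf("FAIL %-20s status %d (should be 403/404)\n", $path, $status);
            $ok = false;
        } else {
            printf("ok   %-20s status %d\n", $path, $status);
        }
    }
    return $ok;
}

$base = rtrim($argv[1] ?? '', '/');
if ($base === '') {
    fwrite(STDERR, "usage: php check_deploy.php https://your-host\n");
    exit(2);
}

// Assumed paths: adapt to the real layout of the deployed project.
$mustExecute  = ['/', '/index.php'];
$mustBeHidden = ['/app/config.php', '/config.php'];

exit(checkDeployment($base, $mustExecute, $mustBeHidden) ? 0 : 1);
```

Run it once right after every deployment or hosting-side change; a non-zero exit code means either the handler mapping has stopped executing PHP or a file that belongs outside the document root has ended up inside it.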