Protecting your Grav-installation server-side consists of using sensible options for your server and PHP. This guide does not cover settings for the server you run Grav on, nor ideal conditions, but rather highlights some tips and best practices in securing Grav or links to resources which detail how to secure the server. This is relevant for a production-server, not local development, and not recommended for novice users!
For Grav, you should always use an up-to-date directory-specific configuration relevant to your server. These are found in the GitHub repository. Further, periodically update your installation of Grav as new security-patches are implemented in new versions - for details consult the CHANGELOG.
Before meddling with PHP's configuration, be aware that most shared hosts that you rent hosting-space from will likely already have set up sensible, secure defaults. Also, in most cases they do not allow you to edit this yourself. Before disabling or changing any configuration, you should familiarize yourself with Grav's requirements, including PHP-extensions and how changes will affect them.
Generally, PHP's configuration is changed through
php.ini. You can find the location of this file from the command-line with the
php --ini-command, or if you do not have access to direct commands, create a file named
phpinfo.php in your webservers public root folder that contains
<?php phpinfo(); ?> and open it with your browser. The path will be listed under "Loaded Configuration File". Once located, delete the
Some general recommendations:
Common webserver, or HTTP server software includes Nginx and Apache, as well as more modern alternatives such as LiteSpeed or CaddyServer. The aforementioned webserver configurations include necessary defaults for Grav, but you can further secure the webserver through its configuration. Some relevant resources:
You should always keep your Operating System (OS) up to date. OS' are vulnerable to exploits and intrusions, even more so than PHP, and should be updated as frequently as possible. Also, you should always keep other software up to date: Your installation is never just OS, PHP, and Grav. Other software packages are also risk-factors, and should be updated frequently.
To protect your users' connection to your site, you should enable and enforce HTTPS with a SSL-certificate. This ensures that all communication between the server and browser remains private and encrypted. Free certificates and services are available through for example Let's Encrypt or CloudFlare.
If your server runs on Linux, enable Security Enhanced Linux. SELinux is typically enabled by default, and well worth the trouble to have. Some more recommendations for SysAdmins are available on nixCraft.