Server-side

Protecting your Grav-installation server-side consists of using sensible options for your server and PHP. This guide does not cover settings for the server you run Grav on, nor ideal conditions, but rather highlights some tips and best practices in securing Grav or links to resources which detail how to secure the server. This is relevant for a production-server, not local development, and not recommended for novice users!

Grav and default configuration

For Grav, you should always use an up-to-date directory-specific configuration relevant to your server. These are found in the GitHub repository. Further, periodically update your installation of Grav as new security-patches are implemented in new versions - for details consult the CHANGELOG.

PHP configuration

Before meddling with PHP's configuration, be aware that most shared hosts that you rent hosting-space from will likely already have set up sensible, secure defaults. Also, in most cases they do not allow you to edit this yourself. Before disabling or changing any configuration, you should familiarize yourself with Grav's requirements, including PHP-extensions and how changes will affect them.

Generally, PHP's configuration is changed through php.ini. You can find the location of this file from the command-line with the php --ini-command, or if you do not have access to direct commands, create a file named phpinfo.php in your webservers public root folder that contains <?php phpinfo(); ?> and open it with your browser. The path will be listed under "Loaded Configuration File". Once located, delete the phpinfo.php-file.

Some general recommendations:

  • Always keep your PHP-version up to date: Use a supported version of PHP, preferably one that is in active, stable development. For instance, PHP 5.6 will only have security-fixes implemented until December 2018, whilst PHP 7.0 remains in active development alongside PHP 7.1.
  • Consider disabling the display of errors and PHP-version publicly: PHP.earth article.
  • Use a separate user with restricted permissions to execute PHP for Grav: Permissions in Docs.
  • Use Suhosin for advanced protection of PHP.

Webserver configuration

Common webserver, or HTTP server, software includes Nginx and Apache, as well as more modern alternatives such as LiteSpeed or CaddyServer. The aforementioned webserver configurations include necessary defaults for Grav, but you can further secure the webserver through its configuration. Some relevant resources:

Server configuration

You should always keep your Operating System (OS) up to date. OS' are vulnerable to exploits and intrusions, even more so than PHP, and should be updated as frequently as possible. Also, you should always keep other software up to date: Your installation is never just OS, PHP, and Grav. Other software packages are also risk-factors, and should be updated frequently.

To protect your users connection to your site, you should enable and enforce HTTPS with a SSL-certificate. This ensures that all communication between the server and browser remains private and encrypted. Free certificates and services are available through for example Let's Encrypt or CloudFlare.

If your server runs on Linux, enable Security Enhanced Linux. SELinux is typically enabled by default, and well worth the trouble to have. Some more recommendations for SysAdmins are available on nixCraft.