1

I tried to access my website recently and I saw something disturbing -- users could download the index.php file and see its contents, the PHP code!

How is this possible, for Apache to serve up PHP source instead of running the PHP source code? Is it because we were updating our website for maintenance?

I used this code:

ErrorDocument 503 "Our website is temporarily closed for maintenance. It should reopen by..."
RewriteEngine On
# TO ALLOW YOURSELF TO ACCESS THE SITE NORMALLY, SET THE NEXT LINE TO YOUR IP ADDRESS.
RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$
RewriteRule .* - [R=503,L]

Now this message appears.

But how I can make it automatically appear when this happens again?

Jeff Atwood
  • 12,994
  • 20
  • 74
  • 92
Mostafa Elkady
  • 119
  • 1
  • 6

2 Answers2

5

Apache wasn't "deleted" or "off", or else you wouldn't have been able to see the php source either. You can add the below codeblock to turn off serving .php files when php isn't loaded:

<IfModule !mod_php4.c>
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
        Allow from none
    </FilesMatch>
</IfModule>
Sander Rijken
  • 87
  • 3
  • 11
  • 2
    php 4 ?! .. /shudder/ ... Please note this code will only cover php4; which you shouldn't touch with a barge pole anyway, as it is at end-of-life and therefore has had no security updates, or updates of any kind since december 2007 – Cheekysoft Jan 12 '10 at 09:51
4

To answer the poster's comment posted as an answer, one of the following should work for the PHP5 module, depending on how it's installed (Sander Rijken's modified):

<IfModule !mod_php.c>
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
        Allow from none
    </FilesMatch>
</IfModule>

Or,

<IfModule !mod_php5.c>
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
        Allow from none
    </FilesMatch>
</IfModule>

Include only one of these two snippets, depending on which works for your configuration.

Matchu
  • 213
  • 2
  • 8