I have a deep antipathy for PHP due to its security record and the way the project handles security in general. Unfortunately I have to deploy a CMS and I need a modern theme for it. So far I have looked almost everywhere but it always comes down to a PHP based CMS because that is what the masses are using and the designers are designing for. :(
Now I've settled for Drupal which is a properly maintained project and handles security flaws exemplary. But there is still the bitter after taste of having to publicly deploy php in general.
So far what I have done is:
- chained PHP with PHP-FPM: sockets, chroot, unpriviledged own user, ...
- hardened the filesystem permissions around my web root
- stayed on PHP 5.3.x w/ suhosin active (no suhosin yet for 5.4.x)
- kept every module out of PHP that Drupal does not need
- ...
My main concern is PHP, in all honesty. What else can I do to secure the host machine? And to those who have more experience with Drupal and PHP (being a C++ dev myself), how much of a security risk does PHP really pose on a system that does only deploy one known package and no user PHP scripts or anything alike?
Even if it may sound like it, I am no Linux or server newbie. :) PHP is just not my main play area due to its recurring and ongoing bad press and my lack of interest in web development...
Alternatively, I would really like to use a CMS that relies on Perl, Python or even Ruby. So if anyone knows a good CMS system that has good paid themes available, supports a flexible layout along with a blog engine and also supports PostgreSQL (the db of my choice), I'd be all ears...
Thanks for taking the time to read through this somewhat strange posting. :-)
UPDATE: I forgot to mention that it goes without saying that I properly maintain my server, have a restrictive firewall in place and do the best one can do these days.