
I have a deep antipathy for PHP due to its security record and the way the project handles security in general. Unfortunately I have to deploy a CMS and I need a modern theme for it. So far I have looked almost everywhere but it always comes down to a PHP based CMS because that is what the masses are using and the designers are designing for. :(

Now I've settled for Drupal, which is a properly maintained project and handles security flaws in an exemplary manner. But there is still the bitter aftertaste of having to publicly deploy PHP in general.

So far what I have done is:

  • chained PHP with PHP-FPM: sockets, chroot, unprivileged own user, ...
  • hardened the filesystem permissions around my web root
  • stayed on PHP 5.3.x w/ suhosin active (no suhosin yet for 5.4.x)
  • kept every module out of PHP that Drupal does not need
  • ...
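As an added example (not code from the original question), the script below audits a php-fpm pool file for the three settings listed above (a dedicated unprivileged user, a unix socket rather than TCP, a chroot) and lists files under the web root that are world-writable. The pool file contents, the user names and the web-root layout are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a php-fpm pool file and a web root for the hardening
# steps listed in the question. The sample pool files, user names and
# directory layout below are constructed for illustration.

# Read one "key = value" setting from a pool file (first match, trimmed).
pool_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n1 | sed 's/[[:space:]]*$//'
}

# Print one line per weak setting; print nothing when the pool looks sane.
audit_pool() {
    f="$1"
    u="$(pool_setting "$f" user)"
    l="$(pool_setting "$f" listen)"
    c="$(pool_setting "$f" chroot)"
    # "own user" means an account used by nothing else, not the web server's.
    case "$u" in
        ""|root|www-data|nobody)
            echo "user: '$u' is not a dedicated unprivileged account" ;;
    esac
    # A value starting with "/" is a unix socket path; anything else is TCP.
    case "$l" in
        /*) ;;
        *)  echo "listen: '$l' is a TCP socket, prefer a unix socket" ;;
    esac
    [ -n "$c" ] || echo "chroot: not set"
}

# List regular files under a web root that anyone on the host can modify.
world_writable() {
    find "$1" -type f -perm -002 2>/dev/null
}

# Constructed sample: a weak pool (shared account, TCP, no chroot: three
# findings), a hardened pool (no findings) and a web root with one
# world-writable file.
make_sample() {
    d="$(mktemp -d)"
    cat > "$d/weak.conf" <<'EOF'
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
EOF
    cat > "$d/strong.conf" <<'EOF'
[drupal]
user = drupal-fpm
group = drupal-fpm
listen = /var/run/php-fpm/drupal.sock
chroot = /srv/drupal
EOF
    mkdir -p "$d/webroot/sites/default/files"
    echo '<?php' > "$d/webroot/index.php"
    echo 'x' > "$d/webroot/sites/default/files/settings.bak"
    chmod 0666 "$d/webroot/sites/default/files/settings.bak"
    echo "$d"
}

# Usage on a real host (paths are assumptions):
#   audit_pool /etc/php-fpm.d/drupal.conf
#   world_writable /srv/drupal/web
```

When `chroot` is set, php-fpm resolves the document root relative to that directory, so the paths handed to the pool and to Drupal must be adjusted accordingly; the audit only checks that the setting exists.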

My main concern is PHP, in all honesty. What else can I do to secure the host machine? And to those who have more experience with Drupal and PHP (being a C++ dev myself), how much of a security risk does PHP really pose on a system that only deploys one known package and no user PHP scripts or anything of the like?

Even if it may sound like it, I am no Linux or server newbie. :) PHP is just not my main play area due to its recurring and ongoing bad press and my lack of interest in web development...

Alternatively, I would really like to use a CMS that relies on Perl, Python or even Ruby. So if anyone knows a good CMS system that has good paid themes available, supports a flexible layout along with a blog engine and also supports PostgreSQL (the db of my choice), I'd be all ears...

Thanks for taking the time to read through this somewhat strange posting. :-)

UPDATE: I forgot to mention that it goes without saying that I properly maintain my server, have a restrictive firewall in place and do the best one can do these days.

khaos

2 Answers


You mention that you have a restricted firewall in place - don't forget you can block outgoing connections by UID.

If you're running PHP under its own user ID you can (& should!) deny that user outgoing HTTP/HTTPS connections unless you need to allow for update checking or RSS feed fetching. This will prevent any exploited code from being able to download a rootkit.

  • I run a tight server and such measures have already been in place since day one, but nevertheless a very good thought imho. :-) I would vote your answer up but I don't have enough reputation yet, sorry. :( – khaos Apr 22 '12 at 15:30
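As an added example (not code from the original answer), the script below generates the iptables rules that implement the suggestion: outbound HTTP/HTTPS from the UID php-fpm runs as is rejected and logged, with an optional allow-list for the hosts needed for update checks or feed fetching. The pool user name `php-fpm`, the chain name and the allow-listed host are assumptions; the script only prints the rules unless `--apply` is given.

```shell
#!/bin/sh
# Added example: deny outbound HTTP/HTTPS for the php-fpm UID with the
# iptables "owner" match. User name, chain name and allow-list are assumptions.

CHAIN="PHP_EGRESS"

# Print the rule set for a numeric UID and a space-separated list of allowed
# destination hosts/IPs (may be empty). Nothing is executed here.
egress_rules_for_uid() {
    uid="$1"
    allow="$2"
    echo "iptables -N $CHAIN"
    # Insert at the top of OUTPUT so an earlier broad ACCEPT cannot bypass it;
    # the owner match only sees locally generated packets, which is what we want.
    echo "iptables -I OUTPUT 1 -m owner --uid-owner $uid -j $CHAIN"
    for host in $allow; do
        echo "iptables -A $CHAIN -p tcp -d $host -m multiport --dports 80,443 -j ACCEPT"
    done
    # Log a rate-limited sample of denied attempts: an exploited PHP process
    # trying to fetch something is exactly the event worth seeing.
    echo "iptables -A $CHAIN -p tcp -m multiport --dports 80,443 -m limit --limit 5/min -j LOG --log-prefix \"php-egress-denied: \""
    echo "iptables -A $CHAIN -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"
    echo "iptables -A $CHAIN -j RETURN"
}

# Resolve a user name to its UID with the standard id(1) utility.
uid_of_user() {
    id -u "$1"
}

# Self-check helper: number of REJECT rules in the generated set (expect 1).
count_rejects() {
    egress_rules_for_uid "$1" "$2" | grep -c -- '-j REJECT'
}

# Usage: sh php_egress.sh php-fpm "updates.drupal.org" [--apply]
if [ "${0##*/}" = "php_egress.sh" ]; then
    user="${1:-php-fpm}"
    allow="${2:-}"
    uid="$(uid_of_user "$user")" || exit 1
    if [ "$3" = "--apply" ]; then
        egress_rules_for_uid "$uid" "$allow" | sh -e
    else
        egress_rules_for_uid "$uid" "$allow"
    fi
fi
```

Only TCP 80 and 443 are covered here, which is the case the answer describes; a tighter version rejects all new outbound connections for that UID except the allow-list, and the same rules are needed in ip6tables if the host has IPv6 connectivity. Running with `--apply` twice fails at `iptables -N` because the chain already exists, which is intended: flush and delete the chain first.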

I got a bit confused by your question, but I do recognise your problem from my own experience. When it comes to template building, WordPress (even though not initially planned as a CMS) rather than Drupal is probably the best choice for many designers.

I've been running virtual servers with only a WordPress installation on them, and as long as you update the package frequently there shouldn't be any major faults. Beside a few unsuccessful tries by someone trying to cache cookies, I haven't seen anything disturbing.

What was my problem as well was the general vulnerability of PHP and the number of users out there exploiting security holes, which was also a reason not to jump into the popular world of Java web development. My solution is the use of a Python web framework, specifically the Django project. My main focus is the front-end of web services, applications or web sites, for all of which Django works great on the back end. Designing a template for it is extremely easy once you have an HTML/CSS designed template, which seems to be what you are looking for.

Hope that gives you some alternative views on CMS possibilities and somewhat answers your question.

Phreedom
  • I looked into WordPress too but their security history is not so great either, **but** there are some excellent templates available for buying. Nevertheless, if I have to go down the PHP route, I guess I am good with Drupal. I also looked into Django (and specifically django-cms) but there is almost nothing available (with regards to templates). Now your thought sounds interesting: if I can buy an HTML/CSS template and **easily** adapt it to django-cms (which is based on Django), that would be an interesting alternative. – khaos Apr 22 '12 at 15:37
  • On the Django topic, you may check [Wilson Miner's blog article on a portfolio website with Django tut.](http://wm4.wilsonminer.com/posts/2006/may/10/are-you-generic/) I guess it will give you a quick insight into the structure of the Django framework, especially from a design point of view. – Phreedom Apr 29 '12 at 14:02