I deal with compromises often enough of PHP-based websites that I wish to improve hardening.
One obvious way to improve things is to not serve PHP files which are
writeable by the webserver-user. This would ensure that things like
wp-content/uploads didn't get served as PHP if a compromise wrote
valid PHP there.
In the past using php5-suhosin would have allowed this via the
Since suhosin is no longer supported under Debian Jessie I wonder if there is a simple way to achieve this?
I've written a toy-module which allows me to call stat on every request, and return a 403 on access to writeable files/directories. But it seems like I shouldn't need to write my own code for this.
Any pointers welcome; happy to post my code if that is useful but suspect not - it just shouldn't exist.
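The same condition audited from the filesystem side, as an added example that is not part of the original post: it walks a docroot and lists PHP files the webserver user could write, or could replace because their directory is writable. The webserver identity is assumed to be uid/gid 33 (www-data on Debian) and the script is assumed not to run as that user; `demo()` builds a constructed tree in a temporary directory rather than reading a real site.

```python
import os
import stat
import tempfile

# Assumed webserver identity: uid/gid 33 is www-data on Debian.
WEB_UID, WEB_GIDS = 33, {33}

def writable_by(mode, file_uid, file_gid, uid, gids):
    """Plain POSIX mode-bit write check for one identity (what a stat-based
    check in a webserver module decides). Ignores the root override and ACLs."""
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def find_writable_php(docroot, uid=WEB_UID, gids=WEB_GIDS,
                      exts=(".php", ".phtml", ".php5")):
    """Docroot-relative paths of PHP files that uid can write, or that live in
    a directory uid can write (so the file could be deleted and replaced)."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        d = os.stat(dirpath)
        dir_writable = writable_by(d.st_mode, d.st_uid, d.st_gid, uid, gids)
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            f = os.stat(path)
            if dir_writable or writable_by(f.st_mode, f.st_uid, f.st_gid, uid, gids):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)

def demo():
    """Constructed docroot (not a real site): one world-writable PHP file and
    one world-writable directory; everything else is 0644/0755."""
    files = {"index.php": 0o644,
             "wp-content/uploads/image.jpg": 0o666,  # writable, but not PHP
             "wp-content/uploads/shell.php": 0o666,  # writable PHP file
             "wp-content/cache/cache.php": 0o644}    # read-only file ...
    dirs = {"wp-content": 0o755, "wp-content/uploads": 0o755,
            "wp-content/cache": 0o777}               # ... in a writable dir
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
            os.chmod(full, mode)
        for rel, mode in dirs.items():
            os.chmod(os.path.join(root, rel), mode)
        return find_writable_php(root)
```

Run against a real docroot with `find_writable_php("/var/www/html")` to get the list of files such a module would refuse to serve.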