The Solution

The solution to this problem is to rename your .php files to .phps and make them executable (e.g. with rwxr-x--- permissions). Those PHPS scripts will then be run as the UNIX user associated with your hosting package instead of as the apache user increasing the security for your application considerably.

So securing your PHP application is a simple matter of:

1. Renaming all your .php files to .phps

2. Setting the permissions of all .phps files to rwxr-x--- (executable and inaccessible for the rest of the world)

3. Updating any links that point to .php files to point to the new .phps files

4. Tightening the permissions of other sensitive files in your account - you should make .inc files that are included in the PHPS scripts inaccessible to the rest of the world as well as property files that contain for example database and other passwords, etc

   You can use your favorite FTP client or the File Manager to accomplish those tasks.

The drawback of PHPS scripts is that they execute slower than standard mod_php4 scripts.