Living With PHP - What you need to know after you have contracted PHP
|PHP on an Apache Server
At this time, Apache servers are the most secure and popular website servers in the world: They offer a secure
shared environment for millions of websites.
To accomplish this, every website owner is provded with a part of the servers' resources that part is isolated
from all the other websites on the server. This is called "shared hosting".
Imagine a big circle of shops and stores in a very large building, each shop with an outside facing public access
door and an interior facing private door.
Large gangs of theives roam unabated on the outside of the building and mingle with the normal everyday customers
who frequent these shops. But they have to be able to break down the inside access door in order to compromise
Normally, only shop owners have access to the inside door, thus isolating each shop one from another. Each owner
has his own unique access key to open the inside door. This is accomplished by assigning user names and passwords,
as well as labeling all the store contents with a unique ID identifying that shop.
Occasionally, a janitor or building manager needs to have access to the store, so there is a special key given
to those people so they can access all the inside doors to perform their respective duties. Much like the key a
Maid uses in a hotel so she can change the linens and clean the bathrooms.
Like the "Maid" key, each server also has a "master key" that has access to everything on the
The writers of the PHP programming language decided early on to require "master key" level access to
any server that runs applications written in that language. Well, almost. As long as a PHP application doesn't
want to store any data collected from the shop customers, "master key" access is not required.
But, the people who program in PHP almost all want to store user or other data. And "Aye Matey, There's the
When "master key" access is given to any shop owner, he now has inside door access to EVERY OTHER SHOP
ON THE SERVER running PHP. If that server hosts 10,000 shops, every PHP shop owner has access to every other PHP
shop owner's store and any data inside the store.
Now, you guessed correctly. The Gangs on the outside wanting to get in have pretty much stopped trying to pick
the inside door locks, one-by-one. They quickly decided to trick any one unsuspecting shop owner into giving up
his key. That's all it takes for the criminals to have access to ALL THE PHP SHOPS on the server because that shop
owner's key is a "master key". How fortunate for them!!
With the "master key" there is NOTHING ANY OTHER PHP SHOP OWNER CAN DO TO STOP THE GANGS FROM RAIDING
EVERY OTHER PHP STORE IN THE BUILDING! There is no software, armed guard, or trap that can even slow them down.
No Government: No "Wyatt Earp" who can stop them and there is no way to protect against them as long
as a shop owner uses PHP programs. The ONLY protected shop owners are the ones who haven't granted "master
key" access to EVERYONE!
So Technical Note: "Master Key" access means "World Writeable Folders". The World is every
website on the same server. Every website with 777 folders is "world writeable". My Advice: If you are
conversing with a PHP advocate and that person is ignorant of that fact, run away from that person as fast as you
All you can do is keep backups and when your website is compromised, simply restore from the backup and wait until
next time to repeat the process. Changing your passwords is like standing in a large forest screaming for help
when there is no one to hear you. It offers no protection at all from other sites on the same server.
You don't have to feel badly about any of the other PHP sites being compromised through your site because you have
no way to know if you were the first to be compromised or someone else. Basically, it's like getting an STD. If
you are going to play, you have to accept the consequences. The "preventative" measures one can take
all are only partial preventions. They do not protect from every circumstance. Just consider PHP an acceptable
risk and move forward with many, many backup restoration cures.
And, REALLY don't believe anyone who says PHP never gets hacked, or that they never have been hacked. Every PHP
site with "master key" access get hacked!
You might ask yourself: "why would I want to have a website written in PHP?". The answer is simple. Everyone
is doing it, why not you? Get into the lifestyle and you will get used to it.
Some common PHP applications:
CMS (Content Management Systems) Joomla, Drupal and Wordpress are the most popular. There are many others too numerous
to list here:
Shopping Cart programs: There are almost no shopping kart programs today not written in PHP, just consider they
all are. (But why would you want your shopping customer data stored with "master key" accees? Oh well,
everyone is doing it. Why not you too?
Forums: Again, virtually every forum today is written in PHP. It is really had to find one that isn't.
Accounting Software: Many accountig programs today are written in PHP. What in the world for? Who woudl want to
trust their company records to "world writable folders"? Almost everyone. Why not you?
Guset books and Membership access: Same story.
Hey PHP writers: You pretty much have infected the entire world with your langage. How about fixing it? One simple
thing. I know that Windoes didn't have a permission based system but they somewhat do now. Don't procrastinate.
Fix it today rather than tomorrow. You can do it! Just believe in yourselves and try.
WHAT WE DON'T DO IS JUST AS IMPORTANT AS WHAT WE DO.
No high pressure tactics, no gimmicks or gadgets, no black hat techniques.
Integrity is our bottom line. We employ white hat techniques and specialize in relationships with individuals and
companies that want more than just a web presence. We guide you through the vast Internet maze while demystifying
the process. If Internet sales of your product or service is what you want -
not just traffic or a high ranking - you have come to the right place!
All backed with knowledge -
Gained from years of experience, being in the website business since 1996, and our outstanding customer service.