PHP is one of the most common programming languages for everything from basic scripts to full web applications. It is part of the well-known LAMP stack (Linux, Apache, MySQL and PHP), and it is one of the easiest environments for installing third-party content management systems and other tools.
Because PHP is so popular, however, it is also a prime target for attacks. With that in mind, system administrators should do everything reasonable to run PHP as securely as possible. That will not make up for insecure application code or user error, but it can at least limit how much damage a compromised script can do. One way to harden a shared PHP server is to install and use suPHP.
The premise behind suPHP is simple. Instead of running every PHP script as a generic user such as "nobody" (via CGI) or, worse, as the Apache user itself, suPHP runs each script under the Unix account that owns the script file. In other words, a script in one hosting account's web space runs as that account's user, no matter which visitor requests it, and scripts belonging to other accounts run under their own users. This significantly limits the damage an attacker can do through a vulnerable script: the process has only that account's limited privileges, so it cannot modify other customers' files or the web server's own configuration, and it cannot read them either as long as they are not world-readable. It does not fix the vulnerable script itself; it contains the blast radius to one account.
As its website describes it, suPHP executes PHP scripts with the permissions of the script owner. It does this with an Apache module, mod_suphp, and a setuid-root binary, suphp, which the module invokes to change the uid and gid of the process that runs the PHP interpreter before the script executes. Because suphp runs as root in order to switch users, it checks the script it is asked to run first: it refuses scripts whose owner uid or gid is below a configured minimum (so nothing runs as root or a system account), and it refuses scripts or directories that are group- or world-writable, since an attacker who can write the file would get code execution as its owner. The result is a considerably more contained execution of PHP scripts, which makes a shared web server safer. Note that suPHP has not seen a release in years; on a current system, PHP-FPM with a separate pool, user and group per account gives the same per-user isolation and is the maintained option.
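The ownership and permission checks described above are the usual reason a suPHP deployment fails with errors such as "UID of script is smaller than min_uid" or "file is writeable by others". The following shell script is an added example, not suPHP's own code, that reproduces those refusals so an administrator can audit an account's web space before switching it over. The option names in the comments follow suphp.conf (min_uid, min_gid, allow_file_*_writeable, allow_directory_*_writeable); the values assigned to them are assumptions for this example, not read from any real configuration, and the script relies on GNU coreutils `stat -c` as found on Linux.

```shell
#!/bin/sh
# Added example (not suPHP's own code): a pre-flight check that mirrors the
# refusals the suphp binary applies before it switches uid and runs a script.
# Option names follow suphp.conf; the values are assumptions for this example.
# Requires GNU coreutils `stat -c` (Linux).

# suphp_check FILE [MIN_UID] [MIN_GID]
# Prints why FILE would be refused and returns 1, or prints the uid/gid it
# would run as and returns 0.
suphp_check() {
    f=$1
    min_uid=${2:-100}   # suphp.conf: min_uid  (assumed value)
    min_gid=${3:-100}   # suphp.conf: min_gid  (assumed value)
    allow_file_group_writeable=false        # suphp.conf option (assumed value)
    allow_file_others_writeable=false       # suphp.conf option (assumed value)
    allow_directory_group_writeable=false   # suphp.conf option (assumed value)
    allow_directory_others_writeable=false  # suphp.conf option (assumed value)

    if [ ! -f "$f" ]; then
        echo "refuse: $f is not a regular file"
        return 1
    fi

    # Octal mode (no leading zeros), numeric owner and group of the script.
    set -- $(stat -c '%a %u %g' "$f")
    mode=$1 uid=$2 gid=$3
    # Mode of the directory the script lives in, for the directory checks.
    dir_mode=$(stat -c '%a' "$(dirname "$f")")

    # Never run anything owned by root or a system account.
    if [ "$uid" -lt "$min_uid" ]; then
        echo "refuse: UID of script ($uid) is smaller than min_uid ($min_uid)"
        return 1
    fi
    if [ "$gid" -lt "$min_gid" ]; then
        echo "refuse: GID of script ($gid) is smaller than min_gid ($min_gid)"
        return 1
    fi

    # The last octal digit is the "others" permission set, the one before it
    # the group set; bit 2 of each is the write bit. A script that someone
    # else can write means code execution as its owner, so it is refused.
    if [ "$allow_file_others_writeable" = false ] && [ $(( (mode % 10) & 2 )) -ne 0 ]; then
        echo "refuse: $f is writeable by others"
        return 1
    fi
    if [ "$allow_file_group_writeable" = false ] && [ $(( ((mode / 10) % 10) & 2 )) -ne 0 ]; then
        echo "refuse: $f is writeable by group"
        return 1
    fi
    # Same rule for the containing directory: a writable directory lets an
    # attacker replace the script with one of their own.
    if [ "$allow_directory_others_writeable" = false ] && [ $(( (dir_mode % 10) & 2 )) -ne 0 ]; then
        echo "refuse: directory of $f is writeable by others"
        return 1
    fi
    if [ "$allow_directory_group_writeable" = false ] && [ $(( ((dir_mode / 10) % 10) & 2 )) -ne 0 ]; then
        echo "refuse: directory of $f is writeable by group"
        return 1
    fi

    echo "ok: $f would run as uid $uid gid $gid"
    return 0
}

# Usage: sh suphp_check.sh /home/alice/public_html/index.php [more scripts...]
for script in "$@"; do
    suphp_check "$script"
done
```

Run it against every .php file under an account's document root (for example with find and xargs) before enabling mod_suphp for that virtual host; anything it refuses will also be refused by suphp at request time, and the fix is the same in both cases: chown the file to the account user and remove the group and world write bits.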