
Thread: Hiding php.ini

  1. #1
    Join Date
    Dec 2006
    Location
    The Mountain West
    Posts
    8

    Hiding php.ini

    Odd, I just noticed that php.ini is in public_html (for all the world to see). Publishing the site's configuration is always an invitation to hackers. Is there any way to hide it?

    When I removed php.ini, PHP started using a different configuration file in a place that I could not access. I assume that this is some sort of shared php.ini.

    I guess one way to avoid publishing my site's configuration to the world would be to start using the default php.ini. Using a shared configuration file brings up the scary question about changes to the shared file. How often does Bluehost change the file, and how do I learn about changes to the configuration?

  2. #2
    Join Date
    May 2007
    Posts
    10

    An excellent question

    Thank you for pointing this out. I am a new customer and I will immediately be adding this to my root .htaccess file.

    <Files php.ini>
    Require group admin
    </Files>

    Since I haven't configured a password file or any htauth, this should deny all access to this file.

    ...
    testing before I actually post this reply.
    ...
    Yup. It works. I expected to get a 403 access denied message, but instead I got a 500.

    I probably got the 500 because, on seeing the Require directive, Apache looks for an htauth config so that it can send an HTTP AUTH request back to the browser, but Apache can't find this directive, so instead of a 403 it gives a 500. Either way it works. Your php.ini file is protected.

  3. #3


    Change that to
    Code:
    <Files php.ini>
    order allow,deny
    deny from all
    </Files>

  4. #4
    Join Date
    Dec 2006
    Location
    The Mountain West
    Posts
    8

    Thanks

    I added the code to .htaccess.

  5. #5
    Join Date
    May 2007
    Posts
    10

    Originally posted by comperr:
        change that to
        Code:
        <Files php.ini>
        order allow,deny
        deny from all
        </Files>

    Nice fix, comperr. Much nicer than what I posted.

  6. #6
    Join Date
    Jun 2007
    Posts
    314

    php.ini

    I am not sure what is required here to protect the php.ini file. Do I have to physically move the php.ini file to .htaccess or just add the code to the .htaccess file?

  7. #7
    Join Date
    Nov 2006
    Location
    Sydney, Australia
    Posts
    4,951


    Just put that code in the .htaccess file. Leave the php.ini file alone.
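
Added example, not part of any post in this thread: the rule from post #3 uses Apache 2.2 directives, which Apache 2.4 accepts only when mod_access_compat is loaded. The variant below assumes nothing beyond the `php.ini` file name used in the thread, works on both versions, and answers requests for the file with 403 Forbidden.

```apache
# .htaccess in public_html (constructed example, not from the thread)

# Apache 2.4 and later: mod_authz_core provides "Require all denied".
<IfModule mod_authz_core.c>
    <Files "php.ini">
        Require all denied
    </Files>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so fall back to the
# Order/Deny directives shown in post #3.
<IfModule !mod_authz_core.c>
    <Files "php.ini">
        Order allow,deny
        Deny from all
    </Files>
</IfModule>
```

To confirm the rule is active, request the file from your own site (for example `curl -I https://example.com/php.ini`, where example.com stands in for your domain) and check that the status line is 403 rather than 200.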

  8. #8
    Join Date
    Feb 2007
    Posts
    5

    This is great...

    This is great information for someone just starting up.

    Is there any place where a newb can get more information on how to secure their BlueHost site?

    I just finished a war with a group of hackers that resulted in me having to just erase my entire osCommerce store directory to keep them from turning my site into a porn site. Needless to say, I lost about 4 months' worth of work.

    I'd love to use osCommerce, but am unwilling to load it again unless I know how to secure it from hackers. Since I deleted the osCommerce directory, I have not been hacked into - but being reduced to just an html site is absurd.

    I've been going through various forums and have yet to find a simple guide of what to do to ensure that normal hacker groups do not have a way of infiltrating your osCommerce store... or any PHP based service for that matter.
