SuPHP, FastCGI and similar Apache modules work by making a site's PHP files run under the user-owner rather than as the Apache group. That way, if one of your .php scripts is manipulated, the damage is limited to your files without affecting my files or those of other users.
Apache, on the other hand, has some level of access to the server-wide web files, at least, meaning there's a greater risk of wider attack penetration.
Clearly that's useful and, accordingly, SuPHP is widely employed by shared web hosts. Equally, modules like this spread the risk if you host a bunch of your own sites. Simply create a new user for each and, once set up, a module like SuPHP creates the barrier.
SuPHP suits most of us so we'll walk through its installation. So there.
How to install SuPHP
Assuming the root superuser, download the Apache module along with its dependencies:
The module should enable automatically. It replaces Apache's standard PHP go-between, mod_php5, so we'll disable that, to take effect when we reboot soon:
All that's left is to reset any particular site's permissions and, if there isn't one, to give it a unique user-owner. Correcting the paths and swapping user for yours, paste this lot:
That's it, reboot Apache with apache2ctl restart, quit root using the exit command and, hurrah, job done.
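To confirm the permissions step took, here is an added check (not part of the original article): a shell function that flags anything under a site's document root that is owned by another account or is group- or world-writable, either of which weakens the per-user barrier. The function name audit_docroot and its OWNER/WRITABLE output tags are hypothetical; supply your own path and user.

```shell
#!/bin/sh
# Added example, not the article's own code.
# audit_docroot DOCROOT OWNER
#   Prints one line per problem found under DOCROOT:
#     OWNER <path>     path is not owned by OWNER (user name or numeric uid)
#     WRITABLE <path>  path is group- or world-writable
#   Returns 0 if clean, 1 if anything was flagged, 2 if DOCROOT is not a directory.
audit_docroot() {
    docroot=$1
    owner=$2

    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 2
    fi

    findings=$(
        # Files owned by another account sit outside the site user's barrier.
        find "$docroot" ! -type l ! -user "$owner" \
            -exec printf 'OWNER %s\n' {} \;
        # Group/other write bits let a different account change the site's code.
        find "$docroot" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec printf 'WRITABLE %s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh audit.sh /path/to/site siteuser
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

Symbolic links are skipped because their own mode bits are not meaningful; check what they point to separately.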
Alternatives to SuPHP
Have two alternatives, why not? These have the same security benefits but, particularly in the case of mod_ruid2 instead of SuPHP, folks swear by the performance boost:
That's enough on PHP. Let's crack into MySQL …