Four Ways to Keep LAMP Secure
The Apache HTTP server has a great security record, at least when it runs on Linux or any proper Unix-type operating system. But plain old static read-only Web sites are an endangered species; now we have all this LAMP guff (Linux, Apache/Lighttpd, MySQL/PostgreSQL/SQLite, Python/PHP/Perl/Ruby) powering dynamic Web sites, which may or may not represent progress.
Me, I liked the days of plain, static HTML, because even though browser support and site quality were just as iffy then as they are now, at least they didn't bog down or even lock up my entire system by running fat, inefficient, error-ridden scripts. If they're going to chew up my CPU cycles and memory, the least they could do is finance my system upgrades. And they did not have the power to infect my systems merely by my visiting their sites, were I foolish enough to surf with Windows and IE. But the bad guys are getting smarter all the time, so it's no good sitting around being all smug and complacent just because I run Linux.
But I digress, because this article is about proper LAMP security practices. It's very easy to install a LAMP stack and throw up a dynamic Web site over a weekend, thanks to Linux distributions like XAMPP and Ubuntu, and thanks to the enormous popularity of the PHP (PHP: Hypertext Preprocessor) scripting language. But this level of ease is not necessarily a good thing. I dislike raining on anyone's parade, but all wannabe Web moguls need to invest some serious time and energy into learning their LAMP stacks inside out. Any Internet-exposed server requires extra attention to security, and dynamic Web servers even more so because of their complexity. The risk for collateral damage is high. Big-time organized crime is behind computer exploits these days, and malware is just a gateway to fraud, extortion, and theft. They're not going to break into your systems to hurt them, but to quietly steal data and to assimilate them into the worldwide botnet.