hide php script extension

Generally speaking, improving security through hidden means is considered to be of little effect. But in some cases, adding as much security as possible is worth it.

Some simple methods can help hide PHP, which can make it more difficult for attackers to discover system weaknesses. Setting expose_php = off in the php.ini file reduces the amount of useful information they can obtain.

Another strategy is to let the web server parse different extensions using PHP. Whether through .htaccess files or Apache configuration files, you can set file extensions that can mislead attackers:

Example #1 Hide PHP as another language

# 使PHP看上去像其它的编程语言
AddType application/x-httpd-php .asp .py .pl

Or hide it completely:

Example # 2 Use an unknown extension as the PHP extension

# 使 PHP 看上去像未知的文件类型
AddType application/x-httpd-php .bop .foo .133t

or hide it as an HTML page, so that all HTML files will pass through the PHP engine, which will add some burden to the server:

Example #3 Use HTML to make PHP files Suffix

# 使 PHP 代码看上去像 HTML 页面
AddType application/x-httpd-php .htm .html

For this method to take effect, the extension of the PHP file must be changed to the above extension. This improves security through concealment, although defense capabilities are low and have some drawbacks.