Contrary to popular belief, PHP is still a viable language for building web applications. PHP is just another tool that you need to learn to use properly. Let's discuss a few items specific to PHP that will make your site safer.
Limit Your Web Root to an index.php and Asset Files
In modern PHP, you will point your web server to a directory with an index.php file in it that will be the single point of entry for the entire site. The index.php will load Composer packages and boot your private code to generate the response. It can be tempting to throw other PHP files in the web root for testing as a php developer. However, you do not want those files to be accidentally committed and expose a problem in your app. In addition, no configuration files should go in the web root because the web server can deliver them publicly. The only static files that should be in your web root are JavaScript, CSS and image files.
Encrypt All Communication
In your PHP app, you will often have to communicate with other services or storage mechanisms. It is important that you always use encrypted connections to the services. When using curl or soap, always use https URLs to APIs to verify the data in transit is encrypted. In addition, if you are using FTP, make sure you use some form of secure FTP, either FTPS or SFTP. If you don't use any kind of secure transmission, then you might leak user data over the network activity. Using TLS also verifies the URL is what it claims to be which protects you from sending data to a bad actor.
Use a Template Framework
PHP itself is often used as the template language embedded in HTML files. However, PHP does not escape output by default. Escaping prevents a bad actor from embedding malicious JavaScript in user controlled forms or pages. Consider using a custom template solution like Twig. Twig automatically escapes all output using its template syntax which protects you from forgetting to escape user data.
