PHP can parse any valid script, whether it is called foo.php, very_long_name.php.php.php, or even wom.bat. Using the default extension of ".php" means that before your hackers start you have already told them you are using PHP. As mentioned, you can use any filename for your scripts - if you are using PHP for every script on your server, consider using the ".html" extension for your scripts and making PHP parse HTML files.
If you are running Apache, you can change your file extension by changing this line:
AddType application/x-httpd-php .php
The .php part can be changed to .html, .foo, or whatever else you want - be creative!
Author's Note: Using something other than .php as your file extension is nothing more than security through obscurity, a technique most people would argue against. However, as long as changing the file extension is not your only form of defence, there's no reason not to use it - every little helps, and if it deters just 1% of hackers from trying to break into your site then you should be pleased.
Next chapter: Put key files outside your document root >>
Previous chapter: register_globals
Home: Table of Contents
Copyright ©2015 Paul Hudson. Follow me: @twostraws.