Programming Guideline for PHP

This document lists down the basic guideline that should be followed by the Techasofts.

• All websites/applications developed in PHP development platform must use PHP version 7.3 or greater. WP requirements: https://wordpress.org/about/requirements/
• The PHP based sites will be hosted on Windows Environment, with IIS 8.0 and above. The website must be compatible with the Microsoft Azure Cloud (PAAS)/AWS
• All Data capturing forms must be developed as PHP standard forms.
• All development should follow the standard PHP models to differentiate the front-end code and scripting.
• Coding standard must be followed for markups (HTML5) files.
• Front end files should use pluggable libraries for user inputs and output. If client site scripting also be used for validation provided the server site validations are also handled for the same.
• Any third-party templates or code libraries can be used provided it is stable and verified by the Techasoft and all the required libraries are included as part of the solutions.
• Appropriate server controls should be used in the front-end design for user friendliness Ex. Drop down list, Radio buttons, Grids
• All PHP code should be developed using the PHP coding standards.
• When designing the front end; try to use CSS based lay outing and CSS must be stored in an external file with proper naming convention.
• Client site scripting like JavaScript/jQuery can be used with proper open source licenses and same should be kept in external files.
• Make sure to choose latest and stable external libraries. It is a must and avoid using old vulnerable versions. Example: jQuery, jQuery-Ui & bootstrap etc.
• We suggest maintaining a global resource file for all form level Labels and Messages.
• All client side and server-side validations must be incorporated in the code level as listed below.
• All required fields must be marked with “*”
• Fields marked as required must be validated for empty/blank submits and user should be prompted with appropriate message. Use required field validators not java scripts.
• All input fields must be validated with regular expressions as required and should be restricted to capture alpha numeric.
• Email fields must be validated for valid email address using regular expressions.
• Date fields should use related calendar controls and must be validated for valid dates (ex. 30/02/1990)
• All input fields must be validated for the listed special characters i. Special characters: ~! @ # $ % ^ & * ( ) = + | \ { } [ ] < > ’ “ /
• All text boxes must be validated for maximum length according to the database field in the text box level
• Any other validation should be handled based on the data capturing requirement.
• All open database connections must be properly handled and closed.
• All methods must be written with exception handling and the exceptions must be handled with proper exceptions. (use try catch finally blocks).
• All exception and code level information must be logged using log4php/similar and logged in DB or file level.
• For any data capturing and storage module only the listed backend server technology should be used. The backend object scripting must be developed using the same technology versioning and standard as per chosen backend server.
• The data provider or the driver for the above backend server must be in latest version.
• MySQL database user should have low privileges. Recommended: SELECT, INSERT, UPDATE & DELETE.
• Specially, it will be considered in WordPress environment and access should be restricted with low privileges.
• Database connection string and other application related parameter must be kept and configured externally using configuration files and the password should be in encrypted mode.
• Create the data tables and data columns with appropriate names using naming conventions. Please follow the respective Database coding standards.
• Tables must include auditing information live timestamp, inserted/updated users, etc.
• Create necessary table indexes to optimize performance.
• Use table relationship, foreign key constraints and other constraints to maintain the data integrity.
• Try to use Stored Procedures to build the data logics and avoid construction SQL queries on the fly to avoid SQL injections.
• Use Views for complex queries and frequently used queries.
• All files should be organized in a structured way Ex: Style sheet and images must be in one separate folder
• As a security measure, the following items should be considered:
• Auto complete feature should be disabled by default
• Only POST method should be allowed not GET
• Should avoid passing values in URL unnecessarily
• Special character should be validated/removed to stop cross site scripting
• Google captcha should be included in all the login screen and registration forms.
• The files need to be tested on Techasoft side before sending it to Client for the following:
• Deploy in a windows platform over IIS and do a test. (Highly Recommended)
• Compilation Errors
• Run Time Errors
• Unit Test
• Functional Test
• All source files must be shared with Techasoft for security purposes and code review.
• All data capturing forms must have captcha included with refresh option including login.
• All login attempts must be tracked and the account should be locked after defined number of attempts with an admin based unlock feature.
• Forgot Password & Reset Password options must be provided to users.
• All the input fields must be validated with input length according to database column size.
• Any token based links should have an expiry period.

PHP/WordPress Websites

• Any WordPress page Permalink to be SEO friendly and not have any ID/numbers
• Avoid Query string parameter in the website.
• WordPress sites need to follow/have the following:
• Remove Un-necessary/default templates
• Plugin selection to be selected based on the Stable/Rating/Last Release Date. Plugin last update should not be greater than 3 months from the current date.
• Change the WordPress database table prefix, don’t use wp_
• All the website forms should be developed and tested as per the standards mentioned in the document.
• WordPress CMS should update to latest version along with plugins.
• /wp-admin path should not visible to end user. If users trying to access http://www.anywebsite.com/wp-admin it should not open admin login page (Based on IP Source). It will be restricted to TECHASOFT networks.
• Change the 'wp-admin' name similar to any other names like www.anywebsites.com/anywebsite. Use this WP plugin for name modification.
• Recommended WP plugin - https://wordpress.org/plugins/wps-hide-login/
• Prevent Hotlinking on server & CDN
• Delete default users
• Automatically log idle users out of your site
• File Permissions
• Secure wp-config.php
• Disable XML-RPC, File editing in the dashboard. WordPress JSON REST API details should not expose to public. Access should be restricted accordingly.
• Harden HTTP security headers – Use https://securityheaders.com/ and make sure your website is fully secured and receive A result.
• Hide WordPress version.
• Apply google re-captcha or invisible captcha to secure login form.
• SMTP Plugin restricted to - https://wordpress.org/plugins/wp-mail-smtp/
• Remove WordPress logo from admin panel.
• Make sure that forms are integrated with google invisible captcha which is easy and effective, it doesn't interfere with the user experience.
• GTMetrix report should have a page speed score of 80% and above.
• Website HTML should comply with the W3C standards.
• WordPress super admin privilege to be shared only with the Techasoft team.
• Accounts with restricted privilege to be configured for Content Update and shared with the relevant business users. Master account won’t share with any users once it deployed in TECHASOFT environment.
• Recommended plugins to be considered.
• Backup - https://wordpress.org/plugins/vaultpress/
• Security - https://wordpress.org/plugins/sucuri-scanner/
• Audit - https://wordpress.org/plugins/wp-security-audit-log/
• Authentication/Authorization - https://wordpress.org/plugins/miniorange-saml-20-single-sign-on/
• Multi Lingual - https://wpml.org
• Forms - https://www.gravityforms.com
• Compression & Minification - https://wordpress.org/plugins/autoptimize/
• CDN - https://wordpress.org/plugins/wp-super-cache/
• Autotomize & WP-Super-Cache Conflict Resolution - https://gregsullivan.com/wordpress/autoptimize-wp-super-cache-conflict/
• IMAGE Compression – Use recommended high rating plugins.
• There are always bad bots, scrapers, and crawlers hitting your WordPress sites and stealing your bandwidth. See a comprehensive list of bots at botreports.com. Many of the security plugins mentioned above can work great to block bad bots, but sometimes you might need to do this at the server level. If you wanted to block multiple User-Agent strings at once, you could add the following to your .htaccess file:

  RewriteEngine On
  RewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall Spider).*$ [NC]
  RewriteRule .* - [F,L]
  Or you can also use the BrowserMatchNoCase directive like this:
  BrowserMatchNoCase "agent1" bots
  BrowserMatchNoCase "Catall Spider" bots
  Order Allow,Deny
  Allow from ALL
  Deny from env=bots
  And here is an example on Nginx.
  if ($http_user_agent ~ (agent1|Wget|Catall Spider)) {
  return 403;
  }

  Refer below URL for web.config update which will work out in windows environment. https://www.saotn.org/hackrepair-bad-bots-htaccess-web-config-iis/

  Above mentioned changes/updates are recommended before it deploy in Techasoft environment. Once the changes are applied then you can share the source code with MySQL for deployment in Techasoft Environment or Cloud (Microsoft Azure - Windows) platform.