Production Security Checklist
1

Turn off detailed error display

1

Make sure display_errors is off in production

Open includes/config.php and make sure the display_errors lines near the top are commented out (between /* */), as they are by default.

Why? A detailed PHP error message sometimes reveals internal file paths or even parts of the database code — useful information for anyone trying to breach the site. Only leave error display enabled temporarily while debugging, then turn it off immediately.

2

Update the system and PHP regularly

2

A simple monthly update schedule

sudo apt update && sudo apt upgrade -y

Most breaches don't specifically target your site — they automatically scan for servers running outdated versions with known, already-patched vulnerabilities. A simple monthly update closes this door almost entirely.

3

Block repeated login attempts

3

Install Fail2Ban

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Fail2Ban monitors repeated failed login attempts (whether for SSH or the site's login page) and automatically bans an IP address after a certain number of failed attempts within a short time — significantly preventing automated "password guessing" attacks.

4

Restrict or remove phpMyAdmin

4

If you installed it only to help during setup

If you no longer need it after finishing the database import, remove it entirely:

sudo apt remove phpmyadmin -y

If you want to keep it, restrict access to your device's IP address only within your Apache configuration (Require ip your_IP_address) instead of leaving it open to anyone on the internet.

A phpMyAdmin instance open to everyone is one of the most common entry points for breaches on small and medium PHP sites — never leave it with its default settings on a real production server.
5

Always enforce HTTPS

5

Automatically redirect any HTTP visit to HTTPS

If you already enabled SSL via Certbot (from the installation guide), make sure it added an automatic redirect. To check, open the link with http:// explicitly in your browser — it should redirect you automatically to https://. If it doesn't, rerun:

sudo certbot --apache -d workup.yourcompany.com --redirect
6

Strong, unique passwords

6

Review every password in use

The database user password for workup_user is strong and not used anywhere else.
The MySQL root password itself is also strong (and not blank as in the default local setup).
The first admin account in the abma panel has had its default password changed if one was included with the original build.
Firebase/OneSignal keys (if configured) are not shared outside the admin team.
7

Backups and safe updates

These are also two essential parts of security, and each has its own complete dedicated guide: Backup and restore guide and Safe update guide.
8

The full checklist

Detailed error display is off.
The system and PHP are updated to the latest stable version.
Fail2Ban is installed and running.
phpMyAdmin is removed or restricted to a specific IP address.
HTTPS is enforced on all visits.
All passwords are strong and unique.
Automatic backups are scheduled and tested.
Security isn't a one-time step to set and forget — review this checklist every few months.
Security WorkUp