Securing Apache, Tip#2: PHP display_errors

Continuing the theme of Tip#1, you also have to make sure your PHP web application does not leak information about your site through the error messages it displays.

Simply setting:

display_errors = Off

in the php.ini of your production server stops PHP from rendering error messages into the pages it serves, and with them the details that would give an intruder hints about the structure of your system.

This directive controls whether, and where, PHP outputs errors, notices and warnings. Error output is very useful during development, but it can be very dangerous in a production environment: depending on the code that triggers the error, sensitive information such as file system paths, SQL fragments, or database usernames and passwords (or worse) can end up in the response a visitor sees. On production servers, errors should be written to a log file rather than sent to STDOUT, i.e. the HTTP response.
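As an added example (not from the original post), here is a php.ini fragment for a production server that turns display_errors off without losing the errors entirely: they are redirected to a log file instead. The log path is an assumption; pick any location that the web server user can write to and that is outside the document root.

```ini
; Production error handling for php.ini (added example, not from the post).

; Never render errors into the HTTP response. With this On, the failing
; statement's context (paths, SQL, credentials) can appear in the page.
display_errors = Off

; display_errors does not cover errors raised while PHP itself starts up
; (e.g. a failing extension load), so switch that output off separately.
display_startup_errors = Off

; Keep the errors: write them to a log instead of discarding them.
log_errors = On
; Assumed path; must be writable by the web server user and outside the
; document root so it cannot be fetched over HTTP.
error_log = /var/log/php/php_errors.log

; Log everything so problems are still visible to the operator.
error_reporting = E_ALL
```

After editing the file, confirm the running configuration rather than trusting the edit: `php -i` prints lines such as `display_errors => Off => Off` and `log_errors => On => On`, but note that the command line SAPI can read a different php.ini than mod_php or php-fpm (compare `php --ini` with the path shown in the web server's phpinfo() output), so verify under the SAPI that actually serves requests. Turning display_errors off hides the symptom only; the log is where you find and fix the underlying errors, so make sure it is rotated and monitored.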

See other tips:

Securing Apache, Tip #1: Minimize banner information

 
