I'm not a PHP expert, and this may not be specifically about LimeSurvey, but I'm looking for advice on how to lock down publicly available LimeSurvey deployments to prevent malicious attacks.
Partly this is down to making sure you set up strong passwords on LimeSurvey accounts, of course. But it is also about protecting access to web resources that don't need to be exposed over HTTP.
For example, I presume you don't want people to submit HTTP requests against arbitrary LimeSurvey PHP files, but I can happily enter a URL to any PHP file; so far it doesn't seem to do anything other than return a blank page, but it would be much better if, e.g., I got a 404 back.
In my case I'm looking at deploying LimeSurvey wrapped up in a WAR file, so I have the filtering capabilities of web.xml (from the Java world) at my disposal. This means I can lock out HTTP access to all files except the ones that really need to be exposed.
Is there a safe list of PHP files etc. that need to be exposed over HTTP?
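
The deny-by-default filtering described in the post can be expressed with standard servlet `security-constraint` elements. The fragment below is an added example, not part of the original post and not LimeSurvey's own configuration; `/ENTRY_POINT_PLACEHOLDER.php` is a placeholder for whichever files turn out to need exposure, since the post does not list them.

```xml
<!-- Added example for WEB-INF/web.xml; not the poster's or LimeSurvey's configuration. -->

<!-- Deny by default: an empty auth-constraint means no role is permitted,
     so every request matching *.php is refused by the container. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>deny-all-php</web-resource-name>
    <url-pattern>*.php</url-pattern>
    <!-- No http-method elements: the constraint covers every HTTP method. -->
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Allow-list: an exact-match url-pattern is a better match than the
     extension pattern above, so only this constraint applies to the file.
     With no auth-constraint at all, access is permitted without authentication.
     The path is a placeholder (assumption); add one url-pattern per file
     that must stay reachable. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>public-entry-points</web-resource-name>
    <url-pattern>/ENTRY_POINT_PLACEHOLDER.php</url-pattern>
  </web-resource-collection>
</security-constraint>
```

A request blocked this way receives 403 Forbidden from the container rather than 404; returning 404 would need a custom error page mapping or a servlet filter.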