Added docs on configuring PHP to turn off register globals and not display errors

git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@535 7be80a69-a1ef-0310-a953-fb0f7c49ff36

1 files changed, 48 insertions, 12 deletions

diff --git a/README.txt b/README.txt
index c1cb67a..a8573a8 100644
--- a/README.txt
+++ b/README.txt
@@ -2,7 +2,12 @@ WordPress Multi User
 --------------------
 
 WordPress MU is a multi user version of WordPress.
-
+If you're not comfortable editing PHP code, taking care of a complex
+webserver and database system and being pro-active about following
+developments of this project then run, don't walk, to 
+http://wordpress.com/ and sign yourself and your friends up to free blogs.
+It's easier in the long run and you'll save yourself a lot of pain
+and angst.
 
 Install
 =======
@@ -22,17 +27,48 @@ LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
 line
 "AllowOverride None"
 and change it to
-"AllowOverride FileInfo"
-
-Maintenance
-===========
-If you have PEAR Cache, it'll be used to significantly speed up
-things. However, this generates cached files which have to be cleared
-from time to time.
-Uncomment the code in wp-inst/maintenance.php and make sure it's 
-protected by IP checks or username/passwords. You should call this
-script at least once a day, and maybe more depending on how busy
-your server is.
+"AllowOverride FileInfo Options"
+
+PHP
+===
+For security reasons, it's very important that PHP be configured as follows:
+1. Don't display error messages to the browser. This is almost always
+turned off but sometimes when you're testing you turn this on and forget
+to reset it.
+2. GLOBAL variables must be turned off. This is one of the first things
+any security aware admin will do. These days the default is for it to
+be off!
+
+The easiest way of configuring it is via the .htaccess file that is
+created during the install. If you haven't installed WPMU yet then edit
+the file htaccess.dist in this directory and add these two lines at the
+top:
+
+php_flag register_globals 0
+php_flag display_errors 0
+
+This is NOT included in that file by default because it doesn't work on
+all machines. If it doesn't work on your machine, you'll get a cryptic
+"500 internal error" after you install WPMU. To remove the offending lines
+just edit the file ".htaccess" in your install directory and you'll see
+them at the top. Delete and save the file again.
+Read here for how to enable this: http://ie.php.net/configuration.changes
+
+If you don't want to edit your .htaccess file then you need to change your
+php.ini. It's beyond the scope of this README to know exactly where it is
+on your machine, but if you're on a shared hosted server you probably
+don't have access to it as it requires root or administrator privileges
+to change.
+If you do have root access, try "locate php.ini" or check in:
+/etc/php4/apache2/php.ini
+/usr/local/lib/php.ini
+Once you have opened your php.ini, look for the sections related to 
+register_globals and display_errors. Make sure both are Off like so:
+display_errors = Off
+register_globals = Off
+
+You'll have to restart Apache after you modify your php.ini for the 
+settings to be updated.
 
 Support Forum:
 http://mu.wordpress.org/forums/