Revive Adserver has explicit security advisories and hardening guidance from the project team. Use that guidance as baseline policy, not optional tuning.
¶ 1) Track advisories and stay on current stable release
Revive publishes security advisories and recommends reporting through HackerOne.
Operational policy:
- subscribe to Revive security advisory feed and release notes
- patch to latest stable release rapidly after testing
- do not run outdated branches in production
As of the advisory page snapshot, stable is v6.0.5 (released January 14, 2026).
¶ 2) Lock configuration files and sensitive paths
Revive’s hardening guide requires locking *.conf.php files read-only and preventing browser access to non-www/ paths.
Required controls:
- set config file permissions (example from docs:
chmod 644 *.conf.php)
- enforce deny rules in Apache/Nginx for internal folders
- verify
.htaccess behavior if Apache AllowOverride differs from defaults
Revive specifically warns about malicious PHP uploads under www/images and recommends disabling execution there.
- deny PHP execution in
www/images
- monitor uploads for unexpected executable content
- alert on new
.php file appearance in media paths
¶ 4) Enforce HTTPS and modern runtime requirements
Revive technical requirements call out HTTPS validity for cookie-dependent features (frequency capping/conversion tracking).
- enforce HTTPS with valid certificates for all ad endpoints
- run supported PHP versions (current stable requires PHP 8.1+)
- keep required/suggested PHP extensions current and patched
¶ 5) Governance and incident response
- define security owner for adserver platform
- log and review admin account and configuration changes
- run periodic restore tests for DB +
www/images + config
- use private disclosure path (HackerOne), not public issue trackers, for vulnerabilities
- Revive security advisories and disclosure process: https://www.revive-adserver.com/security/
- Revive hardening guide (config locks, path rules, images/PHP execution): https://www.revive-adserver.com/how-to/secure-your-installation/
- Revive technical requirements (PHP, HTTPS, server notes): https://www.revive-adserver.com/support/requirements/
Any questions?
Feel free to contact us. Find all contact information on our contact page.