diff --git a/hardening/apache24-php.sh b/hardening/apache24-php.sh
new file mode 100644
index 0000000..67ecf0e
--- /dev/null
+++ b/hardening/apache24-php.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# This script requires TLS1.2
+
+APACHE_BASE=$( httpd -S 2>&1 | awk '/ServerRoot/ {print $2}' | tr -d \")
+
+# Harden apache
+cp -p $APACHE_BASE/conf/httpd.conf $APACHE_BASE/conf/httpd.conf-pre-hardening
+cat <> $APACHE_BASE/conf/httpd.conf
+TraceEnable off
+RewriteEngine On
+RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+RewriteRule .* - [F]
+SSLFIPS On
+ServerTokens PROD
+ServerSignature off
+EOF
+
+# Disable unused modules
+sed -i.preHardening -e 's/^/#/g' $APACHE_BASE/conf.modules.d/00-dav.conf
+sed -i.preHardening -e 's/^/#/g' $APACHE_BASE/conf.modules.d/00-proxy.conf
+
+
+httpd -S 2>/dev/null | grep ":443" | awk '{print $NF}' | tr -d '[()]' | awk -F: '{print $1}' | while read c; do
+sed -i.preHardening -e 's/SSLProtocol.*/SSLProtocol -ALL +TLSv1.2/g' $c
+sed -i.preHardening2 -e 's/SSLCipherSuite.*/SSLCipherSuite \"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS !DH !3DES\"/g' $c
+done
+
+sed -i.preHardening -e 's/^expose_php.*/expose_php = Off/g' /etc/php.ini
+
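Review bot: `APACHE_BASE` on the fourth added line is never validated, so if `httpd -S` fails (not root, httpd not in PATH) the variable is empty and every later `cp`/`sed` silently operates on `/conf/httpd.conf` and `/conf.modules.d/…`; add `set -euo pipefail` at the top and `: "${APACHE_BASE:?could not determine ServerRoot}"` after the assignment, and double-quote the expansions. The `cat <> $APACHE_BASE/conf/httpd.conf` line reads as a read-write redirection rather than an appending heredoc, so as committed the directives down to `EOF` would be executed as shell commands; presumably `<<EOF >>` was lost, but the checked-in text should be verified. The appended block is also not idempotent (a second run duplicates the directives and overwrites the earlier `.preHardening` backups), `SSLFIPS On` and `RewriteEngine On` require a FIPS-capable OpenSSL and a loaded mod_rewrite respectively, and `RewriteEngine On` in the main server context is not inherited by virtual hosts unless `RewriteOptions Inherit` is set, so ending with `httpd -t` before any restart would catch a configuration that cannot load. In the `while read c` loop use `read -r` and `"$c"`, and note that the `SSLProtocol`/`SSLCipherSuite` substitutions are no-ops for a listed vhost file that lacks those directives, so the TLS hardening can silently not apply.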