After you have installed php you should go about securing php.
One major issue with php.ini file the following entry. Please note, if the line below is commented out AND =0 is NOT specified then the server will default to the value =1

cgi.fix_pathinfo=1

You can find this entry in your php.ini with the following command:

grep 'cgi.fix_pathinfo' /etc/php.ini

Explanation:
When the value of cgi.fix_pathinfo=1 then the PHP interpreter will process files with similar file names rather than exact names.
For example, if the script mysript.php cannot be found the PHP interpreter will try to find a similar file name such as myscript.jpg and try to execute this.
This is obviously a security risk.

Make sure you commend out cgi.fix_pathinfo=1
Example:

;cgi.fix_pathinfo=1

And then add the following:

;cgi.fix_pathinfo=0

The following command can be used to view the value of php-fpm cgi.fix_pathinfo

php-fpm -i 2>&1 | grep 'pathinfo'