PHP.INI settings: Disable exec, shell_exec, system, popen and Other Functions To Improve Security
I run a small Apache based web-server for my personal use, and it is shared with friends and family. However, most script kiddies try to exploit PHP applications such as WordPress using the exec(), passthru(), shell_exec(), and system() functions. How do I disable these functions to improve my PHP script security?
PHP has many functions that can be used to compromise your server if they are not used properly. You can list the functions to disable in php.ini using the disable_functions directive. This directive allows you to disable certain functions for security reasons. It takes a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in the php.ini file; for example, you cannot set it in httpd.conf.
Open a terminal or log in to your server over an SSH session. Open the php.ini file:
# vi /etc/php.ini
Find disable_functions and set the new list as follows:
I also recommend disabling allow_url_include and allow_url_fopen for security reasons:
Save and close the file. Restart the httpd server by typing the following command:
# service httpd restart
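Once php.ini has been edited it is worth verifying that the hardening actually took effect. The following script is an added example, not part of the original post: it parses a php.ini the way PHP reads it (comments after `;`, `[Section]` headers, the last duplicate directive winning) and reports whether the functions named on this page are in disable_functions and whether allow_url_fopen and allow_url_include are off. The two php.ini fragments are constructed samples, and the function names and the defaults assumed for absent directives are the standard PHP ones.

```python
# Audit a php.ini for the hardening described above (added example).

# Functions named on this page that a hardened php.ini should disable.
SHELL_FUNCTIONS = ("exec", "passthru", "shell_exec", "system", "popen")

# Values PHP treats as boolean true in php.ini (On/1/yes/true); anything else is off.
_TRUE = {"1", "on", "yes", "true"}


def parse_php_ini(text):
    """Return {directive: value} from php.ini text; later duplicates win, as in PHP."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment (quoted ';' not handled)
        if not line or line.startswith("["):     # blank line or [Section] header
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def ini_bool(value):
    """Interpret an ini value the way PHP does for boolean directives."""
    return value.strip().lower() in _TRUE


def audit_php_ini(text, required=SHELL_FUNCTIONS):
    """Return a list of findings; an empty list means the hardening is in place."""
    ini = parse_php_ini(text)
    findings = []
    disabled = {f.strip().lower() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    missing = [f for f in required if f not in disabled]
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    # PHP defaults: allow_url_fopen is On when absent, allow_url_include is Off when absent.
    if ini_bool(ini.get("allow_url_fopen", "On")):
        findings.append("allow_url_fopen is On")
    if ini_bool(ini.get("allow_url_include", "Off")):
        findings.append("allow_url_include is On")
    return findings


# Constructed samples: a stock configuration and the hardened one described above.
WEAK_INI = "; constructed sample\n[PHP]\ndisable_functions =\nallow_url_fopen = On\n"
HARDENED_INI = ("; constructed sample\n[PHP]\n"
                "disable_functions = exec,passthru,shell_exec,system,popen\n"
                "allow_url_fopen = Off\nallow_url_include = Off\n")

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, "->", audit_php_ini(ini) or "OK")
```

Run it against the real file with `audit_php_ini(open("/etc/php.ini").read())`; remember that the check only covers php.ini, which is the only place disable_functions can be set.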