PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in php.ini using disable_functions directive. This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in php.ini file. For example, you cannot set this in httpd.conf file.
Open a terminal or login to your server over the ssh session. Open php.ini file:
# vi /etc/php.ini
Find disable_functions and set new list as follows:
I also recommend to disable allow_url_include and allow_url_fopen for security reasons:
Save and close the file. Restart the httpd server by tying the following command:
# service httpd restart
OR if you are using Debian/Ubuntu Linux, run:
# service apache2 restart
A note about systemd based system
If you are using systemd + RHEL/CentOS/Fedora Linux based system, enter:
# systemctl httpd restart
If you are using systemd + Debian/Ubuntu Linux based system, enter:
# systemctl restart apache2
- Linux: 25 PHP Security Best Practices For Sys Admins – A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.