PHP.INI settings Disable exec, shell_exec, system, popen and Other Functions To Improve Security

I run a small Apache based web-server for my personal use, and it is shared with friends and family. However, most script kiddies try to exploit PHP applications such as WordPress using the exec(), passthru(), shell_exec(), and system() functions. How do I disable these functions to improve my PHP script security?

PHP has many built-in functions that can be used to compromise your server if an application exposes them to attacker-controlled input (a command-injection bug in a plugin, or a dropped web shell that calls system()). You can list functions to switch off in php.ini with the disable_functions directive. It takes a comma-delimited list of function names and makes each of them unavailable to every script the SAPI runs. Two caveats: only internal (built-in) functions can be disabled this way, so user-defined functions and language constructs such as eval() and include are unaffected; and disable_functions is not affected by Safe Mode (which was removed in PHP 5.4 anyway).

My sample php.ini

This directive must be set in the php.ini file; the PHP manual states that you cannot set it in httpd.conf. With PHP-FPM you can also set it per pool using php_admin_value[disable_functions] in the pool configuration, which is useful when different sites need different lists. This page shows how to edit php.ini to disable certain functions and restart the required services.


Open a terminal or log in to your server over SSH. Open php.ini in a text editor such as vim or nano:
$ sudo vi /etc/php.ini
OR
$ sudo nano /etc/php.ini
The path above is the RHEL/CentOS one; on Debian/Ubuntu with PHP 7.0 the file used by mod_php is /etc/php/7.0/apache2/php.ini. Find disable_functions and set the new list as follows:

; list of functions to disable globally
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Use ; for comments in php.ini: PHP 7.0 removed support for #-style comments in ini files, so a line starting with # is no longer a comment and can break parsing of the file. Note also that show_source() is an alias of highlight_file(), so add highlight_file to the list if you want that behaviour blocked rather than merely renamed.

I also recommend disabling allow_url_include and allow_url_fopen for security reasons, so that include()/require() and the file functions cannot pull code or data from remote URLs:

allow_url_fopen=Off
allow_url_include=Off

Be aware that with curl_exec disabled and allow_url_fopen=Off, PHP has no remaining way to make outbound HTTP requests. That breaks WordPress updates, plugin installs and anything else that fetches URLs, so test the applications you host after the change.

Save and close the file. Restart the httpd server by typing the following command:
# service httpd restart
OR if you are using Debian/Ubuntu Linux, run:
# service apache2 restart

A note about systemd based system

If you are using a systemd + RHEL/CentOS/Fedora Linux based system, enter:
# systemctl restart httpd
If you are using a systemd + Debian/Ubuntu Linux based system, enter:
# systemctl restart apache2

A note about PHP-FPM under Debian/Ubuntu/CentOS Linux

On Debian/Ubuntu, PHP-FPM reads its own php.ini (/etc/php/7.0/fpm/php.ini) and its own conf.d directory, separate from the ones used by mod_php and the CLI, so a change to the Apache php.ini does not reach it. On CentOS/RHEL, /etc/php.ini and /etc/php.d/ are shared by every SAPI. Create a file named 99-security.ini in the /etc/php/7.0/fpm/conf.d/ directory (on CentOS/RHEL use /etc/php.d/ instead):
$ sudo vi /etc/php/7.0/fpm/conf.d/99-security.ini
Append the following settings:

; disable functions
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Save and close the file. Next, restart the PHP-FPM service; its name depends on the distribution and PHP version (php-fpm, php7.0-fpm, php5-fpm, and so on):
$ sudo systemctl restart php-fpm # <- CentOS/RHEL 7.x
$ sudo systemctl restart php7.0-fpm.service # <- Ubuntu/Debian
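To make the procedure above checkable rather than taken on trust, here is an added shell example (it is not code from the original article). It parses a php.ini-style file the way PHP does (";" comments, last assignment wins), reports which of the functions listed above are still enabled, flags "#" comment lines that PHP 7 no longer accepts, and shows how to ask the running SAPI what it actually enforces. The two ini files it writes are constructed samples, and the php-fpm binary names mentioned in live_check are assumptions for Debian/Ubuntu and CentOS/RHEL.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a php.ini-style
# file for the disable_functions / allow_url_* hardening described above,
# and show how to query what a running SAPI actually enforces.
# The sample ini files below are constructed for this demonstration.

# Functions the article disables (extend to taste, e.g. add highlight_file).
REQUIRED_DISABLED="exec passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source"

# php_ini_value FILE KEY: print the effective value of KEY in FILE.
# Mirrors PHP's ini rules: ';' starts a comment, [sections] are skipped,
# and the last assignment of a key wins.
php_ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*;/  { next }
        /^[[:space:]]*\[/ { next }
        {
            line = $0
            sub(/[[:space:]]*;.*$/, "", line)            # strip trailing comment
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = substr(line, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)                         # unquote "value"
            val = v; found = 1
        }
        END { if (found) print val }' "$1"
}

# missing_disabled FILE: print (space separated) the required names that FILE
# does not list in disable_functions and return 1; return 0 if none are missing.
missing_disabled() {
    value=$(php_ini_value "$1" disable_functions)
    listed=$(printf '%s\n' "$value" | tr ', ' '\n\n' | sed '/^$/d')
    missing=""
    for f in $REQUIRED_DISABLED; do
        if ! printf '%s\n' "$listed" | grep -qxF "$f"; then
            missing="$missing $f"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# hash_comment_lines FILE: print the numbers of lines that start with '#'.
# PHP 7.0 removed '#' as an ini comment marker; only ';' is valid, so such
# lines can break parsing of the file and leave the directive unapplied.
hash_comment_lines() {
    grep -n '^[[:space:]]*#' "$1" | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# live_check PHP_BINARY: what the named SAPI really enforces. The CLI reads
# its own php.ini, so for FPM query the fpm binary itself (assumed names:
# php-fpm on CentOS/RHEL, php-fpm7.0 on Debian/Ubuntu; adjust to your box).
live_check() {
    "$1" -i 2>/dev/null | grep -E '^(disable_functions|allow_url_(fopen|include)) '
}

# --- constructed sample files -------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A partially hardened fragment with a '#' comment typed from the article.
cat > "$WORK/weak.ini" <<'EOF'
; constructed sample php.ini fragment
disable_functions =
allow_url_fopen = On
# list of functions to disable
disable_functions = exec,shell_exec,system
EOF

# The article's full list, using ';' comments.
cat > "$WORK/hardened.ini" <<'EOF'
; constructed sample 99-security.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen = Off
allow_url_include = Off
EOF

# Usage: audit both samples, then (if php is installed) the live CLI config.
for ini in "$WORK/weak.ini" "$WORK/hardened.ini"; do
    printf '%s: disable_functions=%s\n' "$ini" "$(php_ini_value "$ini" disable_functions)"
    if ! missing_disabled "$ini" >"$WORK/missing"; then
        printf '  still enabled: %s\n' "$(cat "$WORK/missing")"
    fi
    lines=$(hash_comment_lines "$ini")
    if [ -n "$lines" ]; then
        printf '  "#" comment on line(s) %s is not valid in PHP 7 ini files\n' "$lines"
    fi
done
if command -v php >/dev/null 2>&1; then
    live_check php || true
fi
```

Run it as-is to audit the two samples, or point missing_disabled at your real php.ini or 99-security.ini. For the live check, live_check php reports only the CLI's configuration; use live_check php-fpm7.0 (Debian/Ubuntu) or live_check php-fpm (CentOS/RHEL) for FPM, or confirm from inside a real web request with var_dump(function_exists('exec')), which returns false for a disabled function.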

See also:
  • Linux: 25 PHP Security Best Practices For Sys Admins – A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.