I run a small Apache based web-server for my personal use, and it is shared with friends and family. However, most script kiddie try to exploit php application such as WordPress using exec(), passthru(), shell_exec(), system() functions. How do I disable these functions to improve my php script security?
PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in php.ini using disable_functions directive. This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode.
This directive must be set in php.ini file. For example, you cannot set this in httpd.conf file. This page shows how to edit the php.ini to disable certain function and restart the required services.
PHP.INI settings Disable exec, shell_exec, system, popen and Other Functions To Improve Security
Open a terminal application or login to your server over the ssh session using ssh command. Open php.ini file using a text editor such as vim command or nano command:
$ sudo vi /etc/php.ini
$ sudo nano /etc/php.ini
Find disable_functions and set new list as follows:
# list of function to disable globally # disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
# list of function to disable globally #
I also recommend to disable allow_url_include and allow_url_fopen for security reasons:
Save and close the file. Restart the httpd server by tying the following command:
# service httpd restart
OR if you are using Debian/Ubuntu Linux, run:
# service apache2 restart
A note about systemd based system
If you are using systemd + RHEL/CentOS/Fedora Linux based system, enter:
# systemctl httpd restart
If you are using systemd + Debian/Ubuntu Linux based system, enter:
# systemctl restart apache2
A note about PHP-fpm under a Debian/Ubuntu/CentOS Linux
Create a file named security.ini /etc/php/7.0/fpm/conf.d/ directory:
$ vi sudo /etc/php/7.0/fpm/conf.d/99-security.ini
Append the following settings:
# disable functions disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
# disable functions
Save and close the file when using a vim text editor. Next you need to restart the php-fpm/php7.0-fpm/php5.0-fpm service service, run:
$ sudo systemctl restart php-fpm # <- CentOS/RHEL 7.x
$ sudo systemctl restart php7.0-fpm.service # <- Ubuntu/Debian
- Linux: 25 PHP Security Best Practices For Sys Admins – A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.