Should you modify the PHP configuration and disable commonly abused PHP functions?

Klaus Warzecha

Member
Registered
Joined
Nov 10, 2016
Messages
42
Points
8
Hi everyone, after installed my hosting control panel, I was recommended to disable PHP functions

Code:
disable_functions = show_source, allow_url_fopen, parse_ini_file, open_base, symlink, phpinfo, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode
Should I modify the PHP configuration and disable commonly abused PHP functions above? they are commands should be closed from server to avoid hackers exploit your website?

Any suggestions?
 

Dewlance

Well-known member
Hosting Provider
Registered
Joined
Dec 20, 2014
Messages
114
Points
18
1 year ago, I was use this method to disable some function but later I found that most of popular software required this command and create issue so I no longer block this because of latest PHP software is more secure and we no longer use some old software.

For example, allow_url_fopen is used by common software so disabling this will affect script and it will not run properly.
 

David Beroff

Well-known member
Registered
Joined
Jun 14, 2016
Messages
1,477
Points
63
1 year ago, I was use this method to disable some function but later I found that most of popular software required this command and create issue so I no longer block this because of latest PHP software is more secure and we no longer use some old software.

For example, allow_url_fopen is used by common software so disabling this will affect script and it will not run properly.
Moreover that many companies are using APIs and by disabling such php functions it won't work.
I agree with Dewlance and isix, to secure your server, it is not only depending on disabling or enabling those functions, it depends on how you will configure your website cms and your hosting server.
 

WeWatchYourWebsite

New member
Registered
Joined
May 15, 2017
Messages
6
Points
0
Since php.ini files can be nested, you can disable globally and then add a php.ini in the folders that require those functions.

Yes, it's a pain in the neck, but so is an infected website. It's like disabling PHP in a /wp-content/uploads folders on WordPress sites. In the majority of cases, PHP code never needs to run in that folder. But frequently we find malicious code uploaded there. So why not disable it?

It's another layer in the "Defense in Depth" strategy.
 
Newer Threads
Replies
29
Views
12,913
Replies
7
Views
6,757
Replies
6
Views
2,342
Recommended Threads

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top