
Overview

This document recommends changes to the settings of your server's php.ini file to help secure your server.

The /usr/local/lib/ directory contains your server's php.ini file.

Warning:

  • These settings do not function as effective security controls when you use them alone, because most hardening measures can be bypassed.
  • Although you can edit the php.ini file directly, we strongly recommend that you edit this file with WHM's PHP Configuration Editor interface (Home >> Service Configuration >> PHP Configuration Editor).

Checklist

Each entry below lists a directive, its description, and the recommended value.
safe_mode

The safe mode directive attempts to solve many of the problems that occur in a shared hosting environment when you use PHP. It compares the PHP script's UID (user ID) with the UIDs of the files and directories that it attempts to access. If the UIDs do not match, the system does not allow the script to access the requested file or directory.

Warning:

This directive was deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0.

Recommended value: On
disable_functions

This directive accepts a comma-separated list of PHP functions to disable. You may wish to disable most or all of the PHP functions that allow the system to execute subprocesses, since subprocesses run outside of other PHP security restrictions. You should also establish standards for the particular functions that perform shell operations.

Recommended value: A comma-separated list of functions to disable.
register_globals

When you enable the register_globals directive, attackers may gain the ability to override configuration variables through the URL.

Warning:

This directive was deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0.

Recommended value: Off
display_errors

Disable this directive to deny PHP the ability to print run-time errors to the HTML pages that it generates. When you disable this directive, PHP can still print errors to the appropriate error logs.

Recommended value: Off
allow_url_fopen

Disable this directive so that attackers cannot use file inclusion vulnerabilities to make your server open remote files.

Recommended value: Off
allow_url_include

Disable this directive so that attackers cannot use file inclusion vulnerabilities to make your server include remote files.

Recommended value: Off
file_uploads

If possible, we recommend that you turn off file uploads, which denies attackers the ability to move their scripts onto and off of your server.

Recommended value: Off
open_basedir

This directive allows you to limit file operations to a specific directory. Attackers often attempt to find ways to include local files in PHP scripts to gain information about your server's filesystem.

Note:

This setting only affects servers that use the mod_php Apache module.

Recommended value: ~/public_html
session.cookie_httponly

Set this value to 1 to deny JavaScript the ability to access PHP session cookies. This helps prevent attackers from stealing session cookies through client-side scripts.

Important:

However, if your users' applications access PHP session cookies through JavaScript, you may not be able to use this directive.

Recommended value: 1
session.referer_check

This directive allows PHP to check HTTP referrer values. It allows you to specify a domain, which ensures that session information only passes internally while a user works with a web application. This ensures that your users do not accidentally expose session information that may allow malicious users to follow links and steal a session.

Warning:

Do not rely on this security measure alone. It is trivial to send false referrer information.
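As an added example that is not part of this page or of cPanel's own tooling, the following Python script parses a php.ini file and reports every directive that deviates from the checklist above. The expected values come from the checklist; the parser, the audit logic, and the sample php.ini are assumptions of this example, and the two directives removed in PHP 5.4 are checked only when they still appear in the file.

```python
# Expected values from this page's checklist; "non-empty" means it must be set.
CHECKLIST = {
    "safe_mode": "on", "register_globals": "off",   # removed in PHP 5.4
    "display_errors": "off", "allow_url_fopen": "off",
    "allow_url_include": "off", "file_uploads": "off",
    "session.cookie_httponly": "on",
    "disable_functions": "non-empty", "open_basedir": "non-empty",
    "session.referer_check": "non-empty",
}
LEGACY = {"safe_mode", "register_globals"}  # checked only when present in the file
_TRUE, _FALSE = {"1", "on", "true", "yes"}, {"0", "off", "false", "no", "none", ""}

def parse_php_ini(text):
    """Return {directive: value}; [Section] headers and ';' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment, inline too
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings

def normalize(value):
    # Map PHP's boolean spellings (On/1/True/Yes, Off/0/False/No/'') to on/off.
    v = value.strip().lower()
    return "on" if v in _TRUE else "off" if v in _FALSE else v

def audit(settings):
    """Return (directive, actual, expected) for each deviation from CHECKLIST."""
    findings = []
    for directive, expected in CHECKLIST.items():
        actual = settings.get(directive)
        if actual is None:  # absent from the file: PHP's built-in default applies
            bad, actual = directive not in LEGACY, "<not set>"
        elif expected == "non-empty":
            bad = normalize(actual) == "off"
        else:
            bad = normalize(actual) != expected
        if bad:
            findings.append((directive, actual, expected))
    return findings

# Constructed sample php.ini (hypothetical, not any real server's file).
SAMPLE_INI = """[PHP]
display_errors = On
allow_url_fopen = On   ; remote file access left enabled
allow_url_include = Off
disable_functions =
open_basedir = "/home/example/public_html"
session.cookie_httponly = 1
"""
```

Running audit(parse_php_ini(SAMPLE_INI)) on the sample reports display_errors, allow_url_fopen, file_uploads, disable_functions and session.referer_check as deviations, while the compliant directives are silent.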