Overview

Your server's php.ini file is located in the /usr/local/lib/ directory. To help harden the security of PHP on your server, we recommend the changes to the settings that are listed in the checklist below.

Warning:

  • While these settings harden the security of your server, they are not effective security controls when used alone. It is possible to bypass most hardening measures.
  • Although you can make changes to this file directly, we strongly recommend that you use WHM's PHP Configuration Editor feature (Main >> Service Configuration >> PHP Configuration Editor) to edit the PHP configuration file. For more information, read the PHP Configuration Editor documentation.

Checklist

Each entry below lists the php.ini parameter, a description of what it does, and the value that we recommend.

safe_mode

Safe mode attempts to solve many of the problems that are associated with the use of PHP in a shared hosting environment. It compares the user ID (UID) of the PHP script with the UIDs of the files and directories that it attempts to access. If the UIDs do not match, the script will not be allowed to access the requested file or directory.

Warning:

This feature was deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0.

Recommended value: On

disable_functions

This parameter takes a comma-separated list of PHP functions that you wish to disable. You may wish to disable most or all of the PHP functions that allow subprocesses to be executed, since subprocesses run outside of other PHP security restrictions. You should also establish standards for which functions may be used for shell operations.

Recommended value: A comma-separated list of functions to disable.

register_globals

When register_globals is enabled, attackers may be able to override configuration variables through the URL.

Warning:

This feature was deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0.

Recommended value: Off

display_errors

Disable this option to deny PHP the ability to print run-time errors to the HTML pages that it generates. When you disable this option, PHP is still able to print errors to the appropriate error logs.

Recommended value: Off

allow_url_fopen

Disable this option to deny attackers the ability to open remote files from your server through file inclusion vulnerabilities.

Recommended value: Off

allow_url_include

Disable this option to deny attackers the ability to include remote files from your server through file inclusion vulnerabilities.

Recommended value: Off

file_uploads

If possible, we recommend that you turn off file uploads. This will deny attackers the ability to move their scripts onto and off of your server.

Recommended value: Off

open_basedir

This parameter allows you to limit file operations to a specific directory. Attackers will often attempt to find ways to include local files in PHP scripts to gain information about your server's filesystem.

Note:

This setting only affects servers that use mod_php.

Recommended value: ~/public_html

session.cookie_httponly

Set this value to 1 to deny JavaScript the ability to access PHP session cookies. This can help prevent the theft of session cookies by attackers. However, you may be unable to use this directive if your users access PHP session cookies through JavaScript.

Recommended value: 1

session.referer_check

This parameter allows PHP to check HTTP referrer values. This allows you to specify a domain, which will ensure that session information is only passed internally while a user works with a web application. This helps to ensure that your users do not accidentally expose session information that may allow malicious users to follow links and steal a session.

Warning:

Do not rely on this security measure alone. It is trivial to send false referer information.

Recommended value: The domain of your web application.
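As an added example (not cPanel's code), the following Python audit parses a php.ini text and reports which of the checklist directives above deviate from the recommended values. It assumes a constructed sample php.ini, leaves out safe_mode and register_globals because PHP 5.4 and later no longer recognise them, and the list of subprocess-spawning functions it checks against disable_functions is my own assumption, since the page names none.

```python
# Added example, not cPanel's code: audit php.ini text against the checklist above. safe_mode
# and register_globals are skipped (gone since PHP 5.4); the subprocess list is my assumption.
SUBPROCESS_FUNCTIONS = {"exec", "shell_exec", "system", "passthru", "proc_open", "popen"}
# "on"/"off" are boolean directives; None means the directive must hold a non-empty value.
RECOMMENDED = {"display_errors": "off", "allow_url_fopen": "off", "allow_url_include": "off",
               "file_uploads": "off", "session.cookie_httponly": "on", "disable_functions": None,
               "open_basedir": None, "session.referer_check": None}

def normalise(value):
    """Map the boolean spellings php.ini accepts (On/Off, 1/0, true/false, yes/no) to on/off."""
    v = value.strip().strip('"').strip("'").lower()
    if v in ("1", "on", "true", "yes"):
        return "on"
    return "off" if v in ("", "0", "off", "false", "no", "none") else v

def parse_php_ini(text):
    """';' starts a comment, [section] lines are skipped, a directive splits on its first '='."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # quoted values containing ';' are not handled
        if line and not line.startswith("[") and "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip().lower()] = value.strip()
    return settings

def audit(text):
    """Return {directive: problem} for every checklist item the php.ini text fails."""
    settings, problems = parse_php_ini(text), {}
    for name, wanted in RECOMMENDED.items():
        if name not in settings:  # absent means PHP's compiled-in default applies
            problems[name] = "not set in php.ini"
        elif wanted is None and normalise(settings[name]) == "off":
            problems[name] = "empty; the checklist expects a value"
        elif wanted is not None and normalise(settings[name]) != wanted:
            problems[name] = f"is '{settings[name]}', recommended {wanted}"
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",")}
    still_enabled = sorted(SUBPROCESS_FUNCTIONS - disabled)
    if still_enabled and "disable_functions" not in problems:
        problems["disable_functions"] = "still allows subprocesses: " + ", ".join(still_enabled)
    return problems

SAMPLE_INI = """[PHP]  ; constructed sample, not a real server's file
display_errors = On
allow_url_fopen = Off
file_uploads = On
open_basedir = "/home/user/public_html"
disable_functions = exec,passthru
session.cookie_httponly = 1
session.referer_check =
"""
```

Running `audit(SAMPLE_INI)` on the constructed sample flags display_errors, file_uploads, the missing allow_url_include, the empty session.referer_check, and the subprocess functions that disable_functions still leaves enabled.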