
Overview

This document recommends changes to the settings of your server's php.ini file to help secure your server.

  • On systems that run EasyApache 3, the /usr/local/lib/ directory contains your server's php.ini file.
  • On systems that run EasyApache 4, multiple php.ini and local.ini files manage your system's PHP. Each version of PHP on your system uses its own php.ini and local.ini file, so you must make the changes to each file separately.

Warnings:

  • These settings do not function as effective security controls on their own, because most of these hardening measures can be bypassed. Use them as one layer of a broader defense.
  • On systems that run EasyApache 3, we strongly recommend that you edit this file only with WHM's PHP Configuration Editor interface (Home >> Service Configuration >> PHP Configuration Editor).
  • On systems that run EasyApache 4, we strongly recommend that you edit these files only with WHM's MultiPHP INI Editor interface (Home >> Software >> MultiPHP INI Editor). This ensures that an operable version of PHP exists on the system.

Checklist

Each entry below lists the directive, a description of what it does, and the recommended value.

safe_mode

Recommended value: On

The safe mode directive attempts to solve many of the problems that occur when you use PHP in a shared hosting environment. It compares the PHP script's UID (user ID) with the UIDs of the files and directories that the script attempts to access. If the UIDs do not match, PHP does not allow the script to access the requested file or directory.

Warning:

PHP 5.3.0 deprecated this directive and PHP 5.4.0 removed it.

disable_functions

Recommended value: A comma-separated list of functions to disable.

This directive accepts a comma-separated list of PHP functions to disable. You may wish to disable most or all of the PHP functions that allow the system to execute subprocesses, because subprocesses run outside of PHP's other security restrictions. You should also establish standards for which functions are permitted for shell operations.

register_globals

Recommended value: Off

When you enable the register_globals directive, attackers may gain the ability to override configuration variables through the URL.

Warning:

PHP 5.3.0 deprecated this directive and PHP 5.4.0 removed it.

display_errors

Recommended value: Off

Disable this directive to deny PHP the ability to print run-time errors in the HTML pages that it generates. When you disable this directive, PHP still writes errors to the appropriate error logs.

allow_url_fopen

Recommended value: Off

Disable this directive to deny attackers the ability to open remote files through your server via file inclusion vulnerabilities.

allow_url_include

Recommended value: Off

Disable this directive to deny attackers the ability to include remote files in scripts on your server via file inclusion vulnerabilities.

file_uploads

Recommended value: Off

If possible, we recommend that you turn off file uploads. This denies attackers the ability to move their scripts onto and off of your server.

open_basedir

Recommended value: ~/public_html

This directive limits PHP's file operations to a specific directory tree. Attackers often attempt to find ways to include local files in PHP scripts to gain information about your server's filesystem.

Notes:

  • This setting only affects servers that use the mod_php Apache module.
  • If your system runs EasyApache 4, change this directive in the Editor Mode section of WHM's MultiPHP INI Editor interface (Home >> Software >> MultiPHP INI Editor).

session.cookie_httponly

Recommended value: 1

Set this value to 1 to deny JavaScript the ability to access PHP session cookies. This ensures that attackers cannot steal session cookies through client-side scripts.

Important:

If your users' applications access PHP session cookies through JavaScript, you may not be able to use this directive.

Note:

If your system runs EasyApache 4, change this directive in the Editor Mode section of WHM's MultiPHP INI Editor interface (Home >> Software >> MultiPHP INI Editor).

session.referer_check

Recommended value: On

This directive makes PHP check the HTTP referrer value of each request. You specify a domain, which ensures that session information only passes internally while a user works with a web application. This helps ensure that your users do not accidentally expose session information that would allow malicious users to follow links and steal a session.

Warning:

Do not rely on this security measure alone. It is trivial to send false referrer information.

Note:

If your system runs EasyApache 4, change this directive in the Editor Mode section of WHM's MultiPHP INI Editor interface (Home >> Software >> MultiPHP INI Editor).

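The following script is an added example, not cPanel's own code: it audits a single php.ini or local.ini file against the checklist above and reports each directive as OK, MISMATCH or UNSET (an unset boolean directive falls back to PHP's built-in default, which is usually the insecure one). The sample file it creates is constructed for demonstration, and the path, function names and the "+" marker for "must be set" are this example's own choices; on EasyApache 4 run it against the php.ini and local.ini of each PHP version, and confirm the running values with `php -i` because other files can still override them.

```shell
# Added example (not cPanel code): audit one php.ini/local.ini against the
# checklist above. "+" means "must be set non-empty" (session.referer_check
# takes a Referer substring); safe_mode/register_globals omitted (removed in 5.4).
CHECKS='display_errors=Off
allow_url_fopen=Off
allow_url_include=Off
file_uploads=Off
session.cookie_httponly=1
disable_functions=+
open_basedir=+
session.referer_check=+'
# Value of directive $2 in file $1 (comments stripped; last assignment wins).
php_ini_get() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        { line = $0; sub(/;.*$/, "", line); eq = index(line, "="); if (!eq) next
          name = substr(line, 1, eq - 1); gsub(/[ \t]/, "", name); if (name != key) next
          val = substr(line, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
          gsub(/^"|"$/, "", val); found = val; seen = 1 }
        END { if (seen) print found }' "$1"
}
# Normalise PHP boolean spellings (1/On/True/Yes vs 0/Off/False/No/empty).
php_norm() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|on|true|yes) echo on ;;  0|off|false|no|"") echo off ;;  *) echo "$1" ;;
    esac
}
# Audit file $1: one status line per directive; returns 1 on any finding.
audit_php_ini() { rc=0
    for pair in $CHECKS; do
        name=${pair%%=*}; want=${pair#*=}; have=$(php_ini_get "$1" "$name")
        if [ "$want" = "+" ]; then [ -n "$have" ] && status=OK || status=UNSET
        elif [ -z "$have" ]; then status=UNSET
        elif [ "$(php_norm "$have")" = "$(php_norm "$want")" ]; then status=OK
        else status=MISMATCH; fi
        printf '%-8s %s = "%s" (recommended %s)\n' "$status" "$name" "$have" "$want"
        [ "$status" = OK ] || rc=1
    done; return $rc
}
# Constructed sample php.ini (not from a real server) to demonstrate the audit.
SAMPLE=${TMPDIR:-/tmp}/php_ini_audit_sample.$$
cat > "$SAMPLE" <<'EOF'
display_errors = On      ; the later assignment below overrides this
display_errors = Off
allow_url_fopen = On
disable_functions = "exec,passthru,shell_exec,system"
session.cookie_httponly = 1
EOF
audit_php_ini "$SAMPLE" || echo "findings present in $SAMPLE"
```

For the sample file the audit reports display_errors, session.cookie_httponly and disable_functions as OK, allow_url_fopen as MISMATCH, and the remaining directives as UNSET.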
Additional documentation