WP Security Padlocks

What PHP functions to disable to secure your WordPress server


Why disable certain PHP functions

When securing a PHP server, it is critical to disable the functions that let an attacker execute external commands or scripts. PHP functions such as exec, system and shell_exec run external commands, which is a security risk: they could be called by a script that was uploaded to the server or by a WordPress plugin you just installed. Adding these functions to the disable_functions directive in your php.ini file prevents their misuse. Attackers are creative and will keep looking for a loophole to exploit. Where a site genuinely needs such functionality, consider replacing these calls with safer built-in alternatives or well-maintained libraries, so the feature keeps working without weakening security.

Important Note: blocking these functions may prevent some programs from doing their job, for example backup plugins. After making the change, check the logs or consult the plugin's support to make sure it has not caused any undesired side effects.

How to disable certain PHP functions?

disable_functions = curl_multi_exec, dbase_open, dbmopen, dl, eval, exec, fopen_with_path, fpassthru, highlight_file, passthru, pcntl_alarm, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifcontinued, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_open, shell_exec, show_source, system

disable_functions is a PHP_INI_SYSTEM directive, so the change must be made in the php.ini file: it cannot be set from a .htaccess file with php_admin_value or php_value, and ini_set() cannot change it at runtime. Note also that eval is a language construct rather than a function, so listing it has no effect, and fopen_with_path is not a PHP function; both entries are harmless but provide no protection.

Log in to your control panel and find where the PHP configuration values can be edited. To confirm the current setting, look for a PHP info page, or create a file named zzzz_info.php in the document root folder (called public_html, www, htdocs, httpsdocs or similar depending on the host) with the content below and open it in the browser. Look for the “disable_functions” row, which should look like the screenshot below. Delete the file as soon as you are done: phpinfo() reveals paths, versions and loaded modules that are useful to an attacker.

<?php phpinfo();
[Screenshot: phpinfo() output showing the disable_functions row]

If you are not using a control panel, for example on a plain VPS from DigitalOcean or Linode, you need to edit the appropriate php.ini yourself. With the Apache web server (PHP running as mod_php) the main PHP configuration file resides in the path below, where PHP_VER is the installed PHP version; if PHP runs through PHP-FPM instead, the file is under fpm/ rather than apache2/.

/etc/php/PHP_VER/apache2/php.ini

Before reloading, check that the web server configuration is still valid, just in case. Note that this only validates Apache's own configuration, not php.ini; confirm the PHP setting itself by checking phpinfo() again after the reload.

apachectl -t
Syntax OK

Reload the web server’s configuration:

service apache2 reload
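After the reload, the following script (an added example, not part of the original post) compares the running disable_functions value with the list above and reports anything that is still callable or missing from the active php.ini; it also prints which php.ini the web server actually read, which catches edits made to the wrong file. The file name zzzz_check.php is an assumption, chosen to mirror the zzzz_info.php step.

```php
<?php
// Added example (not from the original post). Save as e.g. zzzz_check.php
// in the document root, open it in the browser, then delete it: like
// phpinfo() it discloses server configuration.

// The same list as the php.ini line in this post.
$recommended = 'curl_multi_exec, dbase_open, dbmopen, dl, eval, exec, fopen_with_path, '
    . 'fpassthru, highlight_file, passthru, pcntl_alarm, pcntl_exec, pcntl_fork, '
    . 'pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, '
    . 'pcntl_signal_dispatch, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, '
    . 'pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifcontinued, '
    . 'pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, '
    . 'popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, '
    . 'posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, '
    . 'proc_open, shell_exec, show_source, system';

/** Split a disable_functions value into a set of lowercase names. */
function parseDisableList(string $value): array
{
    $names = preg_split('/[\s,]+/', strtolower($value), -1, PREG_SPLIT_NO_EMPTY);
    return array_fill_keys($names, true);
}

$wanted = parseDisableList($recommended);
$active = parseDisableList((string) ini_get('disable_functions'));

$stillCallable = [];  // function_exists() is false for a disabled function
$notInConfig   = [];  // wanted, but absent from the running php.ini value
foreach (array_keys($wanted) as $fn) {
    if (function_exists($fn)) {
        $stillCallable[] = $fn;
    }
    if (!isset($active[$fn])) {
        $notInConfig[] = $fn;
    }
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
// php_ini_loaded_file() shows which php.ini this SAPI read, which catches
// an edit made to the wrong file (e.g. cli/php.ini instead of apache2/).
echo "php.ini in use: ", php_ini_loaded_file() ?: '(none)', "\n";
echo "Still callable: ", implode(', ', $stillCallable) ?: 'none', "\n";
echo "Missing from disable_functions: ", implode(', ', $notInConfig) ?: 'none', "\n";
```

Running it with `php zzzz_check.php` on the command line checks the CLI php.ini, not the web server's, so open it through the browser to verify the Apache configuration. Because eval is a language construct, it never shows up as still callable; disable_functions cannot block it.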

