Why disable certain PHP functions
When securing a PHP server, it is important to disable the functions that let an attacker execute commands or scripts on the host. PHP functions such as exec, system and shell_exec run external commands, which is a security risk: they could be called by a script you uploaded or by a WordPress plugin you just installed. By adding these functions to the disable_functions list in your php.ini config file you prevent their misuse; attackers are creative and always look for a loophole to exploit. Additionally, consider replacing these functions with safer built-in alternatives or secure libraries so you keep the functionality without compromising security.
Important Note: blocking these functions may stop some programs, such as backup plugins, from doing their job. Make sure you check the logs or consult support if the change causes any undesired side effects.
How to disable certain PHP functions?
disable_functions = curl_multi_exec, dbase_open, dbmopen, dl, eval, exec, fopen_with_path, fpassthru, highlight_file, passthru, pcntl_alarm, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifcontinued, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_open, shell_exec, show_source, system
The change must be made in the php.ini file; it cannot be done with per-directory rules such as php_admin_value in an .htaccess file.
If you use a control panel, go to it and find where you can edit the PHP config values. Then look for a PHP info page, or create one yourself: in the document root folder (named public_html, www, htdocs, httpsdocs or similar) create a file named zzzz_info.php with the contents below and open it in the browser. Look for the disable_functions row; it should list the functions you added. Remove the file when you are done, since phpinfo() exposes your configuration.
<?php phpinfo();
If you are not using a control panel, e.g. on a DigitalOcean or Linode server, you need to edit the appropriate php.ini directly. With the Apache web server (mod_php) the main PHP config file resides in
/etc/php/PHP_VER/apache2/php.ini
Before reloading, check that the web server configuration is still valid, just in case:
apachectl -t
Syntax OK
Then reload the web server's configuration:
service apache2 reload
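As an added example (not from the original post), a small PHP script that checks, after the reload, which of the functions you intended to block the serving SAPI actually reports as disabled; the list of names is a constructed subset of the disable_functions line above and should be adjusted to your own php.ini.

```php
<?php
// Added verification script, not part of the original post. Place it in the
// document root next to zzzz_info.php, open it in the browser after the
// reload, and delete both files afterwards.

// Constructed subset of the disable_functions list above; adjust to taste.
$intended = [
    'exec', 'passthru', 'popen', 'proc_open', 'shell_exec', 'system',
    'pcntl_exec', 'show_source', 'highlight_file', 'eval',
];

// What this SAPI (Apache module, FPM, ...) actually loaded. The CLI reads a
// different php.ini, so run this through the web server, not `php -r`.
$effective = array_filter(array_map('trim',
    explode(',', (string) ini_get('disable_functions'))));

header('Content-Type: text/plain');
printf("SAPI: %s\nLoaded php.ini: %s\n\n", PHP_SAPI, php_ini_loaded_file() ?: '(none)');

$callable = 0;
foreach ($intended as $name) {
    if ($name === 'eval') {
        // eval is a language construct, not a function, so disable_functions
        // cannot block it; listing it there has no effect.
        $status = 'language construct, not affected by disable_functions';
    } elseif (function_exists($name)) {
        // function_exists() returns false for disabled functions, so a true
        // result means the function can still be called from PHP code.
        $status = 'STILL CALLABLE';
        $callable++;
    } elseif (in_array($name, $effective, true)) {
        $status = 'disabled';
    } else {
        $status = 'not defined in this build (extension not loaded?)';
    }
    printf("%-16s %s\n", $name, $status);
}
printf("\n%d of %d intended functions are still callable.\n", $callable, count($intended));
```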