A powerful language like PHP can give life and great functionality to your site but it can also destroy it. With this guide, we’ll help you disable some of the most dangerous PHP functions out there.
It will prevent most PHP shells from doing what they do best as well as protect you from poorly coded applications.
We do this for our clients as part of our Server hardening package.
Updating PHP’s configuration file
Find the location of your php.ini file
php -i | grep php.ini
Open that file and look for “disable_functions” and replace it with the following line
disable_functions = exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec
Now save the changes and restart apache
/etc/init.d/httpd restart
If you want to make sure that it’s working you can check with a php_info file or with
php -i | grep disable_functions
PHP Functions and Description
exec: Execute an external program
system: Execute an external program and display the output
passthru: Execute an external program and display raw output
readfile: Outputs a file
shell_exec: Execute command via shell and return the complete output as a string
escapeshellarg: Escape a string to be used as a shell argument
escapeshellcmd: Escape shell metacharacters
proc_open: Execute a command and open file pointers for input/output
proc_close: Close a process opened by proc_open() and return the exit code of that process
ini_alter: Alias of ini_set()
dl: Loads a PHP extension at runtime
popen: Opens process file pointer
parse_ini_file: Parse a configuration file
show_source: Alias of highlight_file()
curl_exec: Perform a cURL session
Cut your Kubernetes cloud bill with these 5 hacks for smarter scaling and resource tuning
PostgreSQL blends relational and NoSQL for modern app needs
Mutable vs immutable infra key perks drawbacks and Terraform hacks