A powerful language like PHP can give life and great functionality to your site, but it can also destroy it. This guide walks through disabling some of the most dangerous PHP functions: the ones that spawn processes or load code at runtime.
Doing so stops most PHP web shells from doing what they do best (running operating-system commands through the web server) and limits the damage a poorly coded application can do if it is compromised.
We do this for our clients as part of our Server hardening package.
Updating PHP’s configuration file
Find the php.ini file that the PHP your web server runs actually loads. For the command-line PHP this shows it:
php -i | grep php.ini
php --ini
Be aware that the command-line PHP and the web-server PHP (mod_php or PHP-FPM) often read different php.ini files (on Debian-style layouts, for example, /etc/php/<version>/cli/php.ini versus /etc/php/<version>/fpm/php.ini). The authoritative answer for the web server is the "Loaded Configuration File" line in a phpinfo() page served through it.
Open that file, look for the disable_functions directive (stock php.ini ships it empty, as "disable_functions =") and replace it with the following comma-separated list:
disable_functions = exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec
A few things to know before deploying this list. disable_functions can only be set in php.ini or the server configuration (httpd.conf, or php_admin_value[disable_functions] in a PHP-FPM pool), not from .htaccess or from ini_set(), and once set it cannot be undone by the running script. Review the list against the applications you host: escapeshellarg and escapeshellcmd only escape strings and are typically called defensively by code that then uses an exec-family function; readfile, curl_exec and parse_ini_file are used by many ordinary applications for file downloads, HTTP requests and configuration loading. ini_alter and show_source are aliases, so disabling them without also disabling ini_set and highlight_file leaves the originals callable. Finally, disable_functions is not a sandbox: eval and include are language constructs rather than functions and cannot be blocked by it, so this is one hardening layer, not a substitute for patching the application.
Now save the changes and restart the process that loads php.ini. With mod_php that is Apache:
/etc/init.d/httpd restart
On systemd hosts use "systemctl restart httpd" (or "apache2" on Debian/Ubuntu). If PHP runs under PHP-FPM, restart the php-fpm service instead, since in that setup the web server does not read php.ini itself.
If you want to make sure that it is working, check the disable_functions line in a phpinfo() page served by the web server, or for the command-line PHP:
php -i | grep disable_functions
Remember that the second command only reflects the CLI's php.ini; a phpinfo() page is the only check that tells you what the web server enforces.
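The steps above can be scripted so that the edit is idempotent and can be verified without a running PHP. The following is an added example, not code from the original article: it removes any existing disable_functions line (active or commented out) from a php.ini, appends the article's list as a single active directive, and provides a check that parses the file the same way PHP does (last occurrence wins, comma-separated). The php.ini path is an assumption passed on the command line; the function list is the article's own.

```shell
#!/bin/sh
# Added example, not from the original article: idempotently set the
# disable_functions directive in a php.ini file and check the result
# offline (no PHP binary needed). The php.ini path is an assumption.

# The article's list, unchanged. Tailor it to the applications you host.
HARDEN_LIST='exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec'

# Matches an active or commented-out directive line, e.g. the
# ";disable_functions =" placeholder that stock php.ini ships with.
DIRECTIVE_RE='^[[:space:]]*;?[[:space:]]*disable_functions[[:space:]]*='

# set_disable_functions INI_FILE LIST
# Removes every existing disable_functions line (active or commented) and
# appends one active line, so running it twice still leaves one directive.
# Writes to a temp file and renames it, which works with GNU and BSD sed.
set_disable_functions() {
    ini=$1
    list=$2
    tmp="$ini.tmp.$$"
    sed -E "/$DIRECTIVE_RE/d" "$ini" > "$tmp" || return 1
    printf 'disable_functions = %s\n' "$list" >> "$tmp"
    mv "$tmp" "$ini"
}

# get_disable_functions INI_FILE
# Prints the value of the last active (uncommented) directive; PHP uses
# the last occurrence when a directive is repeated.
get_disable_functions() {
    sed -nE 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# is_disabled INI_FILE FUNC
# Exit status 0 if FUNC is in the list. Entries are comma-separated and
# may carry surrounding whitespace after a hand edit.
is_disabled() {
    get_disable_functions "$1" | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -qx "$2"
}

# Usage: sh harden-php.sh --apply /path/to/php.ini
# Afterwards restart the SAPI (httpd or php-fpm) that reads that file.
if [ "${1:-}" = "--apply" ]; then
    set_disable_functions "${2:?php.ini path}" "$HARDEN_LIST"
    echo "disable_functions = $(get_disable_functions "$2")"
fi
```

Run it against every php.ini the host actually loads (CLI, mod_php and each PHP-FPM pool may have their own), then confirm through phpinfo() served by the web server rather than only through the CLI.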
PHP functions and descriptions
exec: Execute an external program
system: Execute an external program and display the output
passthru: Execute an external program and display raw output
readfile: Reads a file and writes its contents to the output
shell_exec: Execute command via shell and return the complete output as a string
escapeshellarg: Escape a string to be used as a shell argument
escapeshellcmd: Escape shell metacharacters
proc_open: Execute a command and open file pointers for input/output
proc_close: Close a process opened by proc_open() and return the exit code of that process
ini_alter: Alias of ini_set()
dl: Loads a PHP extension at runtime
popen: Opens a pipe to a process started by a shell command
parse_ini_file: Parse a configuration file
show_source: Alias of highlight_file()
curl_exec: Perform a cURL session