php recommend disable_functions
Hello,
Got a question about hardening php and figure I will ask it here since so many of us use it on our servers.
[url=http://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/]PHP.INI settings: Disable exec, shell_exec, system, popen and Other Functions To Improve Security[/url]
That article recommends setting these directives in php.ini:
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Is it likely that disabling these functions will have any effect on standard Drupal or WordPress installs? Do you recommend disabling any others? Or any other general hardening tips?
I use modsuphp, disabled shell access, latest version of php 5.3 & 5.4 (migrating all to 5.4), keep apache up-to-date, etc.
Thank you.
-
I have used this for disable_functions for a long time and never had any problems with WordPress or other common CMS software:
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,allow_url_fopen
The other ones you listed are probably OK to disable too. Other than that, make sure you have some form of cross-account symlink protection, even if it's just the patch in EA. 0 -
[quote="Venomous21, post: 1731242"]Or any other general hardening tips?[/quote]
Hello :) The "Security Advisor" option in WHM is a good place to start for tips on how to improve security on your server. Thank you. 0 -
quizknows, thank you. Is the allow_url_fopen needed in disable_functions if I have it set globally to Off already in php.ini? I am also already using the EA symlink patch and security advisor :) Thanks for the info! 0 -
It's probably not needed, but it also won't hurt anything. 0 -
If you have disabled allow_url_fopen in php.ini, then there is no need to add it to the list of disabled functions. 0
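An added example (not part of the thread or the linked article): a small Python audit of a php.ini file's text that reports which functions from the article's list are not yet disabled and flags entries such as allow_url_fopen, which is a php.ini directive rather than a function, so listing it in disable_functions has no effect. The sample php.ini content is constructed and the helper names are hypothetical.

```python
import re

# Function list quoted in the thread from the linked article.
ARTICLE_LIST = {
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "curl_exec", "curl_multi_exec", "parse_ini_file", "show_source",
}
# php.ini directives, not functions: naming them in disable_functions does nothing.
INI_DIRECTIVES = {"allow_url_fopen", "allow_url_include"}

# Constructed sample: the second list posted in the thread plus allow_url_fopen = Off.
SAMPLE_INI = """\
; constructed sample php.ini fragment
allow_url_fopen = Off
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,allow_url_fopen
"""

def read_directive(ini_text, name):
    """Return the value of the last uncommented `name = value` line, or None.
    Assumption: the last assignment in the file is the one in effect."""
    value = None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(rf"{re.escape(name)}\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
    return value

def audit(ini_text):
    """Compare disable_functions with the article's list and check allow_url_fopen."""
    raw = read_directive(ini_text, "disable_functions") or ""
    listed = {f.strip().lower() for f in raw.split(",") if f.strip()}
    # allow_url_fopen defaults to enabled when it is not set at all.
    url_fopen = (read_directive(ini_text, "allow_url_fopen") or "1").lower()
    return {
        "missing": sorted(ARTICLE_LIST - listed),
        "not_functions": sorted(listed & INI_DIRECTIVES),
        "allow_url_fopen_off": url_fopen in {"off", "0", "false", "no"},
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_INI).items():
        print(f"{key}: {value}")
```

To audit a real server, pass the contents of the php.ini reported by `php --ini` to `audit()`.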