Disable PHP insecure functions with disable_functions

When attacking vulnerable web sites, hackers use PHP functions that allow program execution or disk access to gain access to the server.

Some of the most commonly used functions are exec, shell_exec and system. These functions allow hackers to execute programs as the web server user. Most applications may not need these functions, so they can be safely disabled without affecting the functionality of your web site.

To disable insecure functions, create a php.ini file with the following content:

disable_functions = "exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source"
allow_url_fopen = Off
allow_url_include = Off

If you have a dedicated server or VPS, you can disable these functions server-wide by editing your server's php.ini.

Once the change is made, make sure it is working properly by checking the phpinfo page.
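
A scripted form of that check, as an added example that is not part of the original page: requested through the web server, it reports whether the three settings shown above are in effect and which php.ini was loaded. The file name check-hardening.php is an assumption.

```php
<?php
// check-hardening.php (assumed name): added example, not from the original page.
// Reports the effective values for the SAPI that serves this request, which can
// differ from what the command-line php binary loads.

// Functions listed in the page's disable_functions line.
$expected = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open',
             'popen', 'parse_ini_file', 'show_source'];

// Effective list as PHP parsed it; tolerate spaces and an empty value.
$disabled = array_filter(array_map('trim',
    explode(',', (string) ini_get('disable_functions'))));

$problems = [];
foreach (array_diff($expected, $disabled) as $fn) {
    $problems[] = "$fn is not listed in disable_functions";
}

// Boolean directives read back as "", "0" or "1"; normalise before testing.
foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
    if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = "$key is still On";
    }
}

// Send headers before any output so the status code can be used by monitoring.
header('Content-Type: text/plain');
if ($problems !== []) {
    http_response_code(500);
}

// Shows which php.ini was actually read, in case the new file was ignored.
$loaded = php_ini_loaded_file();
echo 'Loaded php.ini: ', ($loaded !== false ? $loaded : '(none)'), "\n";

if ($problems === []) {
    echo "OK: all settings from the page are in effect\n";
} else {
    echo "NOT APPLIED:\n - ", implode("\n - ", $problems), "\n";
}
```

Delete the script once the check passes; like a phpinfo page, it discloses server configuration.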
