Overview
This document recommends changes to the settings of your server's php.ini
file to help secure your server.
- On systems that run EasyApache 3, the /usr/local/lib/ directory contains your server's php.ini file.
- On systems that run EasyApache 4, multiple php.ini files manage your system's PHP. Each version of PHP on your system uses its own php.ini file. You must make changes to each file separately.
Warnings:
- These settings do not function as effective security controls when you use them alone, because an attacker can bypass most of these hardening measures.
- On systems that run EasyApache 3, we strongly recommend that you only edit this file with WHM's PHP Configuration Editor interface (WHM >> Home >> Service Configuration >> PHP Configuration Editor).
- On systems that run EasyApache 4, we strongly recommend that you only edit these files with WHM's MultiPHP INI Editor interface (WHM >> Home >> Software >> MultiPHP INI Editor). This ensures that an operable version of PHP exists on the system.
Checklist
Directive | Description | Recommended value
--- | --- | ---
safe_mode | The safe mode directive attempts to solve many of the problems that occur when you use PHP in a shared hosting environment. It compares the PHP script's UID (user ID) with the UID of the files that the script accesses. Warning: PHP 5.3.0 deprecated this directive and PHP 5.4.0 removed it. | On
disable_functions | This directive accepts a comma-separated list of PHP functions to disable. You may wish to disable most or all of the PHP functions that allow the system to execute subprocesses, because subprocesses run outside of PHP's other security restrictions. You should also establish standards for which functions your users may use for shell operations. | A comma-separated list of functions to disable.
register_globals | When you enable the register_globals directive, PHP registers the contents of request variables as global variables in your scripts. Warning: PHP 5.3.0 deprecated this directive and PHP 5.4.0 removed it. | Off
display_errors | Disable this directive to deny PHP the ability to print run-time errors to the HTML pages that it generates. When you disable this directive, PHP can still print errors to the appropriate error logs. | Off
allow_url_fopen | Disable this directive to deny attackers the ability to open remote files from your server through file inclusion vulnerabilities. | Off
allow_url_include | Disable this directive to deny attackers the ability to include remote files from your server through file inclusion vulnerabilities. | Off
file_uploads | If possible, we recommend that you turn off file uploads, which denies attackers the ability to move their scripts on to and off of your server. | Off
open_basedir | This directive allows you to limit file operations to a specific directory. Attackers often attempt to find ways to include local files in PHP scripts to gain information about your server's filesystem. | ~/public_html
session.cookie_httponly | Set this value to 1 so that client-side scripts cannot read the session cookie. Important: If your users access PHP session cookies through JavaScript, this directive may break that functionality. Note: If your system runs EasyApache 4, change this directive in the Editor Mode section of WHM's MultiPHP INI Editor interface (WHM >> Home >> Software >> MultiPHP INI Editor). | 1
session.referer_check | This directive allows PHP to check HTTP referrer values. It allows you to specify a domain, which ensures that session information only passes internally while a user works with a web application. This ensures that your users do not accidentally expose session information that would allow malicious users to follow links and steal a session. Warning: Do not rely on this security measure alone. It is trivial to send false referrer information. Note: If your system runs EasyApache 4, change this directive in the Editor Mode section of WHM's MultiPHP INI Editor interface (WHM >> Home >> Software >> MultiPHP INI Editor). | On
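To check a php.ini file against the checklist above, the following added example (not part of this document or of cPanel's own tooling) parses a php.ini file and reports each directive that diverges from the recommended values. The two embedded php.ini texts are constructed samples, the directory and domain in the hardened sample are hypothetical, and the list of subprocess-spawning functions is the editor's own baseline, since the checklist does not enumerate them. Run it once per php.ini file on an EasyApache 4 system, because each PHP version has its own file.

```python
"""Audit a php.ini file against the hardening checklist (added example)."""
import re

# Constructed sample files; neither is a real server's php.ini.
WEAK_PHP_INI = """\
[PHP]
; weak settings, for demonstration
display_errors = On
allow_url_fopen = On
allow_url_include = Off
file_uploads = On
disable_functions = "exec,system"
open_basedir =
session.cookie_httponly = 0
session.referer_check =
"""

HARDENED_PHP_INI = """\
[PHP]
display_errors = Off
allow_url_fopen = Off
allow_url_include = Off
file_uploads = Off
disable_functions = exec,passthru,popen,proc_open,shell_exec,system
open_basedir = /home/example/public_html   ; hypothetical path
session.cookie_httponly = 1
session.referer_check = example.com        ; hypothetical domain
"""

# PHP functions that spawn subprocesses. The checklist does not list them;
# this baseline is the editor's choice, so extend it to fit your policy.
SUBPROCESS_FUNCTIONS = ("exec", "passthru", "popen", "proc_open", "shell_exec", "system")

MUST_BE_OFF = ("display_errors", "allow_url_fopen", "allow_url_include", "file_uploads")
REMOVED_IN_54 = ("safe_mode", "register_globals")

DIRECTIVE_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(.*?)\s*$")


def parse_php_ini(text):
    """Map directive -> value. Skips [sections] and ; comments, strips quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if value.startswith('"'):            # quoted value: keep up to the closing quote
            value = value[1:].split('"', 1)[0]
        else:                                # unquoted: drop any trailing ; comment
            value = value.split(";", 1)[0].strip()
        settings[key] = value
    return settings


def is_off(value):
    """PHP treats these spellings as boolean false in php.ini."""
    return value.strip().lower() in {"", "0", "off", "false", "no", "none"}


def audit(settings):
    """Return {directive: problem} for every checklist item the file fails."""
    findings = {}
    for name in MUST_BE_OFF:
        if name not in settings:
            findings[name] = "not set; PHP's built-in default applies"
        elif not is_off(settings[name]):
            findings[name] = "should be Off, is %r" % settings[name]

    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    still_enabled = sorted(set(SUBPROCESS_FUNCTIONS) - disabled)
    if still_enabled:
        findings["disable_functions"] = "does not disable: " + ", ".join(still_enabled)

    if is_off(settings.get("open_basedir", "")):
        findings["open_basedir"] = "empty; file operations are not confined to a directory"

    if is_off(settings.get("session.cookie_httponly", "")):
        findings["session.cookie_httponly"] = "should be 1 so JavaScript cannot read the session cookie"

    # The checklist says On; PHP matches this value as a substring of the
    # Referer header, so the check is active whenever the value is non-empty.
    if not settings.get("session.referer_check", "").strip():
        findings["session.referer_check"] = "empty; referrer check is disabled"

    for name in REMOVED_IN_54:
        if name in settings:
            findings[name] = "present, but PHP 5.4 removed this directive, so it has no effect"
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        problems = audit(parse_php_ini(ini))
        print("%s: %d finding(s)" % (label, len(problems)))
        for directive, problem in sorted(problems.items()):
            print("  %-24s %s" % (directive, problem))
```

A directive that is absent from the file is reported as a finding rather than assumed safe, because PHP then falls back to its built-in default, which for allow_url_fopen and file_uploads is the permissive setting. The safe_mode and register_globals checks exist only to flag stale lines: on PHP 5.4 and later these directives are ignored, so their presence in a file gives no protection.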
Additional documentation