Editing Your php.ini File

Your server's php.ini file is located at /usr/local/lib/php.ini. However, we strongly recommend using WHM's PHP Configuration Editor feature (Main >> Service Configuration >> PHP Configuration Editor) to edit PHP's configuration file.

You must access the Advanced Configuration Editor to change many of the settings listed below.

Checklist

Parameter / Description / Value
safe_mode
Safe mode attempts to solve many of the problems associated with using PHP in a shared hosting environment.
It checks the user ID (UID) of the PHP script and the files and directories it attempts to access. If the UIDs do not match, the script will not be allowed to access the requested file or directory.
Note: This feature is deprecated as of PHP 5.3.0.
On
disable_functions
This parameter takes a comma-separated list of PHP functions that you wish to disable. You will likely want to disable most or all of the PHP functions that can execute code remotely. You should also take the time to talk to your developers and have them standardize on a particular function for shell operations.
A comma-separated list of functions to disable.
register_globals
When register_globals is enabled, attackers may be able to override configuration variables via the URL.
Off
display_errors
Disabling this option prevents PHP from printing run-time errors to the HTML pages that it generates. With this option disabled, PHP still prints errors to the appropriate error logs.
Off
allow_url_fopen
Disabling this option prevents attackers from opening remote files from your server via file inclusion vulnerabilities.
Off
allow_url_include
Disabling this option prevents attackers from including remote files from your server via file inclusion vulnerabilities.
Off
file_uploads
If possible, we recommend turning off file uploads. This will prevent attackers from moving their scripts onto and off of your server. However, many times it is not possible to disable file uploads.
Off
open_basedir
This parameter allows you to limit file operations to a specific directory. Attackers will often attempt to find ways to include local files in PHP scripts to gain information about your server's filesystem.
Note: This setting only affects servers using mod_php.
~/public_html
session.cookie_httponly
Setting this value to 1 prevents JavaScript from accessing PHP session cookies. This can help prevent attackers from stealing session cookies. However, you may be unable to use this directive if your users utilize PHP session cookies via JavaScript.
1
session.referer_check
This parameter allows PHP to check HTTP referrer values. You can specify a domain, which ensures that session information is only passed internally while a user is working with a web application. This prevents your users from accidentally exposing session information through links that malicious users could follow to steal a session.
example.com
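
The checklist above can be checked mechanically. The following is an added example, not part of the original cPanel documentation: a small Python audit that parses php.ini text and reports every directive that deviates from the checklist values. The names parse_ini and audit, the sample file, and its disable_functions list are constructed for illustration; a directive that is absent is reported as a finding, on the assumption that PHP's built-in default may not match the checklist.

```python
# True = On, False = Off, as recommended in the checklist above.
BOOLEAN_CHECKS = {
    "safe_mode": True, "register_globals": False, "display_errors": False,
    "allow_url_fopen": False, "allow_url_include": False,
    "file_uploads": False, "session.cookie_httponly": True,
}
# Directives the checklist wants set to a site-specific, non-empty value.
NONEMPTY_CHECKS = ("disable_functions", "open_basedir", "session.referer_check")
BOOL_WORDS = {**dict.fromkeys(("1", "on", "true", "yes"), True),
              **dict.fromkeys(("0", "off", "false", "no", "none", ""), False)}

def parse_ini(text):  # returns {directive: value}; a later assignment wins
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if not sep or name.startswith((";", "[")):
            continue  # blank line, comment or section header
        value = value.strip()
        if value.startswith('"'):  # quoted: keep text up to the closing quote
            value = value[1:].split('"', 1)[0]
        else:  # unquoted: drop an inline ; comment
            value = value.split(";", 1)[0].strip()
        settings[name.strip()] = value
    return settings

def audit(text):  # returns [(directive, problem)]; an empty list means compliant
    settings, findings = parse_ini(text), []
    for name, want_on in BOOLEAN_CHECKS.items():
        word = settings.get(name)  # None when the directive is absent
        state = None if word is None else BOOL_WORDS.get(word.lower())
        if state is not want_on:  # wrong, unrecognised or missing
            findings.append((name, "is %r, checklist says %s"
                             % (word, "On" if want_on else "Off")))
    findings += [(n, "empty or not set")
                 for n in NONEMPTY_CHECKS if not settings.get(n)]
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE_INI = """\
safe_mode = On
register_globals = Off
display_errors = On        ; left on from development
allow_url_fopen = Off
allow_url_include = 0
file_uploads = Off
disable_functions = "exec,passthru,shell_exec,system"
open_basedir =
session.cookie_httponly = 1
"""
```

Calling audit() on the contents of /usr/local/lib/php.ini returns the directives to review in the PHP Configuration Editor; for the sample above it flags display_errors, open_basedir and session.referer_check.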

Topic revision: r7 - 19 Nov 2010 - 17:09:23 - Main.JustinSchaefer
AllDocumentation/WHMDocs.PhpIni moved from Sandbox.PhpIni on 13 Oct 2010 - 18:40 by Main.JustinSchaefer