Edit Your php.ini File

Overview

Your server's php.ini file is located in the /usr/local/lib/ directory (run php --ini to confirm which file the interpreter actually loads). To harden PHP on your server, we recommend the settings in the checklist below.

Warning: While these settings harden the security of your server, they are not effective security controls when used alone. It is possible to bypass most hardening measures.

Important: Although you can make changes to this file directly, we strongly recommend that you use WHM's PHP Configuration Editor feature (Main >> Service Configuration >> PHP Configuration Editor) to edit the PHP configuration file. For more information, read the PHP Configuration Editor documentation.

Checklist

Each entry lists the parameter, its recommended value and a description.

safe_mode
    Recommended value: On (PHP 5.3 and earlier only)
    Safe mode attempts to solve many of the problems associated with running PHP in a shared hosting environment. It compares the owner (UID) of the running PHP script with the owner of each file or directory the script tries to access, and refuses the access when the UIDs do not match.
    Important: This feature was deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0. PHP 5.4 and later ignore the directive and log a startup warning that it is no longer available, so remove it from php.ini on those versions.

disable_functions
    Recommended value: a comma-separated list of functions to disable, for example exec,passthru,shell_exec,system,proc_open,popen
    This parameter takes a comma-separated list of PHP functions that you wish to disable. Disable most or all of the functions that spawn subprocesses, because a subprocess runs outside PHP's own restrictions (open_basedir, for instance, does not apply to it). If some sites legitimately need shell access, decide which functions they may use and disable the rest. This directive can only be set in php.ini; it cannot be changed from a script or an .htaccess file.

register_globals
    Recommended value: Off
    When register_globals is enabled, PHP turns every request parameter (GET, POST and cookie values) into a global variable, so an attacker can set or override a script's variables, including configuration variables, through the URL.
    Important: This feature was deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0. PHP 5.4 and later ignore the directive and log a startup warning that it is no longer available, so remove it from php.ini on those versions.

display_errors
    Recommended value: Off
    Disable this option so that PHP does not print run-time errors into the HTML pages it generates; error messages reveal file paths, query fragments and other details that are useful to an attacker. With display_errors off, PHP still writes errors to the error log as long as log_errors is On.

allow_url_fopen
    Recommended value: Off
    Disable this option so that PHP's file functions (fopen, file_get_contents and the like) cannot open remote URLs. An attacker who finds a file inclusion vulnerability then cannot make your server fetch a file from a host they control. Turning this off also breaks legitimate code that fetches URLs through these functions, so check the sites on the server first.

allow_url_include
    Recommended value: Off
    Disable this option so that include, include_once, require and require_once cannot load code from a remote URL. This is the setting that turns a file inclusion bug into remote code execution, so keep it Off even on servers where allow_url_fopen must stay On.

file_uploads
    Recommended value: Off
    If possible, turn off file uploads. This denies attackers the ability to upload their scripts to your server through a vulnerable upload form. It also disables legitimate uploads (for example media uploads in a content management system), so confirm that no site on the server needs them.

open_basedir
    Recommended value: ~/public_html (each account's own document root)
    This parameter limits PHP's file operations to the listed directory trees; separate several paths with a colon. Attackers often try to make a PHP script include or read local files to learn about your server's filesystem; with open_basedir set, access outside the allowed trees fails.
    Note: This setting only affects servers that use mod_php.

session.cookie_httponly
    Recommended value: 1
    Set this value to 1 so that the PHP session cookie carries the HttpOnly flag, which denies JavaScript access to it and so helps prevent session cookie theft through cross-site scripting. You cannot use this directive if your application's JavaScript needs to read the PHP session cookie.

session.referer_check
    Recommended value: example.com (your own domain)
    This parameter holds a substring that PHP looks for in the Referer header of each request that carries a session ID; if the client sends a Referer that does not contain the substring, PHP treats the session ID as invalid. This helps ensure that a session is only used while the user is working within your web application, so that a session ID leaked in a link followed from another site cannot simply be reused.
    Warning: Do not rely on this security measure alone. It is trivial to forge or omit the Referer header.
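As an added example (not part of this WHM documentation or of cPanel's tooling), the POSIX sh script below audits a php.ini file against the checklist above: it parses the file with awk, checks each directive for its recommended value, and prints one verdict per item. The two php.ini fragments it creates are constructed sample data; the open_basedir path /home/example/public_html and the domain example.com are hypothetical. Because the script reads the file rather than asking the interpreter, it reports what the file says, not what the running SAPI loaded, so confirm the file in use with php --ini first.

```shell
#!/bin/sh
# Added example, not cPanel/WHM code: audit a php.ini against the checklist.

# ini_value FILE KEY: print the active value of KEY (last assignment wins,
# comments and surrounding quotes stripped), or nothing if it is unset/empty.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                       # whole-line comment
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)              # trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (substr(v, 1, 1) == "\"") v = substr(v, 2)
            if (substr(v, length(v), 1) == "\"") v = substr(v, 1, length(v) - 1)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# is_off VALUE: true if VALUE is one of the spellings PHP reads as boolean false.
is_off() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        0|off|false|no|none|"") return 0 ;;
        *) return 1 ;;
    esac
}

# check_off FILE KEY DEFAULT_ON: pass when KEY is Off. An unset key passes only
# when PHP's built-in default for it is already Off (DEFAULT_ON = no).
check_off() {
    v=$(ini_value "$1" "$2")
    if [ -z "$v" ]; then
        if [ "$3" = yes ]; then echo "FAIL $2 not set (built-in default is On)"; return 1; fi
        echo "OK   $2 not set (built-in default is Off)"; return 0
    fi
    if is_off "$v"; then echo "OK   $2 = $v"; return 0; fi
    echo "FAIL $2 = $v (expected Off)"; return 1
}

# audit_ini FILE: one verdict per checklist item; exit status 0 only if nothing failed.
audit_ini() {
    f=$1; fails=0
    for spec in display_errors:yes allow_url_fopen:yes file_uploads:yes \
                allow_url_include:no register_globals:no; do
        check_off "$f" "${spec%:*}" "${spec#*:}" || fails=$((fails + 1))
    done
    # disable_functions must at least cover the process-spawning functions
    df=$(ini_value "$f" disable_functions | tr -d ' ')
    for fn in exec passthru shell_exec system proc_open popen; do
        case ",$df," in
            *",$fn,"*) ;;
            *) echo "FAIL disable_functions does not list $fn"; fails=$((fails + 1)) ;;
        esac
    done
    ob=$(ini_value "$f" open_basedir)
    if [ -n "$ob" ]; then echo "OK   open_basedir = $ob"
    else echo "FAIL open_basedir not set"; fails=$((fails + 1)); fi
    ho=$(ini_value "$f" session.cookie_httponly)
    if [ -n "$ho" ] && ! is_off "$ho"; then echo "OK   session.cookie_httponly = $ho"
    else echo "FAIL session.cookie_httponly not enabled"; fails=$((fails + 1)); fi
    # referer_check is advisory (the header is trivially forged): report, do not fail
    rc=$(ini_value "$f" session.referer_check)
    if [ -n "$rc" ]; then echo "INFO session.referer_check = $rc"
    else echo "INFO session.referer_check not set"; fi
    [ "$fails" -eq 0 ]
}

# Two constructed php.ini fragments (sample data, not from any real server).
WEAK_INI=$(mktemp); HARD_INI=$(mktemp)
cat >"$WEAK_INI" <<'EOF'
; typical out-of-the-box values
display_errors = On
allow_url_fopen = On
file_uploads = On
disable_functions =
session.cookie_httponly = 0
EOF
cat >"$HARD_INI" <<'EOF'
; the checklist applied; path and domain are hypothetical
display_errors = Off
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
file_uploads = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
open_basedir = "/home/example/public_html:/tmp"   ; colon-separated allowed trees
session.cookie_httponly = 1
session.referer_check = example.com
EOF

echo "== weak =="; audit_ini "$WEAK_INI"
echo "== hardened =="; audit_ini "$HARD_INI" && echo "all checks passed"
```

Run it as sh audit.sh; the weak fragment produces a FAIL line for every checklist item except the two directives whose built-in default is already Off, and the hardened fragment passes. To audit a real file, call audit_ini /usr/local/lib/php.ini instead of the sample. Note that an unset display_errors, allow_url_fopen or file_uploads is reported as a failure on purpose: PHP's built-in default for those three is On, so a php.ini that simply omits them is not hardened.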

Topic revision: r8 - 11 Nov 2013 - 21:54:07 - Main.SarahHaney
AllDocumentation/WHMDocs.PhpIni moved from Sandbox.PhpIni on 13 Oct 2010 - 18:40 by Main.JustinSchaefer - put it back