How to Disable Dangerous PHP functions – cPanel PHP hardening
After PHP installation, all PHP functions are enabled on the server by default. Attackers who gain a foothold in a website (for example through a vulnerable plugin) can call these functions to run commands on the server, so you should restrict a few of them. There are many PHP functions that should be disabled server-wide (disabled for all cPanel accounts on the server) by editing the PHP configuration file.
Allowing PHP functions like system and exec server-wide is very dangerous, because a compromised site can use them to execute arbitrary operating system commands on the server.
You can create a custom php.ini for a customer and enable these functions only for that account if the customer requests it. Follow the steps below to disable the dangerous PHP functions on a cPanel server.
You must have server root access to disable the functions server-wide.
1. Log into your server via SSH as the ‘root’ user
2. Find the main PHP configuration file on the server
Run the below command to find the php.ini configuration file on your server
Command : php --ini
OR
Command : php -i | grep php.ini
In the output below you can see that the PHP configuration file on my server is /opt/cpanel/ea-php56/root/etc/php.ini
Loaded Configuration File => /opt/cpanel/ea-php56/root/etc/php.ini
The php.ini file path might be different on your server, so edit accordingly. On EasyApache 3 servers the php.ini file is /usr/local/lib/php.ini
3. First take a backup of the php.ini file before editing it
You should always take a backup before editing any file on a Linux server.
Command to take backup : cp -a /opt/cpanel/ea-php56/root/etc/php.ini /opt/cpanel/ea-php56/root/etc/php.ini.original
4. Open the php.ini file using the vi editor and search for the line “disable_functions”
By default the “disable_functions =” line will be empty and you must add all the PHP functions to this line, separated by commas.
vi /opt/cpanel/ea-php56/root/etc/php.ini
Change the line disable_functions =
To
disable_functions=exec,system,shell_exec,passthru,curl_multi_exec,show_source,eval,proc_open,popen,curl_exec,proc_close
Save the php.ini file and exit
5. You must restart the web server after doing the above steps
Command to restart Apache :
service httpd restart
OR
/etc/init.d/httpd restart
On Debian/Ubuntu servers you must restart the “apache2” service after editing php.ini
Create a phpinfo file under any domain on the server and check the disable_functions value to confirm that the above functions are disabled. Remove the phpinfo file once you have checked, since it exposes server configuration details.
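Besides the phpinfo check, the disable_functions directive can be audited directly from the shell. The script below is an added example, not part of the original post: it reads a php.ini, ignores commented-out lines, and reports which of the functions from the list above are still missing from the directive. The sample php.ini it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini for the
# disable_functions hardening described above and report what is missing.

# Functions we expect to see disabled. 'eval' from the list above is a
# language construct, not a function, so PHP ignores it in disable_functions
# and it is deliberately left out here.
REQUIRED="exec system shell_exec passthru curl_multi_exec show_source proc_open popen curl_exec proc_close"

# Print the effective disable_functions value from the php.ini given as $1.
# Lines starting with ';' are comments and do not match; if the directive
# appears more than once the last one wins, as PHP does. Spaces, tabs,
# quotes and CR are stripped so "exec, system" compares as exec,system.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d ' \t"\r'
}

# Print each REQUIRED name that is absent from the directive, one per line.
# Wrapping the value in commas lets the case pattern match whole names only.
missing_functions() {
    current=",$(disabled_functions "$1"),"
    for fn in $REQUIRED; do
        case "$current" in
            *",$fn,"*) ;;
            *) printf '%s\n' "$fn" ;;
        esac
    done
}

# Constructed sample php.ini: one commented-out directive that must be
# ignored, and a live directive that left three functions enabled.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
; disable_functions = exec,system
disable_functions = exec, system,shell_exec,passthru,proc_open,popen,curl_exec
EOF

echo "Still enabled in $SAMPLE_INI:"
missing_functions "$SAMPLE_INI"
rm -f "$SAMPLE_INI"
```

Point the script at the file reported by `php --ini` to audit the live configuration; remember that a per-account php.ini can override the server-wide value, so audit those as well.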
Steps to disable dangerous PHP functions from WHM (EasyApache 3 server)
1. Log into WHM using the server root password
Link to access WHM : https://YourServerIP:2087
Username : root
Password : Enter server root password
2. Search for “PHP Configuration Editor” in the WHM search bar
3. Click on “PHP Configuration Editor” under “Service Configuration”
Home » Service Configuration » PHP Configuration Editor
4. Select the “Advanced Mode” radio button
5. Scroll down and paste the PHP functions into the disable_functions field
6. Scroll down to the end of the page and click “Save”
Steps to disable dangerous PHP functions from WHM on EasyApache 4
1. Log in to WHM
2. Search for “MultiPHP INI Editor” in the WHM search bar
3. Click on “MultiPHP INI Editor” under “Software”
Home » Software » MultiPHP INI Editor
4. Click on “Editor Mode”
5. Select the PHP version from the drop-down
6. Add the disable_functions line and save it in the MultiPHP INI Editor
7. Do the same for the other PHP versions on the server
In the MultiPHP INI Editor, select the next PHP version from the drop-down and add the PHP ‘disable_functions’ line. Each PHP version has its own php.ini, so a version you skip stays unhardened.
8. Restart the web service : service httpd restart