How to Disable Dangerous PHP functions – cPanel PHP hardening

 
After PHP installation, by default all the PHP functions will be enabled on the server. Hackers might use these PHP functions to hack the websites on your server so you must restrict few PHP functions on the server. There are many PHP functions that should be disabled server wide (Disabled for for all cPanel Accounts on the server) by editing the PHP configuration file.
Allowing PHP functions like system, exec etc server-wide is very dangerous because hackers might use system, exec php functions to execute commands on the server.

You can create a custom php.ini for the customer and enable these functions if the customer request to enable it for his account. Do the below steps to disable all the dangerous PHP functions on a cPanel server.

You have have server root access to disable the functions server-wide.

1. Log into your server via SSH as ‘root’ user

2. Find the main PHP configuration file on the server

Run the below command to find the php.ini configuration file on your server

Command : php --ini

OR

Command : php -i | grep php.ini
 

 
In the above image you can see that PHP configuration file on my server is /opt/cpanel/ea-php56/root/etc/php.ini

Loaded Configuration File => /opt/cpanel/ea-php56/root/etc/php.ini

php.ini file path might be different on your server so edit accordingly. On easyapache 3 servers php.ini file is /usr/local/lib/php.ini

3. First take a backup of the php.ini file before editing it

You should always take backup before editing any files on linux server.

Command to take backup : cp -a /opt/cpanel/ea-php56/root/etc/php.ini /opt/cpanel/ea-php56/root/etc/php.ini.original

4. Open php.ini file using vi editor and search for the line “disable_functions”
 

 
By default “disable_functions =” line will be empty and you must add all the PHP functions in this line separated by comma.

vi /opt/cpanel/ea-php56/root/etc/php.ini

Change the line disable_functions =

To

disable_functions=exec,system,shell_exec,passthru,curl_multi_exec,show_source,eval,proc_open,popen,curl_exec,proc_close

Save the php.ini file and exit

5. You must restart the webserver on the server after doing the above steps

Command to restart apache :

service httpd restart

OR

/etc/init.d/httpd restart

On Debian/Ubuntu servers you must restart “apache2” service after editing php.ini

Create a phpinfo file under any domain on the server to check whether the above functions are disabled.
 

Steps to disable dangerous PHP functions from WHM (Easyapache 3 Server)

---

 
1. Log into WHM using server root password

Link to access WHM : https://YourServerIP:2087
Username : root
Password : Enter server root password

2. Search for “PHP Configuration Editor” in WHM Search bar

3. Click on “PHP Configuration Editor” under “Service Configuration”

Home » Service Configuration » PHP Configuration Editor
 

 
4. Select “Advanced Mode” radio button
 

 
5. Scroll down and paste the PHP functions in the disable_functions field
 

 
6. Scroll down to end of the page and click on “Save”
 

---

Steps to disable dangerous PHP functions from WHM on EasyApache 4

 
1. Log in to WHM

2. Search for “MultiPHP INI Editor” in WHM search bar
 

 
3. Click on “MultiPHP INI Editor” editor under “Software”

Home » Software » MultiPHP INI Editor

4. Click on “Editor Mode”

5. Select the PHP version from the drop down
 

 
6. Add the disable_function line and save MultiPHP INI Editor
 

 
7. Do the same for other PHP versions on the server

In MultiPHP INI Editor, select the next PHP version from the dropdown and add PHP ‘disable_function’.

8. Restart the web service : service httpd restart