PHP has a lot of dangerous functions that can be used to hack your server if used maliciously. These functions include exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source. For maximum security, you’ll want to disable all of these functions in your php.ini file so that none of your clients/users can use them on your server. You can do this by using the disable_functions directive.

disable_functions takes a comma delimited list of functions and prevents these functions from being executed by PHP scripts. disable_functions is not affected by Safe Mode either. Follow the instructions below to improve your PHP security.

How To Improve PHP Security by Disabling Functions

  1. Edit your php.ini file (location of your php.ini file may be different)

    # vim /etc/php.ini

  2. Scroll down or search for the disable_functions directive (or go to the end of the file and add a new line)

  3. It should look like this:

     disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

  4. Restart your webserver

    # service httpd restart
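The steps above can be scripted so the change is idempotent and verifiable. The following POSIX shell example is an addition to this page, not code from the original post: `apply_disable_functions` rewrites (or appends) the `disable_functions` line in a given php.ini, and `still_enabled` reports which functions from a list are not yet covered by the effective directive. The sample php.ini fragment it runs against is constructed for the demo; the file path and the function list are the ones from the text.

```shell
#!/bin/sh
# Added example (not part of the original post): manage the disable_functions
# directive in a php.ini and check which dangerous functions remain enabled.

# The list recommended in the post above.
DANGEROUS="exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"

# apply_disable_functions INI FUNCS
# Replaces an existing disable_functions line (commented out or not) with FUNCS,
# or appends one if the file has none. Written via a temp file, so no sed -i.
apply_disable_functions() {
    ini="$1"; funcs="$2"
    if grep -Eq '^[[:space:]]*;?[[:space:]]*disable_functions[[:space:]]*=' "$ini"; then
        tmp="$ini.tmp"
        sed -E "s|^[[:space:]]*;?[[:space:]]*disable_functions[[:space:]]*=.*|disable_functions = $funcs|" "$ini" > "$tmp" \
            && mv "$tmp" "$ini"
    else
        printf '\ndisable_functions = %s\n' "$funcs" >> "$ini"
    fi
}

# still_enabled INI FUNCS
# Prints the comma-separated subset of FUNCS that the effective (last, uncommented)
# disable_functions line in INI does not list. Empty output means all are disabled.
still_enabled() {
    ini="$1"; funcs="$2"
    current=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//' | tr -d ' ')
    missing=""
    for f in $(printf '%s' "$funcs" | tr ',' ' '); do
        case ",$current," in
            *",$f,"*) ;;                                   # already disabled
            *) missing="${missing:+$missing,}$f" ;;        # still callable
        esac
    done
    printf '%s' "$missing"
}

# Demo on a constructed php.ini fragment (php.ini-production ships an empty
# "disable_functions =" line, which is what we start from here).
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
[PHP]
; constructed sample, not a real server's php.ini
expose_php = Off
disable_functions =
EOF
echo "before: still enabled -> $(still_enabled "$demo_ini" "$DANGEROUS")"
apply_disable_functions "$demo_ini" "$DANGEROUS"
echo "after:  still enabled -> [$(still_enabled "$demo_ini" "$DANGEROUS")]"
grep '^disable_functions' "$demo_ini"
rm -f "$demo_ini"
```

Point the functions at the real file (`/etc/php.ini` in the post) and restart the web server afterwards; if PHP runs under php-fpm rather than as an Apache module, the php-fpm service is the one that has to be restarted for the new php.ini to take effect. Running `still_enabled` again after the restart, against the php.ini the running PHP actually loads, is the check that the directive landed where you think it did.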

That’s it. No one will be able to use these functions on your server now. When a script attempts to call one of these functions, it will see a warning instead:

Warning: exec() has been disabled for security reasons in ...