PHP is one of the most powerful languages used on the web. Through its shell execution functions, PHP code can reach well beyond the web application and, in some cases, control the whole server. Several PHP functions are considered dangerous: they let an attacker run external system commands, which can damage the system or give the attacker control of your website or web server. It is therefore highly recommended to disable these dangerous functions to protect the server and website from misuse.
Disable Dangerous Functions via WHM/cPanel
1. Log in to your WHM account and click on PHP Configuration Editor.
2. Open PHP Configuration Editor in Advanced mode.
3. Search for “disable_functions”.
4. Add the functions you want to disable.
Suggested functions to disable:
apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode
Disable Dangerous Functions via SSH
1. Log in to your server through an SSH client.
2. Locate the php.ini file.
3. Open php.ini, find the disable_functions directive, and add the list of functions to disable (given above) to it.
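After editing php.ini over SSH, it is worth confirming that the directive actually took the form you intended. The script below is an added example, not part of the original article: it reads a php.ini file and prints every function from a required list that is still missing from disable_functions. The function names effective_disabled and missing_disabled and the sample php.ini are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a php.ini for functions missing from disable_functions.

# Print the effective disable_functions value of a php.ini file.
# Commented-out lines (leading ';') are ignored, trailing "; comment" text
# is stripped, and when the directive appears more than once the last
# assignment is used.
effective_disabled() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed -E 's/^[^=]*=//; s/;.*$//' \
        | tr -d "\"' \t\r"
}

# Print each required function that is NOT listed in disable_functions.
# Usage: missing_disabled /path/to/php.ini exec system ...
missing_disabled() {
    local ini=$1 fn disabled
    shift
    # Wrap in commas so that "exec" does not match inside "shell_exec".
    disabled=",$(effective_disabled "$ini"),"
    for fn in "$@"; do
        case "$disabled" in
            *",$fn,"*) ;;                 # listed in the directive
            *) printf '%s\n' "$fn" ;;     # still callable from PHP code
        esac
    done
}

# Constructed sample php.ini (not taken from a real server).
sample_ini=$(mktemp)
trap 'rm -f "$sample_ini"' EXIT
cat > "$sample_ini" <<'EOF'
; disable_functions = exec,system,passthru,shell_exec
disable_functions = exec, passthru
disable_functions = "exec,passthru,shell_exec,popen"   ; last one wins
EOF

# Check a subset of the list suggested above.
missing_disabled "$sample_ini" exec passthru shell_exec system popen proc_open
# prints system and proc_open, one per line
```

Point it at the php.ini your web server's PHP actually loads, which may differ from the one the command-line PHP uses. Note that eval is a language construct rather than a function, so listing it in disable_functions does not disable it.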