How to configure php.ini for improving web server security

The configuration file (php.ini) is read when PHP starts up. For the server module versions of PHP, this happens only once when the web server is started. For the CGI and CLI versions, it happens on every invocation.

PHP 7.3


  1. Disable unwanted PHP functions
    This option sets which PHP functions are forbidden. Some PHP functions are quite risky: if they remain enabled and a PHP program on the server is vulnerable, the damage can be very serious! Below are the recommended disable_functions settings:
    disable_functions = phpinfo,passthru,exec,system,popen,chroot,escapeshellcmd,escapeshellarg,shell_exec,proc_open,proc_get_status
    Note: If your server runs PHP programs for CentOS system status detection, do not disable shell_exec, proc_open, proc_get_status and similar functions.
  2. The execution time for PHP scripts
    max_execution_time = 30
    This option sets the maximum execution time of a PHP script. If a requested PHP script fails to complete within max_execution_time, PHP stops executing it and directly returns a timeout error to the client. Unless there is a special need, keep the default setting of 30 seconds. If your PHP scripts genuinely require a longer execution time, you can increase this value appropriately.
  3. PHP scripts memory usage
    memory_limit = 8M

    This option specifies the maximum memory a PHP script may occupy. The default is 8MB. If your server has more than 1GB of memory, this option can be set to 12MB for faster PHP script processing.
  4. PHP global function declaration
    register_globals = Off

    Many articles about PHP settings on the Internet recommend setting this option to On. In fact, this is a very dangerous setting that may cause serious security problems. Unless there is a special need, it is highly recommended to keep the default setting!
  5. PHP upload file size limit
    upload_max_filesize = 2M

    This option sets the maximum upload file size allowed by PHP. The default is 2MB. Increase this setting as the actual application requires.
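As an added example (not part of the original article), the following Python script parses a php.ini file and audits it against the settings recommended above; the embedded INI text is a constructed sample, and the parser and threshold values are this example's own assumptions.

```python
# Added example (not from the original article): audit a php.ini file against the
# hardening settings recommended above. The sample INI text below is constructed.
import re
RECOMMENDED_DISABLED = {
    "phpinfo", "passthru", "exec", "system", "popen", "chroot", "escapeshellcmd",
    "escapeshellarg", "shell_exec", "proc_open", "proc_get_status",
}
def parse_php_ini(text):
    """Minimal php.ini parser: skips [sections] and ';' comments, strips quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings
def parse_php_size(value):
    """Convert PHP shorthand sizes (8M, 2G, 512K, plain bytes) to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([KkMmGg]?)\s*", value)
    if not m:
        raise ValueError(f"bad size: {value!r}")
    return int(m.group(1)) * {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}[m.group(2).lower()]
def audit_php_ini(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(RECOMMENDED_DISABLED - disabled)
    if missing:
        findings.append(f"disable_functions is missing: {', '.join(missing)}")
    timeout = int(settings.get("max_execution_time", "30"))
    if timeout == 0 or timeout > 30:  # 0 means unlimited in PHP
        findings.append("max_execution_time exceeds 30 seconds")
    if settings.get("register_globals", "Off").lower() not in ("off", "0", ""):
        findings.append("register_globals must be Off")
    if parse_php_size(settings.get("upload_max_filesize", "2M")) > parse_php_size("2M"):
        findings.append("upload_max_filesize is larger than 2M")
    return findings
# Constructed sample: a php.ini that violates two of the recommendations.
SAMPLE_INI = """
[PHP]
disable_functions = phpinfo,passthru,exec,system  ; shell_exec etc. left enabled
max_execution_time = 120
register_globals = Off
upload_max_filesize = "2M"
"""
```

Running audit_php_ini(parse_php_ini(SAMPLE_INI)) reports the missing disable_functions entries and the oversized max_execution_time; a fully hardened file returns an empty list.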