What PHP functions to disable to secure your WordPress server


### Why disable certain PHP functions

When securing a PHP server, it is critical to disable the functions that let an attacker execute arbitrary commands or scripts. PHP functions such as `exec`, `system`, and `shell_exec` run external commands, which is a security risk: they could be called by a script that was uploaded to the server or by a WordPress plugin you just installed. Adding these functions to the `disable_functions` list in your php.ini file prevents their misuse. Attackers are very creative and will always look for a loophole to exploit. Additionally, consider replacing these functions with safer built-in alternatives or secure libraries, so that functionality is kept without compromising security.

**Important note: blocking these functions may prevent some programs, such as backup plugins, from doing their job. Check the logs or consult support to make sure the change has not caused any undesired side effects.**

### How to disable certain PHP functions

Add the following line to php.ini (note that `eval` is a language construct, not a function, so listing it here has no effect; it is kept for completeness):

```ini
; php.ini - functions that WordPress itself does not need
disable_functions = curl_multi_exec, dbase_open, dbmopen, dl, eval, exec, fopen_with_path, fpassthru, highlight_file, passthru, pcntl_alarm, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifcontinued, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_open, shell_exec, show_source, system
```

The change must be made in the php.ini file; it cannot be done by adding rules such as **php\_admin\_value** to an .htaccess file.

Log in to your control panel and find where you can edit the PHP config values. Then look for a PHP info page, or create a blank file in the document root folder (it is named public\_html, www, htdocs, httpsdocs, etc.), call it zzzz\_info.php with the content below, and open it in the browser. Look for the "**disable\_functions**" entry in the output; it should list the functions you disabled.

```php
<?php phpinfo();
```

If you are not using a control panel (e.g. on a VPS from DigitalOcean or Linode), you need to edit the appropriate PHP config file yourself. If you are using the Apache web server, the main php.ini resides in

> `/etc/php/PHP_VER/apache2/php.ini`

where PHP\_VER is the installed PHP version.

Test the Apache configuration first, just in case, to make sure everything is OK:

```shell
$ apachectl -t
Syntax OK
```

Then reload the web server's configuration:

```shell
service apache2 reload
```
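The phpinfo() page above shows the raw directive; the script below, an added example that is not part of the original post, additionally checks what the PHP engine serving WordPress will actually refuse to run. The function subset and the file name zzzz\_check.php are assumptions; open it in the browser (the Apache SAPI reads a different php.ini than the command line) and delete it afterwards.

```php
<?php
// Added example, not from the original post: report which functions from the
// hardening list are really disabled in the PHP SAPI that serves WordPress.
// Save as zzzz_check.php (name is an assumption) in the document root, open it
// once in the browser, then delete it, exactly as with the phpinfo() file.
declare(strict_types=1);

// A subset of the disable_functions list from the php.ini snippet above.
$wanted = ['exec', 'system', 'shell_exec', 'passthru', 'popen', 'proc_open',
           'pcntl_exec', 'pcntl_fork', 'posix_setuid', 'posix_kill'];

// disable_functions is a PHP_INI_SYSTEM directive: only php.ini (or a
// php_admin_value in the vhost config) can set it, so what ini_get() returns
// here is what this SAPI enforces, regardless of any .htaccess rules.
$disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));

$report = [];
foreach ($wanted as $fn) {
    if (in_array($fn, $disabled, true)) {
        $report[$fn] = 'disabled';
    } elseif (!function_exists($fn)) {
        // e.g. pcntl_* under Apache: the extension is not loaded in this SAPI
        $report[$fn] = 'not available in this SAPI';
    } else {
        $report[$fn] = 'ENABLED - still callable';
    }
}
// eval is a language construct, not a function, so disable_functions cannot block it.
$report['eval'] = 'language construct - disable_functions has no effect';

header('Content-Type: text/plain');
printf("SAPI: %s\nphp.ini: %s\n\n", PHP_SAPI, php_ini_loaded_file() ?: '(none)');
foreach ($report as $fn => $state) {
    printf("%-12s %s\n", $fn, $state);
}
```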

2 Comments
  1. > PHP Functions like exec, system, and shell_exec are used to execute external commands which poses a security risk

    And they’re unfortunately used by many plugins, e.g. plugins that reformat images outside of PHP (which is better/more efficient, but opens up a security hole).

    It would be worth making a list of which plugins call which functions, to have a compatibility list with these excludes, to know beforehand which plugins will break.

  2. What you said kinda falls within the security through obscurity practice.

    Because while you do patch the meaning of malicious execution, you do not patch the security hole itself. It will just stay hidden until you change the hosting or some of those functions get activated.

    Practicing good site hygiene will get you further and do you better.

    – Don’t use obscure plugins, don’t use plugins for something simple that you can perhaps do manually through wp-config/htaccess/cpanel;

    – Make sure everything is updated (themes, core, plugins);

    – Use some bruteforce protection, recaptcha and strong passwords for everything (db, ftp, wp, cpanel, ssh);

    – do NOT use nulled/unlicensed/cracked scripts;

    – use good hosting companies that have good setups, avoid self hosting on a VPS unless you truly know what to do. Simply installing everything and forgetting about it is NOT the way.
