Last modified: July 22, 2022
Overview
You can update the settings of your server’s php.ini file to help secure your server. The method to use depends on your version of EasyApache.
Warning:
You must also use other security measures with these settings. When you use these alone, your server’s security is at risk. Malicious users can bypass most hardening measures.
Apache reads all files with the .ini file extension. If you have a custom .ini file, you must update it manually.
Editing in EasyApache 3
On systems that run EasyApache 3, the /usr/local/lib/ directory contains your server’s php.ini file.
Editing in EasyApache 4
Note:
We recommend only editing these files with WHM’s MultiPHP INI Editor interface (WHM >> Home >> Software >> MultiPHP INI Editor). This ensures that an operable version of PHP exists on the system.
On systems that run EasyApache 4, each version of PHP uses a separate php.ini file. You must make changes separately to each file. Each file exists in the /opt/cpanel/ea-php72/root/etc/php.ini file, where 72 is the PHP version number.
Directives
safe_mode | This directive helps solve many problems that occur with using PHP in a shared hosting environment. It compares the PHP script’s UID with the UIDs of files and directories that it tries to access. If the UIDs don’t match, the system doesn’t allow the script access. Warning: PHP 5.3.0 deprecated this directive and PHP 5.4.0 removed it. | On |
disable_functions | This directive disables a list of PHP functions. For example, you can disable ones that execute subprocesses. | A comma-separated list of functions to disable. |
register_globals | This directive can allow attackers to bypass your settings via the URL. Warning: PHP 5.3.0 deprecated this directive and PHP 5.4.0 removed it. | Off |
display_errors | This directive allows PHP to print run-time errors to generated HTML pages. When you disable it, PHP can still print errors to the appropriate error logs. | Off |
allow_url_fopen | This directive can allow attackers to open remote files from your server. They do this via file inclusion vulnerabilities. | Off |
allow_url_include | This directive can allow attackers to include remote files from your server. They do this via file inclusion vulnerabilities. | Off |
file_uploads | This directive can allow attackers to move their scripts on to and off of your server. | Off |
open_basedir | This directive limits file operations to a specific directory. Attackers may try to include local files in PHP scripts. This can allow them to access information about your server’s filesystem. Note:
| ~/public_html |
session.cookie_httponly | This directive keeps JavaScript from accessing PHP session cookies. This ensures that attackers can’t steal them. Important: You can’t use this directive if your users use PHP session cookies through JavaScript. | 1 |
session.referer_check | This directive allows it to check referrer values. You can specify a domain to make sure that session information stays internal. Then, users won’t be able to expose session information when they’re working on a web application. Warning: Do not rely on this security measure alone. It is trivial to send false referrer information. Note: If your system runs EasyApache 4, change this directive in the Editor Mode section of WHM’s MultiPHP INI Editor interface (WHM >> Home >> Software >> MultiPHP INI Editor). | On |
PHP configurations can be changed using the “php.ini” file. Php.ini is the main configuration file in for the open-source scripting language PHP.
Contents
- Requirements
- View the server’s PHP configurations
- How to find the php.ini file
- How to edit the php.ini file
Requirements
- Cloud Server with Linux (any distribution)
View the server’s PHP configurations
To view the current PHP configurations for your server, create a file named phpinfo.php in your website’s main directory:
sudo nano /var/www/html phpinfo.php
Then put the following content into this file:
Save and exit the file, then view it in a browser (“
example.com/phpinfo.php”
).
For security reasons, it is best to delete this file after you are finished.
How to find the php.ini file
When PHP starts up, it will search several possible locations on the server for a php.ini file. The default location for the php.ini file is:
- Ubuntu 16.04: /etc/php/7.0/apache2
- CentOS 7: /etc/php.ini
You can also create a new php.ini file with only the PHP configurations you need to change and place it in the same directory as the PHP script. This will override the configurations in the default php.ini file.
However, this will only be effective for scripts in the same directory as the php.ini file. It will not affect subdirectories. You will need to copy the new php.ini file to each working directory.
How to edit the php.ini file
To open the default php.ini file for editing, use one of the following commands (depending on which Linux distribution you’re using):
- Ubuntu 16.04: sudo nano /etc/php/7.0/apache2
- CentOS 7: sudo nano /etc/php.ini
Make the required changes. Each line that begins with a semicolon is “commented out” which means that PHP will ignore that line. If you want to enable an option that has been disabled this way, delete the semicolon at the beginning of the line to enable it.
Save and exit the file. Then restart the web server in order for the changes to take effect:
- Ubuntu/Debian: sudo systemctl restart apache2
- CentOS: sudo systemctl restart httpd
PHP 8: What you need to know about the latest version
PHP is one of the most important languages on the Internet. Many content management systems like WordPress, TYPO3 or Joomla are based on PHP. With the release of PHP 8, various new features were introduced. Also some old features were reworked, meaning that errors may occur if the code is not up to date. You can find all the important information about the new features of PHP 8 here.
PHP 8: What you need to know about the latest versionUsing PHP Composer in IONOS Webhosting Packages
Composer is a so-called "Dependency Management Tool", which makes it possible to comfortably reference external sources and libraries in one's own PHP projects and to keep them up-to-date.
Using PHP Composer in IONOS Webhosting PackagesChange the PHP Version on a Plesk Server
Learn how to change the PHP version for a server with Plesk. This tutorial includes instructions on how to find the PHP version your Plesk server is using, change to a different PHP version, and install a different PHP version if necessary.
Change the PHP Version on a Plesk ServerInstall and Use PHP Composer on Ubuntu 16.04
PHP Composer is a package management system for PHP which prevents users from having to "reinvent the wheel" when it comes to commonly-used website components like user authentication or database management. Composer is modelled on other popular package management systems like Ruby's Bundler.
Install and Use PHP Composer on Ubuntu 16.04