Skip to main content

In "Security Precautions [for] PHP on Apache Servers," Steven Whitney describes in detail the configuration settings for PHP that are effective at blocking the most common types of webserver attacks. The configuration adjustments are few and the rules are pretty simple.

There are two files where PHP configuration commands reside: php.ini (preferred) or .htaccess. File php.ini specifies the configuration settings PHP will use when it is running on your website. It determines what things PHP scripts are allowed to do and what they are prohibited from doing.

  • PLAN A: Modify PHP.INI File

    If supported by your webhost, create a custom php.ini file with the following commands:

    ; Prevent URLs from being used in PHP include() statements.
     allow_url_fopen = Off
     allow_url_include = Off
    ; Don't display server errors from users.
      display_errors = Off
    ; Don't display any errors that may occur during the PHP startup sequence, either.
      display_startup_errors = Off
    ; Log errors for your review.
      log_errors = On
    ; Log all PHP errors.
      error_reporting = E_ALL
    ; Secure PHP error log file—not accessible from the public directory.
      error_log = /home/my_domain_account/phperr.txt
    ; Don't advertise that PHP (including version) is installed on the server.
      expose_php = Off
    ; Block HTTP requests associated with injection attacks.
      register_globals = Off
    ; Note: the following are deprecated in PHP 5.3.0
      magic_quotes_gpc = On 
      magic_quotes_sybase = Off
  • PLAN B: Create .USER.INI File

    If a custom php.ini file isn't permitted by your webhost, create a .user.ini file in your top-level public directory with the commands above. In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file, and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']). In case the PHP file is outside the document root, only its directory is scanned.


    If your webhost doesn't allow you to use your own php.ini or .user.ini files, configuration commands can be placed in your .htaccess file instead. Unfortunately, not all php.ini commands have .htaccess equivalents, but some of them do. The following Apache settings have the same effects as their php.ini counterparts above, but the format of the commands is somewhat different:

    php_flag display_errors Off
    php_flag display_startup_errors Off
    php_flag log_errors On
    php_flag magic_quotes_sybase Off
    php_flag magic_quotes_gpc On
    php_flag register_globals Off
    php_value error_log /home/your_domain/phperr.txt
    php_value error_reporting 2147483647

Verify PHP Configuration

Utilize <?php phpinfo(); ?> to ensure configuration modifications are in effect. Afterwards, either delete the file or move it to a secure area (such as the directory where the error log is stored).

Restrict PHP.INI Access

If you've modified settings in the php.ini file, restrict access to it by adding the following to your .htaccess file:

# Deny web access to php.ini file.
<files php.ini>
  order allow,deny
  deny from all

Advanced PHP.INI Settings

If permitted by your webhost, utilize the disable_functions setting in the php.ini file to prevent functions you specify from being executed. (No .htaccess equivalent.) For example:

disable_functions = exec, shell_exec, passthru, system, eval, show_source, proc_open,  popen, parse_ini_file, dl

These functions are especially powerful; by prohibiting their use you prevent the many malicious scripts that use them from causing much of their damage. On the other hand, some of these functions are used in popular third party PHP scripts (e.g., forums, blogs, galleries, shopping carts, and so on), so ensure your code doesn't require them before including them in your disable_functions list.