Do you suggest to disable any specific PHP functions for better security?

Do you suggest to disable any PHP functions for better security in php.ini? As most of us use CMS like wordpress which functions is safe to be disabled? I checked MyVesta panel and it disable by default the following php functions :

disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,system,passthru,shell_exec,proc_open,popen



First of all, try to play with any of these: GitHub - xl7dev/WebShell: Webshell && Backdoor Collection to understand that most of the changes related to php - useless.
phpbash – A Terminal Emulator Web Shell

For your questions - no simple, short answer, such stuff very, very complex.
If re-phrase your question: “what doorlock to use to protect from thieves”?
But who said that thief will go by door? Why not by window? Or by the hole in a wall? Or from under the floor?

You better need to switch your thinking strategy.
Instead of “how to prevent” to “okay, i’m hacked what should i do earlier, to minimize impact of leaked files / dbs? Is user data in db hashed? is their emails hashed?” An bla bla bla.

Solution always simple:

  • backups (Frequent)
  • monitoring tool (resources & files)
  • file tracking (git is enough)
  • linux ACL
  • notificaations/alerts
  • investigation (goaccess, /var/log checks, parsers, etc)

Or alternatively pay money and se some kind of WAF from for example
just an example.

Each line above - extremely complex stuff. Security not an easy thing to do.
Because you need keep in mind that almost any component probably contain exploit, or 0day exploit and waiting for its time.

Just make sure that you’re ready for disaster, recovery, and minimizing impact before leak and after leak.

1 Like

yes. you are right but disabling some function like shell_exec can harden the security. Τhe article you refer to phpbash – A Terminal Emulator Web Shell concludes than disabling php functions is usefull so…