🛡️Disable_Functions in PHP for Security

Purpose:
Restrict dangerous PHP functions to improve the security of your cPanel/WHM server, especially for shared hosting environments.


Why Disable Functions?

Disabling certain PHP functions helps prevent attackers or compromised scripts from executing system-level commands or accessing sensitive server internals.

Commonly Abused Functions:

  • system
  • exec
  • shell_exec

These three are the most commonly disabled, and are usually sufficient for general shared hosting environments.

However, for tighter security, especially with unknown or untrusted user scripts, you can disable a broader set.


Step-by-Step Instructions

1. Edit PHP Configuration

If using cPanel/WHM, do the following:

WHM:

  1. Go to: WHM » Software » MultiPHP INI Editor
  2. Select your PHP version
  3. In Editor Mode, find the line: disable_functions =
  4. Add the list of functions you want to disable.

2. Recommended Disable List

Use this curated list, which disables functions with potentially dangerous uses while avoiding breakage of most applications:

disable_functions = ini_set,fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,shell_exec,system,dl,phpini,systemroot,server_software,get_current_user,php_uname,ini_restore,popen,pclose,exec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,apache_setenv,define_syslog_variables,eval,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,ini_alter,ini_get_all,openlog,phpAds_remoteInfo,phpAds_XmlRpc,phpAds_xmlrpcDecode,phpAds_xmlrpcEncode,syslog,show_source,phpinfo,allow_url_fopen

This list strikes a balance between tight security and compatibility with common applications. A few entries deserve a note: eval is a language construct rather than a function, so disable_functions cannot block it; allow_url_fopen is an ini directive, not a function, and is controlled with its own setting (allow_url_fopen = Off); phpinfo is also in the list, which affects the verification step below. Entries such as ini_set are called by many popular applications, so test before relying on the full list.

⚠️ Important Note:
Disabling too many functions can break legitimate scripts. Always test your web applications after applying.


3. Apply and Restart PHP

After saving the changes:

For ea-php:

/scripts/restartsrv_apache_php_fpm

For alt-php (CloudLinux):

service php-fpm restart

Recommended for Use With

  • CloudLinux: Use PHP Selector to manage disable_functions per PHP version.
  • cPanel/WHM: Easily managed through MultiPHP INI Editor.
  • Imunify360: Will warn if dangerous functions like exec or shell_exec are still enabled and are being exploited.

Optional: Verify

You can check the active disabled functions in a PHP info file:

Create a file called phpinfo.php with:

<?php phpinfo(); ?>

Look for the disable_functions directive in the output, and delete phpinfo.php once you are done, since it exposes server details. Note that the recommended list above disables phpinfo() itself, so this check only works before that entry is applied; from the command line, php -i | grep disable_functions shows the CLI value, which may come from a different php.ini than the one the web server uses.
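The following audit script is an added example, not part of the original guide: it verifies the active policy without relying on phpinfo() (which the recommended list disables), confirms via function_exists() that the listed functions were really removed, and flags entries that disable_functions cannot act on. The required set and the script name are assumptions for illustration.

```php
<?php
// Added example (not part of the original guide): audit the active
// disable_functions policy without phpinfo(), which the recommended list
// itself disables. Run it through the same SAPI that serves user scripts
// (php-fpm via the web server), because the CLI may load a different php.ini.

// Minimum set this guide treats as necessary for shared hosting (assumed).
$required = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];

// Entries in the recommended list that disable_functions cannot act on:
// eval is a language construct and allow_url_fopen is an ini directive.
$notFunctions = ['eval', 'allow_url_fopen'];

// Normalise the directive: split on commas, trim, drop blanks, lowercase.
$configured = array_map('strtolower', array_filter(array_map('trim',
    explode(',', (string) ini_get('disable_functions')))));

$report = ['ok' => [], 'missing' => [], 'ineffective' => []];

foreach ($required as $fn) {
    // function_exists() is false for disabled internal functions on PHP 7 and 8,
    // so this confirms the directive took effect, not merely that it is set.
    if (in_array($fn, $configured, true) && !function_exists($fn)) {
        $report['ok'][] = $fn;
    } else {
        $report['missing'][] = $fn;
    }
}

foreach ($configured as $entry) {
    if (in_array($entry, $notFunctions, true)) {
        $report['ineffective'][] = $entry;
    }
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
printf("disable_functions has %d entries\n", count($configured));
printf("Disabled as required : %s\n", implode(', ', $report['ok']) ?: '(none)');
printf("Still callable       : %s\n", implode(', ', $report['missing']) ?: '(none)');
printf("Listed but no effect : %s\n", implode(', ', $report['ineffective']) ?: '(none)');
printf("allow_url_fopen      : %s\n", ini_get('allow_url_fopen') ? 'On' : 'Off');

// Non-zero exit lets a cron job or deployment check fail loudly.
exit($report['missing'] === [] ? 0 : 1);
```

Save it as, for example, check_disabled.php, load it once through the web server, and remove it afterwards like phpinfo.php.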


Final Tips

  • Always keep a backup of your original php.ini before editing.
  • Audit server logs and user scripts before disabling functions if unsure.
  • Combine with tools like Imunify360 or CageFS for added protection.
