Setting php ini cpanel


Last modified: July 22, 2022

Overview

You can update the settings of your server’s php.ini file to help secure your server. The method to use depends on your version of EasyApache.

Warning:

  • You must also use other security measures with these settings. When you use these alone, your server’s security is at risk. Malicious users can bypass most hardening measures.

  • Apache reads all files with the .ini file extension. If you have a custom .ini file, you must update it manually.

Editing in EasyApache 3

On systems that run EasyApache 3, the /usr/local/lib/ directory contains your server’s php.ini file.

Editing in EasyApache 4

Note:

We recommend only editing these files with WHM’s MultiPHP INI Editor interface (WHM >> Home >> Software >> MultiPHP INI Editor). This ensures that an operable version of PHP exists on the system.

On systems that run EasyApache 4, each version of PHP uses a separate php.ini file. You must make changes separately to each file. Each file is located at /opt/cpanel/ea-php72/root/etc/php.ini, where 72 is the PHP version number.

Directives

Directive: safe_mode
Description: This directive helps solve many problems that occur with using PHP in a shared hosting environment. It compares the PHP script’s UID with the UIDs of files and directories that it tries to access. If the UIDs don’t match, the system doesn’t allow the script access.
Warning: PHP 5.3.0 deprecated this directive and PHP 5.4.0 removed it.
Recommended value: On

Directive: disable_functions
Description: This directive disables a list of PHP functions. For example, you can disable ones that execute subprocesses.
Recommended value: A comma-separated list of functions to disable.

Directive: register_globals
Description: This directive can allow attackers to bypass your settings via the URL.
Warning: PHP 5.3.0 deprecated this directive and PHP 5.4.0 removed it.
Recommended value: Off

Directive: display_errors
Description: This directive allows PHP to print run-time errors to generated HTML pages. When you disable it, PHP can still print errors to the appropriate error logs.
Recommended value: Off

Directive: allow_url_fopen
Description: This directive can allow attackers to open remote files from your server. They do this via file inclusion vulnerabilities.
Recommended value: Off

Directive: allow_url_include
Description: This directive can allow attackers to include remote files from your server. They do this via file inclusion vulnerabilities.
Recommended value: Off

Directive: file_uploads
Description: This directive can allow attackers to move their scripts on to and off of your server.
Recommended value: Off

Directive: open_basedir
Description: This directive limits file operations to a specific directory. Attackers may try to include local files in PHP scripts. This can allow them to access information about your server’s filesystem.
Note:
  • This setting only affects servers that use the mod_php Apache module.
  • If your system runs EasyApache 4, change this directive in the Editor Mode section of WHM’s MultiPHP INI Editor interface (WHM >> Home >> Software >> MultiPHP INI Editor).
Recommended value: ~/public_html

Directive: session.cookie_httponly
Description: This directive keeps JavaScript from accessing PHP session cookies. This ensures that attackers can’t steal them.
Important: You can’t use this directive if your users use PHP session cookies through JavaScript.
Recommended value: 1

Directive: session.referer_check
Description: This directive allows PHP to check referrer values. You can specify a domain to make sure that session information stays internal. Then, users won’t be able to expose session information when they’re working on a web application.
Warning: Do not rely on this security measure alone. It is trivial to send false referrer information.
Note: If your system runs EasyApache 4, change this directive in the Editor Mode section of WHM’s MultiPHP INI Editor interface (WHM >> Home >> Software >> MultiPHP INI Editor).
Recommended value: On
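
As an added example (not part of the original documentation), the following Python script compares the contents of a php.ini file against the recommended values in the directive table above and reports deviations. The names RECOMMENDED, REMOVED, parse_ini and audit, and the sample file contents, are constructed for illustration.

```python
import re

# Recommended values from the directive table above: True = On, False = Off,
# None = the directive must be set to a non-empty value.
RECOMMENDED = {
    "display_errors": False, "allow_url_fopen": False, "allow_url_include": False,
    "file_uploads": False, "session.cookie_httponly": True,
    "disable_functions": None, "open_basedir": None,
}
REMOVED = {"safe_mode", "register_globals"}  # removed in PHP 5.4.0
INI_LINE = re.compile(r'\s*([\w.]+)\s*=\s*(?:"([^"]*)"|([^;]*))')

def parse_ini(text):
    """Return {directive: value}; the last assignment of a directive wins."""
    settings = {}
    for line in text.splitlines():
        m = INI_LINE.match(line)
        if m:  # skips blank lines, ';' comments and [section] headers
            quoted, bare = m.group(2), m.group(3)
            settings[m.group(1)] = quoted if quoted is not None else bare.strip()
    return settings

def audit(text):
    """Return sorted findings for the contents of one php.ini file."""
    settings, findings = parse_ini(text), []
    for name, want in RECOMMENDED.items():
        value = settings.get(name)
        if value is None:
            findings.append(f"{name}: not set, PHP default applies")
        elif want is None and not value:
            findings.append(f"{name}: empty")
        elif want is not None and (value.lower() in {"1", "on", "true", "yes"}) != want:
            findings.append(f"{name}: {value!r}, recommended {'On' if want else 'Off'}")
    findings += [f"{n}: removed in PHP 5.4.0" for n in REMOVED & settings.keys()]
    return sorted(findings)

# Constructed sample, not taken from a real server.
SAMPLE = """[PHP]
display_errors = On   ; debugging left enabled
allow_url_fopen = Off
allow_url_include = Off
file_uploads = On
disable_functions =
session.cookie_httponly = 1
register_globals = Off
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On EasyApache 4, pass the contents of each PHP version's php.ini file to audit() in turn, because each version keeps its own file.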

There are certain scenarios when you may be asked to make changes to your PHP configuration. Specifically, you may be directed to edit a file on your server called php.ini, which usually holds a set of PHP directives.

We do not allow direct changes to php.ini on our servers. However, you can make PHP configuration changes from cPanel by following these steps.

The PHP Selector is not included by default in cPanel and might be missing from your account if you are hosting with a different web host. All ChemiCloud customers should see the Select PHP Version section in their hosting account’s cPanel.

1) Log into cPanel.

2) Look for the SOFTWARE section and click on Select PHP Version.

cPanel > Software > Select PHP Version

3) In the new window click on the Switch To PHP Options button.

Select PHP Version > Switch to PHP Options

4) Here you can locate the PHP directive you wish to amend and click the value. A dropdown menu or text input box will appear, allowing you to change the value as required. Check your script, plugin, or theme’s documentation (or an on-screen error message) to find the correct value.

5) Once you have made a change, left-click anywhere outside the dropdown or text input box. If the change was successful, you will see a green box with a message confirming that the change has been applied.

That’s all! Now you know how to edit the php.ini file in cPanel.

For further questions, or if you need help, please open a support ticket from your Client Area’s Dashboard.