PHP Settings

Server Management > Security > PHP Settings

This page allows you to configure security and performance related settings of PHP. These changes are applied to your php.ini config file of PHP. Please keep in mind that PHP is very powerful and can often be used to exploit a server. Hence we configure it in a very restrictive and secure fashion. You can loosen these restrictions on a per site basis in the Site Management PHP settings of an individual virtual site.

Settings that are controlled here will modify the server-wide PHP settings, as reflected in the server's php.ini file, which can be reviewed by clicking on the Review php.ini tab.


Main PHP Settings

  • PHP Version: Shows the version of PHP of the public web server.
  • Location: This shows where your php.ini file is located.
  • Register Globals: For maximum security you must set “register_globals” to “Off”. Otherwise it is easily possible that unsecurely programmed PHP scripts can be used to hack your server.
  • Open Basedir (Server): The open_basedir directive limits the file access of PHP scripts to certain directories. Global (ie: all virtual sites) have access to the directories specified here. If you wish to grant the PHP scripts of virtual sites access to additional directories, then you can specify those here. When the file is outside the specified directory-tree, PHP will refuse to open it. Note that individual vsites can be granted additional access in their site-specific PHP settings.
  • Disable Functions: This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode.
  • Disable Classes: This directive allows you to disable certain classes for security reasons. It takes on a comma-delimited list of class names. disable_classes is not affected by Safe Mode.
  • Allow URL fopen: Off by default. If enabled, allow_url_fopen allows PHP's file functions - such as file_get_contents() and the include and require statements - can retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities and hacks reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.
  • Allow URL include: If disabled, allow_url_include bars remote file access via the include and require statements, but leaves it available for other file functions like fopen() and file_get_contents. Please note: include and require are the most common attack points for code injection attempts, so this setting plugs that particular hole without affecting the remote file access capabilities of the standard file functions. By default, allow_url_include is disabled.
  • Upload Max Filesize: upload_max_filesize limits the maximum size of files that PHP will accept through uploads. Attackers may attempt to send grossly oversized files to exhaust your system resources; by setting a realistic value here you can mitigate some of the damage by those attacks. By default, PHP sets this value to 2MB.
  • Post Max Size: This protection allows you to limit the maximum size POST request that PHP will process. Attackers may attempt to send grossly oversized POST requests to exhaust your system resources; by setting a realistic value here you can mitigate some of the damage by those attacks.
  • Max execution time: Maximum amount of time each script may run.
  • Max input time: Maximum amount of time each script may spend parsing request data.
  • Memory limit: Defines how much memory a script may use. Settings this to a high value leaves the server vulnerable to attacks that attempt to exhaust resources and creates an environment where poor programming practices can propagate unchecked.