Skip to main content

Harden Your WordPress Hosting With A Default PHP.INI Config File

By May 9, 2018March 5th, 2021Blog, Technology, Web Development, Website Design

Here is a basic set of PHP.ini directives for any cPanel type hosting to help secure and harden your hosted WordPress websites.

Sometime your servers are in another state or country and in the wrong time zone. This can mess up some date and time plugins – this is how you fix it.

;force new time zone -
date.timezone = "America/Detroit"

Lots of bad thing hide in encrypted code and Base64 is the garbage of the internet. This will block any Base64 code from even running. Protecting you from a world of hidden virus and back door payloads. As an added bonus, lots of the themes in the WordPress theme gallery chooser are full of encrypted footers with author links, logos and nags to buy something. This will weed out those crap themes because they won’t work at all.

; turn base64 garbage off
base64_decode = Off

Hide your PHP code from being viewed from a browser or scraped from a bot.

; hide php code and version
expose_php = Off

Sometimes is nice to know when you have an error with php during development or scheduled updates, but you don’t need to let a hacker know where they are by displaying the error.

; Disable displaying errors to screen
display_errors = off

If your going to use the previous one to hide the errors, you still need to know if they are happening. With this code you can write any errors to the apache log files on the server to see whats going on.

; Enable writing errors to server logs
log_errors = on

If your WordPress site is basically brochure-ware sitting out on the web that is rarely used for uploading any files, you can use this to disable uploads all together. I suggest using this in a .user.ini file for specific sites and not using this in the root php.ini. You could accidentally disable uploads to all your sites. Although, of you suspect a server hack, you could quickly disable uploading on all your sites using this too.

; allows wordpress uploads
file_uploads = On

Sets your global PHP upload size. This can be over-ridden on a directory by directory basis using the same code in a .user.ini file also.

; MB user can upload via php
upload_max_filesize = 2M
post_max_size = 2M
max_execution_time = 300

Some PHP can retrieve information and data from other servers. A lot of WordPress plugins are famous for this and eat a lot of bandwidth and resources and you would probably never know it. This will stop that.

; disables retrieving data from remote locations using php ftp or http protocols.
allow_url_fopen = on

Disables attaching files to urls that can be written back into a database.

; disables attaching files to urls that can be written back into the database
allow_url_include = Off

If an attacker somehow manages to inject Javascript code for stealing user’s current cookies – the document.cookie string – the HttpOnly cookie you’ve set won’t show up in the list.

; Javascript Cookie Protection
session.cookie_httponly = off

Kills processes that are stuck or taking longer than 30 seconds to complete. Adjust this to fit your needs. Uploading video or audio can sometimes take longer that 30 seconds.

; resource control set in seconds
; max_execution_time = 30
; max_input_time = 30
; memory_limit = 40M

Disable these most vulnerable to attack server functions that are rarely used:

; disabling dangerous PHP functions
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source