Why Securing PHP Is Important
PHP is the programming language WordPress is developed in. You can strengthen your WordPress site by disabling certain functions and options in the PHP configuration file. The file is called php.ini.
If you are on shared hosting your hosting provider should allow you to have your own php.ini file. The configuration can vary from host to host, so ask them if you are in doubt.
If you are using a dedicated server you will be able to make modifications to the php.ini file.
Your WordPress site will constantly be probed by bots that try to:
- submit malicious data and scripts to your site
- make your server execute malicious scripts located on external servers
- read and write files on your server
They want to take control of your site and use it for their own purposes.
Tightening the security in the PHP configuration file can help prevent those types of attacks.
How You Complete This Security Checkpoint
You need to change a few settings in your php.ini file to make PHP more secure.
Note that this might break some plugins if they require some of these functions to work properly. Therefore it is important that you test your site after making these changes to verify everything is working. If you encounter a problem try changing one setting at a time to its original value until you find the setting that causes the problem.
If you need that particular plugin then you have to live with a slightly less secure configuration of PHP. You are still miles ahead of most other web sites.
- Ask your host about your options for modifying the php.ini file.
Typically there is one php.ini file in the public_html folder; however, some hosts allow you to have multiple php.ini files (one per directory).
- Locate your php.ini file.
If it does exist, find each setting (e.g. search for short_open_tag) and change its value.
If it does not exist, create a text file, name it php.ini and add the code below.
; BEGIN WordPress Security Checklist Additions
register_globals = Off
allow_url_fopen = Off
short_open_tag = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
magic_quotes_gpc = Off
magic_quotes_sybase = Off
; If you experience problems after changing the php.ini
; the line below is the place to look first.
disable_functions = show_source, system, passthru, exec, phpinfo, popen, proc_open
; END WordPress Security Checklist Additions
Test! Especially plugins that accept user input, e.g. forums, commenting, contact forms, galleries etc. If you find that any plugins have stopped working, the problem is most likely in the disable_functions line.
Comment out the whole line by adding a semicolon (;) at the beginning of the line.
If the plugin starts working try taking out each function one at a time until you find the one (or two) that stop the plugin from working. Leave in as much as possible.
What the steps do
register_globals = Off
Important setting! With register_globals set to Off, request parameters (GET, POST, cookies) are no longer automatically turned into global PHP variables, so it is much harder for someone to inject values into a script simply by adding them to a URL. Note that register_globals was removed in PHP 5.4, so on current PHP versions it is always off and this line has no effect.
allow_url_fopen = Off
Important setting! Setting allow_url_fopen to Off stops PHP (and therefore WordPress and its plugins) from opening remote URLs with file functions such as fopen and file_get_contents, and stops it from including and executing code fetched from other websites. Remote file inclusion is a very common way of injecting malicious code into a website. On PHP 5.2 and later there is also a separate allow_url_include directive governing include/require of remote URLs; it defaults to Off and should stay that way.
short_open_tag = Off
Setting short_open_tag to Off makes PHP recognise only the full <?php opening tag (and <?=), so code written with the short <? tag is no longer executed. This is stricter, and some poorly written code will stop working.
display_errors = Off
display_startup_errors = Off
log_errors = On
These settings make sure WordPress does not display error information publicly. Error messages can reveal file paths, database details and software versions, which tell an attacker a great deal about your server configuration.
Instead, errors will be logged to a file.
Note! If you had an existing php.ini file, check the setting for error_log. This sets the file name for the error log.
If your file name is not error_log you will need to modify the .htaccess file as discussed in Securing Your .htaccess File Manually (you need to scroll down a little bit to get to the part about the error_log), so that the log file itself cannot be read by visitors.
; Log errors to specified file.
error_log = error_log
magic_quotes_gpc = Off
magic_quotes_sybase = Off
Magic quotes automatically escaped quote characters in incoming request data with backslashes. Turning them off means your code has to handle quoting and escaping explicitly instead of relying on this unreliable automatic behaviour. Magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, so on current versions these two lines have no effect.
disable_functions = ...
This setting tells PHP to turn off certain powerful functions, which are typically used by attackers once they have managed to run code on your server. However some of these functions are also used legitimately by some plugins.
Therefore you need to test your plugins carefully after enabling this. Because disable_functions can only be set in php.ini (not from a script at runtime), a compromised plugin cannot simply switch the functions back on, which is what makes this setting effective.
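As an added example (not part of the original checklist), the script below audits a php.ini file against the settings listed above. It parses the file the way PHP reads it (";" comment lines, [section] headers, quoted values, inline comments, last duplicate wins), checks each flag against the checklist value, and reports which of the recommended disable_functions entries are absent. It covers both the checkpoint steps (locate the file, compare each setting) and the explanations in this section. The sample php.ini text inside it is constructed for the demonstration; the directive names and recommended values are the checklist's own.

```python
import re

# Constructed sample php.ini for the demonstration (not a file from the checklist).
# allow_url_fopen and display_errors are deliberately wrong, the magic_quotes
# directives are absent, and the full disable_functions line has been commented
# out while debugging a plugin, as the checklist suggests doing.
SAMPLE_PHP_INI = """\
[PHP]
; BEGIN WordPress Security Checklist Additions
register_globals = Off
allow_url_fopen = On
short_open_tag = Off
display_errors = On
display_startup_errors = Off
log_errors = On
error_log = "error_log"  ; file the errors go to
; disable_functions = show_source, system, passthru, exec, phpinfo, popen, proc_open
disable_functions = show_source, system
; END WordPress Security Checklist Additions
"""

# Flag values the checklist recommends (True = On, False = Off).
RECOMMENDED_FLAGS = {
    "register_globals": False,
    "allow_url_fopen": False,
    "short_open_tag": False,
    "display_errors": False,
    "display_startup_errors": False,
    "log_errors": True,
    "magic_quotes_gpc": False,
    "magic_quotes_sybase": False,
}
# Functions the checklist's disable_functions line switches off.
RECOMMENDED_DISABLED = {"show_source", "system", "passthru", "exec",
                        "phpinfo", "popen", "proc_open"}

_ON_WORDS = {"1", "on", "true", "yes"}
_OFF_WORDS = {"", "0", "off", "false", "no", "none"}


def parse_php_ini(text):
    """Return {directive: value} from php.ini text.

    Skips ';' and '#' comment lines and '[section]' headers, unquotes quoted
    values, drops inline ';' comments, and lets a later duplicate override an
    earlier one, which is how PHP itself treats repeated directives.  Directive
    names are kept exactly as written because PHP treats them case-sensitively.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if value.startswith('"') and value.count('"') >= 2:
            value = value[1:value.index('"', 1)]      # quoted value, keep as-is
        else:
            value = value.split(";", 1)[0].strip()    # strip inline comment
        settings[key.strip()] = value
    return settings


def ini_bool(value):
    """Interpret a php.ini flag value the way PHP does (On/Off, 1/0, true/false, yes/no)."""
    v = value.strip().lower()
    if v in _ON_WORDS:
        return True
    if v in _OFF_WORDS:
        return False
    raise ValueError("unrecognised flag value: %r" % value)


def disabled_functions(settings):
    """Set of names in disable_functions (comma or whitespace separated, case-insensitive)."""
    raw = settings.get("disable_functions", "")
    return {name.lower() for name in re.split(r"[,\s]+", raw) if name}


def audit(settings):
    """Compare parsed settings with the checklist; return a list of findings (empty = all good)."""
    findings = []
    for directive, wanted in RECOMMENDED_FLAGS.items():
        wanted_text = "On" if wanted else "Off"
        if directive not in settings:
            findings.append("%s: not set (PHP default applies); checklist wants %s"
                            % (directive, wanted_text))
            continue
        try:
            actual = ini_bool(settings[directive])
        except ValueError as exc:
            findings.append("%s: %s" % (directive, exc))
            continue
        if actual != wanted:
            findings.append("%s = %s; checklist wants %s"
                            % (directive, settings[directive], wanted_text))
    missing = RECOMMENDED_DISABLED - disabled_functions(settings)
    if missing:
        findings.append("disable_functions is missing: %s" % ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_php_ini(SAMPLE_PHP_INI)):
        print(finding)
```

To audit a real file, replace SAMPLE_PHP_INI with the contents of your php.ini (open(path).read()). The audit only checks the file; the value PHP actually uses can be overridden by the host's master php.ini or the web server configuration, so confirm the effective values with a phpinfo() page that you delete again afterwards, or by checking ini_get() in a small script.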
The more of these settings you can successfully apply the better. However you should not sacrifice required functionality on your WordPress site in case there is a problem with one of these settings.