PHP Security Recommendations

By admin, May 19, 2017 13:09

The following settings can be used to tighten the security of a PHP installation. To make the recommended changes, locate and open the php.ini file and edit the configuration settings as described below:

Setting Description
allow_url_fopen=Off allow_url_include=Off Disable remote URLs for file handling functions, which may cause code injection vulnerabilities.
register_globals=Off Disable register_globals.
open_basedir=”c:\inetpub\” Restrict where PHP processes can read and write on a file system.
safe_mode=Off safe_mode_gid=Off Disable safe mode.
max_execution_time=30 max_input_time=60 Limit script execution time.
memory_limit=16M upload_max_filesize=2M post_max_size=8M max_input_nesting_levels=64 Limit memory usage and file sizes.
display_errors=Off log_errors=On error_log=”C:\path\of\your\choice” Configure error messages and logging.
fastcgi.logging=0 The IIS FastCGI module will fail the request when PHP sends any data on stderr by using the FastCGI protocol. Disable FastCGI logging to prevent PHP from sending error information over stderr and generating 500 response codes for the client.
expose_php=Off Hide the presence of PHP.

Leave a Reply