Securing PHP through WHM

Expertise level: Medium

There is a global configuration editor for php on WHM. Please follow these procedures to secure PHP on your server:

  1. Log on to your WHM as root.
  2. Go to "Service Configuration" section.
  3. Click on "PHP Configuration Editor".
  4. You can configure various PHP security and performance tweaks there.

Most of the tweak options are explained in your WHM itself. The performance-related tweaks should be done depending upon the server type.

If you have many users running different php scripts at the same time, you should keep the following variables to a minimum value to deliver optimum performance to all users. If you run a server with only power users who need to use the applications heavily and deal with huge file uploads, then you can set the limits to higher values.

  • max_execution_time
  • upload_max_filesize
  • memory_limit
  • max_input_time

As far as security tweaks are concerned, keeping register_globals globally turned OFF will add to server security. If some scripts require it turned ON, you could turn it ON separately for the owner of the script using a php.ini file and add the following directive into the file:

  • register_globals = On

Also, you can keep safe_mode ON for php, which disables many vulnerable functionality of PHP.


* Click on "Save" to save changes. 

You can enable php-openbase-dir  for enhancing php security by following that pocedure:

  1. Log on to your WHM as root.
  2. Go to "Security Center" section.
  3. Click on "PHP open_basedir Tweak".
  4. Activate "Enable php open_basedir Protection".

Enabling open_basedir prevents the users from opening files from outside their home directory. This prevents intruder scripts from browsing through the file system, thereby providing you better security.

Please check the relevant screen captures:





Article is closed for comments.
Powered by Zendesk