This tutorial will teach you how to secure a WordPress website with php.ini by hiding your PHP version and error messages, limiting resources and turning off global variables. Furthermore, we will go over how to disable remote connections and dangerous functions and prevent unauthenticated access to PHP scripts.
Please note that this tutorial is part of a series to help secure a WordPress blog. Some of these tips might not apply depending on the hosting environment. The following topics are covered:
- Redirecting users to HTTPS
- Installing WordPress securely
- .htaccess for WordPress security
- php.ini for WordPress security
- Security plugins
- Security maintenance
What is php.ini?
The php.ini file contains PHP configurations. This file can be found in the root folder of your WordPress installation. If none is present, the first step is to create a “php.ini” file in that location.
Hide PHP version
It is best to hide your PHP version. Attackers may take advantage of known version vulnerabilities to target the server and gain access.
expose_php = Off
Hide PHP error messages
PHP error messages should be turned off as they can expose sensitive information such as paths and variables. Instead, errors should be logged into a separate file.
display_errors = Off log_errors = On error_log = path/to/log/file.log
path/to/log/file.log with your desired log file location.
Disable remote connections
allow_url_fopen is enabled in the default PHP configuration. However, most hosts disable it as it ensures scripts are only retrievable locally.
allow_url_fopen = Off allow_url_include = Off
Disable dangerous functions
WordPress is written in PHP; some PHP functions can be dangerous. Disable these functions with the following line:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source,phpinfo
Prevent unauthenticated access to PHP scripts
cgi.force_redirect to prevent unauthenticated users from calling PHP scripts via a URL.
cgi.force_redirect = On
Additionally, you should limit resources.
First, declare the maximum amount a time a script can take to execute in seconds.
max_execution_time = 30
Then declare the maximum amount of time a script can take to parse request data in seconds.
max_input_time = 30
Follow up with the maximum amount of memory a script can take.
memory_limit = 40M
Lastly, declare the maximum size of POST data.
post_max_size = 8M
Turn off automatic global variables
on allows URLs to contains string queries that can possibly change an existing variable’s value. For example:
Turn off this ability by setting
register_globals = Off
In summary, one can secure a WordPress website with php.ini by hiding the PHP version and error messages, limiting resources and turning off global variables. Furthermore, one can disable remote connections and dangerous functions and prevent unauthenticated access to PHP scripts.
Given these points, if you know of any steps to take to secure a WordPress website with php.ini, please let me know in the comments down below!