Dangerous/Insecure PHP Functions Which Must Be Disabled

Dangerous/Insecure PHP functions Which Must Be Disabled

There are certain functions in PHP which must be disabled as they can be used to exploit the web server. With these dangerous functions, a person can get root level access of the web server. They were not designed to be dangerous and are useful for many things but can be used for malicious purposes. If you are a web hosting provider then it is highly recommended that you disable these dangerous functions. If you are a newbie and use custom CMS like WordPress then also it is highly recommended to disable these functions as some untrusted plugins might contain these functions and exploit your web server/website.

These functions are applicable both on Linux as well as Windows server.

List of Dangerous PHP Functions

  • apache_child_terminate
  • apache_get_modules
  • apache_note
  • apache_setenv
  • define_syslog_variables
  • disk_free_space
  • disk_total_space
  • diskfreespace
  • dl
  • escapeshellarg
  • escapeshellcmd
  • exec
  • extract
  • get_cfg_var
  • get_current_user
  • getcwd
  • getenv
  • getlastmo
  • getmygid
  • getmyinode
  • getmypid
  • getmyuid
  • ini_restore
  • ini_set
  • passthru
  • pcntl_alarm
  • pcntl_exec
  • pcntl_fork
  • pcntl_get_last_error
  • pcntl_getpriority
  • pcntl_setpriority
  • pcntl_signal
  • pcntl_signal_dispatch
  • pcntl_sigprocmask
  • pcntl_sigtimedwait
  • pcntl_sigwaitinfo
  • pcntl_strerrorp
  • pcntl_wait
  • pcntl_waitpid
  • pcntl_wexitstatus
  • pcntl_wifexited
  • pcntl_wifsignaled
  • pcntl_wifstopped
  • pcntl_wstopsig
  • pcntl_wtermsig
  • php_uname
  • phpinfo
  • popen
  • posix_getlogin
  • posix_getpwuid
  • posix_kill
  • posix_mkfifo
  • posix_setpgid
  • posix_setsid
  • posix_setuid
  • posix_ttyname
  • posix_uname
  • posixc
  • proc_close
  • proc_get_status
  • proc_nice
  • proc_open
  • proc_terminate
  • ps_aux
  • putenv
  • readlink
  • runkit_function_rename
  • shell_exec
  • show_source
  • symlink
  • syslog
  • system

Disabling These Functions

These can be disabled easily by php.ini.

First step is to locate the php.ini file and the common location is /etc/php.ini

After opening the php.ini files, find disable_functions  and replace it with the following line

disable_functions = “apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode”


Once you have added the functions to be disable in the php.ini configuration file, you will have to restart the Apache web server (if on Linux) and IIS web server (if on Windows server) for the changes to take effect.

After disabling these functions, you may encounter a bit of problems which can be fixed easily. Let me know


yoast seo premium free