How to secure a WordPress website with php.ini

This tutorial will teach you how to secure a WordPress website with php.ini by hiding your PHP version and error messages, limiting resources and turning off global variables. Furthermore, we will go over how to disable remote connections and dangerous functions and prevent unauthenticated access to PHP scripts.

Please note that this tutorial is part of a series to help secure a WordPress blog. Some of these tips might not apply depending on the hosting environment. The following topics are covered:

What is php.ini?

The php.ini file contains PHP configurations. This file can be found in the root folder of your WordPress installation. If none is present, the first step is to create a “php.ini” file in that location.

Hide PHP version

It is best to hide your PHP version. Attackers may take advantage of known version vulnerabilities to target the server and gain access.

expose_php = Off

Hide PHP error messages

PHP error messages should be turned off as they can expose sensitive information such as paths and variables. Instead, errors should be logged into a separate file.

display_errors = Off
log_errors = On
error_log = path/to/log/file.log

Replace path/to/log/file.log with your desired log file location.

Disable remote connections

allow_url_fopen is enabled in the default PHP configuration. However, most hosts disable it as it ensures scripts are only retrievable locally.

allow_url_fopen = Off
allow_url_include = Off

Disable dangerous functions

WordPress is written in PHP; some PHP functions can be dangerous. Disable these functions with the following line:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source,phpinfo

Prevent unauthenticated access to PHP scripts

Enable cgi.force_redirect to prevent unauthenticated users from calling PHP scripts via a URL.

cgi.force_redirect = On

Limit resources

Additionally, you should limit resources.

First, declare the maximum amount a time a script can take to execute in seconds.

max_execution_time = 30

Then declare the maximum amount of time a script can take to parse request data in seconds.

max_input_time = 30

Follow up with the maximum amount of memory a script can take.

memory_limit = 40M

Lastly, declare the maximum size of POST data.

post_max_size = 8M

Turn off automatic global variables

Finally, setting register_globals to on allows URLs to contains string queries that can possibly change an existing variable’s value. For example:

https://example.com?valid=true

Turn off this ability by setting register_globals to off.

register_globals = Off

Conclusion

In summary, one can secure a WordPress website with php.ini by hiding the PHP version and error messages, limiting resources and turning off global variables. Furthermore, one can disable remote connections and dangerous functions and prevent unauthenticated access to PHP scripts.

Given these points, if you know of any steps to take to secure a WordPress website with php.ini, please let me know in the comments down below!

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top