Friday, March 20, 2026 • Sachin Prajapati

PHP Hardening Checklist

Below is a comprehensive PHP Hardening Checklist (50+ settings) used by security engineers to secure production servers running PHP through the configuration file php.ini.

This checklist is divided into security categories so it’s easier to understand and implement.


1. Information Disclosure Protection

These settings prevent attackers from learning information about your server.

1. Hide PHP Version

expose_php = Off

Prevents headers like:

X-Powered-By: PHP/8.x

2. Disable Error Display

display_errors = Off

Users should never see internal errors.


3. Enable Error Logging

log_errors = On

4. Define Error Log Location

error_log = /var/log/php_errors.log

5. Disable HTML Errors

html_errors = Off

Prevents formatted error output.


6. Ignore Repeated Errors

ignore_repeated_errors = On

Reduces log flooding.


7. Ignore Repeated Source

ignore_repeated_source = On

Avoids duplicate error logs.


2. File System Security

Restrict PHP’s access to server files.

8. Restrict File Access

open_basedir = /var/www/html/

Only allows file access inside this directory. The trailing slash matters: without it the value is a prefix match and /var/www/html2 would also be allowed. Any other path PHP must read (the upload temp directory, the session directory) has to be appended, separated by ':'.


9. Disable Remote File Access

allow_url_fopen = Off

Stops loading remote files.


10. Disable Remote File Inclusion

allow_url_include = Off

Blocks Remote File Inclusion (RFI) attacks.


11. Restrict the Document Root

doc_root = /var/www/html

Sets the document root PHP uses when it runs as CGI/FastCGI. On its own it does not block directory traversal; open_basedir (item 8) is the setting that confines file access.


12. Restrict Include Paths

include_path = ".:/var/www/html"

13. Disable Dynamic Extension Loading

enable_dl = Off

Prevents scripts from loading extensions at runtime with dl(). (The same directive is listed again as item 49.)


3. Command Execution Protection

Prevent attackers from running OS commands.

14. Disable Dangerous Functions

disable_functions = exec,passthru,shell_exec,system,proc_open,popen

15. Disable File System Modification Functions

Example additions:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,chmod,chown

16. Disable Dangerous Classes

disable_classes = DirectoryIterator

Used in highly restricted environments.


4. File Upload Security

Protect file upload features.

17. Enable Uploads Carefully

file_uploads = On

18. Limit Upload File Size

upload_max_filesize = 2M

19. Limit POST Data

post_max_size = 8M

20. Limit Number of Uploads

max_file_uploads = 10

21. Temporary Upload Directory

upload_tmp_dir = /tmp/php_uploads

22. Validate MIME Types in Code

(Not in php.ini but essential)
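Item 22 says the MIME check belongs in application code. The following is an added example written for this checklist, not code from the original post: it validates one upload by content-sniffed MIME type, size and a type-to-extension allow-list, then stores it under a random name. The form field name document, the directory /var/www/uploads and the set of allowed types are assumptions.

```php
<?php
// Added example (not from the original checklist): server-side validation of an
// uploaded file. The field name "document" and the target directory are assumed;
// the directory should live outside the web root and never be served as PHP.

declare(strict_types=1);

const UPLOAD_DIR   = '/var/www/uploads';   // assumed path
const MAX_BYTES    = 2 * 1024 * 1024;       // mirrors upload_max_filesize = 2M
const ALLOWED_MIME = [                       // detected MIME type => extension we write
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

/**
 * Validate one $_FILES entry. Returns ['ok' => true, 'path' => ...] or
 * ['ok' => false, 'error' => ...]. The MIME type is read from the file's
 * content with finfo, never from $_FILES[...]['type'], which the client sets.
 */
function validateUpload(array $file): array
{
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'error' => "upload failed with code $code"];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'error' => 'not a file uploaded by this request'];
    }
    if ($file['size'] > MAX_BYTES) {
        return ['ok' => false, 'error' => 'file too large'];
    }

    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = (string) $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        return ['ok' => false, 'error' => "disallowed content type: $mime"];
    }

    // The client-supplied name is ignored entirely. A random name with the
    // extension implied by the detected type means nothing ever lands on disk
    // under an executable extension, whatever the original filename was.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    return ['ok' => true, 'path' => UPLOAD_DIR . '/' . $name];
}

$result = validateUpload($_FILES['document'] ?? []);
if (!$result['ok']) {
    http_response_code(400);
    exit('Rejected: ' . $result['error']);
}
if (!move_uploaded_file($_FILES['document']['tmp_name'], $result['path'])) {
    http_response_code(500);
    exit('Could not store file');
}
echo 'Stored';
```

If open_basedir is set as in item 8, the upload temp directory from item 21 must be included in it, otherwise finfo cannot open the temporary file and every upload is rejected.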


5. Resource Limiting (Prevent DoS)

Protect server resources.

23. Script Execution Time

max_execution_time = 30

24. Input Processing Time

max_input_time = 30

25. Memory Limit

memory_limit = 128M

26. POST Request Size

post_max_size = 8M

27. Maximum Input Variables

max_input_vars = 1000

Prevents large request attacks.


6. Session Security

Protect user sessions.

28. HTTPOnly Cookies

session.cookie_httponly = On

Protects from JavaScript session theft.


29. Secure Cookies (HTTPS)

session.cookie_secure = On

Only sent over HTTPS.


30. Strict Session Mode

session.use_strict_mode = 1

Prevents session fixation.


31. Use Cookies Only

session.use_only_cookies = 1

Prevents session ID in URL.


32. Session ID Length

session.sid_length = 48

Longer session IDs are harder to guess. Regenerating the ID itself is not controlled by this setting; it is done in code with session_regenerate_id() on login and other privilege changes.


33. Session ID Bits per Character

session.sid_bits_per_character = 6

More random bits in every character of the ID.


34. Session Save Path

session.save_path = "/var/lib/php/sessions"

Store sessions securely.
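The session directives above have runtime counterparts. The following is an added example written for this checklist, not code from the original post: it applies the same cookie and strict-mode settings from application code (so a permissive global php.ini does not silently undo them), rotates the session ID on login, and enforces an idle timeout. The 15-minute idle window and the SameSite=Strict cookie attribute are additions not mentioned in the checklist; it needs PHP 7.3 or newer for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the original checklist): runtime counterpart of the
// session.* directives. Requires PHP >= 7.3 for the 'samesite' cookie option.
declare(strict_types=1);

function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies with the browser session
        'path'     => '/',
        'secure'   => true,     // session.cookie_secure
        'httponly' => true,     // session.cookie_httponly
        'samesite' => 'Strict', // not in the checklist; limits CSRF exposure
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    session_start();
}

/**
 * Call on every privilege change (login, role elevation). use_strict_mode only
 * rejects IDs the server never issued; rotating the ID here also covers the
 * case where a planted ID was a valid one, so the pre-login ID never carries
 * the authenticated state.
 */
function elevateSession(int $userId): void
{
    session_regenerate_id(true);  // true = delete the old session data
    $_SESSION['user_id']   = $userId;
    $_SESSION['issued_at'] = time();
}

/** Destroy sessions idle longer than $maxIdleSeconds (assumed 15 minutes). */
function enforceIdleTimeout(int $maxIdleSeconds = 900): void
{
    $last = $_SESSION['last_seen'] ?? time();
    if (time() - $last > $maxIdleSeconds) {
        $_SESSION = [];
        session_destroy();
        http_response_code(401);
        exit('Session expired');
    }
    $_SESSION['last_seen'] = time();
}

// Typical request flow; elevateSession() would be called from the login handler
// after the credentials have been verified.
startHardenedSession();
enforceIdleTimeout();
```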


7. Input Data Protection

Protect against malicious user input.

35. Disable Global Variables

register_globals = Off

Prevents request parameters from being injected as PHP variables.

(Removed in PHP 5.4; only relevant on legacy servers, but listed for completeness.)


36. Disable Magic Quotes

magic_quotes_gpc = Off

Old feature (removed in PHP 5.4) that silently altered input and gave a false sense of SQL-injection protection.


37. Default Input Filter

filter.default = unsafe_raw

This is PHP's default and applies no transformation to $_GET, $_POST and $_COOKIE. Do not rely on a global filter; validate each value explicitly in application code with filter_input() or filter_var().
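What "validate in application code" looks like with the filter extension, as an added example written for this checklist and not code from the original post. The three parameter names and their bounds are assumptions; the pattern (typed validation with FILTER_NULL_ON_FAILURE, and an allow-list for anything that ends up in a query) is the point.

```php
<?php
// Added example (not from the original checklist): explicit input validation,
// which filter.default = unsafe_raw leaves entirely to the application.
declare(strict_types=1);

/**
 * Validate the per_page / email / sort parameters of a listing request
 * (names assumed). Returns the cleaned values, or a list of field errors.
 */
function validateListingParams(array $query): array
{
    $errors = [];

    // Integer with bounds; non-numeric or out-of-range input becomes null.
    $perPage = filter_var($query['per_page'] ?? '20', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
    if ($perPage === null) {
        $errors['per_page'] = 'must be an integer between 1 and 100';
    }

    $email = filter_var($query['email'] ?? '', FILTER_VALIDATE_EMAIL, FILTER_NULL_ON_FAILURE);
    if ($email === null) {
        $errors['email'] = 'invalid address';
    }

    // Allow-list for a value that will name a database column: only known
    // names survive, so nothing user-controlled reaches the SQL.
    $sort = $query['sort'] ?? 'created';
    if (!in_array($sort, ['created', 'name', 'size'], true)) {
        $errors['sort'] = 'unknown column';
        $sort = null;
    }

    return $errors
        ? ['ok' => false, 'errors' => $errors]
        : ['ok' => true, 'per_page' => $perPage, 'email' => $email, 'sort' => $sort];
}

// Constructed inputs so the file runs stand-alone (php validate.php):
var_dump(validateListingParams(['per_page' => '25', 'email' => 'ops@example.com', 'sort' => 'name']));
var_dump(validateListingParams(['per_page' => '0', 'email' => 'not-an-address', 'sort' => 'owner']));
```

The first call returns the typed values (per_page as int 25); the second returns ok => false with an error for each of the three fields.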


8. Network Security

Control network behavior.

38. Disable Remote Connections (if not needed)

allow_url_fopen = Off

39. Set Default Socket Timeout

default_socket_timeout = 60

40. Disable Including Files from URLs

Already covered by item 10:

allow_url_include = Off

9. Logging and Monitoring

Improve incident detection.

41. Enable Error Logging

log_errors = On

42. Log Maximum Length

log_errors_max_len = 1024

Truncates each logged message on PHP 8.0 and earlier; the directive was removed in PHP 8.1. A 1024-byte limit can cut off stack traces you may need during an investigation.

43. Track Errors

track_errors = Off

Keep off. Deprecated in PHP 7.2 and removed in PHP 8.0.

44. Enable Slow Request Logging

Server-level configuration recommended.


10. Performance + Security Optimization

45. Enable Opcode Caching

Use OPcache

opcache.enable=1

46. Limit OPcache Memory

opcache.memory_consumption=128

47. Disable Timestamp Validation

opcache.validate_timestamps=0

Production environments only: PHP will no longer notice changed files, so restart PHP-FPM (or call opcache_reset()) as part of every deployment.


48. Disable Unused Extensions

Remove modules not needed.

Example:

php -m

Check loaded modules.


49. Disable Dynamic Extension Loading

enable_dl = Off

Prevents runtime extension loading.


50. Configure Timezone

date.timezone = Asia/Kolkata

Prevents warning leakage.


11. Advanced Security Controls

51. Disable Path Info Processing

cgi.fix_pathinfo = 0

Critical for PHP-FPM security. Pair it with security.limit_extensions in the FPM pool configuration and with a web server rule that passes only real .php files to FPM.


52. Set Realpath Cache Size

realpath_cache_size = 4096k

Improves performance safely.


53. Restrict PHP Execution Directory

Use web server configuration alongside php.ini.


Example Hardened php.ini Snippet

A simplified hardened configuration:

expose_php = Off
display_errors = Off
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,system,shell_exec,passthru,popen,proc_open
open_basedir = /var/www/html/
file_uploads = On
upload_max_filesize = 2M
post_max_size = 8M
max_execution_time = 30
memory_limit = 128M
session.cookie_httponly = On
session.cookie_secure = On
session.use_strict_mode = 1
cgi.fix_pathinfo = 0
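A way to check that the snippet above is actually in effect, as an added example written for this checklist and not code from the original post. It reads the live values with ini_get() and reports every directive that differs from the expected value. Run it under the same SAPI the web server uses (for PHP-FPM, pass the FPM php.ini with php -c, or drop it behind the server briefly), because CLI and FPM commonly load different php.ini files. The path in the comment is an assumption.

```php
<?php
// Added example (not from the original checklist): audit the running PHP
// interpreter against the hardened snippet. Example invocation (path assumed):
//   php -c /etc/php/8.x/fpm/php.ini audit.php
declare(strict_types=1);

/** Expected values for boolean directives, keyed by directive name. */
const EXPECTED = [
    'expose_php'              => '0',
    'display_errors'          => '0',
    'log_errors'              => '1',
    'allow_url_fopen'         => '0',
    'allow_url_include'       => '0',
    'file_uploads'            => '1',
    'session.cookie_httponly' => '1',
    'session.cookie_secure'   => '1',
    'session.use_strict_mode' => '1',
    'cgi.fix_pathinfo'        => '0',
];

/** Functions the snippet expects in disable_functions. */
const MUST_BE_DISABLED = ['exec', 'system', 'shell_exec', 'passthru', 'popen', 'proc_open'];

/**
 * ini_get() reports "Off" as "" or "0" and "On" as "1" depending on how the
 * value was written; reduce both forms to "0"/"1" before comparing.
 */
function normaliseBool(string $raw): string
{
    return in_array(strtolower($raw), ['1', 'on', 'true', 'yes'], true) ? '1' : '0';
}

/** Returns a map of directive => problem description; empty means all good. */
function auditIni(array $expected): array
{
    $findings = [];
    foreach ($expected as $directive => $want) {
        $actual = ini_get($directive);
        if ($actual === false) {
            $findings[$directive] = 'directive unknown to this PHP build';
            continue;
        }
        if (normaliseBool($actual) !== $want) {
            $findings[$directive] = sprintf('is "%s", expected "%s"', $actual, $want);
        }
    }

    // List- and path-valued directives need their own checks.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (MUST_BE_DISABLED as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings["disable_functions:$fn"] = 'not disabled';
        }
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings['open_basedir'] = 'not set';
    }
    return $findings;
}

$findings = auditIni(EXPECTED);
foreach ($findings as $directive => $problem) {
    fwrite(STDERR, "[FAIL] $directive: $problem\n");
}
echo $findings ? count($findings) . " finding(s)\n" : "All checked directives match\n";
exit($findings ? 1 : 0);
```

The non-zero exit status makes the script usable as a deployment gate: a configuration-management run or CI job that fails when a hardened directive has drifted catches the regression before it reaches production.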

Final Concept

Hardening PHP using php.ini is part of server-side defense-in-depth.

A properly hardened configuration helps prevent:

  • Remote Code Execution (RCE)

  • File Inclusion Attacks

  • Session Hijacking

  • Information Disclosure

  • Denial-of-Service attacks

  • Malware uploads