14th December 2011, 11:04
vaio
PHP.ini security

Hello dear ISP community.

I would like to ask you about php.ini settings with security in mind.
I have run ISP now for about a year and thought that, since I have followed the great How to Forge guides about installation and security, the server is quite safe.

Now on WP I have installed a plugin which showed me:

The allow_url_fopen directive is set to ON. It is recommended that you disable allow_url_fopen in the php.ini file for security reasons. This allows PHP file functions, such as include, require, and file_get_contents(), to retrieve data from remote locations (Example: FTP, web site). According to PHP Security Consortium, a large number of code injection vulnerabilities are caused by the combination of enabling allow_url_fopen, and bad input filtering.

How can I turn it off and what (possible) changes can that bring? Will it somehow affect how WordPress works?

The display_errors setting in php.ini is set to ON. This means that PHP errors, and warnings are being displayed. Such warnings can cause sensitive information to be revealed to users (paths, database queries, etc.).

How can we turn this off?

Magic Quotes is set to ON. This feature has been depreciated as of PHP 5.3 and removed as of PHP 6.0. Relying on this feature is highly discouraged. It is preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

I thought I had it off. How can we turn this off?

Unable to determine if mod_security for Apache is installed. This can happen if a host uses a different name for the Apache module, or if the apache_get_modules() function is not available in your PHP installation. ModSecurity can help protect your server against SQL injections, XSS attacks, and a variety of other attacks. The Apache module is available for free at http://www.modsecurity.org.

Is this because I use a Vserver?

Is there any other list of recommended security settings? I have used some of them from How to Forge and this forum.

Is it possible to see server load usage by users? I mean, I have 5 users on ISP; is it possible to see it for each individual?

Hope your advice will also help others to better protect your servers which are running ISPConfig!
Thank you,

14th December 2011, 13:09
vaio

OK, solutions have been found; maybe only an explanation from someone of how something affects sites:
Insert this into php.ini:
magic_quotes_gpc = Off
allow_url_fopen = Off
display_errors = Off
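
Added example, not part of the original posts and not ISPConfig or WordPress code: a small Python check that reads a php.ini and reports which of the three directives from this thread are still effectively on, including the case where a line is missing or commented out and PHP falls back to its built-in default. The function names and the sample file are constructed for illustration; the defaults are those of PHP 5.3, and only the one file passed in is read, so settings applied elsewhere (for example per-site overrides) are not seen.

```python
import re

# Directives from the thread with PHP 5.3's built-in default (assumption:
# PHP 5.3). All three default to on, so a missing or commented-out line
# is not the same as "Off".
DEFAULTS = {"magic_quotes_gpc": "1", "allow_url_fopen": "1", "display_errors": "1"}
# Spellings php.ini treats as boolean false.
FALSE_WORDS = {"", "0", "off", "false", "no", "none"}
# Directive names are case-sensitive, so they are matched exactly.
ASSIGNMENT = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*)$")


def effective_values(ini_text):
    """Map each audited directive to (raw value, where it came from)."""
    result = {name: (value, "built-in default") for name, value in DEFAULTS.items()}
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        line = line.split(";", 1)[0]  # ';' starts a comment in php.ini
        match = ASSIGNMENT.match(line)
        if match and match.group(1) in DEFAULTS:
            # A later assignment overrides an earlier one.
            result[match.group(1)] = (match.group(2).strip(), f"line {lineno}")
    return result


def is_enabled(raw):
    """True unless the value is one of php.ini's 'off' spellings."""
    return raw.strip().strip("\"'").lower() not in FALSE_WORDS


def audit(ini_text):
    """Return sorted (directive, raw value, source) for directives still on."""
    values = effective_values(ini_text)
    return sorted((n, raw, src) for n, (raw, src) in values.items() if is_enabled(raw))


# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
[PHP]
; constructed sample
magic_quotes_gpc = On
;allow_url_fopen = Off
display_errors = Off   ; hide errors from visitors
magic_quotes_gpc = Off
"""

if __name__ == "__main__":
    for name, raw, source in audit(SAMPLE_INI):
        print(f"{name} is still on (value {raw!r}, from {source})")
```

On the sample, only allow_url_fopen is reported: its "Off" line is commented out, so the built-in default applies.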