Securing PHP

PHP is the programming language WordPress is developed in. You can strengthen your WordPress site by disabling certain functions and options in the PHP configuration file. The file is called php.ini.

If you are on shared hosting your hosting provider should allow you to have your own php.ini file. The configuration can vary from host to host, so ask them if you are in doubt.

If you are using a dedicated server you will be able to make modifications to the php.ini file.

Why Securing PHP Is Important

Your WordPress site will constantly be probed by robots that will try to:

  • submit malicious data and scripts to your site

  • make your server execute malicious scripts located on external servers

  • read and write files on your server

They want to take control of your site and use it for their own purposes.

Tightening the security in the PHP configuration file can help prevent those types of attacks.

How You Complete This Security Checkpoint

You need to change a few settings in your php.ini file to make PHP more secure.

Note that this might break some plugins if they require some of these functions to work properly. Therefore it is important that you test your site after making these changes to verify everything is working. If you encounter a problem try changing one setting at a time to its original value until you find the setting that causes the problem.

If you need that particular plugin then you have to live with a slightly less secure configuration of PHP. You are still miles ahead of most other web sites.

  • Ask your host about your options for modifying the php.ini file.
    Typically there is one php.ini file in the public_html folder, however some hosts allow you to have multiple php.ini files.

  • Locate your php.ini file.
    If it does exist find each setting (e.g. search for short_open_tag) and change the value.
    If it does not exist create a text file, name it php.ini and add the code below.

; BEGIN WordPress Security Checklist Additions

register_globals = Off
allow_url_fopen = Off
short_open_tag = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
magic_quotes_gpc = Off
magic_quotes_sybase = Off

; If you experience problems after changing the php.ini
; the line below is the place to look first.
disable_functions = show_source, system, passthru, exec, phpinfo, popen, proc_open

; END WordPress Security Checklist Additions


Test! Especially plugins that allow user input, e.g. forums, commenting, contact forms, galleries etc. If you do find any plugins have stopped working you are most likely to find the problem in the disable_functions line.

Comment out the whole line by adding a semicolon (;) at the beginning of the line.

If the plugin starts working try taking out each function one at a time until you find the one (or two) that stop the plugin from working. Leave in as much as possible.
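To confirm that the values PHP is actually running with match the checklist (a host may ignore a local php.ini), you can run a small check script. This is an added example, not part of the original checklist; the function names check_flag and still_enabled are made up for this illustration.

```php
<?php
// Added example: compare the effective PHP settings with the checklist values.
// Upload it under a hard-to-guess name, open it once, then delete it again.
$wantOff = array('register_globals', 'allow_url_fopen', 'short_open_tag',
                 'display_errors', 'display_startup_errors',
                 'magic_quotes_gpc', 'magic_quotes_sybase');
$wantOn = array('log_errors');
$wantDisabled = array('show_source', 'system', 'passthru', 'exec',
                      'phpinfo', 'popen', 'proc_open');

// Classify one On/Off directive. ini_get() returns false when the running
// PHP version does not know the directive at all.
function check_flag($name, $expectOn)
{
    $raw = ini_get($name);
    if ($raw === false) {
        return 'n/a (directive not known to this PHP version)';
    }
    // Anything that is not an explicit "off" spelling counts as On,
    // so display_errors = stderr is reported as On.
    $off = array('', '0', 'off', 'false', 'no', 'none');
    $isOn = !in_array(strtolower(trim($raw)), $off, true);
    return ($isOn === $expectOn) ? 'OK' : 'MISMATCH (effective value: "' . $raw . '")';
}

// Return the checklist functions that are NOT in the effective disable_functions.
function still_enabled(array $wanted)
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_diff($wanted, $disabled));
}

header('Content-Type: text/plain');
$loaded = php_ini_loaded_file();
echo 'Loaded php.ini: ', ($loaded !== false ? $loaded : '(none)'), "\n\n";

foreach ($wantOff as $name) {
    printf("%-24s expect Off  %s\n", $name, check_flag($name, false));
}
foreach ($wantOn as $name) {
    printf("%-24s expect On   %s\n", $name, check_flag($name, true));
}

$left = still_enabled($wantDisabled);
echo "\ndisable_functions: ",
     ($left ? 'still enabled: ' . implode(', ', $left) : 'OK'), "\n";
```

If the "Loaded php.ini" line does not show the file you edited, your changes are not being applied and you should ask your host where the active file lives.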

What the steps do

register_globals = Off

Important setting! Setting register_globals to Off makes it harder for someone to inject code, because variables in PHP cannot easily be changed.

allow_url_fopen = Off

Important setting! Setting allow_url_fopen to Off will stop WordPress from including and executing code from other websites in the php code. This is a very common way of injecting malicious code into a website.

short_open_tag = Off 

Setting short_open_tag to Off will make php code interpretation more strict. Some types of poorly written code will be rejected.

display_errors = Off
display_startup_errors = Off
log_errors = On

These settings make sure WordPress does not display error information publicly. Error information can be a great source for hackers to discover intimate information about your server configuration.

Instead errors will be logged to a file.

Note! If you had an existing php.ini file check the setting for error_log. This sets the file name for the error log.

If your file name is not error_log you will need to modify the .htaccess file as discussed in Securing Your .htaccess File Manually (you need to scroll down a little bit to get to the part about the error_log).


; Log errors to specified file. 
error_log = error_log

magic_quotes_gpc = Off
magic_quotes_sybase = Off

These settings tell PHP to apply a strict interpretation of the use of quotes in the code.

disable_functions = ... 

This setting tells PHP to turn off certain powerful functions, which are typically used by hackers. However, some of these functions can also be used legitimately by some plugins.

Therefore you need to test your plugins carefully after enabling this.


The more of these settings you can successfully apply the better. However you should not sacrifice required functionality on your WordPress site in case there is a problem with one of these settings.

About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!
