• alien1691

    (@alien1691)


    Greetings.

    I am investigating the possibility of limiting the functions available to the php installs I control, via the .ini directive disable_functions. This would be done with the objective of improving site security (if you cannot exec, you cannot shell out, etc.). Obviously the potential breakage of doing this is pretty large.

    I wonder if there is a list of functions that can safely be disabled for WordPress and its most popular plugins/themes (say WooCommerce and suchlike). Going about this by the disable/see-what’s-broken method is not high on my list of possible methodologies.

    I see that the following:

    disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

    seems to be pretty popular.

    Advanced thanks.

Viewing 2 replies - 1 through 2 (of 2 total)
  • phpguy

    (@phpguy)

    I’ve seen this one before; it would be good if it wouldn’t bork some plugins. My guess is it would.

    base64_decode = Off

    Anyone have any hard information about this question? I can understand why it appears that WordPress has not published any recommendations about this particular subject. However, hardening PHP by limiting more dangerous functions is a good thing. The question is, if you do this thing, which of your favorite plug-ins will stop working? I don’t have time to chase down and diagnose problems in plug-ins. Any valid insight would be appreciated. Guesses really aren’t much help.

    Gee, wouldn’t it be nice if we could search the contents of plug-in code? Then we could search for those commands and if they don’t exist there would be no problem. Again, I don’t have time to manually read through most every file in a plug-in for a list of commands. There is the pop-up function list but that’s not going to solve my problem given the number of plug-ins I’m using.

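The search the reply above wishes for, as an added example that is not WordPress or any plugin's code: it parses the disable_functions line quoted in the opening post, then scans PHP source for direct calls to those functions and for the bare name as a string literal (the call_user_func case), skipping commented-out code. The sample PHP is constructed for the demonstration; the comment handling is a heuristic, not a PHP parser.

```python
import re
from pathlib import Path

# The disable_functions line quoted in the opening post, reused as the scan list.
INI_LINE = ("disable_functions =exec,passthru,shell_exec,system,proc_open,popen,"
            "curl_exec,curl_multi_exec,parse_ini_file,show_source")

def parse_disable_functions(ini_line):
    """Turn 'disable_functions = a,b,c' into ['a', 'b', 'c']."""
    return [n.strip() for n in ini_line.partition("=")[2].split(",") if n.strip()]

def blank_comments(src):
    """Blank out PHP comments, keeping newlines so reported line numbers stay right.
    Heuristic, not a PHP parser: '//' or '#' only counts as a comment when it
    follows start-of-line, whitespace, ';' or a brace, so 'http://' in strings survives."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"(?m)(^|(?<=[\s;{}]))(//|#)[^\n]*", "", src)

def find_calls(src, names):
    """Return {name: [line numbers]} for direct calls (exec( or \\exec() and for
    the bare name as a string literal, which may be passed to call_user_func()."""
    cleaned = blank_comments(src)
    hits = {}
    for name in names:
        direct = re.compile(r"(?<![\w$>:])\\?" + re.escape(name) + r"\s*\(")
        quoted = re.compile(r"['\"]" + re.escape(name) + r"['\"]")
        for pat in (direct, quoted):
            for m in pat.finditer(cleaned):
                line = cleaned.count("\n", 0, m.start()) + 1
                hits.setdefault(name, []).append(line)
    return {n: sorted(set(ls)) for n, ls in hits.items()}

def scan_plugin_dir(root, names):
    """Walk a plugins directory; return {relative path: hits} for files with any hit."""
    root = Path(root)
    report = {}
    for path in root.rglob("*.php"):
        hits = find_calls(path.read_text(encoding="utf-8", errors="replace"), names)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed sample of plugin code (not taken from any real plugin).
SAMPLE_PHP = """<?php
// exec('ls'); legacy call, commented out, must not be reported
$url = 'http://example.invalid/'; $out = shell_exec('uname -a');
$fn = 'system'; call_user_func($fn, 'id');
$this->exec($q); my_exec();
"""
```

Running `scan_plugin_dir("/path/to/wp-content/plugins", parse_disable_functions(INI_LINE))` lists, per file, which listed functions a plugin would hit; `find_calls(SAMPLE_PHP, ...)` on the sample reports shell_exec on line 3 and the quoted 'system' on line 4 while ignoring the commented-out exec and the `->exec()` method call.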