Prerequisites
Before disabling PHP functions, make sure you have:
- SSH access to your VPS
- Root or sudo privileges
⚠️ Disabling functions may break some applications. Test thoroughly!
Dangerous PHP Functions to Disable
Commonly disabled functions for security:
exec, shell_exec, system, passthru, proc_open, proc_close, popen, eval, assert, create_function, show_source, highlight_file, phpinfo, dl, ini_set, ini_alter, curl_multi_exec, pcntl_exec
Method 1: Disable Functions in php.ini
Edit php.ini for your PHP version:
nano /etc/php/8.2/fpm/php.ini
Find and modify:
disable_functions = exec,shell_exec,system,passthru,proc_open,popen,curl_multi_exec,pcntl_exec,parse_ini_file,show_source
Apply the same setting to the CLI configuration as well:
nano /etc/php/8.2/cli/php.ini
Method 2: Disable Functions for Specific HestiaCP Domain
For per-domain configuration, create a custom PHP-FPM pool:
nano /etc/php/8.2/fpm/pool.d/domain.conf
Add:
[example.com]
user = admin
group = www-data
listen = /run/php/php8.2-fpm-example.sock
listen.owner = www-data
listen.group = www-data
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
php_admin_value[disable_functions] = exec,shell_exec,system,passthru
Method 3: Using HestiaCP Web Templates
Edit the backend template:
nano /usr/local/hestia/data/templates/web/php-fpm/php82-custom.tpl
Add inside the template:
php_admin_value[disable_functions] = exec,shell_exec,system
Restart PHP-FPM After Changes
systemctl restart php8.2-fpm
Verify Functions are Disabled
Create a test script:
echo '<?php var_dump(ini_get("disable_functions"));' > /home/admin/web/example.com/public_html/test.php
Visit https://example.com/test.php to verify.
Allow Specific Functions for Certain Domains
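For domains that need exec (like some backup scripts), create exceptions in their pool config. PHP-FPM appends a pool's disable_functions value to the php.ini list instead of replacing it, so a function can be allowed for one domain only if it is left out of the global php.ini list and disabled in the other domains' pool configs.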
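An offline complement to the test script, as an added example that is not part of the original guide: it combines the php.ini list with a pool's php_admin_value[disable_functions] and reports which functions from a wanted list are still callable in that pool. The function names, the wanted list and the sample files are constructed for illustration; it assumes one pool per file and that PHP-FPM appends the pool value to the global list.

```sh
#!/bin/sh
# Added example, not from the original guide. Assumes one pool per file and
# that PHP-FPM appends the pool's disable_functions to the php.ini list.

# Last uncommented disable_functions value in a php.ini file.
ini_disabled() {
  sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Pool-level value from a PHP-FPM pool config file.
pool_disabled() {
  sed -n 's/^[[:space:]]*php_admin_value\[disable_functions][[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# effective_disabled PHP_INI POOL_CONF: one disabled function name per line.
effective_disabled() {
  { ini_disabled "$1"; pool_disabled "$2"; } |
    tr -d ' \t"' | tr ',' '\n' | sed '/^$/d' | sort -u
}

# still_enabled WANTED_CSV PHP_INI POOL_CONF: wanted names that remain callable.
still_enabled() {
  eff=$(effective_disabled "$2" "$3")
  out=
  for fn in $(printf '%s' "$1" | tr ',' ' '); do
    printf '%s\n' "$eff" | grep -qxF -- "$fn" || out="${out:+$out,}$fn"
  done
  printf '%s\n' "$out"
}

# Constructed sample files using the values shown in Methods 1 and 2.
demo_dir=$(mktemp -d)
cat > "$demo_dir/php.ini" <<'EOF'
;disable_functions = this_commented_line_is_ignored
disable_functions = exec,shell_exec,system,passthru,proc_open,popen,curl_multi_exec,pcntl_exec,parse_ini_file,show_source
EOF
cat > "$demo_dir/empty.ini" <<'EOF'
disable_functions =
EOF
cat > "$demo_dir/pool.conf" <<'EOF'
[example.com]
php_admin_value[disable_functions] = exec,shell_exec,system,passthru
EOF

wanted=exec,shell_exec,system,passthru,proc_open,popen,pcntl_exec,dl,phpinfo
echo "global + pool: $(still_enabled "$wanted" "$demo_dir/php.ini" "$demo_dir/pool.conf")"
echo "pool only:     $(still_enabled "$wanted" "$demo_dir/empty.ini" "$demo_dir/pool.conf")"
```

On the server, pass the real paths from this guide, such as /etc/php/8.2/fpm/php.ini and /etc/php/8.2/fpm/pool.d/domain.conf. Remove test.php from public_html once verification is done.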
✅ Dangerous PHP functions have been disabled!