You need to change some php.ini settings that really should not be left at their default values.
1. The expose_php directive controls whether PHP tells the client its version.
expose_php = 1 means every response header sent back to the client carries the PHP version.
expose_php = 0 means the PHP version is not exposed to the client.
So set expose_php = 0 in php.ini:
expose_php = 0 ; do not expose the PHP version to the client in headers
2. The display_errors directive decides whether PHP errors are shown on the client side.
display_errors = 1 sends PHP errors to the client. It should be enabled only while developing or debugging.
display_errors = 0 does not send PHP errors to the client. It must be disabled on a production site.
display_errors = 0 ; do not display errors to the client
3. disable_functions holds a list of functions that PHP should refuse to run.
Here is the list I disable, because these functions can cause harm: an attacker can use them against the website or the web server. In php.ini the whole value must stay on one line.
disable_functions = exec,passthru,shell_exec,system,proc_open,proc_close,proc_terminate,popen,curl_exec,curl_multi_exec,show_source,posix_kill,posix_getpwuid,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,php_uname,syslog
Let me explain why these functions are on the disabled list.
exec - executes an external program, which is exactly the handle an attacker needs to run their own code on our system. Suppose:
<?php echo exec('whoami'); // outputs the username that owns the running php/httpd process
With this function an attacker can get the username and password of the server or the database server, or directly run some code without any restriction.
So make sure exec is not accessible to any user.
passthru - the same as exec: it executes an external program and displays its raw output.
And so on: none of these functions should be available to everyone, so disable them.
4. If allow_url_fopen and allow_url_include are set to 1, PHP can open and include files from remote servers, which is not good. If you don't need that, disable both:
allow_url_fopen = 0
allow_url_include = 0
5. open_basedir limits which files and directories a script may access.
open_basedir = "www/tmp/"
When a script tries to reach a file outside that directory, whether by include or fopen, PHP will refuse access.
Set it to the file or directory path that scripts are allowed to use; everything outside it is kept out of their reach.
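As an added example (not part of the original post), here is a small Python audit that parses a php.ini and reports which of the five settings above are still weak. The two sample ini texts, the example paths and the minimum set of functions it insists on seeing in disable_functions are constructed for this demonstration.

```python
MUST_BE_OFF = ("expose_php", "display_errors", "allow_url_fopen", "allow_url_include")
# Minimum set of functions that must appear in disable_functions (a constructed subset of the post's list).
MUST_DISABLE = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}
OFF_VALUES = {"0", "off", "false", "no", "none", ""}   # php.ini spellings that mean "off"

def parse_php_ini(text):
    """Return {directive: value}; ';' starts a comment, [sections] are skipped, quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # note: Windows ';' path separators in values are not handled
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """Return a list of findings; an empty list means the ini meets the baseline from the post."""
    cfg = parse_php_ini(text)
    # An absent directive is reported too: the hardened value should be stated explicitly.
    findings = [f"{name} should be 0" for name in MUST_BE_OFF
                if cfg.get(name, "1").lower() not in OFF_VALUES]
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    findings += [f"disable_functions missing {fn}" for fn in sorted(MUST_DISABLE - disabled)]
    if not cfg.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings

# Constructed sample: roughly what a stock php.ini ships with.
WEAK_INI = """
expose_php = On
display_errors = On
allow_url_fopen = On
allow_url_include = Off
disable_functions =
"""
# Constructed sample: the settings recommended in the post (paths are examples).
HARDENED_INI = """
expose_php = 0  ; do not expose the PHP version
display_errors = 0
allow_url_fopen = 0
allow_url_include = 0
open_basedir = "/var/www/html/:/tmp/"
disable_functions = exec,passthru,shell_exec,system,proc_open,proc_close,proc_terminate,popen,curl_exec,curl_multi_exec,show_source,posix_kill,posix_getpwuid,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,php_uname,syslog
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_php_ini(ini) or "OK")
```

Point it at the real file with audit_php_ini(open("/etc/php.ini").read()) (path varies by distribution) to check a live server against the same baseline.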