WPCloud Deploy Documentation

Understanding PHP Restrictions

When we install a site, we assume that it is going to be run in a shared environment.  This means that some important PHP restrictions are added.

First and foremost, we add the open_basedir directive to ensure that PHP will only access the designated folders. These are the folders that WordPress is installed in and a TMP folder.

Next we disable a set of sensitive functions to prevent PHP from using them – we provide the list of disabled functions at the end of this document.

We also apply the following restrictions:

In version 3.0.0 and later we apply:

  • allow_url_fopen = 0
  • allow_url_include = 0
  • session.use_strict_mode = 1
  • session.cookie_httponly = 1
  • session.use_cookies = 1
  • session.use_only_cookies = 1
  • session.use_trans_sid = 0
  • session.name = <domain>
  • session.referer_check = <domain>

In version 2.9.0 we applied:

  • allow_url_fopen = 0
  • allow_url_include = 0
  • session.use_strict_mode = 1
  • session.cookie_httponly = 1
  • session.use_cookies = 1
  • session.use_only_cookies = 1
  • session.use_trans_sid = 0
  • session.name = <domain>
  • session.referer_check = <domain>

These restrictions are located in the /etc/php/7.4/fpm/pool.d/domain.conf file on your server.  Two parts of this path can change – 7.4 is replaced with the version of PHP you’re running and domain is replaced with your domain name for the site.

Certain plugins or themes might need some of these restrictions lifted – to do so just edit the pool file for the domain and update them.  Just be careful that you don’t inadvertently allow plugins and themes to access other sites if you’re in a shared environment.
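
One way to check a pool file after editing it, as an added example (not WPCloud Deploy's own code). It assumes the restrictions are written as standard PHP-FPM php_admin_value[...] / php_admin_flag[...] lines; the sample file, its paths and the MUST_DISABLE subset are constructed for illustration.

```python
import re

# Expected values are the settings listed on this page (3.0.0 and later).
EXPECTED = {
    "allow_url_fopen": "0", "allow_url_include": "0",
    "session.use_strict_mode": "1", "session.cookie_httponly": "1",
    "session.use_cookies": "1", "session.use_only_cookies": "1",
    "session.use_trans_sid": "0",
}
# Subset of the page's disabled list that runs commands (chosen for this example).
MUST_DISABLE = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open", "pcntl_exec"}
DIRECTIVE = re.compile(r"^\s*php(?:_admin)?_(?:value|flag)\[([^\]]+)\]\s*=\s*(.*?)\s*$")
BOOL = {"on": "1", "yes": "1", "true": "1", "off": "0", "no": "0", "false": "0"}

def parse_pool(text):
    """Return {ini_name: normalized_value} for the PHP directives in a pool file."""
    settings = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            value = m.group(2).strip('"')
            settings[m.group(1)] = BOOL.get(value.lower(), value)
    return settings

def audit(text):
    """Return a list of findings; an empty list means nothing was lifted."""
    s = parse_pool(text)
    findings = []
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set")
    for name, want in EXPECTED.items():
        if s.get(name) != want:
            findings.append(f"{name} is {s.get(name)!r}, expected {want}")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    for fn in sorted(MUST_DISABLE - disabled):
        findings.append(f"{fn} is not in disable_functions")
    return findings

# Constructed sample: allow_url_fopen re-enabled, exec/shell_exec/system removed.
SAMPLE = (
    "[example.com]\n"
    "php_admin_value[open_basedir] = /var/www/example.com/html:/tmp\n"
    "php_admin_value[disable_functions] = dl,passthru,popen,proc_open,pcntl_exec,phpinfo\n"
    "php_admin_flag[allow_url_fopen] = on\n"
    + "".join(f"php_admin_value[{k}] = {v}\n" for k, v in EXPECTED.items() if k != "allow_url_fopen")
)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all restrictions present")
```

Settings written with php_admin_value or php_admin_flag cannot be overridden from PHP code with ini_set(), which is what a shared environment needs.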

Updraft Plus Plugin

The technical support folks at Updraft Plus state that the following restricted functions need to be enabled.  Note that we have been able to use this plugin with these functions restricted, but if you run into issues yourself you might need to remove these from your restricted list.  If you do, you probably should not be running those sites in a shared environment!

  • shell_exec
  • exec
  • system

Appendix: List of disabled functions in PHP

In version 3.0.0 and later we disable:

  • dl
  • exec
  • fpassthru
  • getmypid
  • getmyuid
  • highlight_file
  • ignore_user_abort
  • link
  • opcache_get_configuration
  • passthru
  • pcntl_exec
  • pcntl_get_last_error
  • pcntl_setpriority
  • pcntl_strerror
  • pcntl_wifcontinued
  • phpinfo
  • popen
  • posix_ctermid
  • posix_getcwd
  • posix_getegid
  • posix_geteuid
  • posix_getgid
  • posix_getgrgid
  • posix_getgrnam
  • posix_getgroups
  • posix_getlogin
  • posix_getpgid
  • posix_getpgrp
  • posix_getpid
  • posix_getppid
  • posix_getpwnam
  • posix_getpwuid
  • posix_getrlimit
  • posix_getsid
  • posix_getuid
  • posix_isatty
  • posix_kill
  • posix_mkfifo
  • posix_setegid
  • posix_seteuid
  • posix_setgid
  • posix_setpgid
  • posix_setsid
  • posix_setuid
  • posix_times
  • posix_ttyname
  • posix_uname
  • proc_close
  • proc_get_status
  • proc_nice
  • proc_open
  • proc_terminate
  • shell_exec
  • show_source
  • source
  • system
  • virtual

In version 2.9.0 we disabled:

  • php_uname
  • getmyuid
  • getmypid
  • passthru
  • leak
  • listen
  • diskfreespace
  • tmpfile
  • link
  • ignore_user_abort
  • shell_exec
  • dl
  • set_time_limit
  • exec
  • system
  • highlight_file
  • source
  • show_source
  • fpassthru
  • virtual
  • posix_ctermid
  • posix_getcwd
  • posix_getegid
  • posix_geteuid
  • posix_getgid
  • posix_getgrgid
  • posix_getgrnam
  • posix_getgroups
  • posix_getlogin
  • posix_getpgid
  • posix_getpgrp
  • posix_getpid
  • posix
  • posix_getppid
  • posix_getpwnam
  • posix_getpwuid
  • posix_getrlimit
  • posix_getsid
  • posix_getuid
  • posix_isatty
  • posix_kill
  • posix_mkfifo
  • posix_setegid
  • posix_seteuid
  • posix_setgid
  • posix_setpgid
  • posix_setsid
  • posix_setuid
  • posix_times
  • posix_ttyname
  • posix_uname
  • proc_open
  • proc_close
  • proc_get_status
  • proc_nice
  • proc_terminate
  • phpinfo
