Edit/change the following in your php.ini

 

safe_mode = on

This will enable Safe Mode. Safe Mode checks whether a script that operates on another file on the server has the same owner as that file. For example, if a page test.php wants to read the contents of the directory /app, Safe Mode compares the UIDs of both; if they match, the script is allowed access, otherwise not. This is a very useful technique to deny access by scripts outside of the normal installation directory.

safe_mode_gid = on

Use this if you want ownership to be checked by group.

safe_mode_include_dir = path/to/inc/dir
safe_mode_exec_dir = path/to/exec/dir

Use these to limit the directories that can contain the include and executable files.

open_basedir = path/to/web/root

Use this to restrict file inclusion to the web root, e.g. /public_html. Once it is set, files outside that directory cannot be included in scripts, which helps secure the web server/site against attacks.

disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo

There are many PHP functions that you don't want anyone to use because of the danger they pose. Whether or not your own code uses them, disable them, as attackers might access your files through them. For example, phpinfo can help an attacker find out what is enabled on your server/site. Use the above to disable all possible dangerous functions.

display_errors = off

Error messages are the most common source of information disclosure. Attackers might use this information to find out installation paths, database connection details, confidential details, etc. The above setting stops error messages from being displayed.

file_uploads = off

If you are not using the upload functions, it is better to disable them, as attackers might (mis)use them to inject malicious scripts into your web application. Use the above to disable uploading.

upload_tmp_dir = /php_tmp
upload_max_filesize = 1.8M

If you do want to allow file uploads, change the default temporary folder. You may also restrict the file size to some MBs or KBs, like 1.8M.

session.save_path = lib/php

Session stealing is a popular attack that allows a malicious user to hijack the session of a legitimate user. Using session hijacking, an attacker can bypass authorization and access portions of web applications without being authorized. Changing the default location of the session files will help.

session.cookie_httponly = 1

You may also wish to set PHP so that it writes cookies in such a way that they are inaccessible to JavaScript. If you don't have any PHP application that uses JavaScript to manipulate cookies, this is a great idea. Attackers will often exploit Cross Site Scripting (XSS) flaws in web applications to inject JavaScript into pages, which could be used to steal session cookies.

session.referer_check = your_url.tld

Besides restricting JavaScript from accessing your cookies, another small security feature is allowing PHP to check HTTP referer values so that session information is only passed internally while a user is viewing an application. This prevents users from accidentally publishing session information in a way that would allow external users to follow links and steal a session. This is especially useful if session information is being passed in a URL that could accidentally be published to a mailing list or web site.

register_globals = off

Global variables have been very dangerous since the PHP 3 days. In most distributions register_globals is set to off. However, you should ensure that the directive is properly in place. Register globals allows various HTTP variables to be used without specifying their source. For example, if you want to use a URL variable named 'ir', for instance from the URL request index.php?ir=4, with globals you can simply use $ir rather than $_GET['ir']. This is a great convenience, but it can cause collisions. To prevent that, ensure the above setting is properly in place in your php.ini.
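To check an existing php.ini against the settings above, the following added example (not from the original article) parses the file text and lists every deviation. The sample file, the function names and the minimum disable_functions baseline are assumptions made for the example.

```python
# Constructed sample php.ini; every value here is made up for the example.
SAMPLE_INI = """\
[PHP]
display_errors = On      ; left over from development
file_uploads = off
open_basedir = /var/www/public_html
disable_functions = exec, system, phpinfo
session.cookie_httponly = 1
display_errors = off
"""

# Expected values follow the article. register_globals exists only in
# PHP releases before 5.4; drop it when auditing newer installs.
EXPECTED_BOOL = {"display_errors": False, "file_uploads": False,
                 "register_globals": False, "session.cookie_httponly": True}
MUST_BE_SET = ("open_basedir", "session.save_path")
# Assumed minimum baseline: a subset of the article's disable_functions list.
MUST_DISABLE = {"exec", "system", "shell_exec", "passthru", "proc_open", "phpinfo"}
TRUE_WORDS = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return {directive: value}; a later assignment replaces an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments (quoted ';' not handled)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return sorted findings where the file deviates from the expected values."""
    s = parse_ini(text)
    findings = []
    for key, want in EXPECTED_BOOL.items():
        if key not in s:
            findings.append(f"{key}: not set")
        elif (s[key].lower() in TRUE_WORDS) != want:
            findings.append(f"{key}: is {s[key]!r}, want {'on' if want else 'off'}")
    findings += [f"{key}: not set" for key in MUST_BE_SET if not s.get(key)]
    disabled = {name.strip() for name in s.get("disable_functions", "").split(",")}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INI)))
```

In the sample, the second display_errors line overrides the first, so only the unset directives and the short disable_functions list are reported.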

source: Techmantras