Secure Your PHP Site: Essential php.ini Settings Every Backend Developer Must Apply

This guide walks you through the most critical php.ini configurations on Windows—such as enabling short tags, hiding the PHP version, adjusting execution time, and disabling risky CGI options—to harden your PHP application against common attacks.

21CTO

Any site that runs PHP code needs a properly configured runtime, and several php.ini settings directly affect its security.

Key php.ini adjustments (Windows example)

Assuming PHP 7.4 is installed in D:\php, copy php.ini-development to php.ini and apply the following changes.

short_open_tag = On
Enables the short <? ... ?> tag syntax, which some older templates (the original cites ECShop, DedeCMS and WordPress) still use. This is a compatibility setting, not a hardening one: the <?= echo tag has worked regardless of it since PHP 5.4, so leave it Off unless a legacy codebase breaks without it.

expose_php = Off
Removes the X-Powered-By header that announces the exact PHP version, so an attacker cannot pick version-specific exploits from a single response. It is obscurity, not a patch: keep PHP updated as well.

extension_dir = "D:\php\ext"
Directory that holds the extension DLLs; remove the leading semicolon and point it at the real path.

max_execution_time = 300
Raises the per-request limit (default 30 s) so slow connections or remote calls do not time out. Each request can now occupy a FastCGI worker for five minutes, so raise it only as far as the application needs; 0 means unlimited.

cgi.force_redirect = 0
The default (1) makes PHP refuse to run unless the web server invoked it through a handler, which blocks calling the php-cgi binary directly by URL with an arbitrary script path. IIS does not set the REDIRECT_STATUS variable that check relies on, so on IIS the value must be 0; on Apache and other servers leave it at 1.

cgi.fix_pathinfo = 0
With the default (1), a request for a path such as /a.jpg/1.php where 1.php does not exist makes PHP walk back to the first existing file, a.jpg, and execute it; an uploaded image that contains PHP code then runs (the original's example URL, /as=.../sdf/muma.php, is of this kind; "muma" is a trojan, i.e. a web shell). Setting 0 restricts PHP to the exact SCRIPT_FILENAME. Applications that route through PATH_INFO (index.php/controller/action) need a rewrite rule in front once this is off.

fastcgi.impersonate = 1
IIS-only: lets PHP run under the security token IIS assigns to the request. It has no effect on Apache or Nginx.

cgi.rfc2616_headers = 1
Makes PHP send an RFC 2616 status line (HTTP/1.1 200 OK) instead of the Status: header that Apache expects. This is a compatibility setting with no security effect; use whichever form your server handles.

upload_tmp_dir = D:\php\temp
Scratch directory for uploads; create it, grant the PHP worker write access to it, and keep it outside the web root.
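To make the cgi.fix_pathinfo behaviour concrete, here is an added example (not code from the original article or from 21CTO) that models PHP's script-selection logic in Python against a constructed in-memory document root. The file names, the limit_extensions parameter and the helper names are assumptions for illustration; the walk-back rule itself is what the directive controls.

```python
import posixpath

# Constructed document root for the model: these are the only files that exist.
# /www/uploads/a.jpg is a user upload whose bytes contain "<?php ... ?>".
SAMPLE_FS = {"/www/index.php", "/www/uploads/a.jpg"}


def resolve_script(script_filename, fix_pathinfo, limit_extensions=None, existing=SAMPLE_FS):
    """Model of how PHP-CGI/FastCGI chooses the file to execute.

    Returns (file_to_execute, PATH_INFO); (None, "") stands for PHP's
    "No input file specified" response.

    cgi.fix_pathinfo=1: if SCRIPT_FILENAME does not exist, PHP strips path
      components from the right until it hits a real file, runs that file and
      hands the stripped tail to the script as PATH_INFO.
    cgi.fix_pathinfo=0: only the exact SCRIPT_FILENAME is eligible.
    limit_extensions: optional allow-list of suffixes the chosen file must
      carry (what PHP-FPM's security.limit_extensions enforces; assumed here
      as a generic second layer, not part of the article).
    """
    path = posixpath.normpath(script_filename)
    info = ""
    if path not in existing:
        if not fix_pathinfo:
            return None, ""
        while True:
            path, tail = posixpath.split(path)
            info = "/" + tail + info
            if path in existing:
                break
            if path in ("/", ""):
                return None, ""
    if limit_extensions and not path.lower().endswith(tuple(limit_extensions)):
        return None, ""
    return path, info


def executes_non_php(script_filename, fix_pathinfo, limit_extensions=None, existing=SAMPLE_FS):
    """True when the request ends up running a file that is not *.php, i.e.
    the uploaded-image-executed-as-code case the article describes."""
    target, _ = resolve_script(script_filename, fix_pathinfo, limit_extensions, existing)
    return target is not None and not target.lower().endswith(".php")


if __name__ == "__main__":
    # The article's case: a.jpg/1.php reaches PHP because the URL ends in .php
    for flag in (True, False):
        print("fix_pathinfo=%d:" % flag, resolve_script("/www/uploads/a.jpg/1.php", flag))
    # The cost of 0: PATH_INFO-style routing no longer resolves by itself
    print("routing with fix_pathinfo=0:", resolve_script("/www/index.php/user/42", False))
```

The classic exposure is a front end (nginx's $document_root$fastcgi_script_name is the usual example) forwarding any URI that ends in .php to PHP without checking that the file exists. fix_pathinfo = 0 closes it on the PHP side; a try_files $fastcgi_script_name =404 in the nginx location, or an extension allow-list as modelled above, closes it on the server side. The trade-off is visible in the last call: index.php/user/42 no longer resolves, so applications that depend on PATH_INFO need a rewrite rule in front.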

extension=bz2
extension=curl
extension=gd2
extension=gmp
extension=mbstring
; extension=php_mysql.dll  ; ext/mysql was removed in PHP 7.0 and the DLL does not ship with 7.4; this line only produces a startup warning, so use mysqli or pdo_mysql instead
extension=mysqli
extension=pdo_mysql

Uncomment these commonly used extensions (the bare-name form works from PHP 7.2 on; older builds need the extension=php_xxx.dll spelling). date.timezone = Asia/Shanghai sets the default timezone to UTC+8; PRC is an accepted alias.

Of these, expose_php, cgi.force_redirect and cgi.fix_pathinfo are the settings with a direct security effect; the rest are compatibility and convenience settings. Restart the FastCGI process (or IIS) after editing, then confirm the live values with php -i or phpinfo() rather than trusting the file, since a php.ini that PHP does not find is silently ignored. After that the file rarely needs further changes.
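Rather than eyeballing the file, the directive list above and the extension list can be checked mechanically. The following is an added example (not code from the original article or from 21CTO): a small Python audit that parses a php.ini offline and reports deviations from the baseline this article recommends. The SAMPLE_INI fragment is constructed for the demonstration, the "iis"/"apache" switch and the severity labels are assumptions, and the defaults used for missing directives are PHP's built-in defaults.

```python
import sys
from dataclasses import dataclass

# Usage against a real file: python php_ini_audit.py D:\php\php.ini iis

# Constructed php.ini fragment: two weak values and one stale extension line.
SAMPLE_INI = """\
[PHP]
; constructed sample, not a real server's file
short_open_tag = On
expose_php = On
max_execution_time = 300
cgi.force_redirect = 0
cgi.fix_pathinfo=1
fastcgi.impersonate = 1
extension_dir = "D:\\php\\ext"
extension=curl
extension=php_mysql.dll   ; ext/mysql no longer exists in PHP 7
extension=mysqli
"""


@dataclass
class Finding:
    directive: str
    actual: str
    expected: str
    severity: str   # high / medium / info
    why: str


def _strip_comment(line: str) -> str:
    """Drop a ';' comment unless it sits inside double quotes (include_path=".;x")."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: ignores [sections], lower-cases keys, strips quotes,
    and collects the repeatable extension= lines into a list."""
    settings = {"extension": []}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key == "extension":
            settings["extension"].append(value)
        else:
            settings[key] = value
    return settings


def ini_bool(value: str) -> bool:
    """PHP's truthiness for ini values: On/True/Yes/1 are true, everything else false."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit(settings: dict, server: str = "iis") -> list:
    """Compare parsed settings with the baseline. `server` is "iis" or "apache"
    because cgi.force_redirect and fastcgi.impersonate depend on the web server."""
    get = lambda key, default: settings.get(key, default)  # defaults = PHP built-in defaults
    findings = []
    if ini_bool(get("expose_php", "1")):
        findings.append(Finding("expose_php", get("expose_php", "1"), "Off", "medium",
                                "X-Powered-By header advertises the exact PHP version"))
    if ini_bool(get("cgi.fix_pathinfo", "1")):
        findings.append(Finding("cgi.fix_pathinfo", get("cgi.fix_pathinfo", "1"), "0", "high",
                                "/uploads/a.jpg/x.php makes PHP execute a.jpg as code"))
    force = get("cgi.force_redirect", "1")
    if server == "iis" and ini_bool(force):
        findings.append(Finding("cgi.force_redirect", force, "0", "info",
                                "IIS does not set REDIRECT_STATUS, so PHP would refuse every request"))
    elif server != "iis" and not ini_bool(force):
        findings.append(Finding("cgi.force_redirect", force, "1", "high",
                                "php-cgi can be invoked directly by URL with an arbitrary script path"))
    if ini_bool(get("short_open_tag", "1")):
        findings.append(Finding("short_open_tag", get("short_open_tag", "1"), "Off", "info",
                                "compatibility setting, not hardening; enable only for templates that need <? ?>"))
    limit = int(get("max_execution_time", "30") or 0)
    if limit == 0 or limit > 30:
        findings.append(Finding("max_execution_time", str(limit), "30 (0 = unlimited)", "info",
                                "each request may now hold a FastCGI worker longer, so fewer slow requests exhaust the pool"))
    if server == "iis" and not ini_bool(get("fastcgi.impersonate", "0")):
        findings.append(Finding("fastcgi.impersonate", get("fastcgi.impersonate", "0"), "1", "info",
                                "IIS FastCGI relies on it to run PHP under the request's security token"))
    for ext in settings["extension"]:
        name = ext.lower()
        name = name[4:] if name.startswith("php_") else name
        name = name[:-4] if name.endswith(".dll") else name
        if name == "mysql":
            findings.append(Finding("extension=" + ext, ext, "mysqli or pdo_mysql", "medium",
                                    "ext/mysql was removed in PHP 7.0; the DLL does not ship with 7.4"))
    rank = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        server = sys.argv[2] if len(sys.argv) > 2 else "iis"
    else:
        text, server = SAMPLE_INI, "iis"
    for f in audit(parse_php_ini(text), server):
        print(f"[{f.severity:6}] {f.directive} = {f.actual!r}; expected {f.expected}: {f.why}")
```

The audit reads the file rather than asking a running PHP for ini_get() values because the cgi.* and fastcgi.* directives are only registered by the CGI/FastCGI SAPI, so the CLI binary cannot report them. Run it once with "iis" and once with "apache" to see cgi.force_redirect flip between acceptable and high-severity; that single directive is the one whose safe value depends on the web server.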

Written by

21CTO

21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.
