I am running down the security checklist and have some questions regarding PHP. I am also just kind of running through the security checklist as I go along, so any recommendations from the seasoned users here would be welcome.
I am having some slight confusion regarding the php security directive within the following article:
https://docs.joomla.org/Special:MyLangu ... rver_Setup
I am running on a VPS server and my only php.ini file is located in /etc/php/7.4/fpm. I do not have any other php.ini files located on my system.

Use local php.ini files
On shared servers you can't edit the main php.ini file, but you may be able to add custom, local php.ini files. If so, you'll need to copy the php.ini files to every sub-directory that requires custom settings.
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
I have this directive currently commented out, tell me why I need to use it? Also I am assuming I would use my web root directory such as /var/www/my-site:/tmp appended with the tmp to force it to use the system's temp folder.

Consider Using PHP open_basedir
You might consider enabling open_basedir. This directive limits the files that can be opened by PHP to the specified directory-tree.
allow_url_include and allow_url_fopen are already set correctly.
Also any comments regarding the base installation of mysql 8.0 in its base configuration would be appreciated.
Alright going to go check on directory and file permission settings to make sure they are set correctly.
Oh Ya, Server config
Debian 10
Nginx 1.20.1
PHP 7.4.21
MySql 8.0
Joomla 3.9.28
Thanks,
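
As an added example (not part of the original post or the Joomla documentation), here is a small Python check that reads php.ini text and reports on the four directives mentioned above. The two sample ini texts are constructed, the `audit` and `parse_ini` names are hypothetical, and treating Off as the intended value for allow_url_fopen and allow_url_include is an assumption, since the post does not state the values.

```python
# Added example: audit php.ini text for the directives discussed in this post.
# Function list quoted in the post's disable_functions line.
RECOMMENDED_DISABLED = {"show_source", "system", "shell_exec", "passthru",
                        "exec", "phpinfo", "popen", "proc_open"}
OFF_VALUES = {"", "0", "off", "false", "no", "none"}
PHP_DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0"}

def parse_ini(text):
    """Return {directive: value}; ';' comment lines and [section] headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue  # a directive commented out with ';' counts as unset
        key, value = line.split("=", 1)
        # Drop trailing ';' comments (Linux ':'-separated paths assumed).
        settings[key.strip()] = value.split(";", 1)[0].strip().strip('"')
    return settings

def audit(text, web_root):
    """Return a list of findings for the given php.ini text (empty list = clean)."""
    s = parse_ini(text)
    findings = []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(RECOMMENDED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions missing: " + ", ".join(missing))
    basedir = [p for p in s.get("open_basedir", "").split(":") if p]
    if not basedir:
        findings.append("open_basedir not set: PHP can open any file the FPM user can read")
    elif not any((web_root + "/").startswith(p.rstrip("/") + "/") for p in basedir):
        findings.append("open_basedir does not cover " + web_root)
    for name, default in PHP_DEFAULTS.items():
        if s.get(name, default).lower() not in OFF_VALUES:
            findings.append(name + " is enabled")
    return findings

# Constructed sample: directives commented out, as the post describes.
BEFORE = "[PHP]\n;disable_functions = show_source, system\n;open_basedir =\nallow_url_fopen = On\n"
# Constructed sample: values taken from the post (web root plus /tmp).
AFTER = ("[PHP]\ndisable_functions = show_source, system, shell_exec, passthru, "
         "exec, phpinfo, popen, proc_open\nopen_basedir = /var/www/my-site:/tmp\n"
         "allow_url_fopen = Off\nallow_url_include = Off\n")

if __name__ == "__main__":
    for label, ini in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(ini, "/var/www/my-site") or "no findings")
```

On the setup in the post, the text to audit would be the contents of the php.ini in /etc/php/7.4/fpm.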