This is a common problem around the web on PHP servers, so I’m making a note here for my own reference, as I recently had to deal with some people who find it ‘funny’ to script-kiddie hack servers:
- Make sure that all web directories are only writeable if they absolutely need to be (obvious, but you’d be surprised)
- Change php.ini to add the following:
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
The second item stops PHP scripts from calling any of the listed functions, which include the usual ways of running shell commands from PHP, no matter which user the script runs as. This ensures that even if something did get installed, it would be quite hard for it to do very much.
I’m sure there are many other PHP commands that are worth disabling – I’d be interested to learn of them.
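A way to confirm the setting is actually live in a given php.ini, as an added example that is not part of the original post. The function names `effective_disabled`, `missing_disabled` and `demo` are made up here, the sample file is constructed, and the script assumes a later duplicate directive overrides an earlier one.

```shell
#!/bin/sh
# Added example (not from the original post): check a php.ini against the
# post's disable_functions list.

# The functions the post disables.
WANTED="exec passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source"

# Value of the last uncommented disable_functions line in file $1.
# Assumption: a later duplicate directive overrides an earlier one; lines
# starting with ';' are comments, and a trailing '; ...' comment is dropped.
effective_disabled() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | sed 's/;.*$//'
}

# Print, one per line, every function from WANTED that file $1 leaves enabled.
# Names are compared whole, so "shell_exec" does not count as "exec".
missing_disabled() {
    have=$(effective_disabled "$1" | tr -d '" \t\r' | tr ',' '\n')
    for fn in $WANTED; do
        printf '%s\n' "$have" | grep -qxF "$fn" || printf '%s\n' "$fn"
    done
}

# Constructed sample php.ini: the fuller list is commented out and the live
# line covers only part of it.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
; disable_functions = exec, passthru, shell_exec, system, proc_open, popen
disable_functions = shell_exec, system , passthru,popen
EOF
    missing_disabled "$sample"
    rm -f "$sample"
}

demo
```

Point `missing_disabled` at the php.ini the web server actually loads; `php --ini` lists the files the CLI reads, which are often not the ones used by the web SAPI.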
