A default PHP installation exposes version information, allows dangerous functions, and may be configured permissively for development. Hardening PHP 8.4 reduces the attack surface, limits information disclosure, and protects against common PHP-specific vulnerabilities. This guide hardens PHP 8.4 on Ubuntu 26.04 LTS.

Tested and valid on:

Ubuntu 26.04 LTS

Prerequisites

Ubuntu 26.04 LTS with PHP 8.4 installed (CLI and/or FPM)
A user with sudo privileges

Step 1 – Disable PHP Version Exposure

Edit the relevant php.ini files (FPM and CLI):

sudo nano /etc/php/8.4/fpm/php.ini

Set:

expose_php = Off

Step 2 – Disable Dangerous Functions

Prevent execution of system commands from PHP:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Step 3 – Disable Remote File Operations

allow_url_fopen = Off
allow_url_include = Off

Step 4 – Limit Resource Usage

max_execution_time = 30
memory_limit = 128M
post_max_size = 16M
upload_max_filesize = 16M
max_input_time = 60

Step 5 – Enable Error Logging (Not Display)

display_errors = Off
log_errors = On
error_log = /var/log/php8.4-errors.log

Step 6 – Harden Session Settings

session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = Strict
session.use_strict_mode = 1

Step 7 – Enable OPcache

opcache.enable = 1
opcache.memory_consumption = 128
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 10000
opcache.validate_timestamps = 0

Step 8 – Restart PHP-FPM

sudo systemctl restart php8.4-fpm

Conclusion

PHP 8.4 on Ubuntu 26.04 LTS is now hardened. Regularly audit your php.ini settings, keep PHP updated, and review application code for SQL injection, XSS, and CSRF vulnerabilities.

How to Harden PHP 8.4 on Ubuntu 26.04