
I recently decided to include a great system stats plugin with every WordPress install. LINK: http://wordpress.org/extend/plugins/tpc-memory-usage/screenshots/

One of the features of this plugin provides a tab where it analyses specific php/server settings and suggests changes.

What I am curious about is what you experts feel are the correct settings for some errors it's spitting out at me. These include:

open_basedir: Out of ALL php settings I seem to always run into issues with plugin installs and even file uploads whenever this is set to a value, so I have always set this to "none". What I would like to know is what the ideal value is for this php directive and how important you guys think it is to set this to a value other than "none". As far as I am aware it limits the PHP process from accessing files outside of the specified directories. It is strongly suggested that you set open_basedir to your web site documents and shared libraries only.

safe_mode: Interestingly, I have always felt this setting should be set to "ON" for security reasons, but this plugin is saying that this feature is deprecated in PHP 5.3 and is removed in PHP 6.0. Relying on this feature is architecturally incorrect, as this should not be solved at the PHP level. What are your opinions on this?

ServerSignature: I have this set to "ON" and this plugin claims that by setting this to on it means that your server software version, and other important details, are public, which can give hackers information necessary to exploit version- and software-specific vulnerabilities. If I set this to off, are you guys aware of any issues this might have?

allow_url_fopen: I currently have this set to ON but the suggestion is to disable allow_url_fopen for security reasons. How do you guys feel about this? Apparently with this set to on it allows PHP file functions, such as include, require, and file_get_contents(), to retrieve data from remote locations (Example: FTP, web site). According to the PHP Security Consortium, a large number of code injection vulnerabilities are caused by the combination of enabling allow_url_fopen and bad input filtering.

mod_security: I don't have this installed because I always seem to run into some types of issues with it. What are your opinions on this?
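As an added example (not part of the question above and not code from the plugin it mentions), the following PHP script audits the directives asked about against the values the plugin recommends, and shows what open_basedir actually enforces by tightening it on the running script and then attempting a read outside the allowed directory. It assumes PHP 7.4+ run from the command line; the allowed directory is a constructed temporary subdirectory, and the "outside" file is the script itself.

```php
<?php
declare(strict_types=1);

// Audit the php.ini directives discussed in the question. Returns one finding per
// directive that still holds the risky value, read from the live configuration.
function audit_php_ini(): array
{
    $on = fn(string $k): bool => filter_var(ini_get($k), FILTER_VALIDATE_BOOLEAN);
    $findings = [];
    if ((string) ini_get('open_basedir') === '') {
        $findings['open_basedir'] = 'unset: PHP may read any file the web server user can';
    }
    if ($on('allow_url_fopen')) {
        $findings['allow_url_fopen'] = 'On: file_get_contents() and friends accept http:// and ftp:// URLs';
    }
    // allow_url_include is the directive that governs include/require of remote code;
    // it depends on allow_url_fopen, so both should be Off unless a real need exists.
    if ($on('allow_url_include')) {
        $findings['allow_url_include'] = 'On: include/require can load code from remote URLs';
    }
    return $findings;
}

// open_basedir may only be tightened at runtime (never loosened), so a script can
// demonstrate the restriction on itself. Returns whether the file was readable
// before and after the restriction was applied.
function open_basedir_demo(string $allowedDir, string $outsideFile): array
{
    $before = @file_get_contents($outsideFile) !== false; // readable without the restriction
    ini_set('open_basedir', $allowedDir);                 // limit this request to $allowedDir
    $after = @file_get_contents($outsideFile) !== false;  // now denied (PHP also emits a warning)
    return ['before' => $before, 'after' => $after];
}

// Constructed demonstration: a fresh temp subdirectory is the only allowed path, and the
// script's own file (already loaded, but outside that directory) is the read target.
$allowed = sys_get_temp_dir() . '/obd_' . bin2hex(random_bytes(4));
mkdir($allowed, 0700);

print_r(audit_php_ini());                       // e.g. ['open_basedir' => 'unset: ...']
print_r(open_basedir_demo($allowed, __FILE__)); // expected: before => true, after => false

rmdir($allowed); // still permitted: the directory lies inside open_basedir
```

If the script reports after => true, the restriction did not apply: check that the allowed directory is not a parent of the script's location, since open_basedir matches by path prefix.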
