On shared servers you can't edit the main php.ini file, but you may be able to add custom, local php.ini files.
There are a few important things to keep in mind.
1. Local php.ini files only have an effect if your server is configured to use them.
2. Local php.ini files only affect .php files that are located within the same directory (or that are include()d or require()d from those files).
3. If you have a php.ini file in every directory, some script probably did this for you. If you didn't intend it to happen, you probably should root them out, but given #2 above, you probably only have to panic about the php.ini files in http_root and the administrator directories.
Use PHP disable_functions
Use disable_functions to disable dangerous PHP functions that are not needed by your site. Here is a typical setup for a Joomla! site:
open_basedir should be enabled and correctly configured. This directive limits the files that can be opened by PHP to the specified directory tree. This directive is NOT affected by whether Safe Mode is ON or OFF.
The restriction specified with open_basedir is a prefix, not a directory name. This means that open_basedir = /dir/incl allows access to /dir/include and /dir/incls if they exist. To restrict access to only the specified directory, end with a slash.
open_basedir = /home/users/you/public_html
Additionally, if open_basedir is set it may be necessary to set the PHP upload_tmp_dir configuration directive to a path that falls within the scope of open_basedir or, alternatively, add the upload_tmp_dir path to open_basedir using the appropriate path separator for the host system.
open_basedir = /home/users/you/public_html:/tmp
PHP will use the system's temporary directory when upload_tmp_dir is not set, or when it is set but the directory does not exist; therefore it may be necessary to add that directory to open_basedir as above to avoid upload errors within Joomla.
Adjust the magic_quotes_gpc directive as needed for your site. The safest method is to turn magic_quotes_gpc off and avoid all poorly-written extensions, period.
magic_quotes_gpc = 1
Don't use PHP safe_mode
Avoid the use of PHP safe_mode. This is a valid but incomplete solution to a deeper problem and provides a false sense of security. See the official PHP site for an explanation of this issue.
safe_mode = 0
Don't use PHP register_globals
Automatically registering global variables was probably one of the dumbest decisions the developers of PHP made. This directive determines whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables, where they become immediately available to all PHP scripts and can easily overwrite your own variables if you're not careful. Luckily, the PHP developers long since realized the mistake and have deprecated this 'feature'.
If your site is on a shared server with a hosting provider that insists register_globals must be on, you should be very worried. Although you can often turn register_globals off for your own site with a local php.ini file, this adds little security, as other sites on the same server remain vulnerable to attacks which can then be used to launch attacks against your site from within the server.
register_globals = 0
Don't use PHP allow_url_fopen
Don't use PHP allow_url_fopen. This option enables the URL-aware fopen wrappers that allow URL objects to be accessed like files. Default wrappers are provided for access to remote files using the ftp or http protocol; some extensions, like zlib, may register additional wrappers. Note: This can only be set in php.ini, for security reasons.
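As an added example (not part of the original checklist or of Joomla), the script below audits a local php.ini against the points above: it flags register_globals, safe_mode and allow_url_fopen when they are on, reports open_basedir entries that lack the trailing slash (prefix match), checks that upload_tmp_dir falls within open_basedir, and lists every php.ini below a web root so stray copies can be found. The two sample php.ini bodies are constructed; it assumes /tmp is the system temporary directory PHP falls back to and ':' as the path separator.

```python
import tempfile
from pathlib import Path

# Directives the checklist above says a local php.ini should turn off.
SHOULD_BE_OFF = ("register_globals", "safe_mode", "allow_url_fopen")

def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines; ';' comments and [sections] are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives

def audit_php_ini(text):
    """Return the findings for one php.ini body; an empty list means it matches the checklist."""
    d = parse_php_ini(text)
    findings = [f"{k} is on" for k in SHOULD_BE_OFF if d.get(k, "").lower() in ("1", "on", "true", "yes")]
    if "open_basedir" not in d:
        return findings + ["open_basedir is not set"]
    paths = d["open_basedir"].split(":")  # assumption: ':' is the path separator (Unix host)
    # Each entry is a prefix match: '/dir/incl' also admits '/dir/include' unless it ends with '/'.
    findings += [f"open_basedir entry '{p}' has no trailing slash" for p in paths if not p.endswith("/")]
    tmp = d.get("upload_tmp_dir", "/tmp")  # assumption: /tmp is the system temp dir PHP falls back to
    if not any(tmp.rstrip("/") == p.rstrip("/") or tmp.startswith(p.rstrip("/") + "/") for p in paths):
        findings.append(f"upload_tmp_dir '{tmp}' is outside open_basedir; Joomla uploads will fail")
    return findings

def find_local_ini_files(root):
    """List every php.ini below root; one per directory usually means a script planted them."""
    return sorted(str(p.relative_to(root)) for p in Path(root).rglob("php.ini"))

# Constructed samples: a weak local php.ini and the hardened version of the same settings.
WEAK = "register_globals = 1\nallow_url_fopen = On\nopen_basedir = /home/users/you/public_html\n"
HARDENED = ("register_globals = 0\nsafe_mode = 0\nallow_url_fopen = Off\n"
            "open_basedir = /home/users/you/public_html/:/tmp/\nupload_tmp_dir = /tmp\n")

def demo_scan():
    """Constructed site tree with a php.ini in every directory; returns the list a clean-up works from."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("", "administrator", "images/banners"):
            Path(root, sub).mkdir(parents=True, exist_ok=True)
            Path(root, sub, "php.ini").write_text(WEAK)
        return find_local_ini_files(root)

if __name__ == "__main__":
    print(audit_php_ini(WEAK), audit_php_ini(HARDENED), demo_scan(), sep="\n")
```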