WordPress is written in PHP. Every time a visitor loads a page on your WordPress site, the server executes PHP code to build that page. How PHP is configured on your hosting account has a direct and significant impact on your security posture - not just your performance. Most website owners never look at PHP configuration. They should.
Keeping PHP Updated Is Non-Negotiable
PHP versions follow a lifecycle: active support, then security fixes only, then end of life (EOL). Running an EOL version of PHP means your server is executing a language runtime that receives no security patches. When vulnerabilities are discovered - and they are, regularly - you are permanently exposed.
PHP 7.4 reached end of life in November 2022, and PHP 8.0 followed in November 2023. If your WordPress site is still running PHP 8.0 or earlier, you are running unsupported software. Move to PHP 8.1 or 8.2 immediately, preferring the newer branch, since it will keep receiving security fixes for longer.
You can check and change your PHP version in cPanel's MultiPHP Manager. Switching versions there takes seconds, but test your site after any PHP version change - some older plugins have compatibility issues with PHP 8.x that surface as errors or blank pages. Fix or replace those plugins rather than staying on an old PHP version to accommodate them. WordPress's own Site Health screen (Tools > Site Health > Info > Server) reports the version the site is actually running under, which is the one that matters if the account default and the domain are configured differently.
Disabling Dangerous PHP Functions
Certain PHP functions allow scripts to execute system commands directly on the server. These are dangerous in a shared hosting environment: if a compromised plugin or uploaded file can call these functions, an attacker can potentially run arbitrary commands on the server.
The functions of most concern are exec, shell_exec, system, passthru, proc_open, and popen. Responsible hosting providers disable these functions by default on shared hosting plans. At dotCanada, dangerous functions are disabled at the server level. Treat this as containment rather than a cure: a compromised plugin can still read wp-config.php, query the database, and write files from PHP itself, but without these functions it cannot turn that foothold into a shell on the server.
You can verify what functions are disabled on your account by checking the disable_functions directive in your PHP configuration. In cPanel, find the PHP Editor or MultiPHP INI Editor, or look at the output of a phpinfo() page (delete that page as soon as you are done - it tells an attacker everything it tells you). If you see these functions listed under disable_functions, your host has already taken this step. If you do not, contact your host to discuss the configuration. Note that disable_functions is a PHP_INI_SYSTEM directive: a script cannot re-enable the functions with ini_set(), and whether a per-account php.ini can override the server default depends on how the host runs PHP, so check the value as seen by the web server rather than from a command-line session.
Important php.ini Settings for Security
Your PHP configuration file (php.ini) contains a large number of directives that affect security. A few are particularly relevant for WordPress sites.
expose_php = Off - By default, PHP adds an X-Powered-By header carrying its exact version to every HTTP response, making it easy for attackers to determine which PHP version you are running and target known vulnerabilities for that version. Setting expose_php = Off removes this information disclosure. In cPanel's MultiPHP INI Editor, you can set this per domain. It hides the version; it does not fix anything, so it complements updating and never replaces it.
allow_url_fopen - This directive controls whether PHP functions such as fopen() and file_get_contents() can open remote URLs as if they were local files. Some legitimate plugins use this functionality, but it also gives a compromised plugin a convenient way to fetch further code from the internet. Remote file inclusion through include() and require() is governed by the separate allow_url_include directive, which is Off by default and must stay Off. If your site's plugins do not require allow_url_fopen, consider disabling it; WordPress's own HTTP API prefers cURL and only falls back to PHP streams, so confirm that core updates and plugin installs still work after the change.
max_execution_time - Setting a reasonable maximum execution time (30 to 60 seconds is typical) limits how long a PHP script can run. A script running indefinitely is either broken or potentially malicious. Most legitimate WordPress operations complete well within 30 seconds. A value of 0 means unlimited, which is the command-line default, so make sure you are reading the value the web server uses; long-running jobs such as large imports should get a targeted exception rather than a higher global limit.
upload_max_filesize and post_max_size - Setting these to reasonable values for your site (not arbitrarily high) limits the size of files that can be uploaded through PHP. This matters for forms and media uploads. Keep post_max_size at least as large as upload_max_filesize, and memory_limit larger than post_max_size, as PHP's documentation advises; otherwise oversized requests are dropped before WordPress ever sees them, which is hard to diagnose.
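The following script is an added example for this article, not dotCanada's tooling and not WordPress code. It performs the version check, the disable_functions check and the php.ini directive checks described above in one pass, reporting what the running PHP actually uses. Its policy values (minimum supported branch 8.1, a 60-second execution cap, a 64M upload ceiling) and the extra popen entry are assumptions to adjust for your own site.

```php
<?php
// php_security_audit.php: an added example for this article, not dotCanada's
// tooling and not WordPress code. Run it as `php php_security_audit.php`, or
// upload it to the document root, load it once in a browser and then DELETE it:
// like a phpinfo() page, it discloses configuration to anyone who can reach it.
// It reports what the running PHP actually uses, so the web-served result is
// the one that matters for WordPress (the CLI may load a different php.ini).
declare(strict_types=1);

// Assumed policy values; adjust to your own requirements.
const MIN_SUPPORTED_BRANCH = '8.1';          // 7.4 and 8.0 are end of life
const MAX_EXECUTION_SECONDS = 60;            // 30 to 60 seconds is typical
const MAX_UPLOAD_BYTES = 64 * 1024 * 1024;   // 64M, a sensible ceiling for media
// The five functions named in the article, plus popen (added here).
const DANGEROUS_FUNCTIONS = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen'];

/** Convert php.ini shorthand such as "64M" or "2G" to bytes; "-1" means unlimited. */
function shorthand_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX;
    }
    $number = (int) $value;                  // "64M" casts to 64
    switch (strtolower(substr($value, -1))) {
        case 'g': return $number << 30;
        case 'm': return $number << 20;
        case 'k': return $number << 10;
        default:  return $number;
    }
}

/** True when the version is on a branch that still receives security fixes. */
function version_supported(string $version = PHP_VERSION): bool
{
    return version_compare($version, MIN_SUPPORTED_BRANCH, '>=');
}

/** Dangerous functions that a script running on this host can still call. */
function callable_dangerous_functions(): array
{
    // disable_functions is PHP_INI_SYSTEM: a script cannot re-enable anything with
    // ini_set(), so this is an honest picture of what an uploaded web shell could do.
    // function_exists() is false both for disabled and for never-compiled functions.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $callable = [];
    foreach (DANGEROUS_FUNCTIONS as $fn) {
        if (!in_array($fn, $disabled, true) && function_exists($fn)) {
            $callable[] = $fn;
        }
    }
    return $callable;
}

/** Check each directive from the article: directive => [value, ok, advice]. */
function audit_ini(): array
{
    $on = static fn(string $d): bool => filter_var((string) ini_get($d), FILTER_VALIDATE_BOOLEAN);
    $maxExec = (int) ini_get('max_execution_time');   // 0 = unlimited (the CLI default)
    $upload  = shorthand_to_bytes((string) ini_get('upload_max_filesize'));
    $post    = shorthand_to_bytes((string) ini_get('post_max_size'));
    $memory  = shorthand_to_bytes((string) ini_get('memory_limit'));

    return [
        'expose_php'          => [ini_get('expose_php'), !$on('expose_php'),
            'Off: drops the X-Powered-By version header (PHP_INI_SYSTEM, not settable by scripts)'],
        'allow_url_include'   => [ini_get('allow_url_include'), !$on('allow_url_include'),
            'Off: this is the directive that lets include() pull code from a URL'],
        'allow_url_fopen'     => [ini_get('allow_url_fopen'), !$on('allow_url_fopen'),
            'Off unless a plugin needs PHP streams for HTTP (WordPress prefers cURL)'],
        'max_execution_time'  => [$maxExec, $maxExec > 0 && $maxExec <= MAX_EXECUTION_SECONDS,
            'bounded, ' . MAX_EXECUTION_SECONDS . ' seconds or less; 0 means unlimited'],
        'upload_max_filesize' => [ini_get('upload_max_filesize'), $upload <= MAX_UPLOAD_BYTES,
            'no larger than your site actually needs'],
        'post_max_size'       => [ini_get('post_max_size'), $post >= $upload && $post <= MAX_UPLOAD_BYTES,
            'at least upload_max_filesize, but not arbitrarily large'],
        'memory_limit'        => [ini_get('memory_limit'), $memory >= $post,
            'PHP documents that it should exceed post_max_size'],
    ];
}

/** Render the findings as one plain-text report. */
function report(): string
{
    $lines = [sprintf('PHP %s via %s SAPI: %s', PHP_VERSION, PHP_SAPI,
        version_supported() ? 'supported branch' : 'END OF LIFE, switch branch in MultiPHP Manager')];
    $open = callable_dangerous_functions();
    $lines[] = 'dangerous functions still callable: ' . ($open ? implode(', ', $open) : 'none');
    foreach (audit_ini() as $name => [$value, $ok, $advice]) {
        $lines[] = sprintf('%-5s %-20s = %-6s %s', $ok ? 'OK' : 'CHECK', $name, var_export($value, true), $advice);
    }
    return implode(PHP_EOL, $lines) . PHP_EOL;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
echo report();
```

Every line marked CHECK is something to change in MultiPHP INI Editor or to raise with your host; the directives flagged PHP_INI_SYSTEM cannot be changed from inside WordPress or a plugin, which is exactly why they are worth verifying from the server side.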
Using the PHP INI Editor in cPanel
In cPanel, navigate to Software > MultiPHP INI Editor. You can edit PHP directives either through a guided interface for common settings or through a raw editor for the full php.ini. Changes apply to your specific domain without affecting other accounts on the server.
Start with expose_php and confirm disable_functions is set by your host. If you are making more significant changes, test on a staging environment first.
Why Old PHP Versions Are a Significant Security Risk
The risk of running EOL PHP is not theoretical. Security researchers regularly discover and publish PHP vulnerabilities. Once a version reaches end of life, those vulnerabilities are documented publicly but will never be patched. Automated scanning tools used by attackers actively look for servers running outdated PHP. Your site becomes a target by virtue of its PHP version.
Keeping PHP current is the single highest-leverage security action for a WordPress site owner. Everything else builds on that foundation.

