Help Secure Your Server: PHP

  • Location of php.ini: /etc/php/8.2/fpm/php.ini
  • php.ini: disable_functions - Disable dangerous functions (tricky to do well while supporting WordPress, Drupal, etc.). The directive is PHP_INI_SYSTEM, so it only takes effect from php.ini or a pool's php_admin_value, never from ini_set() or .htaccess. Include shell_exec, which also disables the backtick operator, and note that show_source is only an alias of highlight_file: disabling the alias alone leaves highlight_file callable, so list both.

        disable_functions = exec,passthru,system,shell_exec,proc_open,popen,parse_ini_file,show_source,highlight_file

  • php.ini: allow_url_fopen - Stop URL wrappers (http://, ftp://, ...) from being opened as files by fopen(), file_get_contents(), include and friends. With this off, remote include is blocked regardless of allow_url_include (keep that off too; it is the default), and code that still needs outbound HTTP has to use the curl extension.

        allow_url_fopen = off

  • php.ini: open_basedir - Lock PHP's file access to the user home directory (or even the document root directory). It constrains PHP's own file functions (fopen, include, opendir, ...), not what a spawned process may touch, which is why disable_functions above still matters.

    • Set it per pool rather than globally, at the end of each pool's config file (/etc/php/8.2/fpm/pool.d/<pool>.conf in the layout above). Every entry must end in a slash: without it the entry is a prefix match, so /home/<directory-name> would also admit /home/<directory-name>2. The default session directory (/var/lib/php/sessions on Debian-based systems) lies outside this list, so either add it or point session.save_path at a directory inside the home; and since /tmp is shared by every pool, a per-site temp directory is the tidier choice.

      php_admin_value[open_basedir] = /home/<directory-name>/:/tmp/
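The following shell script is an added example, not part of the original checklist: it audits a php.ini or FPM pool file for the three settings above and prints one line per finding. It reads both the "name = value" and "php_admin_value[name] = value" forms, checks that allow_url_fopen is off, that the process-spawning functions and both names of the source-dumping function are disabled, and that every open_basedir entry carries its trailing slash. The two sample files, the "alice" site name and the wanted-function list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit php.ini / FPM pool
# settings. Temporary files, the "alice" name and the function list below
# are constructed for the demo.

# ini_get FILE DIRECTIVE
# Print the effective value of DIRECTIVE in FILE. Accepts the php.ini form
# "name = value" and the pool form "php_admin_value[name] = value", drops
# ";" comments and trailing blanks; the last occurrence wins, as in PHP.
ini_get() {
    sed -n -E "s/^[[:space:]]*($2|php_admin_value\[$2])[[:space:]]*=[[:space:]]*([^;]*).*/\2/p" "$1" \
        | sed -e 's/[[:space:]]*$//' | tail -n 1
}

# is_off VALUE: true for the spellings PHP's ini parser treats as false.
is_off() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        ''|0|off|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Names every pool should carry in disable_functions: the process spawners
# (shell_exec also covers the backtick operator) and both names of the
# source dumper, because show_source is an alias and disabling it alone
# leaves highlight_file callable.
WANT_DISABLED="exec passthru system shell_exec proc_open popen highlight_file show_source"

# missing_disabled VALUE: print each wanted name absent from the
# comma-separated disable_functions VALUE, one per line.
missing_disabled() {
    have=",$(printf '%s' "$1" | tr -d ' '),"
    for f in $WANT_DISABLED; do
        case "$have" in
            *",$f,"*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# unslashed_basedirs VALUE: open_basedir entries are prefix matches unless
# they end in "/" ("/home/alice" also admits "/home/alice2"); print the
# entries of the ":"-separated VALUE that lack the slash.
unslashed_basedirs() {
    [ -n "$1" ] || return 0
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '/$' || true
}

# audit FILE: print one line per finding; return the number of findings.
audit() {
    n=0
    v=$(ini_get "$1" allow_url_fopen)
    if ! is_off "$v"; then echo "allow_url_fopen is '${v:-unset}', expected Off"; n=$((n+1)); fi
    for f in $(missing_disabled "$(ini_get "$1" disable_functions)"); do
        echo "disable_functions lacks $f"; n=$((n+1))
    done
    b=$(ini_get "$1" open_basedir)
    if [ -z "$b" ]; then echo "open_basedir is unset"; n=$((n+1)); fi
    for d in $(unslashed_basedirs "$b"); do
        echo "open_basedir entry '$d' has no trailing slash (prefix match)"; n=$((n+1))
    done
    return $n
}

# --- Demo on two constructed files: the weak settings beside the hardened ones.
WEAK=$(mktemp) HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

# Stock-looking php.ini: URL wrappers on, nothing disabled, no basedir.
cat >"$WEAK" <<'EOF'
; constructed sample of default settings
allow_url_fopen = On
disable_functions =
EOF

# Hardened pool file for a hypothetical "alice" site, following the checklist,
# with the session directory placed inside the basedir so sessions keep working.
cat >"$HARD" <<'EOF'
[alice]
php_admin_value[allow_url_fopen] = Off
php_admin_value[disable_functions] = exec,passthru,system,shell_exec,proc_open,popen,parse_ini_file,show_source,highlight_file
php_admin_value[open_basedir] = /home/alice/:/tmp/
php_admin_value[session.save_path] = /home/alice/tmp/sessions
EOF

echo "== weak";     audit "$WEAK"
echo "== hardened"; audit "$HARD" && echo "no findings"
```

Run it against a real pool file with `audit /etc/php/8.2/fpm/pool.d/www.conf`; because PHP applies the later of two assignments, ini_get reports the value that actually wins when a directive appears twice.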