Beyond just disabling Apache directory listing, another crucial security step for your XAMPP web server is to disable PHP functions, which are exec, passthru, and shell_exec functions.
In PHP, functions like exec, passthru, and shell_exec are powerful tools that allow your scripts to execute commands directly on the server.
If left enabled, they create a significant security vulnerability. A hacker could potentially inject malicious code into a PHP script, giving them the ability to run commands on your server.
Here’s how to properly disable PHP functions and test that your changes have taken effect.
How to Disable PHP Functions (XAMPP): exec, passthru, and shell_exec
This vulnerability is one of the main reasons why XAMPP is not recommended for a live production server. However, if you must use XAMPP, here’s how you can secure it:
- Open the XAMPP Control Panel and click the Config button on the Apache module row.
- From the dropdown menu, select PHP (php.ini) to open the main PHP configuration file.
- Inside the php.ini file, use the search function (Ctrl+F or Cmd+F) to find the line disable_functions =.
- Add the functions you want to disable to this line. To disable exec, passthru, and shell_exec, it should look like this:
- Save the changes to the php.ini file and restart the Apache server from the XAMPP Control Panel for the new configuration to take effect.
- That’s it! The functions are now disabled.
How to Test If the Functions Are Disabled
To confirm that you have successfully disabled PHP functions (exec, passthru, and shell_exec), you can run a simple test:
- Create a new PHP file with the following code. You can name it something like function_check.php.
<?php echo "<pre>"; var_dump(function_exists('exec')); var_dump(function_exists('passthru')); var_dump(function_exists('shell_exec')); echo "</pre>"; - Save this file inside your htdocs folder, which is the root directory for your XAMPP web server.
- Access the file through your browser (e.g., http://localhost/function_check.php). If you see bool(false) printed for each function, it means all three have been successfully disabled.
Ensuring your website’s security is vital, which is why choosing the right technology for your production environment should never be taken lightly.
For secure and professional website development, consider partnering with experienced web developers like Tonjoo. Our team has a proven track record of developing websites for major brands and institutions, including UGM, Unpad, and even Unilever.
Let’s discuss your website needs. Get in touch through our contact page, and our team will be happy to help!
Read similar articles by Moch. Nasikhun Amin on the Tonjoo blog about WordPress, WooCommerce, plugins, and other web development topics.
Updated on July 31, 2025 by Moch. Nasikhun Amin
