Enabling PHPmmdrop on shared hosting

Posted on March 28th, 2018

PHPmmdrop reduces PHP permissions to further secure and lock down websites. It has been optimized and tested most with WordPress, but it can be activated for other software, including Moodle, Joomla, Drupal and Magento.

 

PHPmmdrop can be enabled on a VPS with some of the same features as shared hosting.

First, it is recommended to contact InterServer support to check if your package supports PHPmmdrop.

1) To begin, edit the main .htaccess file in your WordPress install. This is the same directory that contains wp-config.php. Open .htaccess and add

## BEGIN INTERSHIELD PHPMMDROP
<IfModule LiteSpeed>
AddType application/x-httpd-fastphp .php .php5 .phtml
Options -Indexes
</IfModule>
## END INTERSHIELD PHPMMDROP

Save this file. Reload your site to ensure it is working. If you get a 403 Forbidden error, your account does not have mmdrop enabled yet, and support can assist you.

2) Disable wp-cron in wp-config.php. Open wp-config.php and add

define('DISABLE_WP_CRON', true);

Save this file.

3) Enable a cron job to run wp-cron manually. Typically every hour is fine.

In cPanel, open the cron job section and add

0 * * * * cd /home/YOURUSERNAME/public_html; php -q wp-cron.php

If you have SSH access, you can instead add this using crontab -e

Note: in /home/YOURUSERNAME/public_html, YOURUSERNAME should be replaced with your cPanel username. The WordPress install location may be different for an addon domain.

4) Enable normal PHP in the wp-admin folder.
Move to the wp-admin folder and create or edit the .htaccess file.

## BEGIN INTERSHIELD PHPMMDROP
<IfModule LiteSpeed>
AddType application/x-httpd-php71 .php .php5 .phtml
Options -Indexes
</IfModule>
## END INTERSHIELD PHPMMDROP

PHPmmdrop runs as PHP 7.1, so using the same version in wp-admin is recommended.

Once done, WordPress runs normally with reduced permissions, except for files in the wp-admin folder. PHPmmdrop servers also apply additional security that removes the ability to run scripts in the wp-uploads folder or to directly call files in wp-includes, with some exceptions.

If a plugin needs higher permissions, step 4 can be used to enable it in the .htaccess file of the plugin folder.
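
To confirm that steps 1 to 4 were applied, the following shell function checks the three files and, optionally, a saved copy of the crontab. It is an added example, not an InterServer tool; the names check_mmdrop and has_handler and the crontab dump argument are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress directory against steps 1-4.
# check_mmdrop and has_handler are hypothetical helper names.

# has_handler FILE MIMETYPE: true if FILE has an uncommented AddType for MIMETYPE
has_handler() {
    [ -f "$1" ] && grep -Eiq "^[[:space:]]*AddType[[:space:]]+$2[[:space:]]" "$1"
}

# check_mmdrop WP_ROOT [CRONTAB_DUMP]
# CRONTAB_DUMP is an optional file saved with: crontab -l > FILE
# Prints one line per failed step; returns 0 only if every check passes.
check_mmdrop() {
    root=$1; cron=${2:-}; rc=0

    # Step 1: reduced-permission handler in the main .htaccess
    has_handler "$root/.htaccess" 'application/x-httpd-fastphp' \
        || { echo "FAIL step 1: fastphp handler missing in $root/.htaccess"; rc=1; }

    # Step 2: wp-cron disabled in wp-config.php (commented-out lines do not count)
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$root/wp-config.php" 2>/dev/null \
        || { echo "FAIL step 2: DISABLE_WP_CRON is not set to true"; rc=1; }

    # Step 3: an active cron entry runs wp-cron.php (checked only if a dump is given)
    if [ -n "$cron" ]; then
        grep -Ev '^[[:space:]]*#' "$cron" 2>/dev/null | grep -q 'wp-cron\.php' \
            || { echo "FAIL step 3: no active cron entry for wp-cron.php"; rc=1; }
    fi

    # Step 4: wp-admin uses the normal PHP 7.1 handler
    has_handler "$root/wp-admin/.htaccess" 'application/x-httpd-php71' \
        || { echo "FAIL step 4: php71 handler missing in wp-admin/.htaccess"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $root matches steps 1-4"
    return "$rc"
}

# Run directly: sh check_mmdrop.sh /home/YOURUSERNAME/public_html [crontab.txt]
if [ $# -gt 0 ]; then check_mmdrop "$@"; fi
```

A step 4 failure means wp-admin is still running under the reduced handler or has no handler override at all, which is the case to look at first if the dashboard stops working after step 1.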

 

 
