PHP Security

/etc/php.ini
; Hardening settings for a PHP web host. Treat them as defence in depth: they
; narrow what a compromised or malicious script can do, they are not a sandbox.
;
; disable_functions takes a comma-delimited list and only affects PHP's
; internal (built-in) functions:
;   - eval is a language construct, not a function, so listing it here does
;     not disable it.
;   - NOTE(review): names that are not built-ins have no effect; the phpAds_*
;     entries look like application functions, and fp, fput and inject_code
;     do not appear to be PHP built-ins - confirm and prune.
;   - posix_setuid is listed twice (harmless).
;   - NOTE(review): escapeshellarg/escapeshellcmd are escaping helpers;
;     blocking them breaks code that escapes arguments correctly. Confirm this
;     is intended.
;   - NOTE(review): pcntl_exec and dl are not in the list; consider adding
;     them if those features are available in this build.
disable_functions = "show_source, parse_ini_file, curl_exec, curl_multi_exec, create_function, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
; Stop PHP advertising itself in response headers. This only hides
; information; it does not replace keeping PHP patched.
expose_php=Off
; Do not let file functions (fopen, file_get_contents, ...) open remote URLs.
allow_url_fopen=Off
; Do not let include/require load code from a URL (remote file inclusion).
allow_url_include=Off
; NOTE(review): sql.safe_mode was removed in PHP 7.2; on newer releases this
; line does nothing - confirm the PHP version in use.
sql.safe_mode=On
; Only relevant when PHP runs as a CGI binary: refuse requests that did not
; come through the web server's redirect.
cgi.force_redirect=On
iptables
### iptables
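# Egress filter for the web-server accounts: connections opened by processes
# running as nginx or apache may only go to loopback and to SMTP on the mail
# server; anything else they originate is dropped. This limits what a
# compromised web application can reach from the host.
#
# Caveats:
#   - IPv4 only. ip6tables needs an equivalent rule set, otherwise the same
#     accounts can still connect out over IPv6.
#   - DNS queries from these accounts to a non-local resolver are dropped too.
#   - RETURN hands the packet back to OUTPUT, so later OUTPUT rules and the
#     chain policy still decide whether it finally leaves.
/sbin/iptables --new-chain CHAIN_APACHE
# Packets of already-tracked connections are accepted first, so replies to web
# clients never reach CHAIN_APACHE.
/sbin/iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables --append OUTPUT -m owner --uid-owner nginx -j CHAIN_APACHE
/sbin/iptables --append OUTPUT -m owner --uid-owner apache -j CHAIN_APACHE
# allow connections to local services over loopback (the /etc/sysconfig/iptables
# version of this rule set has the same rule; without it local back ends
# reached over 127.0.0.1 are cut off)
/sbin/iptables --append CHAIN_APACHE -d 127.0.0.1/32 -j RETURN
# allow the web-server users to connect to our smtp server
# (mail.server.addr is a placeholder; a host name is resolved only once, when
# the rule is added, so prefer the server's IP address)
/sbin/iptables --append CHAIN_APACHE -p tcp --syn -d mail.server.addr --dport 25 -j RETURN
# drop everything else these users try to open
/sbin/iptables --append CHAIN_APACHE -j DROP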

### /etc/sysconfig/iptables
# Persistent form of the web-server egress filter, in iptables-save syntax.
# NOTE(review): this is a fragment - presumably it belongs inside the *filter
# section of /etc/sysconfig/iptables, before COMMIT; confirm against the full
# file. It covers IPv4 only; IPv6 needs its own equivalent rules.
# Declare the user-defined chain (no policy, counters zeroed).
:CHAIN_APACHE - [0:0]
# Already-tracked connections are accepted first, so replies to web clients
# are never evaluated by CHAIN_APACHE.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# New outbound traffic owned by the web-server accounts goes to CHAIN_APACHE.
-A OUTPUT -m owner --uid-owner apache -j CHAIN_APACHE
-A OUTPUT -m owner --uid-owner nginx -j CHAIN_APACHE
# Loopback destinations are allowed (RETURN continues in OUTPUT).
-A CHAIN_APACHE -d 127.0.0.1/32 -j RETURN
# New TCP connections (SYN only) to port 25 on the mail server are allowed.
# mail.server.addr is a placeholder - replace it with the server's IP address.
-A CHAIN_APACHE -d mail.server.addr/32 -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN
# Everything else these accounts originate is dropped.
-A CHAIN_APACHE -j DROP
selinux
# Show the current state of every SELinux boolean whose name mentions httpd.
getsebool -a | grep httpd
# Persistently (-P survives reboots) stop httpd from running CGI scripts.
setsebool -P httpd_enable_cgi off

# Label the project tree as web content: record the rule in the local
# file-context policy, then relabel the files already on disk to match it.
# Directories the application must write to need their own, writable type
# (e.g. httpd_sys_rw_content_t) instead of loosening this label.
project_root=/your/project
semanage fcontext -a -t httpd_sys_content_t "${project_root}(/.*)?"
restorecon -R "${project_root}"