Disable shell_exec
If you're on a shared (reseller included) server, make sure your host disables the PHP function shell_exec. I just discovered that with shell_exec, anyone on the server who knows your username can look inside your www directory and check out what's in your config.php file, or any other file. Not such a good thing when admin passwords are kept in flat files. I don't know if most hosts disable it already, but you might ask them about it.
If your host uses WHM/cPanel, then it's really easy to get someone's username. I spent about 10 minutes writing a script that figured out usernames, and displayed the contents of their home directories. My host denied it being a problem until I showed them what I got from it.
Know of any other PHP functions that should be disabled on a shared server?
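
One way to check your own account for the exposure described in the post above, as an added example that is not part of the original post. The list of command-execution functions and the location of config.php are assumptions made for this example.

```php
<?php
// Added example (not from the original post): report whether PHP in this
// account can still run shell commands, and whether config.php is readable
// by other accounts. It inspects settings and file modes; it runs no command.

// Assumption: this function list is the editor's choice, not the poster's.
const COMMAND_FUNCTIONS = ['shell_exec', 'exec', 'system', 'passthru', 'popen', 'proc_open'];

// Return the entries of $wanted that a disable_functions value does NOT cover.
function still_enabled(string $disableFunctions, array $wanted): array
{
    $disabled = array_filter(array_map('trim', explode(',', strtolower($disableFunctions))));
    return array_values(array_diff($wanted, $disabled));
}

// True when the "other" read bit is set, i.e. any local account can read $path.
function world_readable(string $path): bool
{
    $mode = @fileperms($path);
    return $mode !== false && ($mode & 0004) !== 0;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}

$enabled = still_enabled((string) ini_get('disable_functions'), COMMAND_FUNCTIONS);
if ($enabled === []) {
    echo "OK: all listed command-execution functions are disabled\n";
} else {
    echo "WARNING: still enabled: " . implode(', ', $enabled) . "\n";
    // The backtick operator is disabled only when shell_exec is disabled.
    if (in_array('shell_exec', $enabled, true)) {
        echo "WARNING: the backtick operator works too\n";
    }
}

// Assumption: config.php sits next to this script; adjust the path as needed.
$config = __DIR__ . '/config.php';
if (!file_exists($config)) {
    echo "NOTE: $config not found, permission check skipped\n";
} elseif (world_readable($config)) {
    printf("WARNING: %s is mode %04o (world-readable)\n", $config, fileperms($config) & 07777);
} else {
    echo "OK: $config is not world-readable\n";
}
```

Run it through the web server rather than only from a shell, since the two can load different php.ini settings.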