
Sane security defaults for native PHP runtime #3405

Merged: fredrikekelund merged 17 commits into trunk from rsm-1691-sane-security-defaults on May 13, 2026

Conversation

fredrikekelund (Contributor) commented May 8, 2026

Related issues

How AI was used in this PR

Claude was used to verify the list of disabled PHP functions and to review the implementation as a whole, through several iterations.

Proposed Changes

Running code from third parties on your local machine is inherently risky. There's no sandbox with our native PHP runtime, so machines could be compromised in any number of ways (extracting secrets, running malicious code, etc.). This PR applies some sane security defaults that reduce risk. We aim to strike a good balance between relatively secure defaults and still allowing most typical WordPress sites to function perfectly normally.

  1. Always call getDefaultPhpArgs when invoking the PHP binaries.
  2. Increase memory_limit to 512 MB. This has nothing to do with security, but I noticed that the default is 128 MB, which isn't enough for a site with a few plugins installed.
  3. Optionally, apply an open_basedir restriction to the PHP binary. See docs. This is applied to the web server that runs the website.
    • Generating the open_basedir list is the most complex piece of logic in this PR, because we want symlinked plugins and themes to just work. To do this, we resolve any symlinks contained in the site directory and watch the wp-content directory for new symlinks added while the site is running. The symlink watcher triggers a PHP process restart.
  4. Optionally, apply a disable_functions restriction to the PHP binary that prevents PHP from doing a bunch of things that malicious plugins could use to compromise the current machine.

Testing Instructions

  1. Run STUDIO_RUNTIME=native-php npm start
  2. If you don't already have a site with runtime: native-php, create a new one
  3. Start that site
  4. Run node apps/cli/dist/cli/main.mjs wp core version and ensure it works (do this before testing wp-admin)
  5. Ensure that uploading media works
  6. Ensure that installing plugins works
  7. Do some light smoke testing of the site and ensure that nothing is broken

Pre-merge Checklist

  • Have you checked for TypeScript, React or other console errors?
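To make the open_basedir logic described above concrete, here is an added example (not code from this PR or from Studio) of deriving the PHP arguments for a site: it resolves symlinked plugins/themes under the site directory to their real targets, pins each entry with a trailing separator, skips dangling symlinks, and builds a constructed disable_functions list. The function names, the depth limit, the temp-dir allowance and the disabled-function list are all assumptions, not the project's.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Constructed sample list, not the PR's: process-spawning functions a malicious plugin would reach for.
export const DISABLED_FUNCTIONS = ["exec", "passthru", "shell_exec", "system", "proc_open", "popen"];

// open_basedir entries are prefix matches, so "/sites/a" would also admit "/sites/ab";
// a trailing separator pins the entry to that directory and its contents only.
function asBase(dir: string): string {
  return path.join(fs.realpathSync(dir), path.sep);
}

// Dangling symlinks have no real target, so there is nothing to allow for them.
function safeRealpath(p: string): string | null {
  try { return fs.realpathSync(p); } catch { return null; }
}

// Collect real targets of symlinks under `root` (symlinked plugins/themes). Symlinked directories are
// not descended into: their contents are covered by the target entry, and this avoids link cycles.
function symlinkTargets(root: string, depth: number, out: Set<string>): void {
  if (depth < 0) return;
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isSymbolicLink()) {
      const target = safeRealpath(full);
      if (target === null) continue;
      out.add(asBase(fs.statSync(target).isDirectory() ? target : path.dirname(target)));
    } else if (entry.isDirectory()) {
      symlinkTargets(full, depth - 1, out);
    }
  }
}

// Allowed paths: the site itself, every symlink target inside it, and the OS temp dir
// (assumption: media uploads are staged there before being moved into wp-content/uploads).
export function buildOpenBasedir(siteDir: string): string[] {
  const allowed = new Set<string>([asBase(siteDir), asBase(os.tmpdir())]);
  symlinkTargets(siteDir, 4, allowed);
  return [...allowed];
}

// Arguments for the php binary; path.delimiter is ":" on POSIX and ";" on Windows, as open_basedir expects.
export function phpArgs(siteDir: string): string[] {
  return [
    "-d", "memory_limit=512M",
    "-d", `open_basedir=${buildOpenBasedir(siteDir).join(path.delimiter)}`,
    "-d", `disable_functions=${DISABLED_FUNCTIONS.join(",")}`,
  ];
}
```

A constructed fixture for trying it: create a site directory with wp-content/plugins containing one symlink to a plugin directory outside the site and one dangling symlink, then check that `buildOpenBasedir` lists the external plugin's real path with a trailing separator and does not throw on the dangling link.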

@fredrikekelund fredrikekelund requested a review from bcotrim May 8, 2026 14:14
@fredrikekelund fredrikekelund self-assigned this May 8, 2026
@fredrikekelund fredrikekelund changed the title Rsm 1691 sane security defaults Sane security defaults for native PHP runtime May 8, 2026
Base automatically changed from f26d/native-php-improved-mu-plugins-writing to trunk May 13, 2026 13:41
wpmobilebot (Collaborator) commented May 13, 2026

📊 Performance Test Results

Comparing cc9e560 vs trunk

app-size

| Metric | trunk | cc9e560 | Diff | Change |
|---|---|---|---|---|
| App Size (Mac) | 1409.10 MB | 1409.21 MB | +0.11 MB | ⚪ 0.0% |

site-editor

| Metric | trunk | cc9e560 | Diff | Change |
|---|---|---|---|---|
| load | 1521 ms | 1499 ms | 22 ms | ⚪ 0.0% |

site-startup

| Metric | trunk | cc9e560 | Diff | Change |
|---|---|---|---|---|
| siteCreation | 8562 ms | 8561 ms | 1 ms | ⚪ 0.0% |
| siteStartup | 4921 ms | 4952 ms | +31 ms | ⚪ 0.0% |

Results are median values from multiple test runs.

Legend: 🟢 Improvement (faster) | 🔴 Regression (slower) | ⚪ No change (<50ms diff)

@fredrikekelund fredrikekelund merged commit ee289a1 into trunk May 13, 2026
10 checks passed
@fredrikekelund fredrikekelund deleted the rsm-1691-sane-security-defaults branch May 13, 2026 18:01