Default php.ini should be correctly hardened
Some elements of the default php.ini are somewhat insecure, two examples:
(1) The "error_log" parameter is currently simply set to "error_log" ... this means that error logs are dumped into public_html areas by default ... not cool!
(2) PHP is configured by default to dump errors on screen instead of logging them.
(3) No functions are disabled by default; it would be good to disable some high-risk functions (e.g. allow_url_include, allow_webdav_methods, system, exec, shell_exec, passthru, show_source, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo)
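
A way to check a php.ini for the three points raised above, given as an added example that is not part of the original request or of any vendor tooling. The function names (parse_ini, is_on, audit), the sample ini text and the log path are constructed for illustration, and POSIX paths are assumed.

```python
import posixpath
# Subset of the functions named in the post; extend to match local policy.
HIGH_RISK = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "show_source"}

# Constructed sample inputs (not taken from any real server).
WEAK = """[PHP]
error_log = error_log
display_errors = On
disable_functions =
"""
HARDENED = """[PHP]
error_log = /var/log/php/error.log   ; constructed path
display_errors = Off
allow_url_include = Off
disable_functions = system,exec,shell_exec,passthru,popen,proc_open,show_source
"""

def parse_ini(text):
    """Last assignment wins; ';' starts a comment (quoted ';' is not handled)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_on(value):
    return value.lower() in {"1", "on", "true", "yes", "stdout", "stderr"}

def audit(text):
    """Return (directive, problem) pairs for the settings raised in the post."""
    s, findings = parse_ini(text), []
    log = s.get("error_log", "")
    if log and log != "syslog" and not posixpath.isabs(log):
        findings.append(("error_log", f"relative path {log!r}: log lands in the web root"))
    if is_on(s.get("display_errors", "1")):  # PHP's built-in default is on
        findings.append(("display_errors", "errors are shown to the client"))
    if is_on(s.get("allow_url_include", "0")):  # an ini directive, not a function
        findings.append(("allow_url_include", "remote includes are enabled"))
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    missing = sorted(HIGH_RISK - disabled)
    if missing:
        findings.append(("disable_functions", "still callable: " + ", ".join(missing)))
    return findings

if __name__ == "__main__":
    for name, ini in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(ini) or "no findings")
```

allow_url_include is handled as a setting because it is a php.ini directive; listing it in disable_functions has no effect.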