Recommended php.ini Settings for WordPress: Optimizing Performance and Security

Properly configuring the php.ini file is essential for improving the performance and security of your WordPress website. This article provides detailed recommendations for php.ini settings to help you optimize your WordPress environment and resolve common issues.


1. Error Logging (error_log): Disable

Recommendation: Disable
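The error_log directive sets the file in which PHP records errors; whether errors are logged at all is controlled by log_errors. While useful during development, it’s recommended to disable logging in production environments to prevent sensitive information from being exposed to potential attackers.

; error_log expects a file path, so the switch that turns logging off is log_errors
log_errors = Off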

If you decide to keep error logging enabled, ensure the log file is stored in a secure directory with restricted access.


2. Output Buffering (output_buffering): Enable

Recommendation: Enable
Output buffering stores PHP-generated content in memory before sending it to the browser, improving performance and enabling better control over output. For WordPress, enabling this feature is highly recommended.

output_buffering = On

Once enabled, PHP buffers all output until the script finishes or the flush() function is explicitly called.


3. File Uploads (file_uploads): Enable

Recommendation: Enable
WordPress relies on the ability to upload files, such as images and videos. Disabling file uploads will break WordPress’s media upload functionality, so ensure this is enabled.

file_uploads = On

4. Restrict PHP Functions: Improve Security

To enhance server security, certain PHP functions should be disabled to prevent misuse by malicious actors.

4.1 chown: Disable

The chown function allows changing file ownership, which could be exploited in shared hosting environments. Disable this function:

disable_functions = chown

4.2 chmod: Disable

The chmod function changes file permissions and can be abused by malicious scripts. Disable it for better security:

disable_functions = chmod

4.3 fsockopen: Enable

Important: Must Be Enabled
The fsockopen function is used for opening network connections, such as sending emails or accessing third-party APIs. If disabled, WordPress email functionality and plugins like WP SMTP will not work.

disable_functions =

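Make sure fsockopen does not appear in the disable_functions list. disable_functions is a single comma-separated directive, and a later disable_functions line replaces an earlier one, so keep chown and chmod from 4.1 and 4.2 together in one line and leave fsockopen out of it. If you encounter the “WP SMTP connection error” message when using the WP SMTP plugin, it is likely due to fsockopen being disabled.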


5. Request Order (request_order): Set to GP

The request_order directive controls which of the GET, POST, and COOKIE data PHP places in the $_REQUEST array, and in what order. Setting it to GP ensures only GET and POST data are considered, improving security by keeping COOKIE data out of $_REQUEST.

request_order = "GP"

This helps reduce the risk of cross-site scripting (XSS) attacks and other vulnerabilities.


6. File Upload Size Limit (upload_max_filesize): 22MB

WordPress has a default file upload size limit. If your site requires uploading larger images or videos, you can adjust the upload_max_filesize value.

Recommendation: Set to 22MB
Adjust the upload limit according to your needs:

upload_max_filesize = 22M

Additionally, update related settings to ensure compatibility:

max_execution_time = 300
post_max_size = 25M
memory_limit = 128M

Ensure that post_max_size is larger than upload_max_filesize to prevent file upload errors.


7. Resolving WP SMTP Plugin Errors

If you are using the WP SMTP plugin to send emails, you may encounter the following error:

WP SMTP connection error
Seems like there are some problems with the entered information. Please re-check & re-enter it and hit the "Save changes" button.

Solution

  1. Check if fsockopen is Enabled
    Ensure that the fsockopen function is not disabled in your php.ini configuration. If it is disabled, update the configuration as follows:

    disable_functions =

  2. Re-enter SMTP Username and Password
    WP SMTP recently introduced encryption for storing usernames and passwords. Re-entering and saving your SMTP credentials can resolve the issue.
  3. Verify SMTP Settings
    If the issue persists, ensure the SMTP server details are correct. For example, Gmail’s SMTP configuration is as follows:
    • Hostname: smtp.gmail.com
    • Port: 587 (for TLS) or 465 (for SSL)
    • Authentication: Enabled
    • Encryption: TLS or SSL

8. Additional Recommendations

8.1 Disable Dangerous Functions

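In addition to chown and chmod, you can disable other risky PHP functions that are not required for WordPress operation. Because disable_functions is a single comma-separated list, put every function in one line. Note that eval is a language construct rather than a function, so listing it here has no effect.

disable_functions = chown, chmod, exec, shell_exec, system, passthru, eval, popen, proc_open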
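
An added example, not part of the original article: a small Python check that reads php.ini text the way PHP does (the last assignment of a repeated directive wins) and flags the conflicts that appear when the snippets from sections 4 and 6 are pasted in one after another. The sample input and all function names are constructed for illustration.

```python
import re

# Constructed sample: snippets from sections 4 and 6 pasted in sequence,
# with post_max_size deliberately set too low.
SAMPLE_INI = """\
disable_functions = chown
disable_functions = chmod
disable_functions =
upload_max_filesize = 22M
post_max_size = 20M
"""

def parse_ini(text):
    """Return (effective, history); PHP keeps the last value of a repeated directive."""
    history = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ; comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        history.setdefault(key, []).append(value.strip('"'))
    return {k: v[-1] for k, v in history.items()}, history

def to_bytes(value):
    """Convert PHP shorthand sizes (22M, 512K, 1G) to bytes."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip(), re.I)
    if not m:
        raise ValueError(f"not a size: {value!r}")
    return int(m.group(1)) * 1024 ** " KMG".index(m.group(2).upper() or " ")

def audit(text, must_disable=("chown", "chmod"), must_allow=("fsockopen",)):
    """Return a list of findings for the settings this article recommends."""
    effective, history = parse_ini(text)
    findings = []
    if len(history.get("disable_functions", [])) > 1:
        findings.append("disable_functions set more than once; only the last line applies")
    disabled = {f.strip() for f in effective.get("disable_functions", "").split(",") if f.strip()}
    findings += [f"{f} is not disabled" for f in must_disable if f not in disabled]
    findings += [f"{f} is disabled" for f in must_allow if f in disabled]
    if "eval" in disabled:
        findings.append("eval is a language construct; disable_functions does not affect it")
    up, post = effective.get("upload_max_filesize"), effective.get("post_max_size")
    if up and post and to_bytes(post) <= to_bytes(up):
        findings.append("post_max_size must be larger than upload_max_filesize")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INI)) or "no findings")
```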

8.2 Enable Safe Mode (For Older PHP Versions)

If your PHP version supports Safe Mode (it was deprecated in PHP 5.3 and removed in PHP 5.4), enabling it can restrict untrusted scripts from executing on your server.

safe_mode = On

Conclusion

By properly configuring the php.ini file, you can significantly enhance the performance and security of your WordPress site. Below is a quick overview of the recommended settings:

| Parameter | Recommended Setting |
|---|---|
| error_log | Disable |
| output_buffering | Enable |
| file_uploads | Enable |
| chown | Disable |
| chmod | Disable |
| fsockopen | Enable |
| request_order | GP |
| upload_max_filesize | 22MB |

Make sure to tailor these settings based on your specific requirements and regularly monitor your site’s performance. If you face any issues, adjusting the php.ini configuration or consulting your server administrator should help resolve them.
