Useful PHP Configuration Tips (php.ini)
Tuning your php.ini settings is a simple but powerful way to improve your development experience, harden your production environment, and get the best out of your server resources.
Here are the most practical PHP configuration tips I use regularly, with clear explanations for why each setting matters.
1. Display All Errors (for Development)
display_errors = On
display_startup_errors = On
error_reporting = E_ALL
Why?
These settings show all errors, warnings, and notices. They're essential when debugging during development so you can spot bugs early.
Warning: never enable these in production, because they expose sensitive information.
2. Increase Upload Limits
upload_max_filesize = 50M
post_max_size = 100M
Why?
By default, PHP has low upload limits. If you're allowing users to upload files or dealing with CSV imports or image uploads, you need to raise these limits accordingly.
- upload_max_filesize: Max size of an uploaded file.
- post_max_size: Max size of the entire POST body (should be larger than upload_max_filesize).
3. Increase Execution Time & Memory Limit
max_execution_time = 60
memory_limit = 512M
Why?
For operations like PDF generation, image processing, or large database imports, default limits can cause timeouts or memory errors. These settings give scripts more time and memory to complete.
4. Enable Realpath Cache (for Faster File Access)
realpath_cache_size = 4096k
realpath_cache_ttl = 600
Why?
PHP constantly resolves file paths during execution (especially in large frameworks). This cache speeds things up by storing resolved paths, reducing filesystem lookups.
5. Disable Dangerous Functions (for Production)
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
Why?
These functions let PHP run system-level commands. Disabling them in production means a command injection flaw in application code cannot reach a shell through them.
6. Hide PHP Version in HTTP Headers
expose_php = Off
Why?
This stops PHP from sending X-Powered-By: PHP/x.x.x in HTTP response headers, so responses no longer reveal your server's PHP version.
7. Set Your Timezone
date.timezone = "UTC"
Why?
If not set, PHP uses the server's system timezone or may throw warnings. Explicitly setting it ensures consistent behavior for date/time functions.
8. Boost Performance with OPcache
opcache.enable=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=10000
opcache.revalidate_freq=2
Why?
OPcache stores precompiled script bytecode in memory, significantly improving performance. These settings help allocate enough memory and control how often PHP checks for script updates.
- memory_consumption: More memory = more cached scripts.
- max_accelerated_files: Higher number = more files can be cached.
- revalidate_freq: How often OPcache checks for changes (in seconds).
9. Secure PHP Sessions
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1
Why?
Securing session cookies prevents common attacks:
- cookie_httponly: Prevents JavaScript access to the cookie.
- cookie_secure: Ensures the cookie is only sent over HTTPS.
- use_strict_mode: Rejects uninitialized session IDs to prevent fixation attacks.
10. Log Errors without Displaying Them (for Production)
log_errors = On
error_log = /var/log/php_errors.log
display_errors = Off
Why?
In production, you should log errors but not display them to users. This protects sensitive details while still keeping error visibility for developers.
Final Tip
Don't forget to restart PHP-FPM or your web server after changing your php.ini file:
sudo systemctl restart php8.2-fpm
# or for Apache users
sudo systemctl restart apache2
Bonus Tip
Use php --ini to find the loaded php.ini file:
php --ini
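Once the right file is loaded, the production values from tips 5, 6, 9 and 10 can be checked against what PHP actually picked up. The script below is an added example, not part of the original post; audit_php_ini and ini_flag are hypothetical helper names. It assumes PHP 8 and has to run under the SAPI you are auditing, because the CLI and PHP-FPM or Apache can load different php.ini files.

```php
<?php
// Added example: compare effective settings with the production values in tips 5, 6, 9 and 10.
// Flag directives and the production value the tips above recommend.
const EXPECTED_FLAGS = [
    'display_errors'          => false,
    'log_errors'              => true,
    'expose_php'              => false,
    'session.cookie_httponly' => true,
    'session.cookie_secure'   => true,
    'session.use_strict_mode' => true,
];
// Functions listed in the disable_functions line of tip 5.
const EXPECTED_DISABLED = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];

// Hypothetical helper: read a flag as on/off. display_errors also accepts
// "stdout" and "stderr", both of which mean errors are displayed.
function ini_flag(string $raw): bool
{
    return in_array(strtolower($raw), ['stdout', 'stderr'], true)
        || filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// Hypothetical helper: return one finding per setting that deviates.
function audit_php_ini(): array
{
    $findings = [];
    foreach (EXPECTED_FLAGS as $name => $want) {
        $raw = ini_get($name);
        if ($raw === false) {  // ini_get() returns false for an unknown directive
            $findings[] = "$name: directive not available in this build";
        } elseif (ini_flag($raw) !== $want) {
            $findings[] = sprintf('%s is %s, expected %s', $name, $want ? 'Off' : 'On', $want ? 'On' : 'Off');
        }
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    if ($missing = array_diff(EXPECTED_DISABLED, $disabled)) {
        $findings[] = 'disable_functions is missing: ' . implode(',', $missing);
    }
    if ((string) ini_get('error_log') === '') {
        $findings[] = 'error_log is not set, so errors go to the SAPI default log';
    }
    return $findings;
}

printf("SAPI: %s\nLoaded php.ini: %s\n", PHP_SAPI, php_ini_loaded_file() ?: '(none)');
$findings = audit_php_ini();
foreach ($findings as $finding) echo "[!] $finding\n";
exit($findings ? 1 : 0);
```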
Got more tricks or want to share your favorite setup? Ping me on Twitter!