user.ini - Changing PHP settings and restarting PHP

You are able to make changes to some PHP settings via a .user.ini file. This file doesn't exist by default - you will need to create it within the html folder of the relevant site.

You can create this using the Onyx File Manager or by uploading a file using FTP.

  1. Create the file in your site's root folder: /www/html/
  2. Add your required PHP settings and click Save.
    Our suggested settings are:

    max_execution_time = 900
    max_input_time = 600
    memory_limit = 2048M
    max_input_vars = 8000

    Note: This file cannot be blank. Saving this file without adding data will result in the file not being created.
  3. In order for your PHP settings to take effect you'll need to restart PHP within your account.
    Click on the Tools option on the left-hand side.
  4. Click on Restart PHP.
  5. You can ensure your changes have taken effect by creating a phpinfo file.

Standard PHP settings

Below, you can see the default PHP values. These values will be overridden by your .user.ini file.

max_input_vars = 1000
memory_limit = 256M
post_max_size = 100M
upload_max_filesize = 100M

Hiding the user.ini file

Wordfence recommends hiding .user.ini because, on many shared hosting setups, it can be accessed directly over the web and may expose internal configuration details.

For sites using Wordfence, this file commonly contains a reference to the Wordfence WAF loader, which can reveal that Wordfence is in use and where key security files live on the disk.

While this isn't a vulnerability on its own, it does reduce the amount of guesswork for an attacker and goes against general hardening best practices.

We agree with this recommendation as part of a defence-in-depth approach: configuration files should be readable by PHP but not publicly accessible, which limits information disclosure and reduces the overall attack surface.

To block access to your .user.ini file, add the following lines to your .htaccess file:

<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
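
To confirm the rule is working on your own site, request the file over HTTP and check the response. The script below is an added example, not part of Krystal's or Wordfence's tooling; the function names and result labels (blocked, missing, exposed, exposed-waf-path, unknown) are assumptions made for this example, and check_site needs curl and network access.

```shell
#!/bin/sh
# Added example: verify that .user.ini is not served to web visitors.
# Usage (after sourcing this file): check_site https://your-site.example

# classify_user_ini STATUS BODY
# Prints: blocked | missing | exposed | exposed-waf-path | unknown
classify_user_ini() {
    status=$1
    body=$2
    case "$status" in
        401|403) echo "blocked"; return 0 ;;   # the deny rule is working
        404|410) echo "missing"; return 0 ;;   # no file served at this URL
        200) ;;                                # inspect the body below
        *) echo "unknown"; return 0 ;;         # redirects, 5xx, curl failure
    esac
    # A 200 only counts as exposure if the body looks like ini directives;
    # some sites answer 200 with an HTML error page instead.
    if printf '%s\n' "$body" |
        grep -Eq '^[[:space:]]*auto_prepend_file[[:space:]]*='; then
        # Discloses the on-disk path of a prepended file such as the WAF loader.
        echo "exposed-waf-path"
    elif printf '%s\n' "$body" |
        grep -Eq '^[[:space:]]*[A-Za-z_.]+[[:space:]]*=[[:space:]]*[^[:space:]]'; then
        echo "exposed"
    else
        echo "unknown"
    fi
}

# check_site BASE_URL
# Returns 0 when the file is blocked or absent, 1 otherwise.
check_site() {
    url="${1%/}/.user.ini"
    tmp=$(mktemp) || return 2
    status=$(curl -sS -o "$tmp" -w '%{http_code}' --max-time 10 "$url") || status=000
    result=$(classify_user_ini "$status" "$(cat "$tmp")")
    rm -f "$tmp"
    echo "$url -> HTTP $status -> $result"
    case "$result" in
        blocked|missing) return 0 ;;
        *) return 1 ;;
    esac
}
```

With the .htaccess rule in place, check_site should report blocked (HTTP 403) even though PHP can still read the file.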


© Krystal Hosting Ltd 2002–