Reviewing your configuration with phpinfo()
In this lesson you will learn how to inspect the effective PHP configuration that your WordPress site is actually running with. Rather than relying only on the files you've edited, you'll use phpinfo() and related tools to confirm which settings are active, which extensions are loaded, and how PHP behaves in both web and CLI contexts.
Working with your PHP configuration will be an ongoing task when managing your
WordPress server. Sometimes you'll need to install a new extension, other times
you'll need to increase or decrease certain limits, like memory_limit and
max_execution_time. The output from phpinfo() can help you diagnose
configuration changes.
Security considerations
Some information in the output from phpinfo() can be sensitive. This includes
passwords and other secrets leaked from environment variables, as well as
potentially outdated or vulnerable modules, operating system details, and more.
It is best to keep this information private. Most guides and tutorials
advise readers to delete their phpinfo.php file after they're done, but given
the hundreds of times I've seen similar files left lying around in publicly
accessible directories, I believe the best strategy is to protect it.
Here are a few ways you can protect it, from easiest to hardest:
- Use a filename that's hard to guess
- Simple $_GET parameter check before displaying PHP info
- Restrict access by IP
- Basic Authentication
I usually use a combination of two of these.
phpinfo()
In our public_html directory, let's create a new file using a cryptic
filename that's hard to guess. I like to use tr for this, but you can also
use a password manager to generate a strong unique filename:
cd /sites/uncached.org/public_html
touch phpinfo-$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 32).php
sudo chown www-data:www-data phpinfo-*
ls -l phpinfo-*
Inside this file I'll check my IP address to make sure it's me, before calling
phpinfo():
<?php
if ( $_SERVER['REMOTE_ADDR'] !== 'MY_IP_ADDRESS' ) {
    die( 'Nothing to see here.' );
}
phpinfo();
Note that if you've done the Cloudflare, Nginx and realip configuration in
the previous lesson correctly, this will be
resolved to the IP address of the visitor connecting to Cloudflare, and not a
Cloudflare IP. This could also be an IPv6 address if your ISP or VPN uses one.
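The following is an added example, not code from the original lesson: it combines two of the protections listed above, the IP restriction and the $_GET parameter check, and compares addresses in binary form so an IPv6 address matches however it is written. The constant names, the "token" parameter name and the sample addresses are assumptions; replace the placeholders with your own values.

```php
<?php
// Added example: IP allowlist plus a secret $_GET token.
// ALLOWED_IPS and ACCESS_TOKEN_SHA256 are placeholders you must replace.
const ALLOWED_IPS         = [ '203.0.113.10', '2001:db8::10' ]; // constructed sample addresses
const ACCESS_TOKEN_SHA256 = 'REPLACE_WITH_SHA256_OF_YOUR_TOKEN';

// Compare addresses in packed binary form so that different textual
// spellings of the same IPv6 address (compressed vs. expanded) still match.
function ip_is_allowed( string $remote, array $allowed ): bool {
    $remote_bin = @inet_pton( $remote );
    if ( false === $remote_bin ) {
        return false; // Not a valid IPv4/IPv6 address: deny.
    }
    foreach ( $allowed as $ip ) {
        $bin = @inet_pton( $ip );
        if ( false !== $bin && $bin === $remote_bin ) {
            return true;
        }
    }
    return false;
}

// Hash the supplied token and compare in constant time. The file then holds
// only a hash, and the comparison does not leak timing information.
// is_string() rejects array input such as ?token[]=x.
function token_is_valid( $given, string $expected_sha256 ): bool {
    return is_string( $given )
        && hash_equals( $expected_sha256, hash( 'sha256', $given ) );
}

$remote = $_SERVER['REMOTE_ADDR'] ?? '';
$token  = $_GET['token'] ?? null;

// Never let a proxy or browser cache this page, whatever the outcome.
header( 'Cache-Control: no-store' );

if ( ! ip_is_allowed( $remote, ALLOWED_IPS ) || ! token_is_valid( $token, ACCESS_TOKEN_SHA256 ) ) {
    // Answer like a missing page so the file does not reveal what it is.
    http_response_code( 404 );
    exit;
}

phpinfo();
```

Query-string values are written to web server access logs, so treat the token as a second factor on top of the IP check rather than as the only protection.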
There are plenty of sections to explore here. Note that this is the PHP-FPM
pool configuration, which combines your global php.ini configuration with
your site-specific pool config.
Increase memory_limit
Let's use the browser search to find memory_limit. Mine is set to 128M for
both local and master values. That is usually more than enough to run a
lightweight WordPress site, but we're anticipating WooCommerce and LearnDash
and various page builders, so let's raise this limit.
Edit your site's PHP pool configuration file, and add a new php_admin_value
for memory_limit. My configuration file is in /config/php/uncached.org.conf:
php_admin_value[memory_limit] = 512M
Reload the PHP-FPM service and refresh your phpinfo() page:
sudo systemctl reload php8.3-fpm.service
You should now see the memory limit at 512M in your Core section of the
phpinfo() output. As mentioned earlier, this is your PHP pool configuration
for this specific site, and this setting does not affect other sites or
PHP CLI runs.
CLI
We might want more memory for PHP in a CLI context as we may run heavier tasks, like cron jobs, imports, product syncs and other things. You can view the entire CLI configuration using:
php -i | less
If I know what I'm looking for, I like to use it with grep. The first
value is the local value (can usually be changed with things like ini_set),
the second one is the master value.
php -i | grep memory_limit
memory_limit => 128M => 128M
Let's create a new CLI-only configuration for PHP to increase this limit. I'll
call this cli.ini and place it in /config/php/cli.ini with the following
contents:
[php]
memory_limit = 1G
Make sure the file is owned by root, and symlinked to the PHP CLI conf.d directory:
ln -sfn /config/php/cli.ini /etc/php/8.3/cli/conf.d/cli.ini
Verify that the change has worked (no restarts/reloads necessary for CLI):
php -i | grep memory_limit
memory_limit => 1G => 1G
And that it hasn't affected our global default PHP-FPM configuration:
php-fpm8.3 -i | grep memory_limit
memory_limit => 128M => 128M
If you'd like to change something globally for both PHP CLI and PHP-FPM pools,
you can use the main /config/php/php.ini file which is loaded in every
context.
Cleaning up
Don't forget to add, commit and push your config changes to the Git
repository. If you didn't follow my advice on securing your phpinfo() file,
now is a good time to delete it.