Ecommerce store management has multifaceted challenges you must face to address your customers’ needs. And in some cases, those challenges might involve compromises.
One such case is your website’s security and performance. On the one hand, most online shoppers expect ecommerce websites to load in three seconds or less. On the other hand, 18 percent of customers leave ecommerce websites midway through the buyer’s journey if they find the website’s payment security lacking.
Finding a balance between these requirements as a Magento store owner places you in a tight spot. For instance, you may use PHP open_basedir to restrict PHP scripts from accessing information outside specific directories, but it comes at the cost of Magento performance.
In this guide, we’ll explain what PHP open_basedir does, why you’re better off disabling it, and how to disable it.
Here’s what we’ll cover:
PHP open_basedir 101
PHP open_basedir is a PHP security feature that lets you define the directories PHP scripts can access. In other words, you can use it to restrict PHP scripts from accessing files outside the open_basedir paths.
If you’re a Magento website owner, you typically may use PHP open_dir on your Magento installation directory to:
- Prevent PHP scripts from accessing sensitive files outside the directory, including system files and files of other websites hosted on the server.
- Protect the server from malicious software like viruses and other malware that exploits directory access.
- Comply with data security standards like PCI-DSS for Magento.
How to check the status of PHP open_basedir
To check if PHP open_basedir is turned on or off on your web server, create a new file named info.php with the following code in your domain’s root directory:
<?php
phpinfo();
?>
Next, check the status of PHP open_basedir by going to example.com/info.php. In our example, open_basedir has no value. In other words, open_basedir is disabled.
Enabled PHP open_basedir Magento issues
While PHP open_basedir lets you secure your website server from overextending PHP plugins, it often causes two significant issues with Magento.
Error: open_basedir restriction in effect
Magento and its extensions typically try to access files on the server via fopen(), file_exists(), or include(). If Magento can find the requested file, all goes well.
But if you have open_basedir turned on, it might prevent Magento from finding the requested file. In that case, Magento typically returns an error or warning such as:
Warning: fopen(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s):(/var/www/vhosts/example.com:/usr/share/php)…
Poor Magento performance
While you might be able to bypass the open_basedir restriction error by manually adding the problem directories to the allowed list, open_basedir usually means more trouble for Magento than it’s worth.
You can’t benefit from PHP’s realpath cache when open_basedir is enabled. Realpath cache helps you temporarily store the pathing of files PHP scripts include or reference.
Disabled realpath cache might not be a big deal for smaller websites with a limited number of files. However, Magento relies on numerous files working together across several directories. As a result, you’ll see degraded Magento performance with PHP open_basedir.
For instance, we ran a test by adding the lstat() function to Magento code and monitoring how many lstat calls we get when loading a product page with open_basedir enabled and disabled. Here are the results.
How to disable PHP open_basedir
How you disable PHP open_basedir depends on your web hosting provider and hosting infrastructure. Let’s discuss the three most common methods.
Editing php.ini file via cPanel
If you’re managing your server with cPanel, you can use the following steps to disable PHP open_basedir:
1. Open MultiPHP INI Editor.
2. Open the editor mode and select your domain.
3. Add a semicolon (;) before open_basedir to disable it. Alternatively, you can also add none after = to disable it.
4. Save to update the php.ini file.
Editing Apache configuration file
If you’re using a non-cPanel host, you might need to edit an Apache config file or httpd.conf. Here’s how you can do so:
1. Access the files on your web server via FileZilla or a similar program.
2. Navigate to /etc/httpd/conf.
3. Locate httpd.conf and view or edit it.
4. Find the entry of open_basedir and set it to:
php_admin_value open_basedir none
Contact your hosting provider
Depending on your hosting provider, you might be unable to access httpd.conf or change open_basedir settings on your end.
If you can’t find open_basedir settings in your configuration files, you’ll need to contact your hosting provider’s support for help.
In some cases, customer support might cite security reasons for not turning off open_basedir functionality. If that’s the case, you might be better off with another web host since The PHP Group itself doesn’t consider it a reliable security feature in its php.ini docs.
Final thoughts: PHP open_basedir — Magento recommendations from Nexcess
While PHP open_basedir might give you false comfort as a security feature, it’s not something you should rely on at the cost of Magento performance.
You can get both high performance and robust security by opting for Nexcess Magento enterprise hosting. Our performance-optimized servers are in SOC type II audited data centers and come with powerful features like PCI-compliant security, flexible architecture, near 100 percent uptime, and 24/7/365 support.
And our plans have open_basedir disabled by default for better performance.
Check out our managed Magento plans to get started today.