Knowledge

Important PHP config options

#PHP

The default php.ini is built to be safe, not to run a real website. These are the settings that actually matter in production and what to set them to.

Published by Mark van Eijk on June 30, 2026 · 2 minute read

  1. Find your php.ini
  2. memory_limit
  3. max_execution_time
  4. upload_max_filesize and post_max_size
  5. error_reporting and display_errors
  6. date.timezone
  7. opcache
  8. FPM self-healing
  9. Keep secrets out of php.ini
  10. Let Rocketeers handle it

After you install PHP, it works — but the defaults in php.ini are conservative placeholders, not production values. A handful of settings make the difference between a site that runs smoothly and one that throws cryptic errors under load. Here are the ones worth knowing.

Find your php.ini

There's a separate php.ini per version and per SAPI (CLI vs FPM). Ask PHP where each one lives:

php --ini

For a web server, the file you care about is the FPM one, usually /etc/php/8.4/fpm/php.ini. Restart FPM after any change:

sudo service php8.4-fpm restart

memory_limit

How much memory a single script may use. The default of 128M is tight for modern frameworks and image processing. 256M or 512M is a common production value:

memory_limit = 512M

Set it too low and you get allowed memory size exhausted. More detail in increase PHP memory limit.

max_execution_time

The longest a script may run before PHP kills it. The default 30 seconds is fine for web requests — keeping it low protects you from runaway scripts. Raise it only for specific long jobs, and prefer queues over long requests:

max_execution_time = 30

Hitting the limit produces maximum execution time exceeded.

upload_max_filesize and post_max_size

These cap file uploads, and they work together — post_max_size must be at least as large as upload_max_filesize, because the upload travels inside the POST body:

upload_max_filesize = 64M
post_max_size = 64M

If uploads fail silently, this pair is almost always why — see POST file exceeds upload_max_filesize.

error_reporting and display_errors

This is the setting people get backwards most often. On a production site, never show errors to visitors — log them instead:

display_errors = Off
log_errors = On
error_reporting = E_ALL

On a development machine you want the opposite, so you actually see what broke:

display_errors = On

Leaking a stack trace to the public is both ugly and a security risk. Keep it off in production.

date.timezone

An unset timezone makes PHP guess and emit warnings. Set it explicitly — UTC is the safe default for servers:

date.timezone = UTC

opcache

OPcache compiles your PHP to bytecode and keeps it in memory, which is one of the biggest free performance wins available. Make sure it's on:

opcache.enable = 1
opcache.memory_consumption = 256
opcache.max_accelerated_files = 20000

Full walkthrough in enabling OPcache, and on PHP 8 you can go further with the OPcache JIT.

FPM self-healing

In php-fpm.conf, these let the FPM master restart workers automatically if they start crashing, instead of taking the pool down with them:

emergency_restart_threshold = 10
emergency_restart_interval = 1m
process_control_timeout = 30s

Keep secrets out of php.ini

Configuration that changes between environments — database credentials, API keys — belongs in environment variables, not php.ini or your code. See environment variables in Laravel for the pattern.

Let Rocketeers handle it

Every one of these has a sensible production value, a separate file per PHP version, and an FPM restart to make it stick — and getting display_errors wrong on production is a real security hole. Rocketeers tunes php.ini and FPM to production-ready values for every PHP version it installs, so the defaults you start with are already the right ones.

Subscribe to our newsletter

Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now!