Knowledge
Important PHP config options
#PHP
The default php.ini is built to be safe, not to run a real website. These are the settings that actually matter in production and what to set them to.
Published by Mark van Eijk on June 30, 2026 · 2 minute read
- Find your php.ini
- memory_limit
- max_execution_time
- upload_max_filesize and post_max_size
- error_reporting and display_errors
- date.timezone
- opcache
- FPM self-healing
- Keep secrets out of php.ini
- Let Rocketeers handle it
After you install PHP, it works — but the defaults in php.ini are conservative placeholders, not production values. A handful of settings make the difference between a site that runs smoothly and one that throws cryptic errors under load. Here are the ones worth knowing.
Find your php.ini
There's a separate php.ini per version and per SAPI (CLI vs FPM). Ask PHP where each one lives:
php --ini
For a web server, the file you care about is the FPM one, usually /etc/php/8.4/fpm/php.ini. Restart FPM after any change:
sudo service php8.4-fpm restart
memory_limit
How much memory a single script may use. The default of 128M is tight for modern frameworks and image processing. 256M or 512M is a common production value:
memory_limit = 512M
Set it too low and you get allowed memory size exhausted. More detail in increase PHP memory limit.
max_execution_time
The longest a script may run before PHP kills it. The default 30 seconds is fine for web requests — keeping it low protects you from runaway scripts. Raise it only for specific long jobs, and prefer queues over long requests:
max_execution_time = 30
Hitting the limit produces maximum execution time exceeded.
upload_max_filesize and post_max_size
These cap file uploads, and they work together — post_max_size must be at least as large as upload_max_filesize, because the upload travels inside the POST body:
upload_max_filesize = 64M
post_max_size = 64M
If uploads fail silently, this pair is almost always why — see POST file exceeds upload_max_filesize.
error_reporting and display_errors
This is the setting people get backwards most often. On a production site, never show errors to visitors — log them instead:
display_errors = Off
log_errors = On
error_reporting = E_ALL
On a development machine you want the opposite, so you actually see what broke:
display_errors = On
Leaking a stack trace to the public is both ugly and a security risk. Keep it off in production.
date.timezone
An unset timezone makes PHP guess and emit warnings. Set it explicitly — UTC is the safe default for servers:
date.timezone = UTC
opcache
OPcache compiles your PHP to bytecode and keeps it in memory, which is one of the biggest free performance wins available. Make sure it's on:
opcache.enable = 1
opcache.memory_consumption = 256
opcache.max_accelerated_files = 20000
Full walkthrough in enabling OPcache, and on PHP 8 you can go further with the OPcache JIT.
FPM self-healing
In php-fpm.conf, these let the FPM master restart workers automatically if they start crashing, instead of taking the pool down with them:
emergency_restart_threshold = 10
emergency_restart_interval = 1m
process_control_timeout = 30s
Keep secrets out of php.ini
Configuration that changes between environments — database credentials, API keys — belongs in environment variables, not php.ini or your code. See environment variables in Laravel for the pattern.
Let Rocketeers handle it
Every one of these has a sensible production value, a separate file per PHP version, and an FPM restart to make it stick — and getting display_errors wrong on production is a real security hole. Rocketeers tunes php.ini and FPM to production-ready values for every PHP version it installs, so the defaults you start with are already the right ones.
Subscribe to our newsletter
Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now!