WordPress, PHP, Suhosin, Out of Memory and Execution Timeouts

Suhosin is a security patch for PHP. WordPress is a CMS that needs PHP for execution. Suhosin can be a real mean so-and-so who stops WordPress scripts executing fully.

If you get PHP out of memory errors or max execution time errors even after you have increased the max_execution_time and the memory_limit in php.ini then you might need to have a talk with Suhosin.

Say hello to Su Hosin

Suhosin is an advanced protection system for PHP installations. It was designed to protect your servers on the one hand against a number of well known problems in PHP applications and on the other hand against potential unknown vulnerabilities within these applications or the PHP core itself ~ Hardened PHP.

Suhosin is configured the same way we configure PHP: we set values in php.ini.

We can use phpinfo() to see details about a server environment and the server’s PHP configuration. This applies to Suhosin too.

To use phpinfo()

  • Create a PHP file on the server
  • Give the file a name such as something.php
  • Put the following code into the file then point your web browser to the file
    <?php
    
    phpinfo();
    
    ?>

You will see PHP values like the ones shown in the image below.

Remember to delete the phpinfo() script when you have finished with it. If a hacker sees the output from the file then the hacker will have gleaned valuable info about your server’s vulnerabilities.

When sharing data from phpinfo(), be careful not to share any details that might be useful to hackers.

Output from phpinfo()
Example PHP values

If phpinfo() shows a section for Suhosin, as shown in the next image, then you will need to configure values for both PHP and Suhosin when you want to change any of the values shown under the Suhosin section of your server’s  phpinfo() output.

Suhosin Section of phpinfo()
Suhosin Section of phpinfo()

Changes to the values of Suhosin directives are made exactly as they are with regular PHP directive values:

  • copy the directive name from the output of phpinfo()
  • paste the directive name into php.ini
  • add an equals sign (=)
  • add the new value e.g. suhosin.memory_limit = 256M

More about Suhosin directives and their values can be found on the Suhosin website at hardened-php.org.

Here is what I generally append to the bottom of php.ini files:

;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

max_execution_time = 60
max_input_time = 90
memory_limit = 198M
upload_max_filesize = 128M
post_max_size = 64M
max_input_vars = 3000

suhosin.memory_limit = 0
suhosin.request.max_vars = 3000
suhosin.request.max_value_length = 1000000
suhosin.request.max_array_index_length = 256
suhosin.request.max_totalname_length = 8192
suhosin.post.max_vars = 3000
suhosin.post.max_array_index_length = 256
suhosin.post.max_totalname_length = 8192
suhosin.post.max_value_length = 1000000
suhosin.get.max_vars = 3000
suhosin.get.max_array_index_length = 256
suhosin.get.max_totalname_length = 8192
suhosin.get.max_value_length = 1000000
suhosin.sql.bailout_on_error = Off
suhosin.log.phpscript.is_safe = Off
suhosin.log.script = 0
suhosin.log.use-x-forwarded-for = Off

The values need to be adjusted according to server features and site needs.

Remove the directives that are prefixed with suhosin if your server dislikes the above directives or if your server does not use suhosin.

Couple of tips

When PHP scripts quit with out of memory errors, increase the memory_limit and adjust the suhosin.memory_limit.

When WordPress cannot save custom menus or save plugin settings, increase the values of max_input_vars, suhosin.request.max_vars, suhosin.post.max_vars and suhosin.get.max_vars. Do likewise for max_value_length.

WordPress memory limits

WordPress is hard coded to use a low PHP memory limit of 64MB. Add these two lines to wp-config.php just above where the words ‘That’s all, stop editing’ are written near the bottom of the file.

define( 'WP_MEMORY_LIMIT', '198M' );
define( 'WP_MAX_MEMORY_LIMIT', '198M' );

Those lines tell WordPress to use up to 198M per script run.

Are your PHP settings still not being read? Read on…

Which php.ini file does your server read?

Some hosts are not very good at configuring web servers. Hosts forget to tell server which php.ini file should be read in each virtual host environment.

.htaccess can be used to tell a server where to find the php.ini file we want the server to read and obey.

Browse to the top most directory of your server space above public_html, then

  • Open .htaccess
  • Add the following lines to the .htaccess file
    SetEnv PHPRC /home/YOUR DIRECTORY NAME/public_html/php.ini
    
    <IfModule mod_suphp.c>
        suPHP_ConfigPath /home/YOUR DIRECTORY NAME/public_html/php.ini
        <Files php.ini>
            order allow,deny
            deny from all
        </Files>
    </IfModule>
  • Update the path to php.ini file
  • Save .htaccess

The directory path to php.ini can be found with your cPanel File Manager by opening php.ini for editing and looking at the path of the file being edited. The place where the file location can be found is shown in the image below.

Find path to php.ini with cPanel File Manager
Find path to php.ini with cPanel File Manager

Now you know that when your changes to php.ini are being ignored, you need to check whether Suhosin is installed, check the server knows where to find the php.ini file you are using and define memory limits in wp-config.php (if you use WordPress).

1
Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest most voted
Notify of

Thanks!! Now i understand why suhosin.so is important?? Thanks for the guide.

Free to your inbox

Join our mailing list to receive the latest news and updates from JournalXtra.

You have Successfully Subscribed!