Choosing PHP handler

PHP is an important part of your cPanel server. One aspect of PHP’s configuration that can be overlooked is the PHP handler. The PHP handler is the specific implementation of PHP on your server that interfaces with Apache. On a cPanel server, there are four main PHP Handlers:

• DSO
• CGI
• SuPHP
• FCGI

Each has a distinct way of processing PHP code, and has its own benefits and drawbacks. In simplest terms, the decision of which PHP handler to choose comes down to your site’s specific needs.

DSO

DSO (Dynamic Shared Object) runs as an Apache module and, because it has so little overhead, it is extremely fast. However, DSO works only with Apache in non-threaded mode.
Opting for the pure speed of DSO means forgoing the performance benefits of Apache’s other Multi-Processing Modules, such as better process management and the ability to handle more connections using fewer server resources. You will need to evaluate your site’s specific needs before deciding whether to make that compromise.
By default, PHP scripts with DSO run as the Apache user “nobody”, which can have implications for security. In that configuration, scripts are not confined to a particular domain, and a malicious script could potentially gain access to files outside the site’s home directory. DSO’s standard permissions also can create some extra work when using a Content Management System (CMS). Both the security and compatibility concerns can be addressed by compiling Apache with the mod_ruid2 module, which allows scripts to run as the Linux user who owns the domain, but DSO still would require Apache to run with the single-threaded Prefork MPM.

CGI

CGI (Common Gateway Interface) is highly configurable and can run PHP scripts as the Apache user or as the Linux user which owns the domain via SuExec (which is enabled by default in WHM). However, as the slowest of the PHP handlers, it no longer is widely used. FCGI is the preferred alternative.

SuPHP

SuPHP (Single User PHP) was designed with stronger security in mind. SuPHP only executes PHP scripts as the owner of the domain, effectively isolating each user from the others.
That makes it easy to pinpoint users with resource-intensive or compromised scripts, but it also means that SuPHP is slower than either DSO or FCGI. And since a new process is created for each incoming request, a high-traffic server also could experience elevated load during a surge as processes are spawned in rapid succession. SuPHP works with any Apache MPM, though, and both the Worker and Event MPMs can help to improve resource utilization.
Because scripts run as the user, it is a common choice for sites running a CMS and doesn’t require the same changes to permissions as DSO. However, switching from DSO running as the Apache user to SuPHP would involve modifying the permissions of scripts.

FCGI

FCGI (FastCGI) was written with speed in mind, and it is fast. With SuExec enabled, FCGI runs PHP scripts as the user, offering the same benefits for CMS sites as SuPHP, but with the bonus of added speed. It also provides enhanced security compared with DSO.
It can, however, be difficult to configure, but with some optimization it is an ideal PHP handler of choice for most servers.
At Liquid Web, we have spent several months testing and optimizing FCGI on cPanel servers to achieve maximum performance and stability while minimizing its use of resources. As a result, our Fully Managed CentOS 6 and CentOS 7 templates now include FCGI with optimized, custom settings by default.

PHP Handlers

By default, cPanel & WHM offers four PHP Handlers. Your selections in EasyApache determine which options are available.

suPHP

We recommend that you select suPHP as your PHP handler unless you select the MPM ITK option in EasyApache. If you select suPHP, you will be able to see which user owns the account that is running the PHP script. To use this function, enable the Mod SuPHP option when you configure EasyApache.

Warning:

suPHP is not compatible with FCGI or MPM ITK.

Note:

If you use suPHP as your PHP handler, extensions that handle caching (such as EAccelerator and XCache) will not provide any benefits on your server.

DSO

This option provides the version of PHP that you select through the libphp5.so library. We recommend the DSO option if you are using MPM ITK rather than the default CGI handler. The DSO handler is generally the fastest way to respond to PHP requests, but does not provide a mechanism to identify the owner of a PHP script. If you build EasyApache with MPM ITK and DSO, processes run as the user. If you build EasyApache with MPM Prefork and DSO, processes run as the nobody user.

CGI

The CGI handler provides the version of PHP you select through mod_cgi or mod_cgid. If you enable suEXEC, you will be able to see which virtual host has made the PHP request. A virtual host allows you to host multiple domains from a single IP address. The owner of a virtual host will be the same as the account name. However, if you disable suEXEC, your server will serve the PHP request as the nobody user.
We recommend that you only use the CGI PHP handler if you are unable to use any of the other PHP handlers. This method is not fast or secure unless you use MPM ITK, regardless of whether you enable suEXEC.

None

This option provides no access to the version of PHP that you select.

FCGI

FCGI is an alternate implementation for the CGI handler and stands for "fast CGI." It attempts to lower the overhead of interfacing Apache with CGI programs. This allows the server to serve web pages more quickly and in higher volume.