August 29, 2023

Managing an ecommerce store means facing multifaceted challenges to meet your customers’ needs. And in some cases, those challenges might involve compromises.

One such case is your website’s security and performance. On the one hand, most online shoppers expect ecommerce websites to load in three seconds or less. On the other hand, 18 percent of customers leave ecommerce websites midway through the buyer's journey if they find the website’s payment security lacking.

Finding a balance between these requirements as a Magento store owner places you in a tight spot. For instance, you may use PHP open_basedir to restrict PHP scripts from accessing information outside specific directories, but it comes at the cost of Magento performance.

In this guide, we’ll explain what PHP open_basedir does, why you’re better off disabling it, and how to disable it.


PHP open_basedir 101

PHP open_basedir is a PHP security feature that lets you define the directories PHP scripts can access. In other words, you can use it to restrict PHP scripts from accessing files outside the open_basedir paths.

If you’re a Magento website owner, you might typically use PHP open_basedir on your Magento installation directory to:

  • Prevent PHP scripts from accessing sensitive files outside the directory, including system files and files of other websites hosted on the server.
  • Protect the server from malicious software like viruses and other malware that exploits directory access.
  • Comply with data security standards like PCI-DSS for Magento.

How to check the status of PHP open_basedir

To check if PHP open_basedir is turned on or off on your web server, create a new file named info.php with the following code in your domain’s root directory:

<?php
phpinfo();
?>

Next, check the status of PHP open_basedir by going to example.com/info.php. In our example, open_basedir has no value. In other words, open_basedir is disabled.

Checking the status of open_basedir directive by creating info.php.

Enabled PHP open_basedir Magento issues

While PHP open_basedir lets you protect your web server from PHP plugins that overreach, it often causes two significant issues with Magento.

Error: open_basedir restriction in effect

Magento and its extensions typically try to access files on the server via fopen(), file_exists(), or include(). If Magento can find the requested file, all goes well.

But if you have open_basedir turned on, it might prevent Magento from finding the requested file. In that case, Magento typically returns an error or warning such as:

Warning: fopen(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s):(/var/www/vhosts/example.com:/usr/share/php)...
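
To see which paths are being refused, and by which calls, before you extend the allowed list or change the setting, you can summarise these warnings from the PHP error log. The shell script below is an added example, not code from the original article; the log lines are constructed in the format of the warning above, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarise "open_basedir restriction in effect" warnings.
TAB=$(printf '\t')

# Constructed sample log lines (not taken from a real server).
sample_log() {
cat <<'EOF'
[29-Aug-2023 10:01:12 UTC] PHP Warning:  fopen(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/var/www/vhosts/example.com:/usr/share/php) in /var/www/vhosts/example.com/index.php on line 12
Warning: fopen(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s):(/var/www/vhosts/example.com:/usr/share/php)
[29-Aug-2023 10:01:13 UTC] PHP Warning:  file_exists(): open_basedir restriction in effect. File(/var/lib/php/session) is not within the allowed path(s): (/var/www/vhosts/example.com:/usr/share/php) in /var/www/vhosts/example.com/index.php on line 7
[29-Aug-2023 10:01:14 UTC] PHP Notice:  Undefined index: sku in /var/www/vhosts/example.com/index.php on line 9
EOF
}

# Print "function<TAB>denied path<TAB>allowed list" for each warning on stdin.
# Other log lines are ignored; paths containing ")" are not handled.
parse_warnings() {
    sed -nE 's/(^|.*[^A-Za-z0-9_])([A-Za-z_][A-Za-z0-9_]*)\(\): open_basedir restriction in effect\. File\(([^)]*)\) is not within the allowed path\(s\): ?\(([^)]*)\).*/\2'"$TAB"'\3'"$TAB"'\4/p'
}

# Print "count<TAB>denied path", most frequent first.
denied_summary() {
    parse_warnings |
        awk -F'\t' '{ n[$2]++ } END { for (p in n) printf "%d\t%s\n", n[p], p }' |
        sort -t"$TAB" -k1,1nr -k2,2
}

# Print "denied path<TAB>function" pairs, to show which calls hit each path.
callers_by_path() {
    parse_warnings | awk -F'\t' '{ print $2 "\t" $1 }' | sort -u
}

sample_log | denied_summary
```

On a real server, feed the PHP error log to `denied_summary` on standard input instead of `sample_log`.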

Poor Magento performance

While you might be able to bypass the open_basedir restriction error by manually adding the problem directories to the allowed list, open_basedir usually means more trouble for Magento than it’s worth.

You can’t benefit from PHP’s realpath cache when open_basedir is enabled. The realpath cache temporarily stores the resolved paths of files that PHP scripts include or reference.

A disabled realpath cache might not be a big deal for smaller websites with a limited number of files. However, Magento relies on numerous files working together across several directories. As a result, you’ll see degraded Magento performance with PHP open_basedir.

For instance, we ran a test by adding the lstat() function to Magento code and monitoring how many lstat calls we get when loading a product page with open_basedir enabled and disabled. Here are the results.

Effect of open_basedir on Magento performance.

How to disable PHP open_basedir

How you disable PHP open_basedir depends on your web hosting provider and hosting infrastructure. Let’s discuss the three most common methods.

Editing php.ini file via cPanel

If you’re managing your server with cPanel, you can use the following steps to disable PHP open_basedir:

1. Open MultiPHP INI Editor.

Find and open MultiPHP INI Editor.

2. Open the editor mode and select your domain.

Opening editor and selecting a domain.

3. Add a semicolon (;) before open_basedir to disable it. Alternatively, you can also add none after = to disable it.

Disabling open_basedir by adding ; before it.

4. Save to update the php.ini file.

Editing Apache configuration file

If you’re using a non-cPanel host, you might need to edit an Apache config file or httpd.conf. Here’s how you can do so:

1. Access the files on your web server via FileZilla or a similar program.

Accessing virtual host’s server files via FileZilla.

2. Navigate to /etc/httpd/conf.

Opening config folder of Apache server.

3. Locate httpd.conf and view or edit it.

4. Find the entry of open_basedir and set it to:

php_admin_value open_basedir none
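
To confirm what each configuration file actually says after the edits above, the following added example (not part of the original article) classifies open_basedir lines in php.ini or Apache config text as commented, disabled or restricted. The sample configuration is constructed, the function name is illustrative, and both ; and # are treated as comment markers.

```shell
#!/bin/sh
# Added example: classify open_basedir directives in php.ini / Apache config.

# Constructed sample using the directive forms from the steps above.
sample_conf() {
cat <<'EOF'
;open_basedir = /var/www/vhosts/example.com:/usr/share/php
open_basedir = none
php_admin_value open_basedir none
php_admin_value open_basedir "/var/www/vhosts/example.com:/tmp"
# php_admin_value open_basedir /srv
realpath_cache_size = 4096K
EOF
}

# Print "line number<TAB>state<TAB>value" for every open_basedir line on stdin.
# state: commented  = line is commented out
#        disabled   = value is empty or "none" (no restriction)
#        restricted = a path list is set
classify_open_basedir() {
    awk '
    {
        v = $0
        sub(/^[ \t]+/, "", v)
        commented = (v ~ /^[;#]/)
        sub(/^[;#]+[ \t]*/, "", v)
        if (v ~ /^open_basedir[ \t]*=/)                                   # php.ini form
            sub(/^open_basedir[ \t]*=[ \t]*/, "", v)
        else if (v ~ /^php_(admin_)?value[ \t]+open_basedir([ \t]|$)/)    # Apache form
            sub(/^php_(admin_)?value[ \t]+open_basedir[ \t]*/, "", v)
        else
            next                                                          # unrelated line
        sub(/[ \t]+$/, "", v)
        gsub(/^"|"$/, "", v)
        if (commented)                            state = "commented"
        else if (v == "" || tolower(v) == "none") state = "disabled"
        else                                      state = "restricted"
        printf "%d\t%s\t%s\n", NR, state, v
    }'
}

sample_conf | classify_open_basedir
```

Run it against each file that may set the directive, for example `classify_open_basedir < /etc/httpd/conf/httpd.conf`, and compare the result with what info.php reports.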

Contact your hosting provider

Depending on your hosting provider, you might be unable to access httpd.conf or change open_basedir settings on your end.

If you can’t find open_basedir settings in your configuration files, you’ll need to contact your hosting provider’s support for help.

In some cases, customer support might cite security reasons for not turning off open_basedir functionality. If that’s the case, you might be better off with another web host since The PHP Group itself doesn’t consider it a reliable security feature in its php.ini docs.

Caution from the PHP group regarding open_basedir.

Final thoughts: PHP open_basedir — Magento recommendations from Nexcess

While PHP open_basedir might give you false comfort as a security feature, it’s not something you should rely on at the cost of Magento performance.

You can get both high performance and robust security by opting for Nexcess Magento enterprise hosting. Our performance-optimized servers are in SOC type II audited data centers and come with powerful features like PCI-compliant security, flexible architecture, near 100 percent uptime, and 24/7/365 support.

And our plans have open_basedir disabled by default for better performance.

Check out our managed Magento plans to get started today.

Maddy Osman

Maddy Osman is a WordPress expert, WordCamp US speaker, bestselling author, and the Founder and SEO Content Strategist at The Blogsmith. She has a B.A. in Marketing from the University of Iowa and is a WordCamp Denver organizer while also operating The Blogsmith, an SEO content agency for B2B tech companies that works with clients like HubSpot, Automattic, and Sprout Social. Learn more about The Blogsmith's process and get in touch to talk content strategy: www.TheBlogsmith.com
