Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
- Why is the open_basedir PHP setting set to none automatically after applying recommended settings via Plesk > Tools & Settings > Performance Booster? Is there a security risk?
- Is it expected that applying recommended settings through Performance Booster changes the open_basedir PHP configuration directive to none?
Answer
Disabling the open_basedir restriction increases website loading speed significantly, and according to the PHP documentation, keeping the restriction active doesn't provide a noticeable security benefit.
The industry standard for most of the largest web hosting companies is to set open_basedir to none and, in order to increase security, to disable undesired PHP functions instead.
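To check whether a site's PHP configuration actually follows that pattern, the sketch below (an added example, not Plesk's own tooling) parses php.ini text and flags the case where open_basedir is unrestricted while process-execution functions are still enabled. The RISKY list, the function names and the sample configurations are assumptions made for illustration; the page does not say which functions to disable.

```python
# Assumption: a commonly disabled set of process-execution functions.
# The page does not name the functions; adjust to your own policy.
RISKY = {"exec", "shell_exec", "system", "passthru", "proc_open", "popen"}

def parse_ini(text):
    """Return the effective directives of php.ini text (last assignment wins)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):
            continue  # blank line, comment or section header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value[:1] in ('"', "'"):
            # Quoted value: keep ';' inside it (the Windows path separator).
            end = value.find(value[0], 1)
            value = value[1:end if end != -1 else None]
        else:
            value = value.split(";", 1)[0].strip()  # drop trailing comment
        directives[key.strip()] = value
    return directives

def audit(text):
    """Flag configs with no open_basedir limit and execution functions enabled."""
    d = parse_ini(text)
    # Assumption: absent, empty and "none" all mean "no restriction".
    unrestricted = d.get("open_basedir", "").lower() in ("", "none")
    disabled = {f.strip() for f in d.get("disable_functions", "").split(",")}
    missing = sorted(RISKY - disabled)
    return {"open_basedir_unrestricted": unrestricted,
            "not_disabled": missing,
            "needs_review": unrestricted and bool(missing)}

# Constructed samples, not taken from a real server.
BOOSTER_ONLY = "open_basedir = none\ndisable_functions =\n"
BOOSTER_HARDENED = ("open_basedir = none\n"
                    "disable_functions = exec,shell_exec,system,"
                    "passthru,proc_open,popen\n")
RESTRICTED = 'open_basedir = "/var/www/vhosts/example.com/:/tmp/"\n'

if __name__ == "__main__":
    for name, ini in [("booster only", BOOSTER_ONLY),
                      ("booster + disable_functions", BOOSTER_HARDENED),
                      ("restricted", RESTRICTED)]:
        print(name, audit(ini))
```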
Comments
The problem is when you have SSH passwordless logins, combined with open_basedir=none and Plesk’s insane design choice to have the site user own the webroot AND its parent directory (including .ssh). So now it’s very easy for a compromised file to just write a public key into the authorized_keys file and gain shell access.