suPHP vs. PHP-FPM

This article provides an in-depth comparison of two PHP handlers. For an introduction to PHP handlers, refer to our article discussing what a PHP handler is and which PHP handlers are available.

Long the PHP handler of choice, suPHP securely runs PHP websites like WordPress using the Apache web server. However, PHP-FPM is rapidly replacing suPHP as the most popular PHP handler thanks to its improved security, performance, and stability. InMotion Hosting’s WordPress Hosting platform uses PHP-FPM to provide excellent PHP performance for WordPress.

Why use suPHP?

suPHP provides modules used by the Apache web server to dynamically change the user ID of the running Apache web server process over to the owner of a requested PHP script. By default, an Apache web server running WordPress (and/or other PHP web applications) processes PHP scripts itself. This means PHP scripts run using the same permissions and level of access that the Apache web server’s own processes have. When properly configured, an Apache web server’s processes usually run as their own special user. This prevents scripts that the web server runs from accessing restricted folders and files. However, in environments with multiple websites or multiple users on the same server (as in a shared hosting environment), executing PHP scripts as the Apache web server’s user allows PHP scripts to access every user’s or website’s files and folders. suPHP prevents this by restricting PHP scripts, only allowing them to access the files and directories that the scripts’ owners can access. suPHP’s security enhancements provided a huge leap forward for PHP handling using the Apache web server. Without suPHP, shared hosting platforms would have been extremely difficult to secure. Those platforms rely on suPHP to maintain discrete, isolated user spaces for multiple users on the same server.

Fortunately, suPHP is also extremely easy to configure on virtual private servers (VPS) and dedicated servers, especially when using popular server management tools like cPanel. However, users typically require root access to install suPHP. cPanel, for example, makes installing suPHP very simple using its EasyApache 4 configuration tool. suPHP can require much less configuration and maintenance than PHP-FPM due to its simple functionality.

Why use PHP-FPM?

While suPHP provides many benefits and represented a huge leap forward in security for shared hosting environments, PHP-FPM has risen to take its place in many ways. PHP-FPM not only provides better security than suPHP, but it also processes PHP scripts much more efficiently than suPHP. When configured properly, PHP-FPM provides completely isolated pools of memory and processes for each user and website for handling PHP scripts as that script’s owner. On the other hand, PHP scripts processed using suPHP start execution as the Apache web server’s user and only change to the PHP script’s owner part way through execution. The system still executes PHP scripts as part of the Apache web server process even though suPHP changes the process’s user ID while running the requested PHP script.
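The per-user isolation described above only holds if each pool is actually defined with its own account. The following check is an added example, not InMotion Hosting's or the PHP-FPM project's code: it audits pool definitions for pools that run as a shared account, share a user with another pool, or expose a socket to all local users. The pool names, socket paths, sample configuration and the list of shared account names are constructed assumptions.

```python
import configparser
from collections import defaultdict

# Constructed sample: three pool definitions as they might appear under pool.d/.
SAMPLE_POOLS = """
[alice_site]
user = alice
listen = /run/php-fpm/alice.sock
listen.mode = 0660

[bob_site]
user = www-data
listen = /run/php-fpm/bob.sock
listen.mode = 0666

[carol_blog]
user = alice
listen = /run/php-fpm/carol.sock
"""

# Assumption: account names commonly used by the web server itself.
SHARED_ACCOUNTS = {"root", "www-data", "apache", "nginx", "nobody"}


def audit_pools(text):
    """Return a sorted list of (pool, finding) pairs for isolation problems."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    findings, owners = [], defaultdict(list)
    for pool in cfg.sections():
        if pool == "global":  # [global] holds daemon settings, not a pool
            continue
        user = cfg.get(pool, "user", fallback="")
        if not user or user in SHARED_ACCOUNTS:
            findings.append((pool, f"runs as shared or privileged account {user!r}"))
        else:
            owners[user].append(pool)
        # Octal Unix socket mode; PHP-FPM's default is 0660.
        mode = int(cfg.get(pool, "listen.mode", fallback="0660"), 8)
        if mode & 0o002:
            findings.append((pool, "socket is writable by every local user"))
    for user, pools in owners.items():
        if len(pools) > 1:
            findings += [(p, f"shares user {user!r} with another pool") for p in pools]
    return sorted(findings)


if __name__ == "__main__":
    for pool, finding in audit_pools(SAMPLE_POOLS):
        print(f"{pool}: {finding}")
```

On a real server, pass the concatenated contents of the pool directory to `audit_pools`; an empty result means every pool has a distinct, unprivileged owner and a restricted socket.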

Event-driven Architecture

PHP-FPM can also achieve much higher performance than suPHP due to its event-driven architecture. When using PHP-FPM, PHP processing takes place outside of the web server’s processes. Each request for a PHP script gets sent to a dedicated PHP-FPM service for processing. Using a separate service allows PHP processing to use only as many server resources as required. PHP-FPM’s independence from the web server also enables fine-tuning of PHP-FPM to provide the best performance for WordPress and other PHP applications.

Opcode Caching

More importantly, the isolated user memory pools PHP-FPM uses make opcode caching possible. PHP-FPM can use opcode caching to save a compiled copy of each PHP script into the user’s memory pool. When PHP-FPM receives a request for a cached script, it can use the cached copy to skip reading and compiling the script before executing it. Even if a user enables opcode caching on suPHP, each PHP script is processed in complete isolation and cannot access a shared pool of memory for storing compiled copies of PHP scripts. Opcode caching is the key factor that enables PHP-FPM to provide high-performance PHP processing. Websites run using PHP-FPM and opcode caching can serve more visitors more quickly than websites using suPHP.

Why InMotion Hosting Recommends PHP-FPM

Notably, the original suPHP project no longer receives updates or further development. suPHP does not even receive patches for any security vulnerabilities that researchers may discover. This does not necessarily mean that websites or servers using suPHP are currently vulnerable; however, for long-term security, users should replace suPHP with another PHP handler such as PHP-FPM. PHP-FPM is quickly becoming the preferred PHP handler and will continue to receive development and support for years to come as suPHP gradually phases out of use.

Although PHP-FPM can be more difficult to configure than suPHP, cPanel and other server management tools have started providing pre-built configurations and packages for easily installing it on virtual private servers and dedicated servers. Even with these tools, however, PHP-FPM utilizes a more complex and advanced technology that can require more planning and work in order to get the most out of it. InMotion Hosting suggests working with a server administrator experienced in using PHP-FPM.

InMotion Hosting’s WordPress Hosting platform provides PHP-FPM installed and pre-configured by web hosting experts to provide a secure, high-performance environment for WordPress websites.
