The Best suPHP Hosting: Who’s The Best For Your Site? [Updated: 2019]
What is suPHP?
According to the developer, suPHP “is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.”
In simpler terms, suPHP is a security tool that creates a safe environment for multiple users to run PHP files in a shared server environment.
suPHP was started as a personal project but was quickly released by the developer as an open-source utility to provide added security for PHP parsing on shared servers. It was adopted by many leading hosting providers. In May of 2013, just days after releasing the most recent version of suPHP, the developer announced that formal support and development for suPHP were ending. While many hosting providers still use suPHP, many others have moved on to other security solutions with current and ongoing support for PHP processing.
What does suPHP do?
suPHP changes the way PHP files are parsed and executed by a server running Apache HTTP Server. PHP (PHP: Hypertext Preprocessor) is a server-side scripting language used to generate HTML documents using information pulled from a database. Website visitors never directly interact with PHP files. Instead, when a PHP file is requested by a browser (for example, index.php for the homepage of a typical WordPress installation), the following scenario plays out:
- First, the browser sends the request to the server.
- If the requested file were an HTML file instead of a PHP file, the server would just shoot it straight back to the browser. However, the server knows the requested file is a .php file and sends it to the PHP processor.
- The server’s PHP processor parses the script, pulls content out of the appropriate database, and generates HTML.
- The HTML is what the server sends back to the browser and what the browser displays to the website visitor.
So how does suPHP affect this process? suPHP affects this process in two ways:
- By default, Apache web server will process PHP files using the default server user, so all PHP files on a shared server end up being run by the same anonymous server user. suPHP doesn’t allow this; instead, it runs PHP and executes each file as the owner of that file.
- suPHP won’t process a file with permissions set too loosely. This forces the file owner to keep file permissions set to a minimum standard.
Both of these requirements imposed by an suPHP-enabled server are critical when the web server is a shared server. Without suPHP or some other utility requiring the server to run PHP scripts as the owner, all PHP scripts will be run as the default user: “nobody”, i.e. anonymously. This is a spammer’s paradise, since spam scripts can be run anonymously on a shared server that allows PHP to run as “nobody”.
Without suPHP or some other utility in place requiring minimum permission levels, account holders might unknowingly set their permissions so loosely that anyone with access to the files can edit them. In a shared server environment, the risk of someone gaining unauthorized access to files is greater.
In short, suPHP requires Apache web server to run PHP as the owner of the file that’s being parsed, and requires that file permissions be kept to a certain minimum level.
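The two requirements above can be checked ahead of time with a short audit of a document root. The following Python script is an added example, not code from the original article or from the suPHP project. Its rules (group or world write bits on a script or its directory, and a script owner that differs from the docroot's owner) are assumptions standing in for whatever a given host configures, and the sample tree is constructed.

```python
import os
import stat
import tempfile

# Assumed policy (hosts set their own): flag a script when it or its directory
# is group/world-writable, or when its owner is not the docroot's owner.


def flags(file_mode, dir_mode, owner_uid, expected_uid):
    """Return the reasons a script with these attributes gets flagged."""
    reasons = []
    for label, mode in (("file", file_mode), ("directory", dir_mode)):
        if mode & stat.S_IWGRP:
            reasons.append(label + " is group-writable")
        if mode & stat.S_IWOTH:
            reasons.append(label + " is world-writable")
    if owner_uid != expected_uid:
        reasons.append("owner differs from docroot owner")
    return reasons


def audit(docroot):
    """Walk docroot; map each flagged .php path to its reasons."""
    expected_uid = os.stat(docroot).st_uid
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        dir_mode = os.stat(dirpath).st_mode
        for name in sorted(files):
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                reasons = flags(st.st_mode, dir_mode, st.st_uid, expected_uid)
                if reasons:
                    findings[path] = reasons
    return findings


def build_sample_tree():
    """Constructed sample docroot: one tight script, one loose one."""
    root = tempfile.mkdtemp()
    for name, mode in (("index.php", 0o644), ("upload.php", 0o666)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php echo 'ok';\n")
            os.fchmod(fh.fileno(), mode)
    return root


if __name__ == "__main__":
    print(audit(build_sample_tree()))
```

Run against the constructed tree, only upload.php (mode 0666) is reported; index.php (mode 0644) passes.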