PHP Handlers explained

January 11th, 2014

In order to run a PHP website, the server interprets the PHP code and generates a page when visitors access the website. The PHP handler is loads the PHP so that it can be used for interpretation. PHP handlers determine how PHP is loaded on the server. Speed and Security are two key reasons for switching PHP Handlers but there is always a trade off between the two. Each handler delivers the libraries through different files and implementations. Each file and implementation affects Apache’s performance, because it determines how Apache serves PHP.

It may seem tempting to switch PHP handlers, but you need to understand the implications of doing so because it can cause headaches if you don’t plan the process properly. You can easily end up with a load of non functioning sites. Do your homework before switching. My host offers a cloud based “pay by the hour” VPS, so I set up a server for testing. I ran into some file permission issues, particularly on CMS type sites because I was changing from SuPHP to DSO.

Below is a screenshot from WHM showing the various Handler options:

PHP Handlers

DSO (mod_php)

DSO stands for: Dynamic Shared Object. It is the oldest and fastest handler. PHP is run as an Apache module which means that PHP scripts will run as the Apache user, which is the user: ‘nobody’. The problem with this is that files created by the user ‘nobody’ are not readable and websites which create and upload files will run into all kinds of permission issues. Also if a hacker gained access to one of your sites, it could give them the ability to modify files outside of that user’s account, and that is a big security concern. DSO is ideal if you have one site, or you own all the sites on the server.


SuPHP or Single user PHP runs PHP as a CGI module instead of an Apache module. Scripts that are called from the web will run under the user that owns them, as opposed to ‘nobody’. This makes it a secure choice because you can always see which user owns the account that is running the PHP script. Also, files that have permissions set to world writeable will likewise be non-executable. This means that if one account is compromised, the malicious scripts will not be able to infect other accounts. The down side to SuPHP is that it is one of the slowest PHP handers, but if you host a large websites and need the added security, it may be suitable.


FastCGI is a high performance variation of CGI with the same security/ownership benefits of suPHP in that PHP scripts will run as the actual cPanel user as opposed to ‘nobody’. FastCGI can drastically save on CPU performance and give speeds close to that of DSO. The down side to FastCGI is that it is quite hungry on memory and difficult to administer unless you know what you are doing! If you like the security/ownership benefits of suPHP and you can afford a major increase in memory usage (meaning you already have a low average memory usage), you may wish to consider using FastCGI.


The CGI handler is not recommended because it is neither fast nor secure. If you enable suEXEC, you will be able to see which user, through the virtual host, has made the PHP request. (A virtual host allows you to host multiple domains from a single IP address. The owner of a virtual host will be the same as the account name.) However, if you disable suEXEC, your server will serve the PHP request as the user nobody.