suPHP is convenient: it makes WordPress and other PHP applications easy to run with respect to file and directory permissions and ownership, because PHP executes as the account that owns the files. That suits beginning web site operators as well as those who manage hundreds of sites.
However, it is less secure and carries a significant performance hit. Because suPHP runs PHP as a separate CGI process for every request, PHP code cannot be cached or optimized at the server level by an opcode cache. The security issue is that scripts execute as your FTP user: any vulnerability in a script hands the attacker that user's full rights, so every file the user owns becomes writable, much as if the entire site were chmod 777. True, suPHP does isolate you from other users on the server. But most clients have one FTP user name and 30+ sites. If one WordPress site is out of date and exploited, every site under that user is at risk.
Follow this guide to stay as secure as possible regardless of how PHP runs on your server:
wordpress-security
security check list
By default, as with cPanel, our servers are set up with suPHP enabled. You can certainly request that it be disabled.
Running WordPress without suPHP:
Make a backup of your file FIRST, then add the following lines to the wp-config.php of each site. WordPress expects custom constants above the line that reads /* That's all, stop editing! Happy blogging. */, that is, before the require_once of wp-settings.php, so place them there rather than at the very bottom of the file:
NOTICE: replace the placeholders below with your actual information:
- your_ftp_user
- yourpass??
- server.host.net
The example does not fill these in for you, so make the adjustments before adding it to your file.
/** Custom FTP credentials for the WordPress filesystem API (used for updates and plugin/theme installs when PHP does not run as the file owner). */
define('FTP_USER', 'your_ftp_user');
define('FTP_PASS', 'yourpass??');          /* stored in clear text: keep wp-config.php readable only by the accounts that need it */
define('FTP_HOST', 'server.host.net');     /* a port may be appended as host:port; the default is 21 */
define('FTP_SSL', true);                   /* FTP over TLS (FTPS), only if your PHP build supports it; this is not SFTP/SSH */

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
VERY IMPORTANT: use the real server hostname for FTP_HOST, not your domain name. If your domain fronts a CDN or another caching/proxy service, the name resolves to that service instead of your server and the FTP connection fails.
We encourage you to read and study all the options to find what suits you best:
WordPress Config
Once the file is uploaded to your server, you can ask support to disable suPHP for your site(s). In the near future this option will be available from the M3 Admin Server Control Panel.
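The script below is an added example, not code from the original article or from the hosting provider. It makes the two execution models described at the top of this page concrete, by listing which files an exploited script could modify with suPHP on (everything the site owner owns) versus off (only world-writable files or files the web-server account owns), and it checks the wp-config.php edit above: that the file is not world-writable, and that the FTP_* defines sit before the require_once of wp-settings.php. It assumes the web-server account is named "nobody" (pass another name as the second argument) and that the document root path given on the command line is a single site's directory; both are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the web-server
# account is "nobody" unless a second argument overrides it.

# Files an exploited script could modify when PHP runs as the shared
# web-server user (suPHP off): world-writable files, plus anything that
# account itself owns. If the account does not exist on this machine,
# only the mode check is applied.
writable_by_webserver() {
    docroot="$1"
    web_user="${2:-nobody}"
    if id "$web_user" >/dev/null 2>&1; then
        find "$docroot" -type f \( -perm -002 -o -user "$web_user" \) | sort
    else
        find "$docroot" -type f -perm -002 | sort
    fi
}

# Files an exploited script could modify when PHP runs as the site owner
# (suPHP on): every file that user owns. The mode is irrelevant here,
# because the owner can always chmod the file writable again.
writable_under_suphp() {
    docroot="$1"
    site_user="${2:-$(id -un)}"
    find "$docroot" -type f -user "$site_user" | sort
}

# wp-config.php holds database and FTP credentials in clear text.
# Prints one of: missing, world-writable, world-readable, ok.
# With suPHP off the web-server account must still be able to read the
# file, so 640 only works if that account is in the file's group.
wp_config_status() {
    f="$1/wp-config.php"
    [ -f "$f" ] || { echo missing; return 0; }
    if [ -n "$(find "$f" -perm -002)" ]; then echo world-writable
    elif [ -n "$(find "$f" -perm -004)" ]; then echo world-readable
    else echo ok
    fi
}

# Returns 0 when every FTP_* define appears before the require_once of
# wp-settings.php (where WordPress expects custom constants), 1 if any
# define comes after it.
ftp_defines_in_place() {
    awk '
        /require.*wp-settings\.php/ { seen_settings = 1 }
        /define.*FTP_/ && seen_settings { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1/wp-config.php"
}

# Usage (assumed path): sh audit.sh /home/your_ftp_user/public_html [web_user]
if [ -n "$1" ]; then
    echo "== writable by the web server (suPHP off):"; writable_by_webserver "$1" "$2"
    echo "== writable by the site owner (suPHP on):";  writable_under_suphp "$1"
    echo "== wp-config.php: $(wp_config_status "$1")"
    if ftp_defines_in_place "$1"; then
        echo "== FTP_* defines are placed before wp-settings.php"
    else
        echo "== FTP_* defines come after wp-settings.php; move them up"
    fi
fi
```

Run it against each site's document root before and after asking support to disable suPHP: the first listing should shrink to nothing but genuinely upload-only directories, and wp-config.php should never report world-writable.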