FastCGI WordPress 500 Errors

[AITpro Admin]

Email Question:

Support –

First off, let me say that I have been searching for quite some time on how best to resolve the 500 Internal Server Error associated with WordPress/GoDaddy shared hosting. I googled your blog the other day, and you have NAILED the issue in a way that no one else can even come close to matching. I even decided to install your BPS plugin, which totally rocks.

After much forethought, I changed my file extensions to associate with PHP 5.2 cgi rather than fcgi, and added the respective handlers in my htaccess file. Nonetheless, I wanted to ask if a better solution has been found for this internal server error issue as this fix is based on the deprecated PHP 5.2 version.

Perhaps I can retain fcgi by adding some coding script to my htaccess file? Lastly, do I have to also change my programming language from PHP 5.3 to 5.2 or is PHP 5.3 just now associated with the custom extensions?

Thanks for an excellent resource and plugin!

[AITpro Admin]

The post regarding FastCGI/WordPress/PHP5.3.x and intermittent 500 Errors:  http://www.ait-pro.com/aitpro-blog/4349/misc-projects/wordpress-tips-tricks-fixes/php5-3-x-php5-4-x-user-ini-file-does-not-work-known-php5-3-x-user-ini-fastcgi-wordpress-zend-issue/

 

I did a lot of Googling to figure this one out.  It took quite a while to figure out what the real question was.  😉  Once I knew what the question was I found a couple of websites that had already figured out what the problem was and they had already figured out a solution.

I am still using PHP5.2.x, but yeah eventually PHP5.2.x will be retired.  Here is the bummer that is still happening on Go Daddy – with PHP5.2.x I can use a custom php.ini file that is very locked down, but when I switch to PHP5.3.x, not only does the FastCGI problem with intermittent 500 errors occur, but also I can no longer get my custom php.ini directives to be recognized by the Server – they are completely ignored.  The thought of not being able to disable dangerous php functions like exec, system and passthru is totally unacceptable to me.  Every single hacker Shell script uses these php functions.

Typically you add the php handler and the handler does whatever the Server is instructing it to do.  You really cannot do much about it on your end.  It is a Server thing.

I am hoping that eventually the Server changes that need to be made are made on Go Daddy and will hold out as long as PHP5.2.x is still available.  I have found a couple of Hosts that have implemented the fix so I would hate to leave Go Daddy after so many years of good service, but if it comes down to me not being able to block php functions like exec, system and passthru then I will have to part ways with GD.  😉

[AITpro Admin]

Email Reply:

AIT Pro –

I’ll try to be more succinct with my follow up questions. Please feel free to respond either directly at [phone number removed for privacy] for a more in depth response, within the paragraph spacing below or via a post to your forum.

First, on shared GD hosting, is there a way that I can add custom code to my htaccess file to retain Fast CGI or do I have to have VPS or dedicated hosting? Second, do I also have to change my PHP version within the “Programming Languages” settings from PHP 5.3 to PHP 5.2? Third, are there any plugin conflicts with WP-Firewall 2 and/or is that a redundant plugin given BPS implementation? (I keep receiving WP Firewall 2 alerts for BPS and I would rather not repeatedly whitelist generic newcontent(random number) forms).

Moreover, you stated in your reply that only PHP 5.2 (but not PHP 5.3) heeds disable functions such as exec, system, and passthru within php.ini; however, after disabling Fast CGI from within the “File Extensions Management” settings my WP-DB Manager still states that all three functions (exec, system and passthru) are enabled to perform DB backups. It doesn’t seem that I need to do so but your plugin compatibility testing states that the workaround for the WP-DB Manager plugin is to delete exec, system and passthru from the disable functions list within the php.ini file. This seems contrary to your response that “the thought of not being able to disable dangerous php functions like exec, system and passthru is totally unacceptable to me … as every single hacker Shell script uses these php functions”. Therefore, doesn’t the deletion of exec, system and pass thru from the disable functions create major vulnerabilities? Why isn’t the WP-DB Manager indicating that the functions are disabled as all of my auto DB backups still work without issue?

Lastly, I have experienced the most bizarre server behavior. After disabling Fast CGI from within the “File Extensions Management” settings, I was configuring my website a few days later from within the WP admin section and I suddenly noticed that my (i) BPS security was not enabled, (ii) htaccess secure file was incomplete (almost truncated), htaccess permissions changed from 404 to 644 and (iv) Fast CGI was reactivated within “File Extensions Management” settings. I do not believe that all of these events occurred simultaneously but I looked more closely into it after again receiving 500 Internal Server Errors. Do you have any idea how or why this may have happened?

My sincerest thanks for your insights to resolve these issues.

Best Regards

[AITpro Admin]

Go Daddy php/php.ini handlers to put/add in the Root Custom Code top text box:

If your PHP Server version is PHP5.2.x and you are NOT using FastCGI…

# GODADDY PHPINI CODE for PHP5.2.x
AddHandler x-httpd-php5-cgi .php
AddHandler x-httpd-php5-cgi .php5

If your PHP Server version is PHP5.2.x and you ARE using FastCGI…

# Godaddy phpini Code for PHP5.2.x with FastCGI
AddHandler x-httpd-php5 .php

If your PHP Server version is PHP5.3.x – by default Go Daddy PHP5.3.x has FastCGI enabled.  Note: I am pretty sure that if you do not use this php/php.ini handler below on Go Daddy then another 5.3.x version is automatically loaded. Example:  5.3.12 vs 5.3.1

#GoDaddy phpini Code for PHP5.3.x
AddHandler x-httpd-php5-3 .php

Second, do I also have to change my PHP version within the “Programming Languages” settings from PHP 5.3 to PHP 5.2?

I do not understand the question above.

I believe there are not any conflicts between Firewall 2 and BPS.  As far as redundancy goes I believe there is not any redundancy.

You would change PHP Server/php.ini settings in a custom php.ini file (configuration file for PHP).  If you are changing PHP/php.ini configuration settings and you are not seeing changes reflected then your particular Server is ignoring your changes/settings.  Every single Host and Server types within each Host have different requirements and rules for custom php.ini files.  There is no one size fits all with php.ini files.  You will need to contact Hosting support for your particular Host to get the specific technical details about php.ini files that ONLY your Host will know.

the thought of not being able to disable dangerous php functions like exec, system and passthru is totally unacceptable to me … as every single hacker Shell script uses these php functions

Yep, this is my final stance regarding the disable_functions directive and any other statements that were made should be disregarded.

My guess is that by changing your PHP Server configuration from the Host control panel wrote new .htaccess code to your root .htaccess file.  Probably just the php/php.ini handler, which was added to the top of your root .htaccess file and which then caused BPS to not see the BPS version number correctly in the string position that it is told to look for that version number.  You would need to cut and paste the php/php.ini handler that was added to your root .htaccess file to the top Custom Code text box, click the save button, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

 

[AITpro Admin]

Email Reply:

AIT pro –

Thanks for your reply.  Having considered all possible options, I finally decided to transfer my hosting and domain from Go Daddy to Hostgator.  Additionally, I’m planning on buying your BPS Pro to create the appropriate custom php.ini file post server migration.  I’ll let you know how it all goes.  Lastly, in addition to your insights, I thought you might find the following extremely helpful as it’s the best explanation I have found regarding the implications associated with varying server configurations.  http://boomshadow.net/tech/php-handlers/

Thanks again.

[AITpro Admin]

Yep, HostGator is a great Host.  I have a HostGator hosting account as well as some other hosting accounts with other Hosts.  I am very impressed with HostGator. 😉

Yep, I refer to the same boomshadow post throughout relevant Forum posts in this Forum and also on the WordPress.org site since the information is so well written for folks at all levels – novice to expert.

[Author]

Posts