2.3K

How to Fix “ini_set() Has Been Disabled for Security Reasons” in Drupal 7

When a Drupal 7 website suddenly starts showing warnings like:

Warning: ini_set() has been disabled for security reasons
in drupal_environment_initialize()

it usually means that your hosting server has disabled the ini_set() PHP function at the server level.

This issue commonly appears after:

• Server migration
• Hosting provider changes
• PHP version upgrades
• Security hardening updates

Let’s understand why this happens and how to fix it properly.

Why This Error Occurs

Drupal 7 relies on the PHP function ini_set() during its bootstrap process (inside bootstrap.inc) to configure runtime settings.

If your hosting provider has disabled ini_set() globally in the server configuration (php.ini at root level), Drupal cannot modify runtime PHP settings — and it throws warnings.

This is not a Drupal bug. It is a server configuration restriction.

Step-by-Step Fix

Step 1: Confirm That ini_set() Is Disabled

Create a simple phpinfo() file:

<?php phpinfo(); ?>

Search for:

disable_functions

If you see ini_set listed there, that confirms the issue.

Step 2: Create a Custom php.ini File

Go to your public_html directory and create a file named:

php.ini

Add the following line:

disable_functions =

This clears the disabled functions list at the user level.

Step 3: Update .htaccess File

Open your .htaccess file and add:

suPHP_ConfigPath /home/username/public_html

Replace username with your actual cPanel username.

This tells suPHP to use the local php.ini instead of the global server configuration.

Important Notes

• This works only if your server runs suPHP
• Some shared hosting providers block overriding disabled functions
• On VPS or Dedicated servers, the root configuration must be updated instead

If you are using Apache with suPHP, this solution usually resolves the issue immediately.

Alternative Solution (If Above Doesn’t Work)

If your hosting provider does not allow overriding disable_functions, you must:

1. Contact your hosting provider
2. Request them to enable ini_set
3. Or move to a hosting plan where you control PHP configuration

Why This Matters for Drupal 7

Drupal 7 depends heavily on runtime configuration adjustments during bootstrapping.

When ini_set() is blocked:

• Session handling may fail
• Memory limits may not adjust
• Error reporting may not initialize properly

So this must be resolved for stable operation.

FAQ Section

What does “ini_set() has been disabled for security reasons” mean?

It means the hosting server has restricted the PHP function ini_set() in its global configuration to prevent runtime changes for security reasons.

Is disabling ini_set() dangerous?

Not necessarily. Hosting providers disable it to increase security. However, applications like Drupal 7 require it to function correctly.

Can I fix this on shared hosting?

Sometimes yes, if suPHP or local php.ini overrides are allowed. Otherwise, you must contact your hosting provider.

 
Still Issues?