How do I set up file permissions in Windows for PHP?

When using PHP permissions are misunderstood and common response is just giving too much access which is a security nightmare!

This is extremely important when configuring IIS manually on a VPS or Dedicated server, you want each site isolated from each other. This protects your server and other websites if one site is hacked or compromised.

If you’re just developing locally this isn’t too bad but it’s good practice to always configure it correctly, this will help find errors you may encounter in production but also that we should always be thinking about security.

Any reputable Windows web host would also be configuring their servers automatically using a control panel to configure secure permissions and website isolation so there is no need to worry about this if your with a shared website host. Most control panels will allow you to change if write permissions are enabled or not, this is a common fix for shared hosts and write permission issues.

Web development has changed a lot over the years and security is now a big focus point for web developers so while some would like to leave the IIS & Windows configuration to their server admins it’s good to understand and take responsibility.

It’s not hard to configure and after you’ve done it you’ll feel great knowing that you’re website is substantially more secure so let’s go.


If your running PHP on Windows and using PHP 5.5+ including PHP 7+ the Zend OPcache comes built in by default but isn’t enabled.

You will get massive improvements on any sequential execution of a PHP pages and there is really no reason not to use the Zend OPcache.


So lets enable the PHP OPcache and gain a whole lot of PHP speed!


Httpoxy Protected

Good news if your site is hosted with Aspire Web you are already protected from the latest vulnerability,  httpoxy CVE-2016-5387.

If your interested in more technical details see:

As all our current customers are running on Windows using IIS and the FASTCGI interface for running additional scripting languages (PHP/NodeJS) our services are protected!

Microsoft have released a KB explaining how this affects IIS and how this is only an issue if you are running the old CGI interface which we have never used, see more here: