Do you have any way to prevent PHP running in FPM from changing parameters via .htaccess? I'm testing this kind of scripting and I'm worried that through SetEnv PHP_VALUE (eg. SetEnv PHP_VALUE "open_basedir = /" ) I can change absolutely every parameter including open_basedir and memory_limit. Of course, I know that php.ini can't be the only security on the server (folder/file permissions etc), but that's not the point. Limits and parameters in php.ini must be controlled regardless. From what I can see, someone reported this bypass as a bug in PHP (https://bugs.php.net/bug.php?id=79417&edit=1) but I don't think anyone is going to do anything about it.