Securely Working with phpinfo

Important security considerations when working with phpinfo on your Pantheon Drupal site.

Discuss in our Forum Discuss in Slack

We serve our customers by provisioning isolated Linux containers with an optimized PHP stack. The php.ini is part of a highly tuned configuration and is not user-configurable. We continually deploy new builds of PHP and you also have the ability to upgrade PHP versions. If you'd like to see a comprehensive list of what's installed with the version of PHP in use by a particular environment, you may use phpinfo. We also have example PHP info for each version of PHP on the platform.

Important Security Notes

  • phpinfo exposes sensitive information like the password to connect to the DB
  • If you create a phpinfo file, delete the file immediately after review

Drupal Note

Drupal makes the phpinfo available to privileged users at

Review phpinfo

  1. Lock environment (if the environment does not currently need to be publicly accessible).

  2. Create a php file with an obscure filename that uses phpinfo.

  3. To minimize the information exposed over the web, omit sensitive sections from the phpinfo output. The recommended way to call phpinfo is:

  4. Visit the file in a web browser to view phpinfo.


  5. Delete the file immediately so you do not expose sensitive information, such as a password, to connect to the DB.


As an alternative to exposing these values on a web accessible URL, you can use Terminus to check these values:

terminus remote:drush <SITE>.<ENV> -- ev "print(phpinfo())"