Last Updated on 2 weeks by Sachin G
PHP is a widely used server-side scripting language, and in many configurations it prints errors directly in the web browser. While this might help during development, showing errors publicly in a production environment is a major security risk. It can expose sensitive information such as file paths, database queries, or even an email address, all of which can be exploited.
To ensure a secure and professional experience for your end users, this article explains why PHP errors show up in the browser, how to stop them from being displayed, and the best practices to keep your production server hardened and clean.
Why Are PHP Errors Showing in the Browser?
By default, many PHP configurations (especially on local or shared hosting) have display_errors enabled to aid development.
Common causes are:
- display_errors = On in php.ini
- Misconfigured error_reporting settings
- PHP-FPM or Apache is not reloaded after configuration changes
Why You Should Disable PHP Error Display
Security: Revealing line numbers, file names, or undefined variables can provide attackers with valuable insights.
Professionalism: A website that displays Fatal errors, Warning errors, or syntax errors seems broken or amateur.
User Experience: Exposing technical details can confuse and frustrate users.
How to Disable PHP Error Display in the Browser?
Disabling the display_errors directive is a simple process: change it in the PHP configuration settings, in .htaccess, or in runtime code, depending on your environment.
Method 1: Using php.ini (Recommended for full server control)
Locate the PHP Configuration File:
The default location of the php.ini file is /etc/php.ini. Here I explain how you can find it through the phpinfo() function. The simple method is to create a PHP file, e.g. infophp.php, with the following content:
<?php
phpinfo();
?>
Upload the file to your web server’s document root directory. Then access it in your web browser at https://domain_name_or_IP/infophp.php. Once the infophp.php file loads, you’ll find the path to your PHP configuration file displayed under “Loaded Configuration File”.
You can disable display_errors in several ways, depending on your server setup.
Use a text editor such as vi or nano to open the php.ini file. Find the display_errors directive within the php.ini file. By default, it is set to On, and we have to set the value to Off.
- display_errors = On (default): Errors will be displayed in the browser.
- display_errors = Off: Errors are silenced.
The line should look like below:
display_errors = Off
After saving and exiting the editor, restart the web server service to apply the changes. This step is necessary for the new configuration settings to take effect. Reload the phpinfo page to verify that the directive has been updated. Delete infophp.php afterwards, since phpinfo() output discloses the server’s configuration.
Method 2: Using .htaccess (Shared Hosting)
If you’re on shared hosting, add this to your .htaccess file:
php_flag display_errors Off
php_flag log_errors On
Note: This only works if PHP is running as an Apache module.
Method 3: Using ini_set() In a PHP File
This method disables error display at runtime.
<?php
ini_set('display_errors', '0');
ini_set('log_errors', '1');
Not recommended as a permanent solution for production environments.
How to Confirm display_errors Is Disabled
Run this small script:
<?php
echo 'Display errors is: ' . ini_get('display_errors');
?>
Or check via:
php -i | grep display_errors
How to Log PHP Errors Instead of Displaying Them?
Always pair display_errors = Off with log_errors = On. This allows backend teams to monitor issues without exposing them to end users.
Configuration:
log_errors = On
error_log = /var/log/php_errors.log
Ensure this file is writable by PHP and rotated regularly via logrotate.
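The check below is an added example, not code from the original article: it reads a php.ini directly, skips the commented-out documentation lines that a plain grep would also match, and lets the last assignment of a directive win. The function names (ini_value, ini_bool, audit_php_ini) and the sample file contents are constructed for illustration, and per-directory [PATH=]/[HOST=] sections are assumed not to be in use.

```shell
# Added example, not from the article: audit a php.ini for the settings
# recommended above. Assumption: [PATH=]/[HOST=] sections are not handled.

# Print the effective value of directive $2 in file $1. Comment lines are
# skipped and the last assignment wins.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                       # whole-line comment
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name != key) next
            val = substr($0, eq + 1)
            sub(/;.*/, "", val)                   # trailing comment
            gsub(/^[ \t"]+|[ \t"\r]+$/, "", val)  # blanks, quotes, CR
            last = val
        }
        END { print last }' "$1"
}

# Map a PHP ini boolean to on/off; anything else (unset, stderr) is "other".
ini_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|on|yes|true)       echo on ;;
        0|off|no|false|none) echo off ;;
        *)                   echo other ;;
    esac
}

# Return 0 only if errors are hidden, logged, and sent to a named file.
audit_php_ini() {
    rc=0
    [ "$(ini_bool "$(ini_value "$1" display_errors)")" = off ] ||
        { echo "FAIL: display_errors is not explicitly Off"; rc=1; }
    [ "$(ini_bool "$(ini_value "$1" log_errors)")" = on ] ||
        { echo "FAIL: log_errors is not explicitly On"; rc=1; }
    [ -n "$(ini_value "$1" error_log)" ] ||
        { echo "FAIL: error_log is not set"; rc=1; }
    return "$rc"
}

# Constructed sample: a commented-out line and a late override that wins.
sample=$(mktemp)
printf '%s\n' '; display_errors = Off' 'display_errors = Off' 'log_errors = On' \
    'error_log = /var/log/php_errors.log' 'display_errors = On ; debug' > "$sample"
audit_php_ini "$sample" || echo "sample php.ini needs fixing"
rm -f "$sample"
```

Run audit_php_ini against the file that phpinfo() reports as the “Loaded Configuration File”, since the command-line PHP may load a different php.ini than the web server does.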
Is Disabling display_errors Enough for PHP Security?
Not entirely, but it’s a strong first step.
Yes, by using a .user.ini or .htaccess file within the site’s root directory, especially in shared hosting environments like cPanel or Plesk.
display_errors, but still see errors. Why?
- You’ve edited the correct php.ini file (use phpinfo(); to verify)
- Web server (Apache, NGINX, PHP-FPM) has been restarted
- No ini_set() overrides exist in scripts
No, disable displaying errors but keep logging enabled. Use log_errors to keep track of issues quietly.
I’m Sachin Gupta — a freelance IT support specialist and founder of techtransit.org. I’m certified in Linux, Ansible, OpenShift (Red Hat), cPanel, and ITIL, with over 15 years of hands-on experience. I create beginner-friendly Linux tutorials, help with Ansible automation, and offer IT support on platforms like Upwork, Freelancer, and PeoplePerHour. Follow Tech Transit for practical tips, hosting guides, and real-world Linux expertise!