FastCGI App vs Apache Module. Is FastCGI not secure?

I am hitting exactly the same issue as the post owner on Could Virtualmin creators elaborate on this topic? I am pretty confident FastCGI is the ideal mode for all the setups, we’ve been using it without any issues for years, but Drupal’s security team thinks just the opposite.


Under most circumstances, using FCGID (and CGI) is the best mode to use, and the most secure.

With the help of suexec, it will run PHP apps as the Virtual Server owner.

If you’re receiving an error that states something isn’t writable, that suggests a configuration problem – Drupal runs quite well using FCGID, and the Virtual Server owner should always have permission to write to directories in their account.

You may want to verify that your directories are actually owned as your Virtual Server owner, and not someone else.


Hi Eric,

I know Drupal runs well using FCGID, but this always happens on any vanilla Drupal website installed on any freshly setup Virtulamin server with permissions to write to directories. Even with all the directories and files belonging to the right username it fails to pass Security Review module of Drupal. The problem is not on Virtualmin side, it is on Drupal Association or rather Acquia side, which is imposing this module to all hosting vendors. You can read some background of the issue here

In short default settings of a Drupal website created on freshly installed default Virtualmin is not good for Security Review module of Drupal. And we just wanted to hear your opinion on this matter that is driven quite ridiculous by Drupal Association and Acquia people.