max_input_vars limits the number of input variables your server will accept in a single request. The limit applies to the $_GET, $_POST and $_COOKIE superglobals separately. For a WordPress site to work properly, you can set max_input_vars to 3000. Otherwise, data can be lost from the theme options and, most probably, some widgets will disappear.
What is the purpose of Max Input Vars?
It helps lessen the severity of DoS (Denial of Service) attacks that use hash collisions.
Effects of lower Max Input Vars limit
Although it is part of the runtime configuration, max_input_vars doesn’t always create a problem. Still, some users have repeatedly reported that when they save a very large amount of data, nothing gets saved.
When ‘Display errors’ is enabled, PHP outputs the following (or a similar) message every time you hit the Save button:
Warning: parse_str() [function.parse-str]: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in /home/user/public_html/path/t0/file/causing/this/error.php on line 389.
Normally, the limit in max_input_vars affects the following:
Large Forms (such as a survey form, or a detailed contact form)
Option Forms, such as a theme or plugin options page.
Effects of higher Max Input Vars limit
The max_input_vars value should always be kept at a reasonable level; the limit acts as a ‘sanity check’. Raising it beyond that level makes you more vulnerable to attacks and can bring the server down.
Changing Max Input Vars
The max_input_vars value can be changed by editing or adding it in the .htaccess or php.ini file in the root of your WordPress installation directory. The default value of max_input_vars is normally 1000. In some cases you will need to raise or lower it, either because you have trouble saving your data or for the security of your WordPress site. The methods for changing the limit are as follows:
Changing Max Input Vars in .htaccess File
max_input_vars can be changed from the .htaccess file in the root WordPress installation directory. To do this:
Locate the .htaccess file in the root of your site directory (or add one yourself if found missing).
Open the .htaccess file and add the following line at the end of the file with the desired value (for example, 3000):
php_value max_input_vars 3000
If you have the suhosin security patch, also add the following:
php_value suhosin.get.max_vars 3000
php_value suhosin.post.max_vars 3000
php_value suhosin.request.max_vars 3000
Changing Max Input Vars in php.ini File
For this, you will need to edit your php.ini file, which is usually located in /usr/local/lib.
Generally, shared hosting will not permit you to change this value, even if you have a local php.ini file in your public_html folder. In that case, you will have to
Move to a VPS or Dedicated server,
Reduce the total number of input variables,
If you are comfortable with editing php.ini,
Locate your php.ini file in the root folder of your WordPress installation.
If you have located the php.ini file, open it and search for the following line: max_input_vars = xxxx; (xxxx stands for a given value).
Now, replace the value and set it to your desired limit (for example, 3000).
If you can’t locate the line, add the line with the desired value: max_input_vars = 3000;
Add the following if you have the suhosin security patch:
suhosin.get.max_vars = 3000
suhosin.post.max_vars = 3000
suhosin.request.max_vars = 3000
If you don’t have access to php.ini or .htaccess File
On shared hosting, the developer may not have access to the php.ini or .htaccess file. It is also possible that the changes do not take effect. In such cases, if you are not able to fix it yourself, it is best to contact your host and have them change these values.
The Cross Check
To cross-check if the changes are working, you can create an info.php file, copy the following code into it, and upload it to your public_html folder.
Now type your site domain followed by /info.php. Scroll down to the Core section, and you can see max_input_vars and its new value.
Note: Don’t forget to delete the info.php file afterwards, as it exposes a lot of valuable and sensitive data about your server.
Important: You must restart Apache for the changes to take effect.
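A narrower alternative to the cross-check above, as an added example that is not from the original article: it prints only the directives this page changes and, when a form is posted to it, reports whether the submission exceeds max_input_vars. The function names are hypothetical, and the count assumes a urlencoded form with the default '&' separator.

```php
<?php
// Added example, not from the original article. The helper names
// (count_submitted_vars, input_vars_report) are hypothetical.

/** Count key=value pairs in a urlencoded body, before PHP parses them. */
function count_submitted_vars(string $rawBody): int
{
    // Pairs are separated by '&'; empty segments ("a=1&&b=2") carry no variable.
    return count(array_filter(explode('&', $rawBody), 'strlen'));
}

/** Compare what the browser sent with the limit PHP enforces. */
function input_vars_report(string $rawBody, int $limit): array
{
    $sent = count_submitted_vars($rawBody);
    return [
        'limit'     => $limit,
        'submitted' => $sent,
        // PHP stops registering variables once the count goes above the limit.
        'truncated' => $sent > $limit,
        'headroom'  => max(0, $limit - $sent),
    ];
}

// Effective values of the directives this article changes.
$names = ['max_input_vars', 'suhosin.get.max_vars',
          'suhosin.post.max_vars', 'suhosin.request.max_vars'];

header('Content-Type: text/plain; charset=utf-8');
foreach ($names as $name) {
    $value = ini_get($name);   // false when the directive does not exist
    echo $name, ' = ', ($value === false ? '(not available)' : $value), "\n";
}

// On a form POST, report whether the submission fits under the limit.
// php://input is empty for multipart/form-data, so this covers urlencoded forms only.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $limit  = (int) ini_get('max_input_vars');
    $report = input_vars_report(file_get_contents('php://input'), $limit);
    foreach ($report as $key => $val) {
        echo $key, ' = ', var_export($val, true), "\n";
    }
}
```

Like info.php, remove the file once the check is done.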