Frequently Asked Questions

How do I install and setup ionCube24?
After creating an account and logging in, the next step is to add a Server item and then your first Domain. The server could be named based on where you host your website, e.g. GoDaddy. The domain will be the domain name of your website. The current ionCube24 features of intrusion protection and error reporting use a plugin to PHP called the ionCube Loader. This is widely used and may be installed already, but if not your hosting provider should be able to assist. We can also give assistance. You will be guided through the necessary steps to get setup when you add your first domain.
My server is shared without root access. Can I benefit from ionCube24?
Yes! Provided that your operating system is supported and you can install the latest ionCube Loader, you should be able to use ionCube24. If you have problems getting setup or your system is not supported, please contact us so we can assist.
My site uses Cloudflare. Will ionCube24 work?
Yes, however currently you may need to whitelist our administrator IP 54.172.250.61. Cloudflare discuss whitelisting IP's in this article.
Will ionCube24 slow down my website?
Our performance tests have not shown any impact, and if your site already uses the ionCube Loader then enabling ionCube24 may actually improve performance. This is because ionCube24 eliminates the need for the Loader to check whether a file has been secured by the ionCube PHP Encoder every time it is accessed.
What are features marked as dev?
ionCube24 is evolving, with new features being work on all the time. A feature marked as dev is available to be used in its current form, but is still in an active state of development and liable to change.
Can I request features?
Sure, we are always interested to hear about features that could help your business run smoother. Whether it's a request for something that we don't offer right now, a change to an existing feature or comments on how an active dev feature is shaping up, do get in touch.
My Web Server is not accessible from the Internet. Can I still use ionCube24?
Not currently because our servers must communicate with your Web Server when you make configuration changes. However, if you can permission access to port 80 for our IP addresses, and if your server can connect back to our servers, it could be used.
How can I uninstall ionCube24?

You can disable ionCube24 on the ionCube Loader by setting the entry ic24.enable to 0 in your php.ini file:

ic24.enable = 0

This will disable ionCube24, while leaving the ionCube Loader intact. Should you wish to uninstall the ionCube Loader, you can remove the relevant zend_extension entry pointing to your ionCube Loader files from your php.ini, as well as remove any ionCube Loader files from your system.

How does ionCube24 protect my site?
The core of ionCube24 is the ionCube Loader, a widely used extension to PHP for processing secured PHP code. Before a PHP file is run the Loader checks whether the file has changed or been created after a trusted point in time (the Trustpoint). If it has, and unless the change is expected, the file is very likely to be malware and is blocked from being run. This ensures that no matter how an attacker places malware into your site, it will be stopped.
If my site has an unknown vulnerability, can ionCube24 still protect it?
Yes! ionCube24 does not need a list of known vulnerabilities to be effective. It works by blocking attempts to execute files that have changed and files that are unknown. No matter how a hacker manages to inject PHP code into your site, it can be blocked when they try to run it.
My domain has name aliases not added to ionCube24, is it still protected?

If your domain is reachable under any name other than the ones you have configured, you should enable Domain Wildcard Protection on one of the domains for your server. This will ensure that all domains on the server are protected, including those not configured in the interface. This will also protect if a domain is accessed by a fake name. As this setting will protect all domains on your server, it is best to ensure that all domains have been configured accordingly.

If your plan does not include Domain Wildcard Protection, it is recommended to ensure that your domain is reachable only by the names you have configured in ionCube24. Furthermore, your domain should not be the default domain on your server, (i.e., your webpage should not be reachable through the IP address of the server), as this may allow your site to be reached using an unprotected domain name.

If you have problems setting up your system, please contact us so we can assist.

How can I know if a problem was detected?
The ionCube24 Loader notifies our servers immediately that a file on your site is blocked. From there, an alert email can be sent to you. The ionCube24 control panel also responds to real-time events, and will update automatically if you are logged in. Alerts can be acknowledged, but if they are not, the system can send reminders. The alerting system can be customised to suit your needs as required.
How do I allow my trusted website files?

There are several mechanisms for this.

  1. Trustpoint
    The Trustpoint is the point in time before which your site is known to have files that are trusted. You can set the Trustpoint to the current time, or any time past or in the future. Files detected as changed after this time will be blocked.
  2. File Exclusion Key
    The file exclusion key is a key unique to each server. If the key appears on the first line of a PHP file, e.g. as a comment, that file will be automatically trusted. The Trustpoint is likely to be more convenient for existing files, but the exclusion key can be useful to permission dynamically created or updated files by code that is itself trusted.
  3. PHP INI Entry: Trust included files automatically
    If the ic24.sec.approve_included_files entry in your php.ini file is set to 1, files that are used by other files (i.e. included) will be automatically trusted. Dynamically created files such as cache files are likely to be used by other PHP files rather than accessed directly, and this setting can be useful to permission these. Though this setting is very permissive, files created by exploiting a vulnerability are most likely to be accessed directly by an attacker rather than by another file, and so will still be blocked. Any uploaded files processed using the PHP function move_uploaded_file() are also automatically blocked if the entry ic24.sec.block_uploaded_files is set to 1 in your php.ini file (this is the default behaviour if unset).
  4. PHP INI entry: Automatically trust certain directories
    You can configure ic24.sec.trusted_include_paths in your php.ini to automatically trust entire directories. For example, if you wanted to trust the directory '/var/cache' then simply set this setting to '/var/cache'. If you wanted to trust multiple directories, you can use ':' as a seperator (i.e. '/var/cache:/var/other'). Finally, you can prefix directories with a '+' or a '-' which either includes the directory or excludes it which might be useful for automatically trusting an entire directory except a certain sub directory. This can be doing via the following: '/var/cache:-/var/cache/private',
  5. Add Trusted Files
    Through the web interface, directories of your server can be scanned for files to be trusted, e.g. files ending with .php.
When I update my website will my changes be blocked, and how can I avoid this?

Changes are likely to be blocked because they will be unexpected, and your site is protected precisely because ionCube24 does block unexpected changes.

Before updating files, our recommended approach is first to set the Trustpoint a little way into the future, and then update the files on your website; this works because files seen as changed before the Trustpoint time should be permitted to run. Once updated, you can set the Trustpoint to the current time so there is no window of opportunity for an attacker.

If you have set ic24.sec.approve_included_files to 1 and if the changed files are only used by other files, updated and new files should not be blocked.

Another option is to have certain directories of the site automatically trusted with the ic24.sec.trusted_include_paths setting, who's usage is detailed in the section 'How do I allow trusted Website Files'.

The exclusion key can also be used to indicate that a file should be trusted. Last, you can add sets of files to be trusted via the web interface.

How do I upgrade my ionCube Loader?
Upgrading the ionCube Loader is easy. Just follow the steps below.
  1. Make sure you take a backup of the existing Loader.so file in case you wish or need to roll back.
  2. Stop your Web Server software. If you are unsure of how to do this, your domain administrator or Server documentation should assist you. Before continuing, make sure no Web Server processes are left running, including:
    • FPM
    • php-cgi
    • httpd
    • Apache
  3. Replace the current Loader.so file with the one you'd like to update to.
  4. Optionally, remove the two Loader Cache files in the ic24cache directory (the directory path is set in your php.ini).
  5. Restart your Web Server software, if this fails, the process may have gone wrong and a rollback may be neccessary.
How do I rollback to the ionCube Loader?
Rolling back to a previous ionCube Loader may be neccessary if there is a problem installing or upgrading your ionCube Loader. To roll back, simply:
  1. Stop your Web Server software. If you are unsure of how to do this, your domain administrator or Server documentation should assist you. Ensure no Web Server processes are left running before continuing, including processes such as:
    • FPM
    • php-cgi
    • httpd
    • Apache
  2. Restore your previously backed up ionCube Loader.so file.
  3. Remove any cache files in your ic24cache directory (the directory path is set in your php.ini).
  4. Restart your Web Server software. If this fails, you can always contact us at support.ioncube.com.
What does the error reporting feature do?
This feature captures realtime PHP errors as they occur on your website. It can alert you via the notifications system if there are warnings or fatal errors that may need attention, and you can view all captured errors on a per error basis.
What is the difference between Site Errors and PHP Error Notifications?

The Site Errors feature is a sortable, filterable and searchable table of PHP Errors of varying error levels such as Notice or Warning. Any errors detected by the ionCube Loader will be reported here.

Entries to the Site Errors page however, won't neccessarily generate any notifications because many sites will produce errors such as Notices which aren't fatal nor neccessarily within your control to fix. Due to this, only PHP Errors and Warnings will generate Notifications, which you can receieve through the UI, Email or Pushover.

However, Site Error entries and PHP Error Notifications do share functionality in that reading a Site Error Warning or Error will also read its corresponding PHP Notification and vice versa. Note that whilst Site Errors and PHP Errors are linked via the ability to read notifications, ignoring Notifications or Site Errors are not linked and will produce different effects. More info can be found in the "Can I ignore a notification permanently?" entry below.

Notifications can also be raised via other means such as our Security feature. These are not related to Site Errors in any way.

ionCube24 reports many PHP errors for my site but it still seems to work. Why is this?

PHP has several error levels. These include non-critical Notices that may be due to poor coding, Warnings of operations that failed but that did not stop the request, and Errors that caused a request to fail and usually giving a blank page. PHP can also warn when a program uses Deprecated features that are going to be removed from PHP in the future, and cases where code did not follow Strict usage guidelines.

A well coded website should produce no errors at all, however many websites will produce errors, with Notices being the most common. As they are not fatal errors, they will not prevent the site from working, however in some cases Notices can be an indication of bugs. If these occur in your own code, you should aim to resolve them.

Can I ignore a notification permanently?

Yes. You can silence a non-security notification by clicking the icon before marking it as read with .

Use the Filter dropdown if you wish to show ignored notifications later.

Because only PHP Errors and Warnings generate notifications however, there is a difference between ignoring a notification and a entry on the Site Errors table. Ignoring the notification will prevent the same notification from reappearing whereas ignoring the Site Errors entry will hide it from the table

Can I hide all errors of a certain type?

Yes. Use the Site Error Reporting > Global Settings feature to select types of errors to ignore. Note that this will take effect for all domains across all servers.

You can also ignore errors with a setting in the php.ini file. Suppose you want to ignore all Notice level notifications. Add the following setting to your php.ini file:

ic24.phperr.ignore = E_NOTICE

Error types can also be combined as in the following examples:

;; Ignore notices, strict and deprecated warnings ic24.phperr.ignore = E_NOTICE | E_STRICT | E_DEPRECATED ;; Ignore all except fatal errors and warnings ic24.phperr.ignore = E_ALL & ~E_ERROR & ~E_WARNING
Where can I find the ionCube24 API documentation?
The documentation is available here, as well as on the API Keys section of your profile settings.
How can I obtain an API key?
Visit the API Keys section of your profile settings, then select "Create new key". A user may only have two API keys at any given time.
What operations are suppported by the API?
For the time being, only operations related to setting the TrustPoint are supported. An example using cURL of setting the TrustPoint for domain xyz.com 5 minutes into the future would be:

curl -sS -d {' "trustpoint_delta": 5 }' \
-X POST -H 'Authorization: API key="XYsdfhooufhukwerhuosrghoisgho348734sdfbukZ"' \
-H 'Content-Type: application/json' https://ioncube24.com/api/v1/domains/xyz.com/trustpoint

Note: The authorisation key is an example, and you should use an API key specific to your account.
How much does ionCube24 cost?
Plans are priced monthly as follows based on the number of domains that are covered:

  • Free
    The default plan is free for 24 days and covers one website.
  • Single Site - $15
    Our entry level plan covers one website.
  • Multi Site 5 - $45
    Our mid level plan covers up to 5 websites.
  • Multi Site 15 - $125
    Our top plan covers up to 15 websites.

Each plan also offers a longer data retention period than the preceding plan. Please contact us if you need a plan for more than 15 domains. Further details are available in the pricing table.

Is a credit card required to use ionCube24?
The 24 days FREE plan does not require any credit card or other details. Payment details are only required if you choose to purchase one of our paid plans.
Can I change my plan at any time?
Yes, you can upgrade or unsubscribe from your current plan at any time. If you upgrade, your account will instantly gain access to the plan's features - if you decide to unsubscribe, you can still use all the features until the end of your billing cycle.
What payment methods are available?
We currently accept PayPal payments, with more payment options coming in the future.
The plans do not fit my requirements. Can you help?
Sure! We offer custom plans specifically tailored for your needs. Just contact us at sales@ioncube.com or open a ticket at our Support HelpDesk and tell us what you need!
How do I get support?
If you need support, simply contact create a ticket in our support helpdesk at support.ioncube.com and we'll be happy to assist.
How do I contact sales?
For sales assistance, please email sales@ioncube.com or create a ticket in our helpdesk at support.ioncube.com.