If you’ve recently migrated your WordPress website to a new server and were greeted with this cryptic fatal error:
PHP Fatal error: Failed opening required ‘/var/www/mysite.com/public_html/aios-bootstrap.php’ (include_path=’.:/usr/share/pear:/usr/share/php’) in Unknown on line 0You’re not alone — and no, it does not have to come from an active plugin like you might think. In this article, I’ll walk you through the exact issue I ran into, how I tracked it down, and what the real fix is. Spoiler: it has to do with an overlooked .user.ini file that All In One WP Security left behind.
🚚 Migrating My WordPress Site
I recently moved my WordPress site (mysite.com) from an older CentOS 7 server to a newer Amazon Linux ARM-based server. After copying over the files, setting up NGINX, PHP 8.3, and restoring the database, I expected a smooth launch.
But instead of seeing my homepage, I got a blank screen — and this fatal error logged in /var/log/nginx/mysite.com-error.log and NGINX’s error log:
PHP Fatal error: Failed opening required ‘/var/www/mysite.com/public_html/aios-bootstrap.php’ (include_path=’.:/usr/share/pear:/usr/share/php’) in Unknown on line 0🤔 What I Thought Was the Problem
Since the error clearly pointed to a file used by the All In One WP Security plugin, my first assumption was that the plugin was somehow still active.
So, I:
• Checked the plugin folder — yep, still there.
• Moved the plugin folder outside of the plugin directory to ensure it was disabled.
• Looked inside the WordPress database (wp_options → active_plugins) to ensure it wasn’t listed. It wasn’t.
• Even used WP-CLI to deactivate everything.
Still, the fatal error persisted.
🔍 What I Tried (and Why It Didn’t Work)
I searched for any mention of aios-bootstrap.php in my site directory:
grep -R "aios-bootstrap.php" /usr/share/nginx/html/mysite.com/public_htmlThe only results came from inside the plugin folder itself.
Next, I checked all the usual suspects:
• mu-plugins (must-use plugins) — nope, the directory didn’t even exist.
• Drop-in files like object-cache.php, advanced-cache.php, db.php — nothing.
• wp-config.php — no hardcoded includes or prepend settings.
Still stuck.
💡 The Real Culprit: .user.ini and auto_prepend_file
Finally, I ran this:
grep -R "auto_prepend_file" /usr/share/nginx/html/mysite.com/public_htmlBoom. There it was — inside a lonely .user.ini file at the root of the site:
auto_prepend_file = '/var/www/mysite.com/public_html/aios-bootstrap.php'Even though the plugin was deleted, and the file was gone, PHP was still being told to preload it before every script runs, thanks to this directive.
That’s why the error said:
in Unknown on line 0Because PHP was failing before any of your WordPress code even ran.
🛠️ How I Fixed It
1. Deleted the .user.ini file:
rm /usr/share/nginx/html/mysite.com/public_html/.user.ini2. Reloaded PHP-FPM and NGINX:
sudo systemctl reload php-fpm nginx3. Cleared the opcache (optional but recommended):
You can do this by restarting PHP-FPM:
sudo systemctl restart php-fpmImmediately, the error disappeared — no more aios-bootstrap.php fatal error, and my WordPress site loaded normally.
✅ Final Thoughts
The All In One WP Security plugin can be helpful, but it goes further than most plugins by writing persistent directives in .user.ini, which many users (including me) don’t realize until something breaks.
Even after deleting the plugin, these lingering configurations can break your entire site — especially after a server migration, where file paths change.
If you ever run into a fatal error like:
Failed opening required ‘/var/www/mysite.com/aios-bootstrap.php’ in Unknown on line 0— check for .user.ini files and the auto_prepend_file directive. It may just save you hours of debugging.
🛡️ Recommended Alternatives
If you’re looking for a more predictable and server-friendly WordPress security plugin, here are a few options I’ve tested:
• Shield Security (aka WP Simple Firewall) – lightweight and clean
• Sucuri Security – great for external malware scanning
• Wordfence – powerful but heavier on resources
