Despite taking careful security precautions, I've been hacked before and I expect it will happen again. I run multiple WordPress blogs and PHP-based forums on the same VPS, so I want each app isolated as much as possible so if/when it gets hacked, it's isolated to just that particular app instance. I already run each in a separate database with a db user dedicated to only that particular db, now I'd like them each to run as a separate Linux user that can only access files for that particular app.

I looked into this, and it looks like this can be accomplished with separate PHP-FPM pools, one for each app. But I'm unclear how to tell Nginx to pass PHP requests to the proper pool. It looks like the handoff currently happens in this file: centminmod/php.conf at 123.08centos7beta02 · centminmod/centminmod · GitHub

Each domain's vhost file includes the same php.conf file, so everything hands off to the same pool. Is there an easy way to override the following line?

Code:
    fastcgi_pass 127.0.0.1:9000;

Currently, I've got a single vhost file for each domain. Although most domains only have one php app, a few have more than one, so I want to specify the port of the php-fpm pool within the location block for the app, not just within the vhost file for the entire domain. So how to best tell Nginx within the location blocks for each app to pass php requests (and only php requests) onto the correct port for the php-fpm pool for that app?

I could just create a copy of the entire php.conf file for each domain, but this feels really kludgy when I'm only changing the port, and leaving everything else alone. It also won't allow sending different apps to different php-fpm pools--all apps on the same domain would go to the same pool, which isn't what I want. I could move the php include directive in the vhost to be within the location block of the app--that should accomplish what I want--but it still feels kludgy to duplicate the entire config file when only one line is changing.
Is there an easier way to override just that one line on a per-app basis within the nginx vhost file?

Once I get Nginx sending requests to the different port, it looks like it's pretty simple to configure each php-fpm pool and which port they should listen on thanks to @eva2000's handy example here: centminmod/php-fpm-2pools.conf at 123.08centos7beta02 · centminmod/centminmod · GitHub

Two other questions:

Will each FPM pool have its own Zend OPCache instance or do they share the same cache?

When updating Nginx or PHP using centmin.sh script, will it clobber any of my customizations to either the php.conf or php-fpm-2pools.conf file?

Very aware that Centminmod is provided as-is (and grateful that it's provided), but hoping that others in the community might be able to help--I suspect I'm not the only one who's tried to do this. Or at least I won't be the only one once folks realize the security benefits of isolating each app so it runs under a separate Linux user preventing a hacked app from messing with other apps.
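
Added example, not part of the original post and not Centmin Mod's own code: a small Python check for the isolation goal described above, flagging PHP-FPM pools that share a Linux user or listen address and any `fastcgi_pass` target in a vhost that does not belong to one of the audited pools. The pool names, users, ports and location paths in the embedded samples are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample pools (names, users and ports are assumptions).
POOLS = """
[blog]
user = blog
listen = 127.0.0.1:9001
[forum]
user = forum
listen = 127.0.0.1:9002
"""
# Constructed sample vhost: the forum app still hands off to the shared default port.
VHOST = r"""
location /blog/  { location ~ \.php$ { fastcgi_pass 127.0.0.1:9001; } }
location /forum/ { location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; } }
"""

def parse_pools(text):
    """Return {pool_name: {directive: value}} from php-fpm pool syntax."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.fullmatch(r"\[(.+)\]", line)      # [name] opens a pool section
        if m:
            current = pools.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    return pools

def audit(pool_text, vhost_text):
    """List isolation problems: shared users/listeners, unmapped fastcgi_pass."""
    pools, findings = parse_pools(pool_text), []
    for key in ("user", "listen"):
        seen = defaultdict(list)
        for name, cfg in pools.items():
            seen[cfg.get(key)].append(name)
        for value, names in seen.items():
            if value is None:
                findings.append(f"pools {sorted(names)} have no '{key}' set")
            elif len(names) > 1:
                findings.append(f"pools {sorted(names)} share {key} {value}")
    listeners = {cfg.get("listen") for cfg in pools.values()}
    for target in re.findall(r"fastcgi_pass\s+([^;\s]+)\s*;", vhost_text):
        if target not in listeners:
            findings.append(f"fastcgi_pass {target} matches no audited pool")
    return findings
```

Calling `audit(POOLS, VHOST)` on the samples reports the forum location that still points at port 9000; run against real files, pass it the concatenated pool definitions and the text of each vhost.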