OPCache causes a name collision when it caches files running inside of a chroot’ed environment, opcache.validate_root makes cache keys unique per user.
opcache.validate_root=1
Bonus fine tuning
In ISPConfig, when the chroot is created for a site, a link is copied into /etc/localtime which points to whatever zone file your host is using. In my case Europe/Stockholm.
If you want to run WordPress you will need to add the file UTC to the chroot /usr/share/zoneinfo
date.timezone = Europe/Stockholm
Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
mail.add_x_header = On
Whether to use strict session mode. Strict session mode does not accept an uninitialized session ID, and regenerates the session ID if the browser sends an uninitialized session ID. Strict mode protects applications from session fixation via a session adoption vulnerability. It is disabled by default for maximum compatibility, but enabling it is encouraged. https://wiki.php.net/rfc/strict_sessions
session.use_strict_mode = 1