When configuring a domain and we have no idea what the site will be used for, it may make sense to allow both CGI and SuEXEC, so that the site admin can do whatever they want to do. But if we know a site is going to run WordPress or some other common CMS or framework, and none of the files are owned by www-data, is there any good reason to leave CGI checked? I'm asking for a couple reasons: Personally I'd like to eliminate the extra cruft out of the vhost files, and I think it's a good security precaution to eliminate the chance of CGI issues if we're sure the site doesn't need that feature. Also, I don't know if the CGI settings in vhost files are required for PHP-FPM or anything else we typically use or have configured in php.ini. Thanks.
CGI option is for CGI scripts, it is not PHP related. CGI should not be enabled unless you want to run CGI scripts like PERL scripts. There are just very few sites today that still might need to run CGI scripts, so I'll recommend not enabling CGI as a default.
