Odd, I just noticed that php.ini is in public_html (for all the world to see). Publishing the site's configuration is always an invitation to hackers. Is there any way to hide it?
When I removed php.ini, PHP started using a different configuration file in a place that I could not access. I assume that this is some sort of shared php.ini.
I guess one way to avoid publishing my site's configuration to the world would be to start using the default php.ini. Using a shared configuration file brings up the scary question about changes to the shared file. How often does Bluehost change the file, and how do I learn about changes to the configuration?