Debian 8.6
PHP FCGID
IMSCP 1.3.8
Currently we have many attacks on WordPress installations ...
so I would like to disable PHP exec for the wp-upload folder and Joomla images folder.
Does it work w/ Apache 2.4 in this way?
No
First of all, the php_value directive is not the right directive here. The right directive would be php_flag.... See http://kvz.io/blog/2007/07/11/…value-php-admin-flag-etc/ or the official PHP documentation if you want to learn more.
Anyway, those directives inside a vhost file or .htaccess file are only applicable when you use PHP as an Apache2 module, for instance, with the apache_itk i-MSCP httpd server implementation. That's not your case as far as I can remember.
Please remind me which i-MSCP httpd server implementation you use and I'll provide you with a correct solution.
Edit: See my next answer.
OK, according to your first post, you use the apache_fcgid i-MSCP server implementation. The solution for you is to add the following content into the /etc/apache2/imscp/<domain>.conf file and, once done, restart apache2: service apache2 restart
Note that changes made in the /etc/apache2/imscp/<domain>.conf file are persistent (they are never reset by i-MSCP on update or reconfiguration).
looks very good, thanks Nuxwin!
Regards
You're welcome.
ok, maybe we could exclude just for one specific directory ...
/var/www/virtual/example.tld/htdocs/images
A better solution in my eyes is:
Here, we don't remove the PHP handler. We simply deny access (hence, execution) to any PHP script other than /images/watermark.php, showing end users an appropriate 403 error page instead of the plain PHP script (source). Note that I assume here that the watermark.php script doesn't make use of PATH_INFO (e.g., URLs such as /images/watermark.php/<pathinfo>).
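
A sketch of this deny-all-but-one approach in Apache 2.4 syntax, added here as an example and not the configuration originally posted in this thread. It assumes the images directory path quoted above; the extension list in the pattern is an assumption to adapt to whatever your PHP handler is mapped to.

```apache
# Added example (not the thread's original snippet). Place it in
# /etc/apache2/imscp/<domain>.conf, then run: service apache2 restart
<Directory /var/www/virtual/example.tld/htdocs/images>
    # Authorization is evaluated before the request reaches the FastCGI
    # handler, so this works with PHP under fcgid. php_flag / php_value
    # would not: they only take effect when PHP runs as an Apache module.
    #
    # The pattern (an assumption, adjust to your handler mapping) also
    # catches names such as x.php.jpg, which mod_mime can still map to
    # PHP when the handler is assigned with AddHandler.
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phar)(\.|$)">
        Require all denied
    </FilesMatch>

    # <Files> and <FilesMatch> sections are merged in the order they
    # appear, so this later section re-allows the single wanted script.
    # <Files> matches on the file's basename only: a watermark.php placed
    # in any subdirectory of images/ would be allowed as well.
    <Files "watermark.php">
        Require all granted
    </Files>
</Directory>
```

Run apache2ctl configtest before restarting, then request a harmless test .php file placed in the directory and confirm the response is a 403 while /images/watermark.php still answers normally.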