We recently received a question about allow_url_fopen at WordPress Doctor. We believe there is little security benefit in turning off allow_url_fopen, and we would like to explain why.


What is allow_url_fopen?

allow_url_fopen is a server-side PHP configuration setting. It is generally enabled.

To disable allow_url_fopen, add the following line to your server configuration or php.ini:

allow_url_fopen=OFF

It is a PHP_INI_SYSTEM directive, so it cannot be changed from within a script with ini_set.
When allow_url_fopen is set to OFF, the PHP functions file_get_contents and fopen can no longer retrieve data from external URLs.

There are many examples of WordPress malware that use file_get_contents or fopen to load malicious code from the outside, so setting allow_url_fopen to OFF may be effective in preventing that particular malware behavior.

The most common way for malware to load malicious code from the outside is not file_get_contents or fopen

However, the mainstream method for malware to load malicious code from the outside is not file_get_contents or fopen, which setting allow_url_fopen to OFF can prohibit, but rather CURL.

The figure below shows an example of malware that uses CURL.
(Figure: malware using CURL)

In other words, CURL must also be blocked to prevent the mainstream kind of external-loading malware from operating.
However, WordPress itself and many plugins use both CURL and file_get_contents/fopen, so if both are disabled on the server, the site may malfunction or become impossible to update.
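As an added example (not code from the original post), the following Python triage script takes PHP source and lists the calls that may load content from outside the server, marking which of them allow_url_fopen=OFF would actually stop. The sample PHP, its hostnames and paths are constructed placeholders.

```python
import re

# Stream-wrapper functions: a URL target here is refused when allow_url_fopen=OFF.
WRAPPER_FUNCS = ("file_get_contents", "readfile", "fopen", "file")
# The curl extension has its own HTTP client, so allow_url_fopen does not affect it.
CURL_FUNCS = ("curl_init", "curl_setopt")

CALL_RE = re.compile(r"\b(" + "|".join(WRAPPER_FUNCS + CURL_FUNCS) + r")\s*\(([^;]*)")
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://")
DYNAMIC_RE = re.compile(r"\$\w+|base64_decode|str_rot13|gzinflate")

# Constructed sample of PHP source; hosts and paths are placeholders, not real indicators.
SAMPLE_PHP = r"""<?php
$a = file_get_contents('http://example.invalid/a.txt');
$fh = fopen("https://example.invalid/b.txt", "r");
$cfg = fopen('/var/www/html/wp-config.php', 'r');
$ch = curl_init('http://example.invalid/c.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$d = file_get_contents($u);
"""

def classify_target(args):
    """Describe how the call's argument text names the thing being fetched."""
    if URL_RE.search(args):
        return "remote-literal"
    if DYNAMIC_RE.search(args):
        return "dynamic"  # variable or decoded string: the real target is only known at run time
    return "local-literal"

def scan_php(source):
    """Return one finding per call that may load content from outside the server."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func, args = m.group(1), m.group(2)
            target = classify_target(args)
            if target == "local-literal":
                continue  # fixed local path (or curl_init() with no URL): not an external load
            if func == "curl_setopt" and "CURLOPT_URL" not in args:
                continue  # only the option that sets the URL is of interest
            findings.append({"line": lineno, "func": func, "target": target,
                             "stopped_by_allow_url_fopen_off": func in WRAPPER_FUNCS})
    return findings

def summarize(findings):
    stopped = sum(f["stopped_by_allow_url_fopen_off"] for f in findings)
    return {"total": len(findings), "stopped": stopped, "not_stopped": len(findings) - stopped}

if __name__ == "__main__":
    print(*scan_php(SAMPLE_PHP), summarize(scan_php(SAMPLE_PHP)), sep="\n")
```

On the sample, three of the four flagged loads go through stream wrappers and would be stopped by the setting; the curl_init call is untouched, which is the point made above.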

It is important to remove malware and close vulnerabilities.

As mentioned above, removing the malware from the server matters more than restricting the behavior of malware that remains on it.

Malware detection plugins, which are available free of charge, can be used to inspect for and remove malware.

Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

It is also important to take security measures to close vulnerabilities.

Five free WordPress security measures

We hope you find this information useful.