We recently received a question about allow_url_fopen on WordPress Doctor. We believe that there is little point in turning off allow_url_fopen on WordPress Doctor for security reasons. I would like to explain the reason for this.


What is allow_url_fopen?

allow_url_fopen is a server-side PHP program setting. This one is generally enabled.

To deactivate allow_url_fopen, you must add the following to your server configuration or php.ini

allow_url_fopen=OFF

in the server configuration or in php.ini.
If allow_url_fopen is set to OFF, the PHP function file_get_contents,fopen will not be able to retrieve information from external URLs.

There are many examples of WordPress malware using file_get_contents,fopen to load malicious code from the outside, so setting allow_url_fopen to oFF may be effective in preventing such malware behavior.

The most common way for malware to load malicious code from the outside is not file_get_contents,fopen

However, the mainstream method for malware to load malicious code from the outside is not file_get_contents,fopen, which can be prohibited by setting allow_url_fopen to oFF, but rather the method using CURL.

The figure below shows an example of malware that uses CURL.
CURLのマルウェア

In other words, CURL must also be stopped to prevent mainstream external loading malware from operating.
However, both CURL and file_get_contents,fopen are often used in WordPress itself and plugins, so if both are stopped on the server, the site may malfunction or become impossible to update.

It is important to remove malware and close vulnerabilities.

As mentioned above, it is more important to remove the malware from the server than to marginalize the behavior of the remaining malware on the server.

Malware detection plug-ins, which are available free of charge, can be used to inspect and remove malware.

Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

It is also important to take security measures to close vulnerabilities.

Five free WordPress security measures

We hope you find this information useful.

Related Posts:

  1. What is Japanese SEO Spam, a type of WordPress malware?
    We will explain about Japanese SEO Spam, which is a malware that embeds fake Japanese product sites in WordPress....
  2. How to Prevent WordPress Site-to-Site Malware Infection
    Taking advantage of the convenience of being able to operate multiple domain sites under a single server contract, malware today often analyzes the server folder structure and spreads infection from one site to the folders of other sites (domains)....
  3. What is the most common vulnerability cross-site scripting in WordPress?
    The most common vulnerability in WordPress is called Cross Site Scripting (XSS). We would like to explain about this vulnerability....
  4. What is a WordPress injection attack?
    There are various methods by which WordPress can be hacked, the most common of which is called an injection attack. This section describes these injection attacks....
  5. WordPress malware Fake browser update page
    Recently there has been an increase in WordPress malware that displays a fake browser update page. We will explain this malware....
  6. What is Content Security Policy CSP? How to set it up in WordPress
    Content Security Policy and how to set it up in WordPress....