• Resolved confusedkoala

    (@confusedkoala)


    Hi all.

    I am not well versed in security stuff and Wordfence is the only place I know where the makers are nice and helpful.

    I have a plugin which requires allow_url_fopen to be On.

    I did a search on Google and found many articles stating that On = security risk.

    Am hoping to get a better understanding here on what security risk it is (it's just the usual unavoidable risk or it's a major open doors kind of risk?) and whether Wordfence will protect my site against that?

    Much appreciated

    • This topic was modified 4 years, 10 months ago by confusedkoala.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi @confusedkoala,

    In PHP, a common way to read local files is to use the function file_get_contents.

    A lot of programmers forget that this function can also be used to download remote files.

    As a result, these programmers do not sanitize their URLs, and this causes PHP to inadvertently download remote files.

    So in itself, allow_url_fopen = On is not a security risk. It just depends on whether or not the programmer remembered to account for remote URLs being fed into file_get_contents.

    Can Wordfence protect against this?

    No, because this would mean blocking any URLs in the query string, which would break forwarding URLs. For example https://example.com/?continue=www.nextpage.com.

    Dave

    Thread Starter confusedkoala

    (@confusedkoala)

    Thank you Dave.

    Just to clarify, you mentioned it is not a risk.

    So the only issue I will get is if I run a plugin that is poorly done or maliciously done, right?

    Assuming all is well on the WordPress side, a malicious actor cannot use this unilaterally to “break” into my website, ya?

    Appreciate it.

    Hi again!

    Yes, that is correct. Note that if your code has an exploit, and you replace file_get_contents with cURL – you will still have the same exploit.

    Just having allow_url_fopen enabled does not mean your site is instantly an open door for hackers.

    Dave
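
The point in Dave's two replies above, shown as an added example (not code from this thread, from Wordfence, or from any plugin): the risk sits in passing unvalidated input to the read call, so the fix is input validation, whichever fetch function is used. The function names, the temporary directory and the sample inputs are hypothetical and constructed for illustration; PHP 8 is assumed.

```php
<?php
// Added illustration; all names and sample inputs here are hypothetical.

// Before: the caller's value goes straight to file_get_contents().
// With allow_url_fopen = On, an "http://..." value is fetched over the network.
function load_snippet_unchecked(string $name): string|false
{
    return file_get_contents($name);
}

// After: accept only a name that resolves to a file inside $baseDir.
function load_snippet_checked(string $name, string $baseDir): string
{
    // Reject anything that starts with a stream-wrapper scheme (http://, ftp://, php://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $name)) {
        throw new InvalidArgumentException('URL-style input rejected');
    }
    // realpath() returns false for missing files and collapses "../" segments,
    // so the prefix comparison below sees the real location on disk.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('Not a file inside the allowed directory');
    }
    return file_get_contents($path);
}

// Constructed demo: a temporary directory holding one permitted file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snippets_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'hello.txt', 'hello');

foreach (['hello.txt', 'http://example.com/page.txt', '../outside.txt'] as $input) {
    try {
        echo $input, ' => ', load_snippet_checked($input, $dir), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $input, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// Clean up the constructed files.
unlink($dir . DIRECTORY_SEPARATOR . 'hello.txt');
rmdir($dir);
```

Only `hello.txt` is read; the other two inputs are rejected before any read happens, and the same validation would be needed in front of a cURL call.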

    Hi @confusedkoala,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

    Please feel free to open another thread if you’re still having issues with Wordfence.

    Thanks,

    Gerroald

  • The topic ‘Wordfence protection for allow_url_fopen’ is closed to new replies.