Wordfence – fopen warning on PHP 7.2

Hi @linksbreaker,

Can you try editing php.ini and searching for allow_url_fopen.

It should be set as allow_url_fopen = 1.

If you don’t have access to php.ini, you will want to ask your host for assistance.

Dave

Hi @wfdave,

I understand, but I have a question about setting as “allow_url_fopen = 1”

Could this adjustment create a security problem related to vulverabilities?
As I understand, WP does not need to be enabled.

Could you help understand this topic better?

Thanks for your time.

Hi again,

Wordpress doesn’t need allow_url_fopen, but Wordfence uses it as its main driver to fetch remote files. (/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/http.php)

Is allow_url_fopen a security concern?

It is a security risk if you have exploits in your scripts already:
For example, suppose I have a script that displays information from a text file:

https://example.com/?display=document.txt

And the script might look like:

<?php

echo file_get_contents($_GET['display']);

A possible exploit would be

1) Changing document.txt to a remote URL
2) Changing it to files outside of the directory using ?display=../../../someother_file.txt

So yes, it does open up some risk, but that is if your script was already lacking in security to start with.

Dave

Got it! Thanks again, Dave.