Recently I was doing a security audit on a Linux server and noticed some Apache and PHP settings that needed to be changed to make the server more secure. One of the settings that should be disabled is allow_url_fopen, because of the risk that it can be abused. The issue is that allow_url_fopen is on by default even though, many times, it is never used on a server. Modify the line below in the Linux server's php.ini file, which is typically located in the /etc directory.
Modify php.ini To Disable allow_url_fopen:
- ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
- allow_url_fopen = Off
By default, allow_url_fopen is set to On. Once you have changed the setting to “Off” you will need to restart Apache for the change to take effect. You should also verify that allow_url_fopen is not configured in the Apache configuration files or in any .htaccess files, since those would override the php.ini value. If allow_url_fopen is needed for a specific virtual host or a specific directory, you can enable it through Apache so the exception is limited in scope, but you should make sure the code that uses fopen on URLs is secure.
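The check described above as a small script (added here; it is not part of the original post): it reports the effective allow_url_fopen value from a php.ini and lists any Apache or .htaccess line that overrides it. The paths /etc/php.ini, /etc/httpd and /var/www are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed paths: /etc/php.ini,
# /etc/httpd and /var/www (adjust for your distribution).

# Print the effective allow_url_fopen value from a php.ini file. PHP applies
# the last uncommented "allow_url_fopen = ..." line it reads; a file with no
# such line leaves PHP's default, which is On. Prints "On" or "Off".
php_ini_allow_url_fopen() {
    awk '
        /^[[:space:]]*[;#]/ { next }                      # skip comment lines
        /^[[:space:]]*allow_url_fopen[[:space:]]*=/ {
            seen = 1
            sub(/^[^=]*=[[:space:]]*/, "")                # keep only the value
            sub(/[[:space:]]*(;.*)?$/, "")                # drop trailing comment
            gsub(/"/, "")                                 # accept quoted values
            val = tolower($0)
        }
        END {
            if (!seen) { print "On"; exit }               # PHP default
            if (val == "on" || val == "1" || val == "true" || val == "yes")
                print "On"
            else
                print "Off"                               # Off, 0, "", no, false
        }
    ' "$1"
}

# List every php_flag / php_admin_flag / php_value line under the given
# directories (Apache config and .htaccess files) that sets allow_url_fopen.
# Empty output means php.ini is not overridden; each hit needs review.
apache_allow_url_fopen_overrides() {
    grep -rniE '^[[:space:]]*php_(admin_)?(flag|value)[[:space:]]+allow_url_fopen' "$@" 2>/dev/null
    return 0
}

# Usage on a real server (runs only if the assumed php.ini exists).
if [ -f /etc/php.ini ]; then
    echo "php.ini allow_url_fopen: $(php_ini_allow_url_fopen /etc/php.ini)"
    echo "Apache/.htaccess overrides (empty is good):"
    apache_allow_url_fopen_overrides /etc/httpd /var/www
fi
```

Note that `php -r 'var_dump(ini_get("allow_url_fopen"));'` shows the CLI's effective value, which may come from a different php.ini than the one Apache's mod_php loads, so check the file Apache actually uses.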