Let us take a closer look at how to disable allow_url_fopen in cPanel and the steps necessary to do so, with the support of our cPanel/WHM support services at Bobcares.
What is allow_url_fopen?
The allow_url_fopen directive lets PHP retrieve information from a remote server. On the majority of shared servers it is deactivated server-wide for all domains. We have to disable it since it poses a severe security risk.
For security reasons, allow_url_fopen is disabled by default in a shared hosting account.
The allow_url_fopen PHP option specifies whether or not PHP is permitted to fetch URL objects such as files. This feature is frequently disabled for security reasons, although some scripts may require it to function properly.
Users who attempt to enable or disable this via the MultiPHP INI Editor in cPanel may notice that their scripts or PHP information pages are not updated.
Disable allow_url_fopen on a Linux/cPanel Server
A website is much more likely to be compromised by attackers if allow_url_fopen is enabled on the server.
So most hosting companies opt to disable it to ensure security, because the chance of a website compromise rises when this directive is active globally on the server.
How to check whether allow_url_fopen is inactive globally?
We can check whether the “allow_url_fopen” is active or not on the server by typing in the following command line:
Command : php -i | grep allow_url_fopen
root@server [~]# php -i | grep allow_url_fopen
allow_url_fopen => On => On
The above server has allow_url_fopen enabled. We disable allow_url_fopen in the main PHP configuration file.
To find the location of the primary PHP configuration file, run the following command:
Command : php -i | grep php.ini
root@server [~]# php -i | grep php.ini
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
After that, we must use the vi editor to change “allow_url_fopen = On” to “allow_url_fopen = Off” in the PHP main configuration file /usr/local/lib/php.ini. Save the changes and then quit.
Users can still enable allow_url_fopen for their website by adding a custom php.ini file to their website’s root directory.
To block users from enabling allow_url_fopen with a custom php.ini, we can use the steps below.
- Add allow_url_fopen to disable_functions.
- After that, use the vi editor to set “disable_functions = allow_url_fopen, fopen” in the PHP configuration file /usr/local/lib/php.ini. Note that listing fopen here disables the fopen() function for local files as well.
- Finally, save the file configurations and exit.
Enable/Disable allow_url_fopen on Easyapache 4 server
We can enable or disable allow_url_fopen on Easyapache 4 server in a few simple steps:
- Firstly, we have to log into the server via SSH as the ‘root’ user.
- After that, to find the PHP configuration file, we have to type the “php --ini” command.
[root@server ~]# php --ini
Configuration File (php.ini) Path: /opt/cpanel/ea-php56/root/etc
Loaded Configuration File: /opt/cpanel/ea-php56/root/etc/php.ini
On the above server, the PHP configuration file is located in /opt/cpanel/ea-php56/root/etc/php.ini.
- After that, we must set “allow_url_fopen = Off” in the above file.
- Finally, we have to restart the web server.
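An added example, not part of the original article: php -i and php --ini report only the php.ini loaded by the command-line PHP, while an EasyApache 4 server keeps a php.ini per installed PHP version and users may add a custom php.ini of their own. The script below reports the allow_url_fopen value of every php.ini under the directories it is given; the function names and the example directories are assumptions, and each file is evaluated on its own, with PHP's built-in default of On when the directive is absent.

```shell
#!/bin/sh
# Added example (not from the original article): audit allow_url_fopen in
# every php.ini under the given directories. Function names are hypothetical.

# Print "On" or "Off" for one ini file, read on its own. The last
# uncommented assignment wins; if the directive is absent, PHP's built-in
# default (On) applies.
effective_allow_url_fopen() {
    awk '
        /^[ \t]*;/ { next }                      # whole-line comment
        /^[ \t]*allow_url_fopen[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)        # strip "name ="
            sub(/[ \t]*;.*$/, "", val)           # strip trailing comment
            sub(/[ \t\r]+$/, "", val)            # strip trailing blanks/CR
            gsub(/"/, "", val)                   # strip optional quotes
            seen = 1; last = tolower(val)
        }
        END {
            if (!seen || last ~ /^(1|on|yes|true)$/) print "On"
            else print "Off"
        }
    ' "$1"
}

# Print "<state> <path>" for each php.ini found below the directories.
# Returns 1 if any file leaves allow_url_fopen enabled, otherwise 0.
audit_php_inis() {
    audit_rc=0
    while IFS= read -r audit_f; do
        [ -n "$audit_f" ] || continue
        audit_state=$(effective_allow_url_fopen "$audit_f")
        printf '%-3s %s\n' "$audit_state" "$audit_f"
        if [ "$audit_state" = "On" ]; then audit_rc=1; fi
    done <<EOF
$(find "$@" -type f -name php.ini 2>/dev/null | sort)
EOF
    return "$audit_rc"
}

# Assumed usage on an EasyApache 4 server (directories are assumptions):
#   sh audit.sh /opt/cpanel /home
if [ "$#" -gt 0 ]; then
    audit_php_inis "$@"
fi
```

A non-zero exit status means at least one file still leaves the directive enabled, which makes the script usable as a check after the edits described above.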
Note that we can also make the same change from WHM:
- Firstly, log in to WHM.
- After that, we have to navigate to the “MultiPHP INI Editor” in WHM.
- Then, click on “MultiPHP INI Editor” under “Software” (from WHM Home, go to Software, then MultiPHP INI Editor).
- After that, we have to click the “Basic Mode” option in the “MultiPHP INI Editor”.
- We can select the PHP version from the dropdown menu.
- Finally, we can use the toggle to disable it.
To conclude, we have gone through why it is necessary to disable allow_url_fopen in cPanel and how easily a website can become vulnerable to attacks. With the support of our cPanel/WHM support services, we have gone through all of the configuration steps to disable the feature easily.