Hardening PHP Configuration When it comes to security, ignorance is definitely not blissful. There are several methods to increase the security of your PHP environment. In this article I will discuss how to secure PHP by hardening PHP 5 configuration. 1. allow_url_fopen ( enabled by default ) This directive allows PHP's file functions ( file_get_contents, include and require statements ) to retrieve data from remote locations, like FTP or HTTP. If an attacker can manipulate the arguments to those functions, they can use a URL under their control as the argument and run their own remote scripts. The vulnerability is called Remote file inclusion or RFI. ; Disable allow_url_fopen in php.ini for security reasons allow_url_fopen = Off The setting can also be applied in apache's httpd.conf : # Disable allow_url_fopen for security reasons php_admin_flag allow_url_fopen Off It prevents URLs from being used in PHP. A command like include ("http://...