What is 🗄️ File inclusion and How to prevent WordPress file inclusion attacks

File inclusion vulnerabilities allow an attacker to read (and sometimes execute) files on the WordPress website, gain unauthorized access to sensitive information and inject malicious files through the “include” functionality.

This can be very dangerous because if the webserver is misconfigured the attacker may gain access to sensitive user information and even execute arbitrary commands.

There are two types of File Inclusion vulnerabilities:

Local File Inclusion (LFI) – With Local File Inclusion (LFI), the hacker uses local files (i.e. files on the target server) when carrying out the attack.

Remote File Inclusion (RFI) – With RFI, the hacker uses a remote file (hosted on another server) when carrying out the attack.

🔴 CVE-2007-5800 BackUpWordPress plugin <=0.4.2 contains remote file inclusion vulnerability that allows anyone to add links to remote files in the backup path and those files will be executed on the server.


🔴 CVE-2018-16299 Localize My Post WordPress plugin =1.0 contains local file inclusion vulnerability that allows anyone to add links to sensitive files hosted on the target server.


LFI vulnerabilities are easy to identify and exploit. Any script that includes a file from a web server should be tested for LFI, for example:


By manipulating the file location parameter:


Which will display /etc/passwd file on a UNIX / Linux based system.

Here are some file upload vulnerability prevention measures to protect your website from LFI and RFI exploits.

Regular updates ensure that all code is part of a secure development lifecycle (SDLC). Meaning that if there are known vulnerabilities inside earlier versions, they are fixed in newer versions and your website is safe from attacks that exploit those vulnerabilities.

When a new version of a plugin or theme is available, an alert bubble is displayed in your WordPress Admin Menu and the corresponding theme or plugin is highlighted on Themes and Plugins Screens.

Since WordPress 5.5, automatic updates are available and you can enable/disable auto-updates on a plugin-by-plugin and theme-by-theme basis.

WordPress security plugins such as WordFence or MalCare have file scanners that will notify you of new or modified files on the server so that you have the time to react if malicious files are uploaded.

Poorly written themes and plugins are prone to vulnerabilities. This is why we recommend only using high-quality themes and plugins. Purchasing software from reputable markets such as Themeforest, CodeCanyon, Evanto, Mojo Marketplace, and others is a smart way to determine its quality.

WordPress plugin developers must adhere to tight standards and security protocols at reputable marketplaces. As a result, the plugins provided on these platforms are well-made and well-maintained.

Files uploaded to your WordPress website are stored in the Uploads folder (wp-content/uploads/) which is stored in the same directory as all WordPress files

If an attacker uploads malicious files in this folder, it will enable him to gain control over the public_html directory, i.e. your entire website.

To stop this from happening you can move the Uploads folder out of the public_html folder but this requires extensive knowledge of WordPress.

Here is a quick guide by Ken McGuire on How to move your WordPress uploads folder

example: this very website!

public_html/The main folder contains only index.php and .htaccess files with rewrite rules from wpxss.com/application to wpxss.com
public_html/applicationWordPress is actually installed in a subdirectory named application
media/wp-content/uploads directory contains only a .htaccess file with rewrite rules, while the actual uploaded files are stored in the media folder

To block PHP file execution in the Uploads folder create a .htaccess file and add the following:

#Block directory browsing
Options All –Indexes

#Disable php file execution
<FilesMatch “\.(php|php\.)$”> 
Order Allow,Deny 
Deny from all

If you do not need the inclusion of remote files, you can set the following in your .htacces and php.ini files to disable the inclusion of remote files:


RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp)://(.*)
RewriteRule ^(.+)$ – [F,L]



Avoid PHP wrappers that can be misused to bypass WordPress input filters such as PHP Zip envelope and expect: // and always follow WordPress Coding Standards.

In this article I’ve covered various built-in WordPress functions that prevent file inclusion attacks.

Was this post helpful?

Leave a Comment