Facebook
Twitter- Server operating system version
- AlmaLinux 8.7
- Plesk version and microupdate number
- Plesk Obsidian Versie 18.0.52 Update #3
Yesterday, I tried the new Sitejet Builder extension. It feels like a great addition. It's easy to use and has lots of options. Kudos to the WebPro team for this extension!
When I tested the contact forms, an error appeared in the error_log about allow_url_fopen:
"AH01071: Got error '
PHP message: PHP Warning: file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /var/www/vhosts/domain.com/api.php on line 204
PHP message: PHP Warning: file_get_contents(https://api.sitehub.io/website/elements/107557859): Failed to open stream: no suitable wrapper could be found in /var/www/vhosts/domain.com/api.php on line 204"
From my experiences in the shared hosting business, enabling allow_url_fopen used to be a security risk. Therefore, I always disable this setting.
What do you guys think of this? Is this still a security risk on a shared hosting server, or am I being paranoid about this setting?
Note that allow_url_include is already disabled, and the insecure PHP functions are also disabled:
"disable_functions=exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen"
When I tested the contact forms, an error appeared in the error_log about allow_url_fopen:
"AH01071: Got error '
PHP message: PHP Warning: file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /var/www/vhosts/domain.com/api.php on line 204
PHP message: PHP Warning: file_get_contents(https://api.sitehub.io/website/elements/107557859): Failed to open stream: no suitable wrapper could be found in /var/www/vhosts/domain.com/api.php on line 204"
From my experiences in the shared hosting business, enabling allow_url_fopen used to be a security risk. Therefore, I always disable this setting.
What do you guys think of this? Is this still a security risk on a shared hosting server, or am I being paranoid about this setting?
Note that allow_url_include is already disabled, and the insecure PHP functions are also disabled:
"disable_functions=exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen"
