Support article
How to Enable and Disable allow_url_fopen in PHP
Learn how to enable or disable allow_url_fopen in PHP from your php.ini file, and understand its security risks.
Introduction
allow_url_fopen is a PHP directive that lets certain scripts open remote files or resources via a URL — for example using http://, https://, or ftp:// — in a similar way to opening a local file.
In some cases, an application, plugin, theme, or custom development may need this option to connect to external resources. However, for security reasons, it’s recommended to keep it disabled if your site doesn’t need it.
In this guide you’ll see how to enable or disable allow_url_fopen from your own php.ini file.
Before you start
This article assumes you already have your own php.ini file installed and available on your hosting service.
If you don’t have your own php.ini file yet, or don’t know how to create one, contact support and we’ll guide you.
What allow_url_fopen does
When allow_url_fopen is enabled, PHP can use file-compatible functions to access remote resources via a URL.
For example, a script could try to open an external resource as if it were a file:
https://example.com/file.txt
This can be useful for certain developments, but it also carries risks if the site’s code doesn’t validate URLs correctly or allows a user to enter external addresses without control.
Why it’s usually disabled
By default, this function may be disabled because it poses a potential security risk.
Enabling it doesn’t automatically mean your site will have a problem, but it does increase the responsibility placed on the code running in your hosting account. That’s why, before enabling it, make sure your application actually needs it.
How to enable allow_url_fopen in PHP
To enable allow_url_fopen, edit your php.ini file and add or modify this line:
allow_url_fopen = on
After saving the file, check your website or application to confirm the change works correctly.
How to disable allow_url_fopen in PHP
To disable allow_url_fopen, edit your php.ini file and change the directive to:
allow_url_fopen = off
Save the changes and test your website again. If the site works correctly, it’s best to keep this option disabled.
Useful tips
Before modifying your php.ini file, save a backup copy of the original file. This will let you restore it quickly if something doesn’t work as expected.
Only enable allow_url_fopen if an application, plugin, or script explicitly requires it. If you’re not sure, check the application’s documentation first or contact support.
Avoid using code that opens external URLs without validation. If a URL can be entered by a user, the script must check it properly before using it.
Don’t confuse allow_url_fopen with allow_url_include. The allow_url_fopen directive allows opening remote resources with compatible functions, while allow_url_include relates to including remote files through statements such as include or require.
Common problems
I enabled allow_url_fopen and my site still shows the same error
Check that you edited the correct php.ini file and that the line is written without errors:
allow_url_fopen = on
It’s also possible your application needs another PHP extension or additional configuration.
I can’t find the php.ini file
If you don’t have your own php.ini file, you need to create or install one according to your hosting service’s instructions. If you’re not sure where to place it, contact support with the affected domain and the change you need to make.
The site shows an error after modifying php.ini
Restore the previous copy of the php.ini file or revert the directive to how it was before. A syntax error in this file can affect how PHP works.
Is it mandatory to enable allow_url_fopen?
No. You should only enable it if an application or development needs it. If your site works correctly with this option disabled, it’s best to leave it that way.
Frequently asked questions
What is allow_url_fopen?
allow_url_fopen is a PHP directive that allows opening remote resources via URL from functions that work with files.
Is it safe to enable allow_url_fopen?
It depends on your site’s code. If the code is well developed and validates URLs correctly, it can be used when necessary. Even so, for security reasons, it’s best to keep it disabled if it isn’t needed.
Where do I change allow_url_fopen?
You change it in your hosting account’s php.ini file, by adding or modifying the corresponding line with on to enable it or off to disable it.
Which value should I use: on or off?
Use on if you need to enable the function:
allow_url_fopen = on
Use off if you want to disable it:
allow_url_fopen = off
Can I enable allow_url_fopen for just one site?
It depends on how your hosting environment is set up and where your php.ini file applies. If you have several sites on the same account and aren’t sure about the scope of the change, check with support before modifying it.
Conclusion
To enable or disable allow_url_fopen in PHP, you just need to edit your php.ini file and set the directive to on or off.
If your application doesn’t need to open remote resources, it’s best to keep this option disabled for security. If you have questions about the php.ini file or the change doesn’t apply correctly, you can contact miHosting support with the affected domain and the setting you need reviewed.