10 min read
Without installing malware or launching brute-force attacks, hackers can still read system files, database information, and sensitive data directly from your website. This is how Local File Inclusion works - silently exploiting poorly controlled file-handling code, operating under the radar until the damage is already beyond recovery. Even more alarming, many websites remain under LFI attacks for long periods without the owners ever realizing it.
This article will help you clearly understand what Local File Inclusion is, how it works, why it is particularly dangerous, and how to prevent it before attackers gain deeper access to your website.
What is Local File Inclusion (LFI)?Link to heading
Local File Inclusion (LFI) is a security vulnerability that occurs when a web application allows users to directly influence the file paths that are loaded or processed on the server, without properly validating or restricting user input.
By manipulating parameters in URLs, forms, or HTTP requests, attackers can force the application to read and display internal files stored on the server. These may include configuration files, log files, database credentials, or even critical system files. In many cases, LFI can also be combined with other techniques to execute malicious code, escalate privileges, and ultimately take full control of the website.
LFI is especially dangerous because it does not require complex exploits, is difficult to detect using standard security checks, and often originates from seemingly harmless code - particularly in PHP applications that use dynamic file-loading functions such as include or require.
>>> Learn more: File upload vulnerabilities in plugins that hackers exploit
How does Local File Inclusion work?Link to heading
Local File Inclusion typically arises from the way PHP applications dynamically load files during content processing. In PHP, functions such as include, require, include_once, and require_once allow one file to be embedded and executed within another.
This mechanism enables developers to reuse code, separate logic from presentation, and build modular systems. However, serious risks emerge when file paths are taken directly from user-supplied input without strict validation.
For example, a website may use a page parameter to determine which content to display:
include($_GET['page'] . '.php');
Under normal circumstances, the application expects values like home, about, or contact. But without proper validation, attackers can manipulate this parameter to request files outside the intended scope.
This is where Path Traversal techniques come into play. By inserting sequences such as ../, attackers can move up through parent directories and access sensitive locations on the server. For example:
?page=../../../../etc/passwd
When this parameter is passed directly into the include function, the application attempts to load a system file instead of a legitimate page template. In many cases, attackers can read configuration files, log files, database connection details, or other critical internal data.
The root cause of LFI is misplaced trust in user input. Parameters such as page, file, or module are often assumed to be harmless and are used directly to determine which files are loaded. Without a whitelist, fixed base directories, or proper filtering of dangerous characters, user input effectively gains full control over the file-loading process.
It is precisely this combination of flexible include/require mechanisms, directory traversal capabilities, and inadequate input validation that makes Local File Inclusion a common, easily exploitable vulnerability with severe consequences for PHP applications.
Why is Local File Inclusion extremely dangerous?Link to heading
Reading configuration files and sensitive informationLink to heading
Through LFI, attackers can access application configuration files, database connection files, log files, and other sensitive resources. These files often contain database usernames and passwords, API keys, authentication tokens, or internal directory structures.
Once exposed, this information allows attackers to fully understand how the system operates and provides everything needed to launch deeper, more sophisticated attacks - often without immediate detection by the website owner.
Escalation to Remote Code ExecutionLink to heading
In many real-world scenarios, LFI can be combined with other techniques to escalate into Remote Code Execution (RCE). For example, attackers may inject malicious code into log files, session files, or temporary files, then use LFI to include those files and force PHP to execute the injected code.
Once RCE is achieved, attackers can run system commands, install backdoors, download additional malware, or remotely control the server - turning what initially appeared to be a “read-only” vulnerability into a full-scale security disaster.
Full takeover of the website and serverLink to heading
After successfully exploiting Local File Inclusion and escalating privileges, attackers can gain complete control over the website and potentially the entire server. They may modify or delete data, install malicious scripts, create hidden administrator accounts, use the server to attack other systems, or distribute spam and malware.
For business websites, the consequences extend far beyond data loss. They include service downtime, revenue loss, damage to brand reputation, and serious legal and compliance risks.
Signs a website may be under LFI attackLink to heading
Unusual access logsLink to heading
One of the most noticeable signs that a website is being exploited via Local File Inclusion is the presence of abnormal requests in access logs. You may observe URL parameters containing strings such as ../, %2e%2e%2f, ..%252f, or other encoded variations. These requests typically target parameters like page, file, or module to probe whether the application can be forced to load unauthorized files.
In addition, server logs may show a high volume of repeated requests within a short period, each testing different paths. This pattern indicates that the attacker is systematically identifying which files can be accessed through an LFI vulnerability.
Unauthorized access to system filesLink to heading
When LFI is successfully exploited, the system may record access to files that fall outside the website’s normal execution flow. These can include configuration files, internal log files, or even system-level files such as /etc/passwd, which are read or loaded through the web application. In some cases, the contents of these files may be displayed directly on the website, returned in HTTP responses, or recorded in error logs.
This is a critical warning sign, showing that the attacker has bypassed path control mechanisms and is exploiting LFI at a deeper level.
Abnormal website behavior with no clear causeLink to heading
LFI does not always cause immediate errors, but it can lead to unexplained and inconsistent website behavior. Pages may display incorrect content, load the wrong files, trigger random PHP errors, or behave unpredictably across different visits.
In more dangerous scenarios, when LFI is combined with malicious code execution, the website may become unusually slow, initiate suspicious outbound connections, or have backdoors installed without the administrator’s knowledge. These “hard-to-explain” symptoms are often early indicators of a serious security issue, with Local File Inclusion being a key possibility that should be investigated immediately.
Why websites are vulnerable to Local File InclusionLink to heading
Uncontrolled file inclusion in codeLink to heading
The most common cause of Local File Inclusion lies in poorly controlled file inclusion practices. In many web applications - especially those written in PHP - developers rely on functions such as include, require, include_once, or require_once to load dynamic content. When file paths are constructed flexibly without strict constraints, the application may load files based directly on user-supplied values.
If valid directories are not restricted or allowed files are not explicitly defined, attackers can exploit this mechanism to reference internal files outside the intended scope, resulting in an LFI vulnerability.
Overtrusting user inputLink to heading
Another serious mistake is placing excessive trust in user input. Parameters like page, view, template, or module are often used to determine displayed content, yet they are sometimes passed directly into include functions without proper validation, filtering, or normalization. Any data provided by users can be manipulated.
Without whitelisting, removal of dangerous characters, or strict input format enforcement, user input becomes a tool that allows attackers to control the file-loading process and exploit Local File Inclusion with ease.
Outdated WordPress plugins and themesLink to heading
For WordPress websites, outdated plugins and themes are a major contributor to the prevalence of LFI vulnerabilities. Many plugins or themes are developed rapidly, lack thorough security reviews, or are not regularly updated to patch known flaws.
When these components use dynamic file inclusion mechanisms without timely fixes, attackers can exploit even minor weaknesses to read internal files or pave the way for more severe attacks. Using plugins or themes from untrusted sources, or those that are no longer maintained, further increases the risk of Local File Inclusion.
Effective ways to prevent Local File InclusionLink to heading
Never pass file paths from user input into include/require functionsLink to heading
Never use any user input (GET, POST, COOKIE, HEADER, etc.) to directly determine which file is included. This approach completely eliminates LFI vulnerabilities because there is no attack surface for attackers to manipulate file paths.
Example:
$pages = ['home' => 'views/home.php','about' => 'views/about.php','contact' => 'views/contact.php','blog' => 'views/blog.php'];$page = $_GET['page'] ?? 'home';if (array_key_exists($page, $pages)) {include $pages[$page];} else {include $pages['home']; // or display a 404 page}
Or use numeric IDs instead of file names:
$page_id = (int)$_GET['id'];$allowed = [1 => 'home.php', 2 => 'about.php', 3 => 'contact.php'];if (isset($allowed[$page_id])) {include "views/" . $allowed[$page_id];} else {// 404 error}
Apply a strict whitelist (if user input must be used to select files)Link to heading
- Create a whitelist of files that are explicitly allowed to be included.
- Accept only values present in the whitelist and reject everything else.
- Do not rely on blacklists (blocking ../, ../.., %00, etc.), as they are easily bypassed.
Example:
$allowed_files = ['home.php', 'about.php', 'contact.php', 'news.php'];$page = $_GET['page'] ?? 'home';$page = basename($page); // remove any ../ path traversalif (in_array($page, $allowed_files, true)) {include "pages/" . $page;} else {http_response_code(404);die("Page not found");}
Combine technical measures for stronger protectionLink to heading
Use realpath() and verify the base directory:
$base_dir = realpath(__DIR__ . '/pages/');$requested = realpath($base_dir . '/' . $_GET['page'] . '.php');if ($requested !== false && strpos($requested, $base_dir) === 0) {include $requested;} else {// deny access}
Note: Ensure that the file resides strictly within the allowed directory and cannot escape it.
- Avoid using dangerous functions with untrusted input: include(), require(), file_get_contents(), readfile(), etc.
- If possible, switch to a secure template engine (such as Twig or Blade) with sandboxing.
Configure the PHP server (php.ini)Link to heading
Disable dangerous features:
allow_url_include = Off ; prevent RFI (Remote File Inclusion)allow_url_fopen = Off ; if reading files from URLs is not requireddisable_functions = phpinfo, system, exec, shell_exec, passthru, popen, proc_open, show_source, ...open_basedir = /var/www/html ; restrict directories PHP can access
Using open_basedir ensures PHP can only read files within the web root. Even if LFI occurs, attackers will struggle to access files like /etc/passwd.
Additional protective measuresLink to heading
- Use a Web Application Firewall (WAF) to block common LFI payloads (../, /etc/passwd, php://filter, etc.).
- Strictly validate input: allow only alphanumeric characters, underscores, and dots (if file extensions are required).
- Log and monitor suspicious requests (multiple ../ sequences, keywords such as etc/passwd, proc/self).
- Keep PHP updated (at least PHP 8.x) to avoid legacy attack vectors such as null byte injection (%00).
>>> W7SFW is a dedicated firewall designed specifically for WordPress, built to block malicious traffic at the perimeter. With a Blacklist All approach combined with Default Rules + Whitelisting, W7SFW effectively mitigates common threats such as LFI, SQL Injection, XSS, brute force attacks, and exploits targeting outdated plugins or themes.
Activate W7SFW today to proactively secure your WordPress website, reduce the risk of hacking, and operate with peace of mind - without complex technical intervention.
ConclusionLink to heading
Local File Inclusion is not a new vulnerability, yet its severity is still widely underestimated. A single poorly controlled include statement can allow attackers to read sensitive files, escalate to remote code execution, and ultimately take full control of the website - or even the server. Rather than reacting after an incident occurs, website owners and developers must proactively prevent LFI from the very beginning.
Only by treating security as a core part of daily operations can a website remain stable, secure, and sustainable in the long term.