Prevent Direct Access to Your WordPress Plugin Files


As a plugin developer, you have to take care of every security aspect of your plugin and of the site where it will be installed. WordPress is such a popular CMS that it is not hard to guess the URL of your plugin files. Hackers will gain an advantage if they get a chance to look into your code, so it is important to prevent direct access to your plugin files.

There are two ways to do that.

1) Allow WordPress to load first, then run the plugin code

Let's assume you have a plugin named “Example” containing a file named example.php, which prints the current post ID using the get_the_ID() function. If someone accesses your plugin file through its direct URL (for example: yoursite.com/wp-content/plugins/Example/example.php), it will show an error saying that the function “get_the_ID” does not exist. This means WordPress is not loaded when your plugin files are accessed directly.

Some functions are available as soon as WordPress has loaded, such as “add_action” (popularly known as WordPress hooks).
So first check whether the function “add_action” exists, to confirm that WordPress has loaded properly.

Example:

<?php
// Make sure we don't expose any info if called directly
if ( !function_exists( 'add_action' ) ) {
  echo 'Hi there!  I\'m just a plugin, not much I can do when called directly.';
  exit;
}

 

2) Check whether the ABSPATH constant is defined

This is a WordPress constant which is defined in wp-config.php and gives you your WordPress installation path. It is also available as soon as WordPress loads, so you can use it as well to prevent direct access.

Example:

<?php
// ABSPATH is only defined once WordPress itself has loaded
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Exit if accessed directly
}
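
As an added example (not part of the original post or of WordPress), this Python script audits a plugin directory for PHP files whose first executable statement is not one of the two checks above. The sample plugin files, the inc/ layout and all function names are constructed for illustration, and the short `defined( 'ABSPATH' ) || exit;` form is accepted too, which goes beyond the two forms shown in this post.

```python
import re
import tempfile
from pathlib import Path

# The two checks from the article; also accepted in the short "|| exit" form.
_CALL = (r"(?:defined\s*\(\s*['\"]ABSPATH['\"]\s*\)"
         r"|function_exists\s*\(\s*['\"]add_action['\"]\s*\))")
GUARD = re.compile(rf"if\s*\(\s*!\s*{_CALL}|{_CALL}\s*(?:\|\||or)\s*(?:exit|die)\b")
# PHP comments: /* ... */, // ..., # ... (but not #[ attributes).
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#(?!\[)[^\n]*", re.S)
# Statements that may legitimately come before the guard.
PREAMBLE = re.compile(r"(?:namespace\s|use\s|declare\s*\()")


def has_guard(source: str) -> bool:
    """True if the first executable statement tests ABSPATH or add_action.
    Only the condition is checked, not that the body really exits."""
    code = re.sub(r"^\s*<\?php", "", COMMENTS.sub("", source), count=1)
    for line in code.splitlines():
        line = line.strip()
        if line and not PREAMBLE.match(line):
            return bool(GUARD.match(line))
    return False


def unguarded_files(plugin_dir) -> list:
    """Relative paths of .php files under plugin_dir without a leading guard."""
    root = Path(plugin_dir)
    return sorted(
        p.relative_to(root).as_posix() for p in root.rglob("*.php")
        if not has_guard(p.read_text(encoding="utf-8", errors="replace")))


def demo() -> list:
    """Scan a constructed sample plugin: two guarded files, one unguarded."""
    samples = {
        "example.php": "<?php\n// Main file\nif ( ! defined( 'ABSPATH' ) ) {\n"
                       "    exit;\n}\necho get_the_ID();\n",
        "inc/hooks.php": "<?php\nif ( !function_exists( 'add_action' ) ) {\n"
                         "  exit;\n}\n",
        "inc/report.php": "<?php\necho get_the_ID();\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return unguarded_files(tmp)
```

Run `unguarded_files()` against your own plugin folder before a release; any file it lists still runs its code when requested by direct URL.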

 

 

 

 

 

 
