WordPress.org


Block direct access to files (1 post)

  1. zeroday
    Member
    Posted 5 years ago #

    AFAIK, WordPress allows direct access to any file. My suggestion for this is to have a constant defined in index.php or somewhere, which must be defined if the file will be loaded.

    Eg:

    Index.php:

    <?php
    // Entry point: define the marker constant before loading anything else.
    define('_IN_WP', true);
    // ...
    ?>

    wp-includes/*.php

    <?php
    // Stop immediately unless the entry point has defined the marker constant.
    defined('_IN_WP') or die();
    // ...
    ?>

    etc.

    I'm not sure if not having this could be a security risk (e.g. wp-includes/somefile.php?SQL-INJECTION-HERE), but it makes sense to prevent files from loading unless WP is loading them internally. Also, you might get people directly accessing files to make them spit out PHP errors to get a clearer pic of the site structure.
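
A defender-side check for the guard proposed in the post above, as an added example that is not part of the original post or of WordPress itself: it reports PHP files whose first statement is not the constant guard, so a guard placed after a `require` or left inside a comment is flagged. The function names, the `entry_points` parameter and the sample sources are assumptions constructed for illustration; `_IN_WP` is the constant name used in the post.

```python
import re
from pathlib import Path

# Strip PHP comments (/* */, //, #) so a guard that only appears in a comment does not count.
# Simplification: comment markers inside string literals are not handled.
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def guard_pattern(constant):
    # PHP keywords are case-insensitive; constant names are case-sensitive.
    defined = r"(?i:defined)\s*\(\s*['\"]" + re.escape(constant) + r"['\"]\s*\)"
    stop = r"(?i:die|exit)\b"
    return re.compile(
        r"\A\s*<\?(?i:php)\s*(?:"
        + defined + r"\s*(?:(?i:or)|\|\|)\s*" + stop                    # defined('X') or die();
        + r"|(?i:if)\s*\(\s*!\s*" + defined + r"\s*\)\s*\{?\s*" + stop  # if (!defined('X')) exit;
        + r")"
    )

def has_guard(source, constant="_IN_WP"):
    """True only if the guard is the first statement after the opening tag."""
    return bool(guard_pattern(constant).match(_COMMENTS.sub("", source)))

def audit(root, constant="_IN_WP", entry_points=("index.php",)):
    """Return sorted relative paths of .php files under root that lack the guard."""
    root = Path(root)
    missing = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if rel in entry_points:
            continue  # entry points define the constant instead of checking it
        text = path.read_text(encoding="utf-8", errors="replace")
        if not has_guard(text, constant):
            missing.append(rel)
    return sorted(missing)

# Constructed sample sources (not real WordPress files).
SAMPLES = {
    "guarded.php": "<?php\ndefined('_IN_WP') or die();\nfunction f() {}\n",
    "late_guard.php": "<?php\nrequire 'db.php';\ndefined('_IN_WP') or die();\n",
    "commented.php": "<?php\n// defined('_IN_WP') or die();\necho 1;\n",
    "if_form.php": "<?php\nif ( ! defined( '_IN_WP' ) ) { exit; }\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name}: {'ok' if has_guard(src) else 'MISSING GUARD'}")
```
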

Topic Closed

This topic has been closed to new replies.
