Support » Plugins » preventing random access to plugin files

  • an automated process attempted to directly access some PHP files in a plugin.
    The result(s) were random PHP errors in the log file.
    Clearly the plugin writer assumed that access would always be by “an acceptable path”.

    Would this be a bad thing to do to keep me safe from plugin misbehavior?

    1. create a .htaccess file in the plugins directory
    2. add php_value auto_prepend_file /path…/abs.php

    where abs.php is

    if (!defined('ABSPATH')) exit;

    The intention is to have every PHP file quit before doing anything if not being called in the WordPress environment.


Viewing 2 replies - 1 through 2 (of 2 total)
  • Lance Willett




    Did the errors all come from that same plugin? Plugin authors should be using security checks in their code to avoid access from outside the WP environment. For example, the check_admin_referer function checks if the referrer is accessing the page from the admin site, and has a valid nonce value (more on WordPress nonces).

    I’d suggest posting this topic to the WP-Hackers mailing list as well to see if anyone there has hardened their setup to avoid such random access. Here’s a possibly related thread on that list (from the plugin author’s viewpoint).

    Note: there may already be a WordPress plugin that does this type of security check. See

    Here’s another WordPress security tactic that also uses htaccess to limit access: Securing WordPress: A passive method for preventing unauthorized requests to wp-admin and wp-login.php.

    I agree that plugin authors *should* check to make sure that they are only called within the WP environment. That should be part of the guide to creating plugins (and themes?)

    One simple example is this one

    PHP Fatal error: Call to undefined function add_action() in /path-to-wordpress/wp-content/plugins/hello.php on line 60

    Seems that the simple, demo plugin would be a good place to “show by example”

    The biggest “problem” is having to create the .htaccess file with the full path to the source PHP program to be executed.

    For the time being I have placed my special .htaccess file in ./wp-content/ and added the line
    Options -Indexes

    just in case the wordpress blog is located in a directory that would allow Apache to show a list of files in the absence of an index file like index.php or index.html. This particular case is handled by the having “index.php” files in ./wp-content/, ./wp-content/plugins/, ./wp-content/themes/ directories, but that doesn’t solve the problem of the actual themes or plugins.

    Another example is


    which generates this error

    PHP Fatal error: Call to undefined function get_header() in /path-to-wordpress/wp-content/themes/default/index.php on line 7

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘preventing random access to plugin files’ is closed to new replies.