Prevent Direct Access to Functions.php in WordPress


WordPress plugins and themes are normally loaded and executed together with the rest of WordPress. However, because each plugin and theme is physically located on your server in the wp-config folder, someone can bypass the normal load order and execute the PHP files directly: they only need to type the right URL into the address bar. A theme file that is requested directly will in most cases throw PHP errors, and those error messages can disclose sensitive information about your server (file paths, PHP version, the code that failed). Depending on the situation this can be a real security risk that helps an attacker compromise your site, so it is always a good idea to prevent direct access to your theme and plugin files.

While the chances of your website being hacked this way may be fairly slim, it does not hurt to safeguard your site against this type of attack. Luckily, disabling direct browser access to plugin and theme .php files is very easy. Earlier we showed you how to protect wp-config.php, .svn folders and .htaccess files using .htaccess; in this article we show you how to prevent direct access to plugin and theme files in WordPress.

Pasting this code snippet into your functions.php will block direct access to the functions.php file from a browser. You can add the same code to all of your theme's PHP files, but make sure to change the file name in the comparison to match each file.

// prevent direct access to functions.php in wordpress
if ( !empty( $_SERVER['SCRIPT_FILENAME'] ) && 'functions.php' == basename( $_SERVER['SCRIPT_FILENAME'] ) ) {
    die( 'Error!' );
}

Alternatively, you can check for the constant ABSPATH to make sure that files are not being accessed directly. When WordPress bootstraps and loads theme files, it has already defined the constant ABSPATH; if it is not defined, WordPress has not run and the file was requested on its own. So paste the following snippet at the top of your theme files to prevent direct access to the PHP file.

// prevent direct access to functions.php in wordpress
if ( ! defined( 'ABSPATH' ) ) die( 'Error!' );
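The two snippets above each catch one way a file can be hit directly: the first is tied to a hard-coded file name, the second to whether WordPress bootstrapped at all. The following is an added example, not code from the original post, that combines both checks into a single guard which can be pasted unchanged at the top of any theme or plugin file. It generalises the file-name comparison by checking the web server's entry script against __FILE__ instead of the literal string 'functions.php', and it returns a 403 rather than a 200 so the refusal is not cached as a successful page. The function name wp_snippet_is_direct_request is a hypothetical name chosen for this example; the only assumption is that the file lives inside a WordPress install and is normally reached through WordPress's own loader.

```php
<?php
/**
 * Added example (not from the original post): a direct-access guard that can
 * be pasted verbatim at the top of any WordPress theme or plugin PHP file.
 *
 * It combines the two checks the article describes:
 *  1. the ABSPATH check: WordPress defines ABSPATH in wp-load.php before any
 *     theme or plugin file is included, so if it is missing WordPress did not run;
 *  2. the entry-script check, generalised from the literal 'functions.php'
 *     comparison to __FILE__, so the snippet needs no per-file editing.
 *
 * Assumption: this file is part of a WordPress install and is meant to be
 * included by WordPress, never requested on its own.
 */

// Hypothetical helper name; returns true when the current request reached
// this file without going through WordPress.
function wp_snippet_is_direct_request(string $this_file): bool
{
    // If WordPress bootstrapped, ABSPATH is already defined by the time any
    // theme or plugin file is included.
    if (! defined('ABSPATH')) {
        return true;
    }

    // Belt and braces: if the web server's entry script *is* this file, the
    // request bypassed index.php regardless of how ABSPATH came to be defined.
    // realpath() normalises symlinks and '..' so the comparison is reliable;
    // it returns false for a missing path, which simply fails the comparison.
    $entry = $_SERVER['SCRIPT_FILENAME'] ?? '';
    if ($entry !== '' && realpath($entry) === realpath($this_file)) {
        return true;
    }

    return false;
}

if (wp_snippet_is_direct_request(__FILE__)) {
    // Refuse with a 403 and a bare body: no stack trace, no paths, nothing
    // about the PHP version for the requester to learn from.
    http_response_code(403);
    exit('Error!');
}

// ... normal theme or plugin code follows here ...
```

The ABSPATH test on its own is the form WordPress core and most plugins use (`if ( ! defined( 'ABSPATH' ) ) exit;`); the extra __FILE__ comparison only matters for a file that could be reached by a path that defines ABSPATH without running the normal loader, which is rare but costs nothing to cover. Keep in mind that this guard stops a directly requested file from running its code; it does not stop the web server from serving the file at all, so it complements, rather than replaces, the .htaccess rules mentioned above.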
