Check: Allowing Direct File Access to plugin files #603
Labels: Checks (Audit/test of the particular part of the plugin); [Team] Plugin Review (Issues owned by Plugin Review Team)
This check is meant to prevent direct file access when someone requests a file directly.
For files that only contain a PHP class the risk of something funky happening when directly accessed is pretty small. For files that contain procedural code, functions and function calls, the chance of security risks is a lot bigger.
We can avoid this by putting this code at the top of all PHP files that could potentially execute code if accessed directly:
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
What we actually do in the internal scanner:
Finally, in the results we list all files that do not contain this header.
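One way such a check could be written, as an added example (this is not the Plugin Check scanner's own code; `normalize_php`, `has_abspath_guard`, `files_missing_guard` and the sample files are assumptions made for illustration). It tokenizes each file and reports those whose first statement, after any `declare`/`namespace`/`use` lines, is not the `ABSPATH` test, so a guard placed after other code is reported too:

```php
<?php
// Added example; function names are hypothetical, not Plugin Check's API.

/** Replace the open tag, whitespace and comments with single spaces. */
function normalize_php( string $source ): string {
	$code = '';
	$skip = array( T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT );
	foreach ( token_get_all( $source ) as $token ) {
		list( $id, $text ) = is_array( $token ) ? $token : array( null, $token );
		$code .= in_array( $id, $skip, true ) ? ' ' : $text;
	}
	return ltrim( $code );
}

/**
 * True when the ABSPATH test is the first statement after declare/namespace/use.
 * Limitation: a braced guard that runs other statements before exit is not recognised.
 */
function has_abspath_guard( string $source ): bool {
	$defined  = 'defined\s*\(\s*[\'"]ABSPATH[\'"]\s*\)';
	$preamble = '(?:(?:declare\s*\([^)]*\)|namespace\s+[^;{]+|use\s+[^;]+)\s*;\s*)*';
	$guard    = '(?:if\s*\(\s*!\s*' . $defined . '\s*\)\s*\{?\s*(?:exit|die|return)\b'
		. '|' . $defined . '\s*(?:\|\||or)\s*(?:exit|die)\b)';
	return 1 === preg_match( '~^' . $preamble . $guard . '~', normalize_php( $source ) );
}

/** Given path => source, return the paths that lack the guard. */
function files_missing_guard( array $files ): array {
	$missing = array_filter(
		$files,
		function ( $source ) {
			return ! has_abspath_guard( $source );
		}
	);
	return array_keys( $missing );
}

// Constructed sample files (not taken from any real plugin).
$samples = array(
	'guarded.php'    => "<?php\n/**\n * Helpers.\n */\nif ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly\nfunction acme_helper() {}\n",
	'namespaced.php' => "<?php\nnamespace Acme\\Plugin;\n\ndefined( 'ABSPATH' ) || exit;\n",
	'late-guard.php' => "<?php\nadd_action( 'init', 'acme_boot' );\nif ( ! defined( 'ABSPATH' ) ) exit;\n",
	'unguarded.php'  => "<?php\necho acme_render();\n",
);

// Lists the files whose first statement is not the ABSPATH guard.
echo implode( PHP_EOL, files_missing_guard( $samples ) ), PHP_EOL;
```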