[theme-reviewers] Is there really any point for blocking direct file access in a WP theme?

Otto otto at ottodestruct.com
Tue Jan 3 04:32:06 UTC 2012


On Mon, Jan 2, 2012 at 10:20 PM, Robert Ambartsumov
<robert6292 at gmail.com> wrote:
> i.e. by using something like below on top of every php file
>
> defined('ABSPATH')
> or die('no direct access');
>
> except for the aesthetics point, is there any point at all?

In some cases, direct file accessing for known filenames like this can
be exploited to allow for security vulnerabilities, although this is
rare.

On some hosting configurations, directly accessing files can reveal
local path information. This is called a "path disclosure" and it is
also the case sometimes in core, which is why we recommend not having
"display_errors" enabled on a production site.

It doesn't hurt anything to check for ABSPATH and die if it's
undefined, generally speaking.

-Otto
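The guard in the quoted snippet works because wp-load.php (via wp-config.php) defines ABSPATH before any theme file is included, so a request that reaches the file directly arrives with ABSPATH undefined. Below is an added example, not code from this thread or from WordPress, that turns the point into a check a theme reviewer can run: it walks a theme directory and lists PHP files whose first statement is not an ABSPATH guard. The theme directory, file names and their contents are constructed for the demo; the function names has_abspath_guard and find_unguarded are hypothetical.

```php
<?php
// Added example, not code from the original thread or from WordPress itself.
// Audits a theme directory for PHP files that lack the ABSPATH guard
// discussed above. The directory and sample files are constructed for the demo.

/**
 * Returns true when the first executable statement of the file checks
 * defined('ABSPATH'). Both common forms are accepted:
 *   defined( 'ABSPATH' ) or die( 'No direct access' );
 *   if ( ! defined( 'ABSPATH' ) ) { exit; }
 * Inline HTML before any PHP counts as unguarded, because that markup is
 * already sent to the browser before a later guard could run.
 */
function has_abspath_guard( string $path ): bool {
    $first = '';
    foreach ( token_get_all( (string) file_get_contents( $path ) ) as $tok ) {
        if ( is_array( $tok ) ) {
            [ $id, $text ] = $tok;
            if ( $id === T_INLINE_HTML ) {
                break;
            }
            // The opening tag, whitespace and comments are not statements.
            if ( in_array( $id, [ T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT ], true ) ) {
                continue;
            }
            $first .= $text;
        } else {
            $first .= $tok;
            if ( $tok === ';' ) {
                break; // end of the first statement (or of the exit inside the if-block)
            }
        }
    }
    return (bool) preg_match( '/\bdefined\s*\(\s*[\'"]ABSPATH[\'"]\s*\)/', $first );
}

/**
 * Walks $theme_dir recursively and returns the relative paths of PHP files
 * without a guard, sorted for stable output.
 */
function find_unguarded( string $theme_dir ): array {
    $unguarded = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $theme_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        if ( ! has_abspath_guard( $file->getPathname() ) ) {
            $unguarded[] = substr( $file->getPathname(), strlen( $theme_dir ) + 1 );
        }
    }
    sort( $unguarded );
    return $unguarded;
}

// Demo: build a constructed mini-theme in a temp directory and audit it.
$theme = sys_get_temp_dir() . '/abspath-demo-' . getmypid();
mkdir( $theme . '/inc', 0700, true );
file_put_contents( $theme . '/functions.php',
    "<?php\n/** Theme setup */\ndefined( 'ABSPATH' ) or die( 'No direct access' );\nadd_action( 'init', 'demo_init' );\n" );
file_put_contents( $theme . '/inc/helpers.php',
    "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n    exit;\n}\nfunction demo_init() {}\n" );
file_put_contents( $theme . '/sidebar.php',
    "<?php\n// No guard: requested directly, get_sidebar() is undefined and the\n// resulting fatal error can print this file's absolute path.\nget_sidebar();\n" );

foreach ( find_unguarded( $theme ) as $rel ) {
    echo "unguarded: $rel\n";
}

// Remove the constructed files again.
unlink( $theme . '/functions.php' );
unlink( $theme . '/inc/helpers.php' );
unlink( $theme . '/sidebar.php' );
rmdir( $theme . '/inc' );
rmdir( $theme );
```

Run it with `php audit.php`; of the three constructed files only sidebar.php is reported, since functions.php and inc/helpers.php open with a guard. The token-based check is deliberate: a plain text search for "ABSPATH" would also accept a guard buried after a function call, which is exactly the case where a direct request still triggers the undefined-function fatal error and, with display_errors on, the path disclosure Otto describes.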

