I’ve run across the following snippet in themes from time to time:
if ( ! defined('ABSPATH')) exit('restricted access');
It’s at the beginning of some (all?) PHP files in a theme and it’s supposed to prevent direct access of the file by nefarious sources.
I see that this isn’t included in Twenty Ten or Eleven and I’ve never seen it recommended in official WordPress documentation. It seems like a good idea to me, but I also don’t know enough about security to judge it and can’t find much with Google.
Is this something I should have in my custom themes? If so, should it be in all PHP files or just some?
1 Answer
Usually, you don’t need it. But … there is at least one edge case:
- If a theme file is a template part,
- and it is using global variables from the calling context (parent file),
- and register_globals is
on, - and it is just using these variables without any security check …
… an attacker can call this file, set the missing variables with GET or POST and make the theme file print those out. And then there is a security problem.
So … the best option is not a context check like the one from your example, but good code: avoid global variables, check their content before you print it out.
