Worthwhile to restrict direct access of theme files?

I’ve run across the following snippet in themes from time to time:

if ( ! defined('ABSPATH')) exit('restricted access');

It’s at the beginning of some (all?) PHP files in a theme and it’s supposed to prevent direct access of the file by nefarious sources.

I see that this isn’t included in Twenty Ten or Eleven and I’ve never seen it recommended in official WordPress documentation. It seems like a good idea to me, but I also don’t know enough about security to judge it and can’t find much with Google.

Is this something I should have in my custom themes? If so, should it be in all PHP files or just some?


Usually, you don’t need it. But … there is at least one edge case:

  • If a theme file is a template part,
  • and it is using global variables from the calling context (parent file),
  • and register_globals is on,
  • and it is just using these variables without any security check …

… an attacker can call this file, set the missing variables with GET or POST and make the theme file print those out. And then there is a security problem.

So … the best option is not a context check like the one from your example, but good code: avoid global variables, check their content before you print it out.

Leave a Comment