security - WordPress restrict plugin file direct access


I am developing a WordPress plugin, but before that I checked the code of a few plugins that have already been developed. I have seen a common approach to restrict direct access, where the plugin developer starts the plugin code with the following line:

//  If accessed directly, abort
if ( ! defined( 'WPINC' ) ) {
    die;
}

This is in the plugin index file. My question is: when we install the plugin, this is the first file to be executed, so where is it defined before, and why does it not abort the execution of the file?

asked Feb 9, 2016 at 18:44 by Mehar; edited Nov 8, 2018 at 8:17 by Krzysiek Dróżdż

3 Answers

Question 1. so where it is defined before
Answer:

It is defined in WordPress core.

Here is a quick online reference, or for a local reference take a look at the following file in the root of WordPress: wp-settings.php. In that file (around line 18) the following code is shown:

define( 'WPINC', 'wp-includes' );
Question 2. and it is not abort the execution on the file
Answer:

The use (the goal, so to say) of it is to protect plugins from direct access (from the outside, preventing any unauthorized access to your code).
There are two ways to achieve this protection: some developers use WPINC and others use ABSPATH, as in:

  • if (!defined('ABSPATH')) exit; (or replace exit with die("No cheating!") or other text)
  • if ( ! defined( 'WPINC' ) ) die; (or use exit in the same way as above)

Both are defined as follows:

  • define( 'ABSPATH', dirname(dirname(__FILE__)) . '/' );
  • define( 'WPINC', 'wp-includes' );

dirname (generic PHP) simply returns the directory from a full path.
wp-includes is pretty self-explanatory.

You are free to decide which to use. I personally think there is no real right way, both have the same purpose. I use only ABSPATH, but it is all up to your personal preference.
Just remember to add it directly below the header section or at least near the top of your plugin.

WPINC is defined by WP before plugins are loaded; so, the fact that it is already defined indicates the plugin is being loaded by WP rather than a direct request.

You can also use this one. It is defined in the Akismet Anti-Spam plugin.

// Make sure we don't expose any info if called directly
if ( !function_exists( 'add_action' ) ) {
    echo 'Hi there!  I\'m just a plugin, not much I can do when called directly.';
    exit;
}
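The load-order argument made in the answers above (WP core defines WPINC in wp-settings.php before any plugin file is included, so a direct request to the plugin file finds it undefined) can be observed end to end. The following is an added example, not code from the question, the answers, WordPress or Akismet: the bootstrap function, the demo plugin body and the temporary file path are constructed for the demonstration; only the constant names and values (WPINC, ABSPATH) are taken from the answers. It writes a guarded plugin file, includes it the way WordPress would, and then requests it directly in a separate PHP process so no constant leaks between the two paths.

```php
<?php
// Added example (not from the original answers or from WordPress):
// shows both code paths of the "abort if accessed directly" guard.
// bootstrap_like_wordpress(), DEMO_PLUGIN_SOURCE and the temp file are constructed.

declare(strict_types=1);

// Stand-in for wp-settings.php: core defines these constants before any plugin
// file is included, which is what makes them usable as a "loaded by WP" marker.
function bootstrap_like_wordpress(): void {
    if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );   // core: dirname(dirname(__FILE__)) . '/'
    }
    if ( ! defined( 'WPINC' ) ) {
        define( 'WPINC', 'wp-includes' );     // core: wp-settings.php, around line 18
    }
}

// Constructed plugin main file. The first statement is the guard under discussion.
const DEMO_PLUGIN_SOURCE = <<<'PHP'
<?php
/*
Plugin Name: Demo Guard Plugin (constructed for this example)
*/

// If accessed directly, abort: WPINC only exists once WP core has run first.
// Equivalent alternatives quoted in the answers: defined('ABSPATH') or
// function_exists('add_action').
if ( ! defined( 'WPINC' ) ) {
    die( 'No direct access.' );
}

// Everything below only ever runs inside WordPress.
echo 'plugin loaded by WordPress; WPINC=' . WPINC . "\n";
PHP;

// Write the plugin to a temporary file so it can be both required and requested directly.
function write_demo_plugin(): string {
    $path = sys_get_temp_dir() . '/wp_demo_plugin_' . bin2hex( random_bytes( 4 ) ) . '.php';
    file_put_contents( $path, DEMO_PLUGIN_SOURCE );
    return $path;
}

// Path 1: a WordPress request. Core bootstraps (defining WPINC), then includes the plugin.
function load_via_wordpress( string $pluginFile ): void {
    bootstrap_like_wordpress();
    require $pluginFile;                     // guard passes, plugin code runs
}

// Path 2: a direct request, i.e. the plugin file itself is the script entry point.
// Run in a separate PHP process so nothing defined in this process leaks in.
function load_directly( string $pluginFile ): string {
    $cmd = escapeshellarg( PHP_BINARY ) . ' ' . escapeshellarg( $pluginFile );
    return trim( (string) shell_exec( $cmd ) );   // guard fails: only the die() message is returned
}

$pluginFile = write_demo_plugin();
echo 'direct request -> ', load_directly( $pluginFile ), "\n";
echo 'wordpress request -> ';
load_via_wordpress( $pluginFile );
unlink( $pluginFile );
```

Run it with the PHP CLI; the direct path prints only the die() message while the WordPress path prints the plugin's own output. In a real deployment the direct path is an HTTP request for wp-content/plugins/&lt;plugin&gt;/&lt;file&gt;.php, which the web server hands to PHP without wp-load.php or wp-settings.php ever running, so the guard is the only thing standing between the request and the rest of the file.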