How To Secure WordPress Plugin From Direct File Access And Execution

The most current version as of .

WordPress offers little protection against direct access to its own files. Every file in the root of a WordPress installation, and in any of its subdirectories, can be requested directly, because a WordPress installation lives in the DocumentRoot of the web server, and the web server serves every file and folder below that directory publicly.

That is a WordPress-specific problem. Modern web frameworks follow a different model: the application files live in a private directory that the web server is not configured to serve, and the framework hands the web server only the generated output. The application code stays on the server and produces what is shipped to the user, but the code itself is never visible to the outside.

Because WordPress does nothing of the kind, WordPress developers rely on other methods to protect the web application.

One concept is to check at the top of each .php file for the existence of a security constant. That check ensures the script's logic only runs when the constant was defined by the script that includes the file, not when the file is requested directly.

This applies not only to core files but to every WordPress plugin directory as well.

So how do we make sure that .php files are only executed by the WordPress core and cannot be triggered through URL access from the outside?

Well, the best approach is to override the web server configuration for your plugin folder. This way, we tell the web server to deny any direct requests to plugin source files.

To do so, let’s place a .htaccess file in your plugin directory and add the following contents to it:

# Apache 2.2 (mod_access_compat) syntax; on Apache 2.4 the equivalent directive is "Require all denied"
Deny From All
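As an added check that is not part of the original post, the following Python script audits a plugin directory for both measures described above: every .php file should carry the constant check near its top (WordPress defines ABSPATH for this purpose, and that is the constant assumed here), and the directory's .htaccess should contain a deny-all directive, either the Apache 2.2 `Deny from all` or the 2.4 `Require all denied`. The sample plugin it scans is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Matches the conventional guard in its common spellings, e.g.
#   if ( ! defined( 'ABSPATH' ) ) { exit; }     or     defined( 'ABSPATH' ) || exit;
GUARD_RE = re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)")
# Apache 2.2 (mod_access_compat) and 2.4 (mod_authz_core) spellings of "deny everything".
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)


def has_abspath_guard(source: str, head_lines: int = 20) -> bool:
    """True if the ABSPATH check appears within the first `head_lines` lines of the file."""
    return bool(GUARD_RE.search("\n".join(source.splitlines()[:head_lines])))


def htaccess_denies_all(htaccess: Path) -> bool:
    """True if the plugin's .htaccess exists and carries a deny-all directive."""
    return htaccess.is_file() and bool(DENY_RE.search(htaccess.read_text()))


def audit_plugin(plugin_dir: str) -> dict:
    """List .php files lacking the guard and report whether .htaccess backs them up."""
    root = Path(plugin_dir)
    unguarded = sorted(
        str(p.relative_to(root)).replace("\\", "/")
        for p in root.rglob("*.php")
        if not has_abspath_guard(p.read_text())
    )
    return {"unguarded": unguarded, "htaccess_ok": htaccess_denies_all(root / ".htaccess")}


def build_sample_plugin() -> str:
    """Constructed sample plugin: one guarded file, one unguarded file, plus an .htaccess."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugin-"))
    (root / "includes").mkdir()
    (root / "my-plugin.php").write_text(
        "<?php\n/* Plugin Name: Sample */\nif ( ! defined( 'ABSPATH' ) ) {\n    exit;\n}\n"
    )
    (root / "includes" / "helper.php").write_text("<?php\necho 'runs on direct access';\n")
    (root / ".htaccess").write_text("Deny From All\n")
    return str(root)


if __name__ == "__main__":
    # Expected: {'unguarded': ['includes/helper.php'], 'htaccess_ok': True}
    print(audit_plugin(build_sample_plugin()))
```

A blanket deny also blocks any CSS, JavaScript or images the plugin serves from that folder, and it only takes effect where Apache honours .htaccess files (AllowOverride); nginx ignores them entirely, which is why the in-file check remains worthwhile alongside it.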
— David Wolf