Worthwhile to restrict direct access of theme files?

I’ve run across the following snippet in themes from time to time:

if ( ! defined('ABSPATH')) exit('restricted access');

It’s at the beginning of some (all?) PHP files in a theme and it’s supposed to prevent direct access of the file by nefarious sources.


I see that this isn’t included in Twenty Ten or Eleven and I’ve never seen it recommended in official WordPress documentation. It seems like a good idea to me, but I also don’t know enough about security to judge it and can’t find much with Google.

Is this something I should have in my custom themes? If so, should it be in all PHP files or just some?


1 comment

  1. Usually, you don’t need it. But … there is at least one edge case:

    • If a theme file is a template part,
    • and it is using global variables from the calling context (parent file),
    • and register_globals is on,
    • and it is just using these variables without any security check …

    … an attacker can call this file, set the missing variables with GET or POST and make the theme file print those out. And then there is a security problem.

    So … the best option is not a context check like the one from your example, but good code: avoid global variables, check their content before you print it out.
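The edge case the comment describes and the fix it recommends, side by side, as an added PHP example (not code from the question or the comment). The template part name, the variable `$teaser_title`, and the calling template that sets it are assumptions.

```php
<?php
// Added example, not code from the original question or comment.
// Assumed setup: a theme loads the template part "content-teaser.php"
// after the calling template has set a value for it:
//
//   set_query_var( 'teaser_title', 'Latest news' );
//   get_template_part( 'content', 'teaser' );

// --- Shape the comment warns about (left as a comment, not executed) ---
// No ABSPATH guard, relies on $teaser_title being a global set by the
// calling file, and prints it without escaping. With register_globals on
// (an option removed in PHP 5.4), a request for this file on its own lets
// a request parameter populate $teaser_title, and the echo prints it as-is.
//
//   <h2><?php echo $teaser_title; ?></h2>

// --- Hardened shape ---
// 1. Context check: ABSPATH is defined by wp-load.php, so when this file
//    is requested directly it is undefined and execution stops here.
if ( ! defined( 'ABSPATH' ) ) {
    exit( 'restricted access' );
}

// 2. Avoid an implicit global. Read the value through an explicit channel
//    (get_query_var returns '' when nothing was set) and fall back to a
//    safe default instead of trusting whatever happens to be in scope.
$teaser_title = get_query_var( 'teaser_title' );
if ( ! is_string( $teaser_title ) || '' === $teaser_title ) {
    $teaser_title = get_the_title();
}

// 3. Check content before printing: esc_html() neutralises markup, so the
//    value cannot inject HTML even if an unexpected string reaches here.
?>
<h2><?php echo esc_html( $teaser_title ); ?></h2>
```

Steps 2 and 3 are what remove the problem regardless of PHP configuration; the ABSPATH guard in step 1 is a cheap extra layer, not the actual fix.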