I have a theme that has an uploader utility that opens in a popup window from the theme options page. Basically I have a button labeled “Upload” which has an onclick handler that calls window.open to load a popup window containing a php file that handles various upload tasks.
The problem I’m encountering only occurs on less than 1% of all installations of the theme, but I’m unable to determine the cause.
On these sites, the window.open call opens the popup window, but the contents of the window are the WordPress default “Not Found” page (instead of my PHP upload handler file).
Here is the call from functions.php:
<button
type="button"
id="fileUpload"
onclick="window.open('<?php echo get_bloginfo('template_directory') ?>/upload-zip.php?action=uploadFile','popup','width=330,height=235,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no'); return false">Add/Upgrade Templates
</button>
Note: to eliminate the upload-zip.php as a source of the problem, I’ve removed the contents and just placed this into it:
<?php
echo "in upload file";
die;
?>
However, it does not appear to get to this file before loading the WordPress “Not Found” page.
This is probably because you just should never directly access anything which is not JS, CSS or images in theme folders. Directly accessing PHP files in those folders is considered a security risk and people (me included) will block such access at the server configuration level.
I assume that depending on the method used to hide the files, the webserver might not even be able to “see” that the file is there and will ask WordPress to resolve the URL, which will end up in a 404 page. But it doesn’t really matter why, just don’t write code like that.
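One way to act on this advice, as an added example that is not part of the original question or answer: load the popup through WordPress's own `wp-admin/admin-post.php` entry point, so no PHP file inside the theme folder is ever requested directly and the request is checked for capability and nonce. The action name `mytheme_upload_zip`, the function names and the choice of the `edit_theme_options` capability are assumptions made for illustration.

```php
<?php
// Added example for the theme's functions.php. The "mytheme_*" names and the
// capability below are assumptions, not taken from the original post.

// 1. Handler: WordPress calls this for wp-admin/admin-post.php?action=mytheme_upload_zip.
//    admin_post_{action} only fires for logged-in users.
add_action( 'admin_post_mytheme_upload_zip', 'mytheme_render_upload_popup' );

function mytheme_render_upload_popup() {
    // Being logged in is not enough: require the right capability.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'You are not allowed to upload templates.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Reject requests that were not generated by our own button (CSRF check
    // against the _wpnonce query argument; dies on failure).
    check_admin_referer( 'mytheme_upload_zip' );

    // The logic that used to live in upload-zip.php goes here. This stub
    // mirrors the test file from the question.
    echo 'in upload file';
    exit;
}

// 2. URL the popup should open: admin-post.php plus action and nonce.
function mytheme_upload_popup_url() {
    return add_query_arg(
        array(
            'action'   => 'mytheme_upload_zip',
            '_wpnonce' => wp_create_nonce( 'mytheme_upload_zip' ),
        ),
        admin_url( 'admin-post.php' )
    );
}

// 3. Button markup for the theme options page. The URL is escaped once, into
//    a data attribute, instead of being echoed inside inline JavaScript.
function mytheme_upload_button() {
    ?>
    <button type="button" id="fileUpload"
        data-popup-url="<?php echo esc_url( mytheme_upload_popup_url() ); ?>"
        onclick="window.open(this.dataset.popupUrl, 'popup', 'width=330,height=235,scrollbars=no,resizable=no'); return false;">
        Add/Upgrade Templates
    </button>
    <?php
}
```

Because the request goes to a core WordPress file, server rules that deny direct execution of PHP under the themes directory no longer affect the popup.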