Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#53183 closed defect (bug) (duplicate)

Twenty Twenty-One: Check if ABSPATH is defined in each file

Reported by: tomjdevisser
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.7.1
Component: Bundled Theme
Keywords: dev-feedback
Focuses: docs, coding-standards
Cc:

Description

I think it would be a nice addition to the Plugin Developers Handbook to add a small recommendation to the Plugin Security section. Basically adding the next snippet to all executable files:

<?php
// Make sure no one can call this file directly
defined( 'ABSPATH' ) or die;

I think most plugin devs will already use this, and it's something that comes up a lot, so I wondered why it was not yet in the documentation. @themiked thought there might be ramifications unknown to us about doing this, so he asked me to make a ticket here. Please share your thoughts.

Some more information on using this:
https://stackoverflow.com/questions/43212340/what-is-meant-by-if-defined-abspath
https://wordpress.stackexchange.com/questions/108418/what-are-the-differences-between-wpinc-and-abspath

PS: This is my first ticket, and I don't know exactly what focuses/type/keywords would fit. If anything needs changing, constructive feedback is highly appreciated.

Change History (8)

This ticket was mentioned in Slack in #docs by tomjdevisser.


3 months ago

#2 @tomjdevisser
3 months ago

  • Summary changed from Recommending "defined( 'ABSPATH' ) or die;" in the Plugin Dev Handbook to Missing code in TwentyTwentyone theme

This ticket was mentioned in Slack in #docs by tomjdevisser.


3 months ago

#4 @tomjdevisser
3 months ago

For added security, I think it would be a nice addition to the theme to add the following code to each file in the theme:

<?php
// Make sure no one can call this file directly
defined( 'ABSPATH' ) or die;

Some more information on using this:
https://stackoverflow.com/questions/43212340/what-is-meant-by-if-defined-abspath
https://wordpress.stackexchange.com/questions/108418/what-are-the-differences-between-wpinc-and-abspath

PS: This is my first ticket, and I don't know exactly what focuses/type/keywords would fit. If anything needs changing, constructive feedback is highly appreciated. Changed the ticket after getting feedback from themiked.

Last edited 3 months ago by tomjdevisser
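
An added example, not part of the ticket or of WordPress itself: a small Python audit that lists the .php files under a theme directory that lack the ABSPATH guard proposed in the comment above. The regex heuristics, the function names and the sample theme files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions for this example, not a PHP parser).
_DEFINED = r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)"
GUARD = re.compile(
    # defined( 'ABSPATH' ) or die;   /   defined('ABSPATH') || exit;
    _DEFINED + r"\s*(?:or|\|\|)\s*(?:die|exit)\b"
    # if ( ! defined( 'ABSPATH' ) ) { exit; }
    r"|if\s*\(\s*!\s*" + _DEFINED + r"\s*\)\s*\{?\s*(?:die|exit)\b",
    re.IGNORECASE,
)
# Strip comments first so a commented-out guard is not counted as a guard.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def unguarded_php_files(root):
    """Return sorted relative paths of .php files under root with no ABSPATH guard."""
    root = Path(root)
    missing = []
    for path in root.rglob("*.php"):
        source = path.read_text(encoding="utf-8", errors="replace")
        if not GUARD.search(COMMENTS.sub("", source)):
            missing.append(path.relative_to(root).as_posix())
    return sorted(missing)


# Constructed sample theme: file names and contents are made up for the demo.
SAMPLE = {
    "functions.php": "<?php\n// Make sure no one can call this file directly\n"
                     "defined( 'ABSPATH' ) or die;\nfunction demo_setup() {}\n",
    "inc/block.php": "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\n",
    "inc/commented.php": "<?php\n// defined( 'ABSPATH' ) or die;\necho 'hi';\n",
    "inc/bare.php": "<?php\necho 'no guard';\n",
}


def demo():
    """Write the sample theme to a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return unguarded_php_files(tmp)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run against a real theme by calling `unguarded_php_files()` with the theme's directory; because the matching is regex-based, treat the output as a review list rather than a verdict.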

#5 @SergeyBiryukov
3 months ago

  • Summary changed from Missing code in TwentyTwentyone theme to Twenty Twenty-One: Check if ABSPATH is defined in each file

#6 follow-up: @SergeyBiryukov
3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, welcome to WordPress Trac!

Thanks for the ticket, we're already tracking this enhancement in #47154.

#7 in reply to: ↑ 6 @tomjdevisser
3 months ago

Replying to SergeyBiryukov:

Hi there, welcome to WordPress Trac!

Thanks for the ticket, we're already tracking this enhancement in #47154.

Great, thanks!

This ticket was mentioned in Slack in #docs by tomjdevisser.


3 months ago
