Opened 5 months ago
Closed 3 months ago
#63930 closed defect (bug) (duplicate)
Prevent direct access to wp-settings.php to avoid uncaught error
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | has-patch has-test-info |
| Focuses: | | Cc: | |
Description
The wp-settings.php file should not be accessed directly. If a user attempts to load it directly, a 500 error will be returned. So I have restricted direct access calls to this file to ensure all code works well.
Change History (4)
This ticket was mentioned in PR #9747 on WordPress/wordpress-develop by @amitjoel85.
5 months ago
#1
- Keywords has-patch added
#2
@
5 months ago
- Keywords has-test-info added
Test Report
Patch tested: https://github.com/WordPress/wordpress-develop/pull/9747
Steps to Reproduce or Test
- Open http://localhost:8889/wp-settings.php directly in a browser. (Or open https://YOURSITE.com/wp-settings.php on a live site.)
- 🐞 Bug occurs. It returned 500 Internal Server Error.
Expected Results
When testing a patch to validate it works as expected:
- ✅ WordPress site should die( '-1' ) just like other core files.
When reproducing a bug:
- ❌ Error condition occurs. It returned 500 Internal Server Error.
Environment
- WordPress: 6.8.2
- PHP: 8.4.10
- Server: nginx/1.26.1
- Database: mysqli (Server: 8.0.35 / Client: mysqlnd 8.4.10)
- Browser: Chrome 140.0.0.0
- OS: Windows 10/11
- Theme: ModernPress 1.0.0
- MU Plugins: None activated
- Plugins:
- Test Reports 1.2.0
Actual Results
When reproducing a bug/defect:
- ❌ Directly accessing the wp-settings.php file, it returned 500 Internal Server Error.
When testing the bugfix patch:
- ✅ Issue resolved with patch. Direct access correctly triggers a die( '-1' ) message.
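The before/after behaviour from the test report, reproduced on constructed stand-in files (an added example, not the patch from the PR and not WordPress core code). It assumes the failure comes from the file using the `ABSPATH` constant before its usual includer has defined it; the file names and the `run_directly()` helper are hypothetical.

```php
<?php
// Added example: constructed stand-ins for a bootstrap file, run from the CLI.
// Assumption: the uncaught error is caused by using ABSPATH when nothing has
// defined it, which is what happens when the file is requested on its own.

// "Before": relies on a constant that only the normal entry point defines.
$unguarded = <<<'SRC'
<?php
require ABSPATH . 'wp-includes/version.php';
SRC;

// "After": refuse to run when loaded outside the normal bootstrap.
$guarded = <<<'SRC'
<?php
if ( ! defined( 'ABSPATH' ) ) {
	die( '-1' );
}
require ABSPATH . 'wp-includes/version.php';
SRC;

/**
 * Runs a file as the top-level script in a fresh PHP process, the CLI
 * equivalent of requesting it directly. Returns array( exit code, output ).
 */
function run_directly( string $file ): array {
	$cmd = escapeshellarg( PHP_BINARY )
		. ' -d display_errors=0 -d log_errors=0 '
		. escapeshellarg( $file );
	exec( $cmd . ' 2>&1', $output, $exit_code );
	return array( $exit_code, implode( "\n", $output ) );
}

$dir = sys_get_temp_dir() . '/direct-access-demo-' . getmypid();
mkdir( $dir );

foreach ( array( 'unguarded.php' => $unguarded, 'guarded.php' => $guarded ) as $name => $source ) {
	$path = $dir . '/' . $name;
	file_put_contents( $path, $source );
	list( $exit_code, $body ) = run_directly( $path );
	// A fatal exit with no body is what a web server typically reports as a 500;
	// the guarded file exits cleanly with the body "-1".
	printf( "%-14s exit=%d body=%s\n", $name, $exit_code, var_export( $body, true ) );
	unlink( $path );
}
rmdir( $dir );
```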
https://core.trac.wordpress.org/ticket/63930