I have been reading some WordPress PHP code on GitHub and I found that the author (a Senior WordPress developer) was putting this line of code at the beginning of each file:
defined('ABSPATH') or die("Cannot access pages directly.");
How does this protect the file from direct access? Can't a hacker just define the constant ABSPATH and then load the file?
Also, why is direct access dangerous?
By default, PHP does not restrict which files and directories your PHP scripts can access. To restrict the directories that can be accessed, you can use PHP's open_basedir setting.
PHP is as secure as any other major server-side language. With the new PHP frameworks and tools introduced over the last few years, it is now easier than ever to manage top-notch security.
Yes, of course they could - if the server is penetrated then any file on it is visible. Yes, it's entirely possible for someone to hack a server, via an exploit, or by stealing your password, or via buggy code you or others have written, or a number of different ways.
This constant is probably set in the main WordPress PHP file, so if it's not set, then you aren't accessing the main page.
Constants aren't something a user can modify; they are in the code and can only be changed by editing the PHP file. So, if a hacker could set this constant, then you'd have bigger problems, because that would involve him actually editing your PHP files.
Direct access may not be dangerous (don't quote me), but it's pointless. Directly accessing a WordPress plugin (for example) won't do anything, as the plugin needs to run through WordPress.
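The behaviour the answer describes, as an added PHP example that is not part of the original thread. The file names, the temp directory and the run_php helper are constructed for illustration, and the script is meant to be run from the PHP command line:

```php
<?php
// Added illustration; file names and the temp directory are constructed.
$dir = sys_get_temp_dir() . '/abspath_demo_' . getmypid();
mkdir($dir);

// A "plugin" file that starts with the guard from the question.
file_put_contents("$dir/plugin.php", <<<'CODE'
<?php
defined('ABSPATH') or die("Cannot access pages directly.");
echo "plugin code ran, ABSPATH=" . ABSPATH;
CODE);

// Stand-in for the application's entry point. The constant is defined by
// server-side code here; nothing in a request can define it.
file_put_contents("$dir/bootstrap.php", <<<'CODE'
<?php
define('ABSPATH', __DIR__ . '/');
require ABSPATH . 'plugin.php';
CODE);

// Run a file in a fresh PHP process, the way a web server starts a fresh
// script for each request, and return what it printed.
function run_php(string $file, string $arg = ''): string
{
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($file);
    if ($arg !== '') {
        $cmd .= ' ' . escapeshellarg($arg);
    }
    return (string) shell_exec($cmd);
}

// 1. Direct execution: ABSPATH was never defined, so the guard stops the file.
echo "direct:     ", run_php("$dir/plugin.php"), PHP_EOL;

// 2. Caller-supplied input named ABSPATH (an environment variable and an
//    argument here, like a query parameter on the web) is only data.
putenv('ABSPATH=/tmp/');
echo "with input: ", run_php("$dir/plugin.php", 'ABSPATH=/tmp/'), PHP_EOL;

// 3. Loaded through the entry point: the constant exists, the plugin runs.
echo "bootstrap:  ", run_php("$dir/bootstrap.php"), PHP_EOL;

// Clean up the constructed files.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```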