Worthwhile to restrict direct access of theme files?

Usually, you don’t need it. But … there is at least one edge case:

  • If a theme file is a template part,
  • and it is using global variables from the calling context (parent file),
  • and register_globals is on,
  • and it is just using these variables without any security check …

… an attacker can call this file, set the missing variables with GET or POST and make the theme file print those out. And then there is a security problem.

So … the best option is not a context check like the one from your example, but good code: avoid global variables, check their content before you print it out.

Related Posts:

  1. Should `get_template_directory_uri()` be escaped?
  2. Is it good to rename theme folder downloaded from WordPress.org?
  3. How to sanitize select box values in post meta?
  4. When to use esc_url, esc_html, esc_attr, and friends?
  5. Worthwhile to restrict direct access of theme files?
  6. Where i should not use if (!defined(‘ABSPATH’)) { exit; }?
  7. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  8. Is it safe to enqueue a font style without putting http or https?
  9. Using esc_url with a hard coded url
  10. What is the safe way to print tracking code / pixel code before tag or tag
  11. Underscore Based Theme File Permissions in Git
  12. correct tags for validating input types
  13. How to escape multiple attribute at once in WordPress?
  14. Contact Form Security
  15. Do I need to escape get_the_post_thumbnail function?
  16. Strict Folder and File Permissions for WordPress Themes Folder
  17. hide theme files for admin beneath root
  18. Should we escape the values of constants?
  19. WordPress Theme Preview Image
  20. What is a Theme textdomain?
  21. What are the advantages and disadvantages of Option Tree over the Customization API?
  22. Splitting WordPress theme CSS into multiple files, good or bad?
  23. Edit srcset and sizes attributes in Gutenberg image, cover and gallery – blocks
  24. do_shortcode() doesn’t do shortcodes ;)
  25. How do I check if a menu exists?
  26. How to concatenate inside the _e() function the right way?
  27. Why to check if function doesn’t exists in functions.php?
  28. Pages: frontpage.php, home.php, posts page etc
  29. How to add a WYSIWYG text editor to the Category Edit Screen
  30. Different wordpress 404 template for different post type [duplicate]
  31. How to choose which template to be used for multiple taxonomy query?
  32. How to programmatically bring back “excerpts” field in post editor in WP 3.1+
  33. How to set dimensions of the post thumbnails (featured images)
  34. Fatal error: Call to undefined function get_header()
  35. Add a theme via symlink
  36. Alterntives to BEM syntax that comply with WordPress coding standards? [closed]
  37. How to determine which registered sidebar area a custom widget is loaded into
  38. Integrating Html5Boilerplate’s Builder into a WP Theme
  39. Including wp-blog-header.php from functions.php remote call?
  40. Administration Pages Styling
  41. Theme settings keep getting reset/erased
  42. Custom button block doesn’t work
  43. How can i convert the figma design into wordpress [closed]
  44. A custom theme with support for multiple layouts
  45. WordPress Local Install Theme Folder Permission To Edit
  46. Display div only on the HOMEPAGE
  47. WordPress is adding margins and padding to my custom menu?
  48. What is the best way to organize template parts?
  49. Keep sticky posts out of query unless they have featured image
  50. wp_enqueue_script outside functions.php file?
  51. How can I make my options in an array and store theme in WP options one DB row?
  52. Differences between developing custom themes for wordpress.com and wordpress.org?
  53. Easy to develop on a URL that is changed for production?
  54. Following Web Performance Optimization techniques to output static and dynamic css
  55. How to control on which pages the Aldehyde theme’s main slider is shown?
  56. How to support letting users add their OWN logo to a custom theme?
  57. WordPress stylesheet isn’t being added
  58. How to detect and display a page only for IE?
  59. Does code in function.php differ from theme to theme
  60. How can I optimize this code? [closed]
  61. Issue on Getting Custom post type Thumbnail’s URL
  62. Forms won’t submit
  63. Change image size depending on page
  64. How do I provide for multiple crops of the same image in a theme?
  65. Why WordPress AJAX returns undefined however it works fine when I add static url instead of dynamic function?
  66. Twenty Seventeen Pages Loop
  67. What and where are the WordPress core-bundled scripts?
  68. How to add pages in wordpress using codes?
  69. How does the loop know which post to view?
  70. How to use multiple check-box values to work in a function and insert values in database
  71. How to make a function occurs for one time?
  72. How to know if I am on 1st page
  73. security concerns if using html data-* attribute for l10n?
  74. How to create a robust and logic class naming system in WordPress theme developing?
  75. How to enable admin to upload multiple images to support header carousel slider theme in WordPress?
  76. function ‘theme_settings_page’ not found
  77. I don’t know why categories are showing below post
  78. Is there a way to create sections under “Colors” panel in the Theme Customizer?
  79. Need help with adding custom wordpress menu and sub-menu
  80. get currently showed author ID in theme functions.php
  81. WordPress Custom font not found
  82. How do I control the header space in non-front pages in Twenty Seventeen?
  83. How to load mediaelement.js in theme template?
  84. Customizer API way function is_customize_preview() works only in main page?
  85. Advantages/Disadvantages Using Theme Editor Instead of Pages
  86. using theme check plugin to remove waring and errors from my theme
  87. paragraph format in WYSIWYG on a custom theme?
  88. unable to display the image meta value as background
  89. editor style css and page template with and without sidebar
  90. 3 x 3 grid of posts on the home page
  91. Suppress the_content filter in a nested loop
  92. The normal loop with different styles doesn’t work in search.php
  93. Pass custom css class to add_menu_page
  94. URL conflict with a ‘Single Page Layout’
  95. loading custom.js file after jquery is loaded
  96. How to determine if it is legal to remove credit link from theme?
  97. Display recent posts on front page
  98. How to create sub-menu in “Allure Real Estate Theme for Placester”?
  99. Configuring static page with add_rewrite_rule gives 404 after navigating to Permalinks admin panel
  100. How to Enable Hot Module Replacement with Webpack

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)