WordPress restrict plugin file direct access

Question 1. so where it is defined before
Answer:

It is defined in WordPress core.

Here a quick online reference or for a local reference take a look at the following file in the root of WordPress: wp-settings.php. In that file (around line 18) following code is shown:

define( 'WPINC', 'wp-includes' );

Question 2. and it is not abort the execution on the file
Answer:

The use (the goal so to say) of it is to protect plugins from direct access
(from the outside, preventing any unauthorized access to your code)
Two ways to achieve this protection, some developers use WPINC and others use ABSPATH as in:

  • if (!defined('ABSPATH')) exit; (or replace exit with die("No cheating!") or other txt)
  • if ( ! defined( 'WPINC' ) ) die; (or use exitin same way as above)

Both defined as follow:

  • define( 'ABSPATH', dirname(dirname(__FILE__)) . "https://wordpress.stackexchange.com/" );
  • define( 'WPINC', 'wp-includes' );

dirname (generic PHP) simply returns the directory from a full path.
wp-includes is pretty self explanatory.

You are free to decide which to use. I personally think there is no real right way , both have the same purpose. I use only ABSPATH but it is all up to your personal preference.
Just remember to add it directly below the header section or at least near the top of your plugin.

Related Posts:

  1. How to store username and password to API in wordpress option DB?
  2. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  3. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  4. Nonces can be reused multiple times? Bug / Security issue?
  5. Can someone explain what wp_session_tokens are, and what are they used for?
  6. WordPress and PHP Sessions – Security and Performance
  7. What is the difference between esc_html and wp_filter_nohtml_kses?
  8. Nonce in settings API with tabbed navigation
  9. Log in from one wordpress website to another wordpress website
  10. Escaping built-in WP function return strings
  11. What is the difference between strip_tags and wp_filter_nohtml_kses?
  12. WP Cron doesn’t save or in post body
  13. Plugin development: is adding empty index.php files necessary?
  14. Confusion on WP Nonce usage in my Plugin
  15. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  16. Correct way check nonce (security) using old Options API
  17. Why do I need to check if wp_nonce_field() exists before using it
  18. Is there any way to check for user login and send him to login?
  19. WordPress security issue to output data from user input from theme option form
  20. Verify if user is wordpress logged in from another app since wordpress 4.0
  21. Secure Pages Best Practice
  22. Securing/Escaping Output of file content – reading via fread() in PHP
  23. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  24. Video Security just like facebook [closed]
  25. Is disabling test_form in wp_handle_upload a security concern?
  26. How to connect my wordpress plugin to a remote database securely?
  27. wp_nonce_field displaying twice
  28. Is it necessary to do validation again when retrieving data from database?
  29. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  30. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  31. add_submenu_page hooked function must explicitly check user capabilities – why?
  32. Are there any security risks when submitting data-attribute data through AJAX?
  33. Why would you use esc_attr() on internal functions?
  34. Is it possible to use WP-CLI in a plugin (or theme)?
  35. Secruity Questions on a timer
  36. Using HTML links within translatable string
  37. How can I save a password securely as a settings field
  38. Using password protection to load different page elements?
  39. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  40. How to store sensitive user data (passwords)
  41. How do I make secure API calls from my WordPress plugin?
  42. esc_attr() on hard coded string
  43. how to add security questions on wp-registration page and validate it
  44. Experts opinions needed: How (in)secure is this approach?
  45. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  46. Data Validation, dynamically generated fields (select for example)
  47. esc_url, esc_url_raw or sanitize_url?
  48. How do I add CSS options to my plugin without using inline styles?
  49. How to override existing plugin action with new action
  50. Add custom TinyMCE 4 Button, Usable since WordPress 3.9-beta1
  51. How do I create links at the top of WP_List_table?
  52. Why Does get_posts() Return an Empty Set?
  53. Where to enqueue stylesheets for plugin?
  54. stray elements
  55. Deletion of shared options using uninstall.php
  56. Plugin Settings not Saving on Ajax re-ordered table
  57. Timeout on Admin-Ajax?
  58. Is there a way to verified if an add_filter is already applied?
  59. Rearranging Dashboard meta boxes with use of plugin/functions.php
  60. When I deactive WooCommerce Plugin, I want to take a action in My plugin
  61. Hiding WordPress Plugin Source Code
  62. Create a custom display order in the main menu
  63. Override the default Add/Edit site forms of the Network Panel in custom plugin
  64. add more custom post types and custom role to the code
  65. Executing a function upon webhook calling wordpress
  66. How to display additional info in the plugins admin table?
  67. A better way to include localized labels in WordPress plugins
  68. How a deprecated function can crash WordPress site while upgrading
  69. plugin settings – uploading multiple files with a single button
  70. Getting term_id for newly created or edited term
  71. How to insert text at the current cursor position in Gutenberg?
  72. Remove unwanted elements for a wp_nav_menu
  73. What is the proper method of using global $post?
  74. how to add stylesheet to particular plugin only?
  75. Difference between wp_salt schemes
  76. WordPress daily cron is executing more frequently than once a day
  77. How can I replace the search results displayed by WordPress?
  78. What is the best way to store a few fields?
  79. I18n not working in plugin
  80. Mixing l18n string from my plugin with WordPress’ translations
  81. Non editable custom taxonomy
  82. How to resize WordPress images on upload to specific height and width without cropping it
  83. Get section of input passed to the sanitize_callback
  84. Checking for existing title in custom db query not working
  85. Security of a WordPress Plugin
  86. How to know if current plugin is going to be used while rendering the page?
  87. Dynamically modify content added to table via javascript
  88. functions won’t fire after I converted my code from procedural code to OOP
  89. How to prevent wp_insert_post from creating a new post every second?
  90. CPT UI and custom database table
  91. Updating a WP Plugin SVN not showing on WordPress Website or Zip
  92. Download stopped working in 4.7.4
  93. $wpdb Mysql trigger problem
  94. WordPress postboxes On Tabbed Views and Hiding Registered Pages
  95. grouping my widgets wordpress
  96. Yet another wp_insert_post infinite loop. What is wrong?
  97. How to set init for maximum script execution, memory limit and max files upload in wordpress
  98. Fetch Custom Woocomerce filed data and check the data avialble in Wp-user table as nicname or username using function.php
  99. How to get locale within WP REST Request?
  100. How to add extra EXIF data when images are uploaded?
tech