Worthwhile to restrict direct access of theme files?

Usually, you don’t need it. But … there is at least one edge case:

  • If a theme file is a template part,
  • and it is using global variables from the calling context (parent file),
  • and register_globals is on,
  • and it is just using these variables without any security check …

… an attacker can call this file, set the missing variables with GET or POST and make the theme file print those out. And then there is a security problem.

So … the best option is not a context check like the one from your example, but good code: avoid global variables, check their content before you print it out.

Related Posts:

  1. Should `get_template_directory_uri()` be escaped?
  2. Is it good to rename theme folder downloaded from WordPress.org?
  3. How to sanitize select box values in post meta?
  4. When to use esc_url, esc_html, esc_attr, and friends?
  5. Worthwhile to restrict direct access of theme files?
  6. Where i should not use if (!defined(‘ABSPATH’)) { exit; }?
  7. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  8. Is it safe to enqueue a font style without putting http or https?
  9. Using esc_url with a hard coded url
  10. What is the safe way to print tracking code / pixel code before tag or tag
  11. Underscore Based Theme File Permissions in Git
  12. correct tags for validating input types
  13. How to escape multiple attribute at once in WordPress?
  14. Contact Form Security
  15. Do I need to escape get_the_post_thumbnail function?
  16. Strict Folder and File Permissions for WordPress Themes Folder
  17. hide theme files for admin beneath root
  18. Should we escape the values of constants?
  19. If necessary, how should wp_get_attachment_image() and its parameters be escaped?
  20. Theme Customizer not loading JS for live preview
  21. get_search_form() and aria_label
  22. Can’t remove DIV from hooks in Storefront child theme [closed]
  23. Admin: sub menu doesnt display under apperance when activate my themes
  24. Get data from style.css file and from from users->your profile
  25. Getting Different Size Of Attachment Images
  26. 2 loops, is_home won’t work, count is off
  27. how to remove the gallery shortcode in wordpress?
  28. How can I specify that an area of my theme contains widgets?
  29. How to dequeue css files?
  30. How to disable thumbnail filter for a specific template part or image size?
  31. get_template_part() doesn’t work
  32. Show for a particular page ID only title and short summary
  33. wpautop on section
  34. Extract all shortcode data from post into loop variables?
  35. wp_nav_menu and its fallback
  36. registering a global template wordpress 6.0
  37. Copying the theme style files and images to duplicate the website but with a difference
  38. reduce duplicate code in wordpress
  39. Assign custom classes to the divs inside the loop
  40. How to set Post meta-box defaults based on the choices made by user in Customizer?
  41. Theme Action to hook for one time only function [duplicate]
  42. Proper way to move a Bootstrap site to WordPress [closed]
  43. Theme development: How to add CSS classes to menu items?
  44. Woocommerce Product attribute not imported with wordpress Importer [closed]
  45. HTTP Error when uploading images over specific dimensions
  46. iPad WordPress theme?
  47. Adding link post format to theme and permalink to rss feed
  48. custom Background not showing after upgrade?
  49. How do I assign a particular post to a particular page in WordPress?
  50. Rolling your own WordPress Themes
  51. What are the permalinks options for “Category” base and removing it?
  52. Designing a custom archive.php inspired by the Autofocus theme
  53. Is a site with 1,500 pages, (1000 of which are E-Commerce Pages) Too Big to Migrate to WordPress?
  54. How to get blog-id of an MU site from functions.php
  55. Does single webpage do not need navigation to create a slug in permalink?
  56. Posts Page shows Classic Editor interface not Gutenberg
  57. Comment Form Development Issue
  58. Removing element from DOM with jquery through plugin Custom Scripts for Customizer
  59. WordPress theme doesn’t read my translations from pt_BR.po file
  60. Get gallery images description not work for some images id
  61. How to load jQuery with Ajax in WP version 5.3.2?
  62. How to get full native language instead of iso?
  63. Move the social media icons to the left of a WordPress nav menu for Soledad child Theme
  64. Is a multipurpose theme an alternative to modifying or creating a theme from scratch?
  65. Two instances of the theme folder in the URL
  66. I want to change the author name
  67. Does any JavaScript file load automatically for index.php file?
  68. WordPress menu walker – Get parent item text inside end_lvl function
  69. Display content on Single page
  70. WordPress Ajax Spitting out a page as a response?
  71. Filter URL and shortcodes from the_excerpt
  72. Check if redirected from a specific page template
  73. Postname permalink page not found error
  74. Horizontal Navigation
  75. Trouble creating custom sanitization function when uploading video files
  76. How to store and retrieve the attachment alignment?
  77. What’s the policy for building a theme that doesn’t support widgets/menus?
  78. Incorporate zilla shortcode into theme
  79. Custom image size doesn’t work
  80. Paginated WP_Query doesn’t return 404’s, even when posts don’t exist
  81. The content not wrapped in paragraph tags with get_page_by_title()
  82. How to assign the default file at “Appearance > Editor”?
  83. Not Found when using activity stream as front page with BuddyPress
  84. Import/Export WordPress demo
  85. Creating custom function in wordpress to return data from database
  86. How customizable is a self-hosted WordPress blog compared to a Blogger blog?
  87. Why we do need wp_enqueue_script() function?
  88. Is it possible to use “wordpress.org Theme Handbook” look&feel as a theme in my own site? [closed]
  89. getting id of page
  90. sanitize_option_{$option} filter returns null
  91. WP Customizer get control value on change
  92. Execute javscript when theme customizer loads (autosave issue)
  93. How to set the margin on an innerBlock in a block variation?
  94. Does a custom WordPress theme require updates to it’s source code?
  95. New directory created each time I upload new theme zip
  96. WordPress theme.json: Why doesn’t “contentSize” work
  97. Which is recommended to learn first: classic themes or block themes?
  98. WP “optimizing” PNGs into thumbnails 5X larger than originals – FIX
  99. Disable interactivity for core navigation
  100. WordPress function::: get_header();

Leave a Comment