
Good day,

I am quite concerned about whether storing custom php files within my child theme is secure, and if they would be publicly accessible since they are within the web root.

For example, if my file path was something like "https://mywebsite.com/wp-content/themes/my-child-theme/my-php-file.php" and this was called in a form as the action path, would this be able to be accessed for malicious use?

This php file could be handling pulling data from a database for example, or having the path to the configuration file with API keys in it.

I’m relatively inexperienced so I’m not sure if this is a dumb question or not, but I would really appreciate some guidance on WordPress security with custom php files, if I should be using nonces or hooks instead of the example action path.

Best regards

3 Answers


  1. WordPress leverages both .htaccess files and server file permissions to keep key php files safe from bad-actor access. You can additionally require POST requests to your file by checking for $_POST data and exiting if there isn’t any.

    Nonces are another method you could use to ensure your calls and files are kept safe.

  2. To restrict access to a file on Apache web servers you can add the following code to the .htaccess file that is placed in the public_html/ directory:

    # <Files> matches on the file name only, never on a directory path, so a
    # leading "/wp-content/themes/..." part would never match. Use the bare name.
    <Files "my-php-file.php">
      # Apache 2.2 directives (still work on 2.4 via mod_access_compat);
      # the native Apache 2.4 equivalent is: Require all denied
      Order Allow,Deny
      Deny from all
    </Files>
    
  3. There are multiple concerns, let’s address them separately.

    1. Files you do not want to be requested at all

    Simply redirect from those with your webserver.

    2. Restricting access

    For example, if you want a file to only receive POST requests and to reject GET requests, you can check for the request method and either throw an error, display a warning or silently ignore badly formed requests.

    3. Top-secret data

    Such as database authentication credentials. Make sure you never ever version these values, and if you accidentally versioned them and they are available on GitHub or something of the like, then change the passwords, etc.

    4. File browsing

    If you want to prevent file browsing, put this line into .htaccess:

    Options -Indexes
    
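As an added illustration (not code from any answer in this thread) of the hooks-plus-nonces approach the question asks about and that answers 1 and 3 describe: the form posts to WordPress's own admin-post.php instead of to a file inside the theme, and the child theme's functions.php registers a handler that checks the request method, the nonce and the user's capability. Function names, the action name and the option name are assumptions.

```php
<?php
// Added example, not from the thread. Lives in the child theme's functions.php.
// Names such as my_child_save_note / my_child_note_action are assumptions.

// Put this guard at the top of every PHP file in the theme: when the file is
// requested directly (/wp-content/themes/.../file.php) WordPress has not
// loaded, ABSPATH is undefined, and the script stops before doing anything.
defined( 'ABSPATH' ) || exit;

// Render the form. The nonce ties the submission to this user and to this
// specific action; WordPress nonces expire (24 hours by default).
function my_child_note_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="my_child_note_action">
        <?php wp_nonce_field( 'my_child_note_action', 'my_child_note_nonce' ); ?>
        <input type="text" name="note" maxlength="200">
        <button type="submit">Save</button>
    </form>
    <?php
}

// Handler: WordPress routes POSTs carrying action=my_child_note_action here.
// The admin_post_ prefix (without nopriv_) means only logged-in users reach it.
function my_child_save_note() {
    // 1. Reject anything that is not a POST (answers 1 and 3: method check).
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }
    // 2. Verify the nonce; check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'my_child_note_action', 'my_child_note_nonce' );
    // 3. Authorize: a valid nonce proves intent, not permission.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 4. Sanitize input before it reaches the database.
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    update_option( 'my_child_last_note', $note ); // assumed option name
    // 5. Redirect back to the page the form came from; never render here.
    wp_safe_redirect( wp_get_referer() ?: home_url() );
    exit;
}
add_action( 'admin_post_my_child_note_action', 'my_child_save_note' );
```

With this layout the database credentials stay in wp-config.php and are only ever read by WordPress itself, so no theme file needs to know the path to a configuration file.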