Question posted in 
Good day,
I am quite concerned about whether storing custom php files within my child theme is secure, and if they would be publicly accessible since they are within the web root.
For example, if my file path was something like "https://mywebsite.com/wp-content/themes/my-child-theme/my-php-file.php" and this was called in a form as the action path, would this be able to be accessed for malicious use?
This php file could be handling pulling data from a database for example, or having the path to the configuration file with API keys in it.
I’m relatively inexperienced so I’m not sure if this is a dumb question or not, but I would really appreciate some guidance on WordPress security with custom php files, if I should be using nonces or hooks instead of the example action path.
Best regards
3
Answers
WordPress leverages both .htaccess files and server file permissions to keep key php files safe from bad-actor access. You can additionally require POST requests to your file by checking for
$_POSTdata and exiting if there isn’t any.Nonces are another method you could use to ensure your calls and files are kept safe.
To restrict access to a file in Apache webservers you can add following code in
.htaccessfile that is placed inpublic_html/directory:There are multiple concerns, let’s address them separately.
1. Files you do not want to be requested at all
Simply redirect from those with your webserver.
2. Restricting access
For example, if you want a file to only receive POST requests and to reject GET requests, you can check for the request method and either throw an error, display a warning or silently ignore badly formed requests.
3. Top-secret data
Such as database authentication credentials. Make sure you never ever version these values and if you by accident versioned these values and they are available at GitHub or something of the like, then change passwords, etc.
4. File browsing
If you want to prevent file browsing, put this line into .htaccess: