Security Tip: Block Direct Access To Plugin PHP Files

Plugins are usually loaded and executed along with the rest of WordPress. However, since each plugin is physically just set of .php, .css and .js files, it is also possible for someone to bypass the normal load order and execute the plugin files directly.  They just need to type the right URL in the address bar.

Security-wise, this is dangerous for two reasons:

  • Most plugins are not designed to be accessed in this way and will simply crash. The error message, if any, can disclose sensitive information about your site.
  • Most plugin developers don’t expect anyone to access the plugin .php files directly. Doing so may trigger a dangerous bug or vulnerability that they haven’t tested for.

While the chances of either happening are admittedly fairly slim, it doesn’t hurt to safe-guard your site from this type of attack. Luckily, disabling direct browser access plugin .php files is very easy. Just create a text file named “.htaccess” in your /wp-content/plugins directory and place this code in the file:

<FilesMatch "\.php$">
	Order deny,allow
	Deny from all

Now anyone who tries to load a plugin PHP file in their browser will now get a “Forbidden” error.

A word of warning

This will break some plugins. While most plugins only need their CSS, JS and image files to be accessible via the web browser, a handful also rely on .php files being directly accessible (e.g. for AJAX or dynamically generated CSS).

If you find out that one of your plugins doesn’t work, create a .htaccess file in that plugin’s directory and place the following code in the file:

<FilesMatch "\.php$">
	Order deny,allow
	Allow from all

This will re-enable browser access to .php files for just that directory.

Related posts :

2 Responses to “Security Tip: Block Direct Access To Plugin PHP Files”

  1. Buchanan says:

    Nice tip! Just a little doubt…what must I do if I use Nginx instead of Apache? .htaccess files are not used under Nginx

  2. Jānis Elsts says:

    I know virtually nothing about Nginx, but looking at the docs, it appears you could use
    HttpAccessModule to achieve the desired effect. Something like this might work (not tested):

    location ~* \/wp-content\/plugins\/.*\.php {
       deny all;

Leave a Reply