Plugins are usually loaded and executed along with the rest of WordPress. However, since each plugin is physically just a set of .php, .css and .js files sitting under /wp-content/plugins, it is also possible for someone to bypass the normal load order and execute the plugin files directly. They just need to type the right URL in the address bar, for example https://example.com/wp-content/plugins/some-plugin/some-file.php.
Security-wise, this is dangerous for two reasons:
- Most plugins are not designed to be accessed in this way and will simply crash, typically with a PHP fatal error because WordPress functions such as add_action() have not been loaded. If PHP is configured to display errors, the message discloses the absolute filesystem path of the file, and sometimes more, to anyone who asks for it.
- Most plugin developers don’t expect anyone to access the plugin .php files directly. Doing so may trigger a dangerous bug or vulnerability that they haven’t tested for.
While the chances of either happening are admittedly fairly slim, it doesn’t hurt to safeguard your site from this type of attack. Luckily, disabling direct browser access to plugin .php files is very easy, as long as Apache honours .htaccess files in that directory (AllowOverride). Just create a text file named “.htaccess” in your /wp-content/plugins directory and place this code in the file:

```apacheconf
<FilesMatch "\.php$">
    Order deny,allow
    Deny from all
</FilesMatch>
```

Now anyone who tries to load a plugin PHP file in their browser will get a “Forbidden” (HTTP 403) error. Note that Order/Deny/Allow is the Apache 2.2 syntax; on Apache 2.4 it only works while the mod_access_compat module is enabled, and the native equivalent is the single directive “Require all denied” inside the same FilesMatch block.
A word of warning
This will break some plugins. While most plugins only need their CSS, JS and image files to be accessible via the web browser, a handful also rely on .php files being directly accessible, for example an AJAX endpoint that bootstraps WordPress by including wp-load.php itself rather than going through wp-admin/admin-ajax.php, or a .php file that emits dynamically generated CSS.
If you find out that one of your plugins doesn’t work, create a .htaccess file in that plugin’s directory and place the following code in the file:
<FilesMatch "\.php$"> Order deny,allow Allow from all </FilesMatch>
This will re-enable browser access to .php files for just that directory: Apache applies the deeper .htaccess after the one in /wp-content/plugins, so the plugin’s own “Allow from all” wins for its files only. On Apache 2.4 without mod_access_compat, use “Require all granted” instead.
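As an added example (not part of the original post), here is a small Python script that does the two checks a practitioner would want after installing the rule above and before deciding which plugins need the per-directory exception: it lists every .php file under a plugins directory, flags the ones that lack the conventional defined('ABSPATH') guard (the in-code counterpart of the .htaccess rule; files without it run their top-level code when hit directly, and a file that includes wp-load.php itself is exactly the AJAX pattern the warning describes), and then requests each file from the site to see which are still served with a status other than 403. The fetch function is injected so the demo runs offline against a constructed sample plugin tree and a simulated server; http_status is a real fetcher you can pass in to audit your own site. The directory layout and file contents are made up for the demo.

```python
import os
import re
import tempfile
import urllib.error
import urllib.request

# Conventional WordPress guard against direct execution, in its usual spellings:
#   if ( ! defined( 'ABSPATH' ) ) { exit; }      defined( 'ABSPATH' ) || die();
ABSPATH_GUARD = re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)")


def plugin_php_files(plugins_dir):
    """Plugin-relative paths (forward slashes) of every .php file below plugins_dir."""
    found = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.lower().endswith(".php"):
                rel = os.path.relpath(os.path.join(root, name), plugins_dir)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def unguarded_files(plugins_dir):
    """Files with no defined('ABSPATH') check: their top-level code runs when hit directly."""
    result = []
    for rel in plugin_php_files(plugins_dir):
        with open(os.path.join(plugins_dir, rel), encoding="utf-8", errors="replace") as fh:
            if not ABSPATH_GUARD.search(fh.read()):
                result.append(rel)
    return result


def http_status(url):
    """Real fetcher: HTTP status of a GET (urllib raises on 4xx/5xx, so unwrap the code)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_direct_access(plugins_dir, base_url, fetch=http_status):
    """Map plugin file -> status for every .php the server does NOT answer with 403."""
    exposed = {}
    for rel in plugin_php_files(plugins_dir):
        url = f"{base_url.rstrip('/')}/wp-content/plugins/{rel}"
        status = fetch(url)
        if status != 403:
            exposed[rel] = status
    return exposed


def build_sample_plugins_dir():
    """Constructed demo tree (not a real plugin): a guarded main file, an unguarded AJAX helper."""
    base = tempfile.mkdtemp(prefix="plugins-")
    plugin = os.path.join(base, "demo-plugin")
    os.makedirs(os.path.join(plugin, "inc"))
    with open(os.path.join(plugin, "demo-plugin.php"), "w") as fh:
        fh.write("<?php\nif ( ! defined( 'ABSPATH' ) ) { exit; }\nadd_action( 'init', 'demo_init' );\n")
    with open(os.path.join(plugin, "inc", "ajax-handler.php"), "w") as fh:
        # Bootstraps WordPress on its own: needs direct access, so the blanket rule breaks it.
        fh.write("<?php\nrequire_once '../../../../wp-load.php';\necho wp_json_encode( array( 'ok' => true ) );\n")
    with open(os.path.join(plugin, "style.css"), "w") as fh:
        fh.write("body { margin: 0; }\n")  # static asset, not a .php file, never flagged
    return base


def simulated_server(rule_installed):
    """Stand-in for a live site: with the .htaccess rule every .php is 403, without it 200."""
    return lambda url: 403 if rule_installed else 200


if __name__ == "__main__":
    d = build_sample_plugins_dir()
    print("php files:", plugin_php_files(d))
    print("no ABSPATH guard:", unguarded_files(d))
    print("reachable without the rule:", audit_direct_access(d, "https://example.com", simulated_server(False)))
    print("reachable with the rule:", audit_direct_access(d, "https://example.com", simulated_server(True)))
```

Run it against a real install with audit_direct_access("/var/www/html/wp-content/plugins", "https://your-site.example") to use the urllib fetcher; an empty result means the rule is active for every plugin file, and any file that shows up in unguarded_files but that you want blocked is a candidate for the per-plugin exception only if the plugin actually needs it.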