WordPress Tutorial: How to Create a WordPress Plugin

Step 9 – Security: Protect Plugin Files

WordPress Plugin Security

Steps to Create a WordPress Plugin

  1. Name Your WordPress Plugin
  2. Isolate Your Plugin From Other Plugins
  3. Organize Your Plugin Files
  4. Define Directory Paths
  5. Load Plugin Files
  6. Directory Structure
  7. Plugin Activation, Plugin Deactivation, and Plugin Uninstallation
  8. Essential Plugin Files
  9. Security: Protect Plugin Files
  10. Plugin Hierarchy

One security practice I apply to every plugin is controlling when and how each plugin file can be accessed: whether it can be requested directly over HTTP, and whether it is loaded on the front end, the back end, or both.

Deny Direct Access to Plugin Files

This check prevents anyone from executing a plugin file by requesting its URL directly, outside of WordPress. It is only a small chunk of code placed near the top of every plugin file.

The code above stops PHP execution whenever the plugin file is requested directly rather than loaded by WordPress. Add it to every plugin file, not only the main one.

Deny Frontend Files From the Backend

You don’t want your front-end files to be included anywhere in the back-end.

Unlike the direct-access guard, this check should not kill PHP: the file is being loaded by WordPress legitimately, just on the wrong side. Simply return from the file and let the rest of the request continue.

Deny Backend Files From the Frontend

You don’t want your back-end files to be included anywhere in the front-end.

Unlike the direct-access guard, this check should not kill PHP: the file is being loaded by WordPress legitimately, just on the wrong side. Simply return from the file and let the rest of the request continue.
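The three guards from the sections above, placed in the main plugin file and the front-end and back-end loaders. This is an example written for this page, not the tutorial's own listings; the three files are shown in one listing separated by banner comments, and the `MBE_PLUGIN_DIR` constant is an assumed name for the directory path defined earlier in the tutorial.

```php
<?php
// --- ./wp-content/plugins/mbe-plugin/index.php (main plugin file) ---
// Guard 1: deny direct access. WordPress defines ABSPATH while bootstrapping
// (wp-load.php), so a request aimed straight at this file's URL never has it
// and PHP stops before any plugin code runs.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Assumed constant name; the tutorial defines its own directory path constant.
define( 'MBE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );

// Loading order: global code first, then the side-specific bundles. Each of
// those files decides for itself whether it belongs in the current request.
require_once MBE_PLUGIN_DIR . 'global/index.php';
require_once MBE_PLUGIN_DIR . 'frontend/index.php';
require_once MBE_PLUGIN_DIR . 'backend/index.php';

// --- ./wp-content/plugins/mbe-plugin/frontend/index.php ---
// (in the real plugin this is its own file with its own opening PHP tag)
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Guard 1 again: every file carries it, not only the main one.
}
// Guard 2: front-end only. On an admin screen, `return` hands control back
// to the require_once in index.php instead of killing the whole request.
if ( is_admin() ) {
    return;
}
require_once MBE_PLUGIN_DIR . 'frontend/inc/functions.php';
require_once MBE_PLUGIN_DIR . 'frontend/inc/hooks.php';

// --- ./wp-content/plugins/mbe-plugin/backend/index.php ---
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
// Guard 3: back-end only, the mirror image of guard 2.
// Caveat: is_admin() is true for any request served through /wp-admin/,
// including admin-ajax.php calls triggered from public pages, and it says
// nothing about who the user is. It only decides which code is loaded;
// authorization belongs in the handlers (current_user_can() plus nonces).
if ( ! is_admin() ) {
    return;
}
require_once MBE_PLUGIN_DIR . 'backend/inc/functions.php';
require_once MBE_PLUGIN_DIR . 'backend/inc/hooks.php';
```

Because `return` at file scope only ends the included file, a front-end file required from the back end (or vice versa) silently contributes nothing rather than breaking the page.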

Apply Basic Security Protection to all Plugin Files

Contents of: ./wp-content/plugins/mbe-plugin/index.php:

Contents of: ./wp-content/plugins/mbe-plugin/frontend/index.php:

Contents of: ./wp-content/plugins/mbe-plugin/backend/index.php:

Contents of: ./wp-content/plugins/mbe-plugin/global/index.php:

Contents of: ./wp-content/plugins/mbe-plugin/frontend/inc/functions.php:

Contents of: ./wp-content/plugins/mbe-plugin/frontend/inc/hooks.php:

Contents of: ./wp-content/plugins/mbe-plugin/backend/inc/functions.php:

Contents of: ./wp-content/plugins/mbe-plugin/backend/inc/hooks.php:

Contents of: ./wp-content/plugins/mbe-plugin/global/inc/functions.php:

Contents of: ./wp-content/plugins/mbe-plugin/global/inc/hooks.php:

Contents of: ./wp-content/plugins/mbe-plugin/backend/inc/activation.php:

Contents of: ./wp-content/plugins/mbe-plugin/backend/inc/deactivation.php:

Contents of: ./wp-content/plugins/mbe-plugin/backend/inc/uninstallation.php:
