If you look at the PHP source code of a WordPress theme or plugin, you will see if ( ! defined( 'ABSPATH' ) ) at the top of many of its files. I would like to explain what this statement means and what effect it has.
The meaning of if ( ! defined( 'ABSPATH' ) ) in PHP
Written out in full, the statement usually looks like this:
if ( ! defined( 'ABSPATH' ) ) { exit; }
Some projects use the shorter, equivalent form defined( 'ABSPATH' ) || exit;
The meaning is simple: if the constant ABSPATH has not been defined, stop executing this file immediately, before any of the code below the check runs.
ABSPATH is not a variable but a PHP constant. WordPress defines it at the very start of its bootstrap, in wp-config.php (wp-load.php defines it as a fallback), and its value is the absolute path on the server, with a trailing slash, of the directory where WordPress is installed.
Why stop processing if ABSPATH is not defined?
The PHP files of plugins and themes are not entry points of their own: WordPress core loads them after it has finished bootstrapping.
In other words, by the time a plugin or theme file runs through the normal route, ABSPATH has already been defined.
If ABSPATH is undefined when one of these files executes, the file was not included by WordPress at all. Someone requested it directly by its URL (for example /wp-content/plugins/some-plugin/some-file.php, a placeholder path) and the web server handed it straight to PHP.
There is no legitimate reason for a browser to fetch such a file on its own, so a direct request is a strong sign that someone is probing the file for a vulnerability, or simply trying to provoke an error message (a fatal error such as "Call to undefined function add_action()" can reveal the full server path if error display is enabled).
That is why programmers put the check at the top of the file: when the file is reached by any route other than WordPress, it exits before doing anything, so even a file that does contain a vulnerability cannot be exploited by calling it directly. The check only governs what happens at file scope when the file is loaded; it says nothing about how safe the functions inside the file are once WordPress itself calls them.
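The following is an added example, not code from the original post or from WordPress itself. It simulates the two ways a plugin file can be reached: a direct request, where ABSPATH is undefined and the guard exits, and a normal load, where the bootstrap has defined ABSPATH before the file is included. The file contents, the sample ABSPATH value and the "plugin code executed" marker are constructed for the demonstration.

```php
<?php
// Added example: demonstrate the ABSPATH guard under both load paths.
// Nothing here is real WordPress code; the plugin file below is constructed.

// --- contents of a hypothetical wp-content/plugins/my-plugin/includes/export.php ---
$plugin_file = <<<'PHP'
<?php
if ( ! defined( 'ABSPATH' ) ) {
    exit; // reached directly by URL, not through WordPress: stop here
}
// Everything below runs only when WordPress included this file.
return 'plugin code executed';
PHP;

$path = tempnam( sys_get_temp_dir(), 'wpguard' ) . '.php';
file_put_contents( $path, $plugin_file );

// 1) Direct request: run the file in a fresh PHP process, the way the web server
//    would hand it to PHP when no WordPress bootstrap has run. ABSPATH is not
//    defined there, so `exit` ends the process and nothing is returned or printed.
exec( PHP_BINARY . ' ' . escapeshellarg( $path ), $out, $rc );
echo "direct access  -> exit code $rc, output: '" . implode( '', $out ) . "'\n";

// 2) Normal load: WordPress defines ABSPATH in wp-config.php before it loads any
//    plugin, so the guard passes and the rest of the file executes.
define( 'ABSPATH', '/var/www/html/' ); // sample value, constructed for the demo
$result = include $path;
echo "via WordPress  -> $result\n";

unlink( $path );
```

Run it with the PHP CLI; the first line reports an empty result for the direct request, the second prints the marker the included file returned. On a real site the direct request would simply produce an empty HTTP response instead of executing the file.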
Security in WordPress plugin and theme development
More than 60% of WordPress compromises can be traced to vulnerabilities in PHP code. Most of those vulnerabilities are in well-known, popular plugins, so it is comparatively rare for a home-grown theme or plugin, or one that is not meant to become popular, to be singled out. Bear in mind, though, that automated scanners request well-known plugin and theme file paths on every site they find, regardless of how popular the code is.
Even so, developers should aim to write code that has no security holes in the first place.
Putting if ( ! defined( 'ABSPATH' ) ) { exit; }
at the top of every file that is not meant to be requested directly is a cheap, worthwhile habit: it closes the direct-access route, so a latent vulnerability in that file becomes harder to reach. It is not a substitute for the usual checks, however. Code that WordPress itself runs, such as AJAX handlers, shortcodes, REST endpoints and form handlers, is reached with ABSPATH defined, so it must still validate input, verify nonces and check capabilities on its own.
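As an added example (not the original post's code, and not from any real plugin), here is a plugin file that carries the ABSPATH guard yet still exposes a vulnerable handler, next to the hardened form of the same handler. The guard stops direct requests to this file, but WordPress loads the file on every request and the AJAX action it registers is reachable through /wp-admin/admin-ajax.php with ABSPATH defined, so the guard never runs for that path. The myplugin_* names and the nonce action string are hypothetical; the WordPress functions used (add_action, check_ajax_referer, current_user_can, wp_delete_post, wp_send_json_success, wp_send_json_error, absint, wp_unslash) are real.

```php
<?php
// Added example: the guard protects the file, not the handlers it registers.
if ( ! defined( 'ABSPATH' ) ) {
    exit; // direct request to this file stops here
}

// BEFORE (vulnerable): the handler trusts the request completely.
// It was registered for logged-out visitors too, so anyone could delete any
// post by POSTing action=myplugin_delete_post&post_id=N to admin-ajax.php.
function myplugin_delete_post_insecure() {
    $post_id = (int) $_POST['post_id'];
    wp_delete_post( $post_id, true ); // no nonce, no capability check
    wp_send_json_success();
}
// The vulnerable version registered both hooks; they are left commented out
// so that only the hardened handler is active in this file.
// add_action( 'wp_ajax_nopriv_myplugin_delete_post', 'myplugin_delete_post_insecure' );
// add_action( 'wp_ajax_myplugin_delete_post', 'myplugin_delete_post_insecure' );

// AFTER (hardened): same guard at the top, plus the checks the guard cannot give.
function myplugin_delete_post_secure() {
    // CSRF: dies with HTTP 403 if the nonce for this action is missing or invalid.
    check_ajax_referer( 'myplugin_delete_post', 'nonce' );

    // Input validation: coerce to a non-negative integer.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;

    // Authorization: the current user must be allowed to delete this specific post.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
// Logged-in users only: no wp_ajax_nopriv_ registration at all.
add_action( 'wp_ajax_myplugin_delete_post', 'myplugin_delete_post_secure' );
```

The point to take away is that both versions of the file are equally protected against direct access, and only the second is safe when reached the normal way through WordPress.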