• In the video on Beginning WordPress developer – plugin requirements, the author mentions adding the below code at the beginning of a plugin file. Would this code also be advised for custom standalone PHP files used to execute other applications and enter/update information into the database? If not, then what is advised for custom standalone PHP files?

    if ( ! defined( 'ABSPATH' ) ) {
        exit; // Exit if accessed directly
    }


    Ronald

Viewing 4 replies - 1 through 4 (of 4 total)
  • If you’re writing standalone PHP files that are not part of WordPress, using this check wouldn’t make sense because ABSPATH is specific to WordPress.

    Instead, you should follow general PHP security best practices for standalone scripts. Here’s what you should consider:

    Database Security: Ensure your database credentials are stored securely (e.g., in environment variables or a separate configuration file). Make sure this file is not publicly accessible.

    Sanitize and Validate Input: If your script processes user input, always sanitize and validate it to prevent common attacks like SQL injection.

    Authentication: If your standalone file should only be accessed by specific users, make sure to include proper authentication checks.

    CSRF Protection: If your file handles sensitive operations, use tokens to prevent Cross-Site Request Forgery (CSRF) attacks.

    session_start();

    // Ensure user is authenticated
    if (!isset($_SESSION['user_id'])) {
        exit('Unauthorized access');
    }

    // Sanitize and validate input
    $user_id = filter_input(INPUT_POST, 'user_id', FILTER_SANITIZE_NUMBER_INT);

    // Secure database operations (e.g., using prepared statements)

    Hope this helps!
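
The checklist above (authentication check, validated input, CSRF token, prepared statement) combined into one standalone handler, as an added example that is not part of the original reply. The `records` table, its columns, and the form field names are assumptions made for illustration.

```php
<?php
// Added example. Table, column, and field names are assumptions, not from the thread.

// Create (or reuse) the per-session CSRF token that the form sends back as a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Returns [HTTP status, message]. The UPDATE runs only if every check passes.
function handle_update(PDO $db, array $session, array $post): array
{
    if (!isset($session['user_id'])) {
        return [401, 'Unauthorized access'];
    }
    // Constant-time comparison of the submitted token with the session's token.
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || empty($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $sent)) {
        return [403, 'Invalid CSRF token'];
    }
    // Validate instead of stripping characters: reject anything that is not a positive integer.
    $id = filter_var($post['record_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $note = $post['note'] ?? null;
    if ($id === false || !is_string($note) || $note === '' || strlen($note) > 500) {
        return [400, 'Invalid input'];
    }
    // Prepared statement: values are bound, never concatenated into the SQL text.
    // The owner_id condition limits the update to rows owned by the logged-in user.
    $stmt = $db->prepare('UPDATE records SET note = :note WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':note' => $note, ':id' => $id, ':owner' => $session['user_id']]);
    return [200, 'Rows updated: ' . $stmt->rowCount()];
}

// Constructed demo: in-memory SQLite and hand-built arrays stand in for the real
// database, $_SESSION (after session_start()) and $_POST.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, note TEXT)');
$db->exec("INSERT INTO records VALUES (1, 7, 'old note')");
$session = ['user_id' => 7];
$good = ['csrf_token' => csrf_token($session), 'record_id' => '1', 'note' => 'new note'];
foreach ([$good, ['csrf_token' => 'wrong'] + $good, ['record_id' => '1 OR 1=1'] + $good] as $post) {
    echo implode(' ', handle_update($db, $session, $post)), PHP_EOL;
}
```

The three constructed requests are a valid submission, one with a mismatched token, and one with a non-integer `record_id`; only the first reaches the database.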

    I would recommend adding this code to any PHP file you use in a plugin or theme in WordPress.

    Still on the above tips:
    To check if a user is logged in, there is this function: https://developer.www.ads-software.com/reference/functions/is_user_logged_in/ – I would strongly advise against using PHP sessions unless you know how to use them and for what purpose you are using them.

    There is an article about sanitizing input in the manual: https://developer.www.ads-software.com/apis/security/sanitizing/

    Thread Starter stemsrus

    (@stemsrus)

    Dhruvik Malaviya and threadi, thank you for your response and there is a lot to unpack here! So I’ll focus on what’s confusing me or where I seek further clarification.

    Dhruvik, I understand what you’re saying about the general PHP practices and the code you’re providing. However, with respect to database credentials, all my database credentials are stored in the default location in my wp-config.php file. I considered moving this file, but I trust that WP knows what they’re doing when they set up these installations. Are you recommending I move my wp-config.php to a location outside of the default location?

    threadi, when you write, “I would strongly advise against using PHP sessions unless you know how to use them and for what purpose you are using them.” If I’m reading this correctly, are you saying that I should understand the “What” and “Why” of PHP sessions? If I understand the what, why, and how, then I’m ok with adding these into my code with little to no risk?

    Ronald seeking clarification.

    You cannot save the wp-config.php somewhere else. It must already be where it is. However, you can prevent access to it, depending on the web server used, either by making an entry in the .htaccess file or server configuration. There are also security plugins for WordPress that take care of this for you.

    You didn’t write anything about PHP sessions, but they are recommended in the first answer. WordPress runs without them without any problems, but if you want to use them you have to additionally secure your code. See e.g.: https://www.ironistic.com/insights/using-php-sessions-in-wordpress/ – however, this is absolutely irrelevant for your question regarding access to individual files from the WordPress core. Only if you want to use something like this in your own programming should you think about it. You should also think about many other security criteria, which are well described in the manual: https://developer.www.ads-software.com/apis/security/
