General: Stop direct loading of files in /wp-admin that should only…

… be included. This changeset restricts direct access call in `/wp-admin` and its sub directories. Follow-up to [11768]. Props deepakrohilla. See #61314. git-svn-id: https://develop.svn.wordpress.org/trunk@59678 602fd350-edb4-49c9-b593-d223f7449a82
WordPress · Jan 22, 2025 · c7cd04c · c7cd04c
1 parent 0f2334d
commit c7cd04c
Show file tree

Hide file tree

Showing 9 changed files with 45 additions and 0 deletions.
diff --git a/src/wp-admin/admin-functions.php b/src/wp-admin/admin-functions.php
@@ -9,6 +9,11 @@
  * @subpackage Administration
  */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 _deprecated_file( basename( __FILE__ ), '2.5.0', 'wp-admin/includes/admin.php' );
 
 /** WordPress Administration API: Includes all Administration functions. */

diff --git a/src/wp-admin/admin-header.php b/src/wp-admin/admin-header.php
@@ -6,6 +6,11 @@
  * @subpackage Administration
  */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 header( 'Content-Type: ' . get_option( 'html_type' ) . '; charset=' . get_option( 'blog_charset' ) );
 if ( ! defined( 'WP_ADMIN' ) ) {
 	require_once __DIR__ . '/admin.php';

diff --git a/src/wp-admin/custom-background.php b/src/wp-admin/custom-background.php
@@ -9,6 +9,11 @@
  * @subpackage Administration
  */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 _deprecated_file( basename( __FILE__ ), '5.3.0', 'wp-admin/includes/class-custom-background.php' );
 
 /** Custom_Background class */

diff --git a/src/wp-admin/custom-header.php b/src/wp-admin/custom-header.php
@@ -9,6 +9,11 @@
  * @subpackage Administration
  */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 _deprecated_file( basename( __FILE__ ), '5.3.0', 'wp-admin/includes/class-custom-image-header.php' );
 
 /** Custom_Image_Header class */

diff --git a/src/wp-admin/menu-header.php b/src/wp-admin/menu-header.php
@@ -6,6 +6,11 @@
  * @subpackage Administration
  */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 /**
  * The current page.
  *

diff --git a/src/wp-admin/menu.php b/src/wp-admin/menu.php
@@ -6,6 +6,11 @@
  * @subpackage Administration
  */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 /**
  * Constructs the admin menu.
  *

diff --git a/src/wp-admin/network/menu.php b/src/wp-admin/network/menu.php
@@ -7,6 +7,11 @@
  * @since 3.1.0
  */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 /* translators: Network menu item. */
 $menu[2] = array( __( 'Dashboard' ), 'manage_network', 'index.php', '', 'menu-top menu-top-first menu-icon-dashboard', 'menu-dashboard', 'dashicons-dashboard' );
 

diff --git a/src/wp-admin/options-head.php b/src/wp-admin/options-head.php
@@ -8,6 +8,11 @@
  * @subpackage Administration
  */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 $action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 if ( isset( $_GET['updated'] ) && isset( $_GET['page'] ) ) {

diff --git a/src/wp-admin/user/menu.php b/src/wp-admin/user/menu.php
@@ -7,6 +7,11 @@
  * @since 3.1.0
  */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 $menu[2] = array( __( 'Dashboard' ), 'exist', 'index.php', '', 'menu-top menu-top-first menu-icon-dashboard', 'menu-dashboard', 'dashicons-dashboard' );
 
 $menu[4] = array( '', 'exist', 'separator1', '', 'wp-menu-separator' );