From c7cd04c7b708a9a122776325c0592c144063412f Mon Sep 17 00:00:00 2001
From: Jb Audras
Date: Wed, 22 Jan 2025 14:04:34 +0000
Subject: [PATCH] General: Stop direct loading of files in `/wp-admin` that should only be included.

This changeset restricts direct access call in `/wp-admin` and its sub directories.

Follow-up to [11768].

Props deepakrohilla.
See #61314.

git-svn-id: https://develop.svn.wordpress.org/trunk@59678 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/admin-functions.php | 5 +++++
 src/wp-admin/admin-header.php | 5 +++++
 src/wp-admin/custom-background.php | 5 +++++
 src/wp-admin/custom-header.php | 5 +++++
 src/wp-admin/menu-header.php | 5 +++++
 src/wp-admin/menu.php | 5 +++++
 src/wp-admin/network/menu.php | 5 +++++
 src/wp-admin/options-head.php | 5 +++++
 src/wp-admin/user/menu.php | 5 +++++
 9 files changed, 45 insertions(+)

diff --git a/src/wp-admin/admin-functions.php b/src/wp-admin/admin-functions.php
index a9ff3f44b99f7..6ce4e06c47007 100644
--- a/src/wp-admin/admin-functions.php
+++ b/src/wp-admin/admin-functions.php
@@ -9,6 +9,11 @@
 * @subpackage Administration
 */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+ die( '-1' );
+}
+
 _deprecated_file( basename( __FILE__ ), '2.5.0', 'wp-admin/includes/admin.php' );
 
 /** WordPress Administration API: Includes all Administration functions. */
diff --git a/src/wp-admin/admin-header.php b/src/wp-admin/admin-header.php
index 235468f1461c0..54bcc11ca55b3 100644
--- a/src/wp-admin/admin-header.php
+++ b/src/wp-admin/admin-header.php
@@ -6,6 +6,11 @@
 * @subpackage Administration
 */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+ die( '-1' );
+}
+
 header( 'Content-Type: ' . get_option( 'html_type' ) . '; charset=' . get_option( 'blog_charset' ) );
 if ( ! defined( 'WP_ADMIN' ) ) {
 require_once __DIR__ . '/admin.php';
diff --git a/src/wp-admin/custom-background.php b/src/wp-admin/custom-background.php
index 37b8c3d8b8403..bbd56bdb6cee2 100644
--- a/src/wp-admin/custom-background.php
+++ b/src/wp-admin/custom-background.php
@@ -9,6 +9,11 @@
 * @subpackage Administration
 */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+ die( '-1' );
+}
+
 _deprecated_file( basename( __FILE__ ), '5.3.0', 'wp-admin/includes/class-custom-background.php' );
 
 /** Custom_Background class */
diff --git a/src/wp-admin/custom-header.php b/src/wp-admin/custom-header.php
index d89f03bbaab2a..31c78dcb5b372 100644
--- a/src/wp-admin/custom-header.php
+++ b/src/wp-admin/custom-header.php
@@ -9,6 +9,11 @@
 * @subpackage Administration
 */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+ die( '-1' );
+}
+
 _deprecated_file( basename( __FILE__ ), '5.3.0', 'wp-admin/includes/class-custom-image-header.php' );
 
 /** Custom_Image_Header class */
diff --git a/src/wp-admin/menu-header.php b/src/wp-admin/menu-header.php
index 878779d325ec9..9887dcb9964c6 100644
--- a/src/wp-admin/menu-header.php
+++ b/src/wp-admin/menu-header.php
@@ -6,6 +6,11 @@
 * @subpackage Administration
 */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+ die( '-1' );
+}
+
 /**
 * The current page.
 *
diff --git a/src/wp-admin/menu.php b/src/wp-admin/menu.php
index 3f0a773414a1a..5726570da6b8a 100644
--- a/src/wp-admin/menu.php
+++ b/src/wp-admin/menu.php
@@ -6,6 +6,11 @@
 * @subpackage Administration
 */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+ die( '-1' );
+}
+
 /**
 * Constructs the admin menu.
 *
diff --git a/src/wp-admin/network/menu.php b/src/wp-admin/network/menu.php
index 73cc86b23484d..852c36004cbab 100644
--- a/src/wp-admin/network/menu.php
+++ b/src/wp-admin/network/menu.php
@@ -7,6 +7,11 @@
 * @since 3.1.0
 */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+ die( '-1' );
+}
+
 /* translators: Network menu item. */
 $menu[2] = array( __( 'Dashboard' ), 'manage_network', 'index.php', '', 'menu-top menu-top-first menu-icon-dashboard', 'menu-dashboard', 'dashicons-dashboard' );
 
diff --git a/src/wp-admin/options-head.php b/src/wp-admin/options-head.php
index 9dba3703c5ad7..c951b77419505 100644
--- a/src/wp-admin/options-head.php
+++ b/src/wp-admin/options-head.php
@@ -8,6 +8,11 @@
 * @subpackage Administration
 */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+ die( '-1' );
+}
+
 $action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 if ( isset( $_GET['updated'] ) && isset( $_GET['page'] ) ) {
diff --git a/src/wp-admin/user/menu.php b/src/wp-admin/user/menu.php
index 23e81a892c273..587d0ec1762dc 100644
--- a/src/wp-admin/user/menu.php
+++ b/src/wp-admin/user/menu.php
@@ -7,6 +7,11 @@
 * @since 3.1.0
 */
 
+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+ die( '-1' );
+}
+
 $menu[2] = array( __( 'Dashboard' ), 'exist', 'index.php', '', 'menu-top menu-top-first menu-icon-dashboard', 'menu-dashboard', 'dashicons-dashboard' );
 
 $menu[4] = array( '', 'exist', 'separator1', '', 'wp-menu-separator' );
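Review bot: The guard added at the top of src/wp-admin/user/menu.php, and verbatim in the eight other files of this patch, ends a direct request with `die( '-1' )` without setting a status, so the response keeps PHP's default 200 and access logs cannot tell a blocked direct hit from a normal page load. Unless consistency with the existing core guards (the message points to [11768]) rules it out, consider `http_response_code( 403 );` on the line before `die( '-1' );` so that probing of include-only files shows up in log monitoring. The check only establishes that the WordPress bootstrap has defined `ABSPATH`; it is not an authorization check, and the one-line comment could say why it is there, for example `// Don't load directly: this file needs the WordPress bootstrap and is not an entry point.`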