wordpress plugin - how do I make it so only my plugn can access its own files

Question

I'm developing a wordpress plugin and was wondering how I can make it so only my plugn can access its own files. basically looking for something similar to this:

defined('ABSPATH') or die();

I think I saw something like this in someone elses plugin once:

defined('PLUGINNAME') or die();

I didn't understand how it worked, but was wondering if there is anything similar that will only allow my plugin to "require_once(plugin_dir_path(__ FILE __).'secondpluginfile.php');" its own files. (spaces between __ and FILE because otherwise stackoverflow tries to make it bold instead) Not sure if this restriction is built into wordpress(probobly not because some plugins have add-ons), or if I have to add something to make this happen. do I just put the pluginname or something in the "defined()" function, or do I need to set something up first?

Answer 1

So basically, if your plugin was a single php file, all the functions and logic included in the file would be accessible to the rest of the application once the plugin was installed and activated.

Most plugins are not designed that way, however. The plugin filename that acts as the entry point to your plugin usually loads the rest of the files in your plugin directory either by simply including them or calling classes and functions based on events occurring on the site via hooks.

So, if you want only your plugin to be able to access its own files you could do a few things.

First of all, add defined('ABSPATH') or die(); at the top of the main plugin file. As user Ifty wrote, "ABSPATH is a constant defined in wp-config.php line 86. When wordpress will try to execute your plugin, the ABSPATH constant will be defined. But if someone else try to execute your plugins file directly, ABSPATH will not be defined and in that case your script will not get executed."

So that protects your file from being accessed directly outside the context of Wordpress.

To protect your plugin's files from the rest of the site itself, simple wrap any include or require_once statement or code in your main plugin file in a function or class which is only called based on conditions you set. For example

<?php
  /*
   Plugin Name: Example plugin 
   Plugin URI: http://stackoverflow.com/
   Version: 1.0
  */

  defined('ABSPATH') or die();

  add_action('your-custom-action', 'protector_function'); 

  function protector_function(){
      if ( current_user_can('manage_options') ) { //checks if user is admin you can use whichever conditions you want here
            require_once plugin_dir_path( __FILE__ ) . 'filename-with-plugin-code.php';

            // any other plugin code here
      }
  }

You can define your own action and call it using do_action() (reference) so that you can ensure your plugin code is only called where you have specified throughout the application.

Wordpress plugins exist to extend the functionality of Wordpress so if you do not want your code to be accessed from Wordpress in any way at all, I am not sure a plugin is the correct solution.

Hope this helps!

Answer 2

You can put

defined('ABSPATH') or die();

at the beginning of your plugins code. Actually what it does is check if ABSPATH is defined or not. If it's not defined then it will execute die() and stop executing your plugin file.

ABSPATH is a constant defined in wp-config.php line 86. When wordpress will try to execute your plugin, the ABSPATHconstant will be defined. But if someone else try to execute your plugins file directly, ABSPATHwill not be defined and in that case your script will not get executed.

Another way of accomplishing the same result is to check for add_action function.

if ( !function_exists( 'add_action' ) ) {
    echo 'Hi there!  I\'m just a plugin, not much I can do when called directly.';
    exit;
}

Code Reference: Akismet Plugin. You can take a look at their source code. As far as I know this plugin comes with wordpress package.