Guard Plugin and Theme PHP Files Against Direct Access

<?php
// wp-content/plugins/my-plugin/includes/helpers.php
// ❌ No guard — directly accessible via URL
 
function process_data( $input ) {
    global $wpdb;
    // Fatal error: $wpdb is null when accessed directly
    // Error message leaks server path and WordPress install location
    return $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->prefix}posts" );
}

<?php
// ❌ File with initialization logic that runs on include
// Direct access triggers this without WordPress context
$config = include __DIR__ . '/config.php'; // May expose sensitive values
$db = new PDO( $config['dsn'] ); // Direct DB connection without WP safeguards

<?php
// ✅ First executable line in every plugin/theme PHP file
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
 
function process_data( $input ) {
    global $wpdb;
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->prefix}posts WHERE post_status = %s", 'publish' )
    );
}

<?php
// ✅ Alternative: check WPINC (defined in wp-settings.php)
defined( 'WPINC' ) || die;
 
// ✅ One-liner variant
defined( 'ABSPATH' ) || exit;

# Find PHP files missing ABSPATH guard
grep -rL "defined.*ABSPATH\|defined.*WPINC" wp-content/plugins/my-plugin/ --include="*.php" | grep -v "vendor\|node_modules"