ka215/wp-ignitor

Calling core loading files directly

Closed this issue · 5 comments

ka215 commented

Including wp-config.php, wp-blog-header.php, wp-load.php directly via an include is not permitted.

These calls are prone to failure as not all WordPress installs have the exact same file structure. In addition it opens your plugin to security issues, as WordPress can be easily tricked into running code in an unauthenticated manner.

Your code should always exist in functions and be called by action hooks. This is true even if you need code to exist outside of WordPress. Code should only be accessible to people who are logged in and authorized, if it needs that kind of access. Your plugin's pages should be called via the dashboard like all the other settings panels, and in that way, they'll always have access to WordPress functions.

https://developer.wordpress.org/plugins/hooks/

If you need to have a ‘page’ accessed directly by an external service, you should use query_vars and/or rewrite rules to create a virtual page which calls a function.

https://developer.wordpress.org/reference/hooks/query_vars/
https://codepen.io/the_ruther4d/post/custom-query-string-vars-in-wordpress

If you're trying to use AJAX, please read this:

https://developer.wordpress.org/plugins/javascript/ajax/

Example(s) from your plugin:

wp-ignitor-1.0.0-beta.2/views/entrance.php:24: require_once $core_files['wp-load.php'];
ka215 commented

Abandoned the require process of "wp-load.php" and changed it to a simple header redirect.

header( 'HTTP/1.0 404 Not Found' );

Hello, I have the same problem. Were you able to solve it?

ka215 commented

This issue has now been resolved.
However, I ended up discarding the require of "wp-load.php".
On the other hand, the require of "wp-login.php" is not restricted, so my plugin will do a minimal job once that is accomplished.

Excuse me, could you help me by telling me how to do this? By including wp-login.php the page directs me to the login. Thank you.

ka215 commented

In my plugin I need to override the default login page URL with a new custom login URL that has the same features as "wp-login.php". So I had prepared a wrapper file "views/entrance.php" that included "wp-login.php", as follows:

<?php
/**
 * Wrapper for new login page as an alternative to "wp-login.php"
 *
 * @package WpIgnitor
 * @since 1.0.0
 */
// Normalise path separators so the string comparisons below also work on Windows.
$_docroot = str_replace( DIRECTORY_SEPARATOR, '/', $_SERVER['DOCUMENT_ROOT'] );
define( 'WPIGNITOR_LOGIN_PAGE_DIR', str_replace( DIRECTORY_SEPARATOR, '/', dirname( __FILE__ ) ) );
define( 'WPIGNITOR_LOGIN_PAGE_FILE', basename( $_SERVER['SCRIPT_FILENAME'] ) );
define( 'WPIGNITOR_LOGIN_PAGE_URL', str_replace( $_docroot, '', WPIGNITOR_LOGIN_PAGE_DIR ) . '/' . WPIGNITOR_LOGIN_PAGE_FILE );
define( 'WPIGNITOR_LOGIN_CREDENTIAL', hash( 'sha512', 'wp-ignitor@' . $_SERVER['HTTP_HOST'] . ':' . WPIGNITOR_LOGIN_PAGE_DIR . '/' . WPIGNITOR_LOGIN_PAGE_FILE ) );

// Look for wp-login.php one directory below the document root (e.g. /apps/wp-login.php).
$matches    = glob( $_docroot . '/*/wp-login.php', GLOB_BRACE );
$core_files = [];
foreach ( (array) $matches as $file_path ) {
    if ( 'wp-login.php' === basename( $file_path ) ) {
        $core_files[ basename( $file_path ) ] = str_replace( DIRECTORY_SEPARATOR, '/', $file_path );
    }
}
if ( isset( $core_files['wp-login.php'] ) ) {
    // wp-login.php requires wp-load.php itself, so WordPress is bootstrapped from here.
    require_once $core_files['wp-login.php'];
} else {
    header( 'HTTP/1.0 404 Not Found' );
}
exit;

Initially, we planned to load "wp-load.php" from this file and perform the original login process. However, the official WordPress plugin rules prohibit including "wp-load.php". Therefore I switched to including "wp-login.php", which is not restricted.
Incidentally, the custom login file above works by rewriting the URL in ".htaccess", as follows:

# Route /entrance... to the plugin's wrapper file, then hide the original wp-login.php.
RewriteCond %{REQUEST_URI} ^/entrance
RewriteRule ^entrance(.*)$ /apps/wp-content/plugins/wp-ignitor/views/entrance\.php$1 [L]
RewriteRule "wp-login\.php(.*)$" - [R=404,L]

Because "wp-login.php" includes "wp-load.php" as its very first step, I did not need a separate "wp-load.php" inclusion in my plugin.

If you want to include "wp-load.php" by itself for another purpose, my method may not be helpful.
Thanks.
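For readers following the review comment at the top of this thread (register a virtual page with query_vars and rewrite rules instead of requiring wp-load.php directly) and the wrapper-plus-.htaccess approach described above, here is an added example of the hook-based pattern. It is illustration code, not part of wp-ignitor or WordPress; the slug "entrance", the query var "vpe_page", the option name "vpe_service_token", the request header "X-VPE-Token" and the "manage_options" capability are all hypothetical choices. Everything runs from action and filter hooks, so WordPress is already loaded when the request is handled and every branch can use the normal authentication and authorization APIs.

```php
<?php
/**
 * Plugin Name: Virtual Page Example (added illustration, not part of wp-ignitor)
 *
 * Hook-based alternative to a standalone file that require()s a core file:
 * a rewrite rule maps /entrance/ to a query var, and a template_redirect
 * callback serves the request with WordPress already loaded.
 * Slug, query var, option name, header and capability are hypothetical.
 */

const VPE_SLUG      = 'entrance';
const VPE_QUERY_VAR = 'vpe_page';
const VPE_TOKEN_OPT = 'vpe_service_token'; // hypothetical option holding a shared secret

// 1. /entrance/         -> index.php?vpe_page=status   (for logged-in administrators)
//    /entrance/webhook/ -> index.php?vpe_page=webhook  (for an external service)
function vpe_register_rewrite() {
    add_rewrite_rule( '^' . VPE_SLUG . '/?$', 'index.php?' . VPE_QUERY_VAR . '=status', 'top' );
    add_rewrite_rule( '^' . VPE_SLUG . '/webhook/?$', 'index.php?' . VPE_QUERY_VAR . '=webhook', 'top' );
}
add_action( 'init', 'vpe_register_rewrite' );

// 2. Register the query var so WordPress keeps it when parsing the request.
function vpe_register_query_var( $vars ) {
    $vars[] = VPE_QUERY_VAR;
    return $vars;
}
add_filter( 'query_vars', 'vpe_register_query_var' );

// 3. Rewrite rules are cached in the database; flush them on (de)activation only.
function vpe_activate() {
    vpe_register_rewrite();
    flush_rewrite_rules();
}
register_activation_hook( __FILE__, 'vpe_activate' );
register_deactivation_hook( __FILE__, 'flush_rewrite_rules' );

// 4. Serve the virtual page from a hook; wp-load.php has already run by now.
function vpe_handle_virtual_page() {
    $page = get_query_var( VPE_QUERY_VAR );
    if ( '' === $page ) {
        return; // not one of our virtual pages
    }
    nocache_headers();

    if ( 'status' === $page ) {
        // Anonymous visitors go to the real login form and are sent back afterwards.
        if ( ! is_user_logged_in() ) {
            wp_safe_redirect( wp_login_url( home_url( '/' . VPE_SLUG . '/' ) ) );
            exit;
        }
        // Being logged in is not enough: require an explicit capability.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to view this page.', 'vpe' ), '', array( 'response' => 403 ) );
        }
        wp_send_json_success( array( 'user' => wp_get_current_user()->user_login ) ); // exits
    }

    if ( 'webhook' === $page ) {
        // External caller: compare a shared secret in constant time; no configured token, no service.
        $expected = (string) get_option( VPE_TOKEN_OPT, '' );
        $given    = isset( $_SERVER['HTTP_X_VPE_TOKEN'] ) ? (string) $_SERVER['HTTP_X_VPE_TOKEN'] : '';
        if ( '' === $expected || ! hash_equals( $expected, $given ) ) {
            wp_die( esc_html__( 'Invalid token.', 'vpe' ), '', array( 'response' => 403 ) );
        }
        wp_send_json_success( array( 'received' => true ) ); // exits
    }

    // Unknown value for our query var: fall through to a normal 404.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
}
add_action( 'template_redirect', 'vpe_handle_virtual_page' );
```

The point of the design is that the access decision is made inside WordPress rather than in a file that can be requested on its own: a direct request to the plugin directory never reaches this code, and the only routes to it go through index.php, where the session, nonce and capability machinery are available. The rewrite rules only take effect after flush_rewrite_rules() has run, which is why it is tied to activation rather than called on every request.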