Hi!
Half a year ago, I mentioned that stupid hackers were trying to run template files directly and suggested a simple fix (which is also the recommended way by the WordPress team to do it).
Well, the stupid hackers are at it again: now they’re trying, out of all possible files, to hack into 404.php, using the same technique of directly calling those pages. Why they are so keen on hacking Clean Enterprise is really beyond me… but the same trick used 6 months ago for index.php also works for 404.php, of course, as well as for any and all other template files.
My only concern is that you guys might update Clean Enterprise and overwrite these fixes. Except for creating a whole child theme from scratch, it’s not easy to ‘fix’ each and every page that is being called directly by these script kiddies. So please please please take some time to review your code, and just add this simple fix — possibly on all your themes as well (I haven’t checked).
If not, hmm, well, I guess I can always try to use auto_prepend_file as illustrated in this article. While the example is specifically shown for Apache, you can also do something similar under nginx, too (normally using the .user.ini file). It’s actually also a solution you can add to your themes, instead of having to worry if you’ve missed a file or two.
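The auto_prepend_file idea from the post above, as an added example (not code from this thread, the linked article or the theme authors): a prepend script that answers 403 whenever the entry script of a request is itself a theme template. The file name, the placeholder path and the sample paths are assumptions made for illustration.

```php
<?php
// Added example. File name and paths are hypothetical placeholders.
// Enable with: auto_prepend_file = /path/to/block-direct-theme-access.php
// (php.ini, a .user.ini under PHP-FPM/CGI, or php_value in .htaccess with mod_php).

/**
 * True when the entry script of the request is a .php file inside a theme
 * directory. WordPress only include()s templates; the entry script of a
 * legitimate request is index.php, wp-login.php, wp-admin/..., never a template.
 */
function is_direct_theme_request(string $scriptFilename): bool
{
    $candidates = [$scriptFilename];
    $resolved = realpath($scriptFilename);   // false if the file does not exist
    if ($resolved !== false) {
        $candidates[] = $resolved;           // also covers ../ segments and symlinks
    }
    foreach ($candidates as $path) {
        $path = str_replace('\\', '/', $path);   // normalise Windows separators
        if (preg_match('#/wp-content/themes/[^/]+/.+\.php$#i', $path) === 1) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI !== 'cli') {
    // Web request: PHP runs this file before the requested script.
    if (is_direct_theme_request($_SERVER['SCRIPT_FILENAME'] ?? '')) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        exit('Sorry, no access outside WordPress');
    }
} elseif (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    // Run directly from the CLI: self-check on constructed sample paths.
    $samples = [
        '/var/www/html/index.php'                                    => false,
        '/var/www/html/wp-admin/admin-ajax.php'                      => false,
        '/var/www/html/wp-content/themes/clean-enterprise/404.php'   => true,
        '/var/www/html/wp-content/themes/clean-enterprise/index.php' => true,
        '/var/www/html/wp-content/themes/clean-enterprise/inc/x.php' => true,
    ];
    foreach ($samples as $path => $expected) {
        $got = is_direct_theme_request($path);
        printf("%-62s %s\n", $path, $got === $expected ? 'ok' : 'MISMATCH');
    }
}
```

A theme that ships a PHP file meant to be requested directly would also be blocked by this rule, so check the access log for legitimate hits on such files before enabling it.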
Hi there,
Looking at my logs, I saw that one ‘bad bot’ was happily trying to execute wp-content/themes/clean-enterprise/index.php directly, which is not supposed to be harmful, but annoying nevertheless.
My only concern is that there might be some bots searching for specific versions of Clean Enterprise which they believe to be hackable (that’s not likely, though).
However, just to be on the safe side of things, I made a few changes to index.php.
On line 15, where there is just get_header(), I did the following:
// ABSPATH is only defined when WordPress itself has loaded this template
if (!defined('ABSPATH')) {
    header('HTTP/1.1 403 Forbidden');
    die('Sorry, no access outside WordPress');
}
if ( function_exists( "get_header" ) ) get_header(); ?>
and a bit below, on line 20, where there was if ( is_front_page() ) :
I replaced it with: if ( function_exists( "is_front_page" ) && is_front_page() ) :
Strictly speaking, those checks for existing functions should not be necessary.
I am currently using the Clean Enterprise theme, which is working fine on desktop, but it is not showing menu and sub-menu items on mobile devices properly. Here is my Workdigit Site: if you open this site on a mobile device, click on the menu, open all the sub-menus and then scroll the page, you will see that all menu items disappear. Please help me to fix it or release a theme update which fixes it.