• Hi!

    Half a year ago, I mentioned that stupid hackers were trying to run template files directly and suggested a simple fix (which is also the way recommended by the WordPress team).

    Well, the stupid hackers are at it again: now they’re trying, of all possible files, to hack into 404.php, using the same technique of directly calling those pages. Why they are so keen on hacking Clean Enterprise is really beyond me… but the same trick used 6 months ago for index.php also works for 404.php, of course, as well as for any and all other template files.

    My only concern is that you guys might update Clean Enterprise and overwrite these fixes. Except for creating a whole child theme from scratch, it’s not easy to ‘fix’ each and every page that is being called directly by these script kiddies. So please please please take some time to review your code, and just add this simple fix — possibly on all your themes as well (I haven’t checked).

    If not, hmm, well, I guess I can always try to use auto_prepend_file as illustrated in this article. While the example is specifically shown for Apache, you can also do something similar under nginx (normally using the .user.ini file). It’s actually also a solution you can add to your themes, instead of having to worry if you’ve missed a file or two.

  • The topic ‘Yet another fix for hackers trying to run scripts directly’ is closed to new replies.
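
An added example (not from the original post, the linked article or the theme's code) of the auto_prepend_file approach mentioned in the post: a PHP guard that refuses any request whose entry script lives under the themes directory, so it keeps working when a theme update overwrites per-template fixes. The file name, the paths and the function `is_direct_theme_call` are assumptions made for illustration.

```php
<?php
/**
 * direct-call-guard.php (hypothetical file name), added example.
 * Loaded before every script through auto_prepend_file, for instance with
 * this line in a .user.ini placed in the WordPress root (constructed path):
 *   auto_prepend_file = /var/www/example/direct-call-guard.php
 */

/**
 * True when $script, the entry script of the request, resolves to a file
 * inside $themesDir. WordPress only ever include()s theme templates, so a
 * template showing up as the entry script means it was requested directly.
 */
function is_direct_theme_call(string $script, string $themesDir): bool
{
    // realpath() collapses "../" segments and symlinks before comparing.
    $scriptReal = realpath($script);
    $themesReal = realpath($themesDir);
    if ($scriptReal === false || $themesReal === false) {
        return false; // path does not exist, nothing to guard
    }
    // Trailing separator so "themes-backup/" does not match "themes/".
    $prefix = rtrim($themesReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($scriptReal, $prefix, strlen($prefix)) === 0;
}

// Assumption: this guard file sits in the WordPress root, next to wp-content/.
$themesDir = __DIR__ . '/wp-content/themes';
$entry     = $_SERVER['SCRIPT_FILENAME'] ?? '';

if (PHP_SAPI !== 'cli' && $entry !== '' && is_direct_theme_call($entry, $themesDir)) {
    // Replace control characters so the request cannot forge log lines.
    $uri = preg_replace('/[\x00-\x1F\x7F]/', '?', $_SERVER['REQUEST_URI'] ?? '-');
    error_log(sprintf(
        'Blocked direct theme file request: %s from %s',
        $uri,
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ));
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Forbidden');
}
```

A theme that ships a PHP endpoint meant to be requested directly would be blocked by this guard as well, so check the error log after enabling it.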