I would recommend adding this code to any PHP file you use in a plugin or theme in WordPress.
Still on the above tips:
To check if a user is logged in, there is this function: https://developer.wordpress.org/reference/functions/is_user_logged_in/ – I would strongly advise against using PHP sessions unless you know how to use them and for what purpose you are using them.
There is an article about sanitizing input in the manual: https://developer.wordpress.org/apis/security/sanitizing/
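As an added example that is not part of any post in this thread, the following plugin handler applies the two points above inside WordPress's own mechanisms: it checks login state with is_user_logged_in() instead of a hand-rolled PHP session, and it passes user input through the sanitizing API before storing it. The hook name, shortcode, field names, capability and user-meta key are assumptions made for this illustration; the ABSPATH guard at the top is the usual direct-access check and is not a claim about what the first reply's omitted snippet contained.

```php
<?php
/**
 * Added example (not from the thread): a small form handler that relies on
 * WordPress for authentication and on its sanitizing API for input.
 * Assumed names: shortcode example_note_form, action example_save_note,
 * nonce field _example_nonce, user-meta key example_note.
 */

// Refuse requests that load this file directly (e.g. /wp-content/plugins/x/handler.php);
// ABSPATH is only defined when WordPress itself has included the file.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Renders the form only for logged-in users; WordPress's auth cookie is the session.
function example_render_form() {
    if ( ! is_user_logged_in() ) {
        return '<p>Please log in to submit a note.</p>';
    }
    $saved = get_user_meta( get_current_user_id(), 'example_note', true );

    $html  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $html .= '<input type="hidden" name="action" value="example_save_note">';
    // The nonce ties this submission to the current user and this specific action (CSRF check).
    $html .= wp_nonce_field( 'example_save_note', '_example_nonce', true, false );
    // Output escaping: stored text is escaped again on the way out, regardless of sanitizing on the way in.
    $html .= '<input type="text" name="note" maxlength="200" value="' . esc_attr( $saved ) . '">';
    $html .= '<button type="submit">Save</button></form>';
    return $html;
}
add_shortcode( 'example_note_form', 'example_render_form' );

// Handles the POST via admin-post.php; each check is a separate layer.
function example_save_note() {
    // 1. Authentication.
    if ( ! is_user_logged_in() ) {
        wp_die( 'You must be logged in.', '', array( 'response' => 403 ) );
    }
    // 2. Authorization: being logged in is not the same as being allowed.
    if ( ! current_user_can( 'read' ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }
    // 3. Request forgery: dies with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'example_save_note', '_example_nonce' );

    // 4. Sanitizing: undo WordPress's magic-quotes slashing, then reduce to plain text
    //    (tags stripped, control characters and extra whitespace removed).
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    $note = mb_substr( $note, 0, 200 );

    // 5. Storage through the API, so no SQL is assembled by hand.
    update_user_meta( get_current_user_id(), 'example_note', $note );

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) );
    exit;
}
add_action( 'admin_post_example_save_note', 'example_save_note' );
```

The order of the checks matters: authentication and capability first, then the nonce, then sanitizing, so that a failed check never reaches the storage step. Note that sanitizing on input does not replace escaping on output (esc_attr() above); the manual treats them as separate steps.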
Dhruvik Malaviya and threadi, thank you for your responses; there is a lot to unpack here! So I’ll focus on what’s confusing me or where I seek further clarification.
Dhruvik, I understand what you’re saying about the general PHP practices and the code you’re providing. However, with respect to database credentials, all my database credentials are stored in the default location in my wp-config.php file. I considered moving this file, but I trust that WP knows what they’re doing when they set up these installations. Are you recommending I move my wp-config.php to a location outside of the default location?
threadi, when you write, “I would strongly advise against using PHP sessions unless you know how to use them and for what purpose you are using them.” If I’m reading this correctly, are you saying that I should understand the “what” and “why” of PHP sessions? If I understand the what, why, and how, then I’m OK with adding these into my code with little to no risk?
Ronald seeking clarification.
You cannot save the wp-config.php somewhere else. It must already be where it is. However, you can prevent access to it, depending on the web server used, either by making an entry in the .htaccess file or server configuration. There are also security plugins for WordPress that take care of this for you.
You didn’t write anything about PHP sessions, but they are recommended in the first answer. WordPress runs without them without any problems, but if you want to use them you have to additionally secure your code. See e.g.: https://www.ironistic.com/insights/using-php-sessions-in-wordpress/ – however, this is absolutely irrelevant for your question regarding access to individual files from the WordPress core. Only if you want to use something like this in your own programming should you think about it. You should also think about many other security criteria, which are well described in the manual: https://developer.wordpress.org/apis/security/
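As an added example (not code from this thread or from the linked article), this is what “additionally secure your code” can look like if a plugin really does need a PHP session alongside WordPress’s own login: the session is started once on the init hook with hardened cookie flags, its id is rotated when the user logs in, it is destroyed on logout, and its contents are never trusted as proof of identity without cross-checking against WordPress. The example_ function names and the example_uid key are assumptions for this illustration; session_set_cookie_params() with an options array requires PHP 7.3 or newer.

```php
<?php
/**
 * Added example (not from the thread): hardening a PHP session used next to
 * WordPress's own authentication. Assumed names: example_* functions and
 * the $_SESSION['example_uid'] key.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Start the session once, on init, only if no session is active yet and
// headers have not been sent; otherwise session_start() warns and does nothing.
function example_start_session() {
    if ( session_status() !== PHP_SESSION_NONE || headers_sent() ) {
        return;
    }
    session_set_cookie_params( array(
        'lifetime' => 0,                                      // browser-session cookie
        'path'     => COOKIEPATH ? COOKIEPATH : '/',          // WordPress cookie path constant
        'domain'   => COOKIE_DOMAIN ? COOKIE_DOMAIN : '',     // may be false in WordPress
        'secure'   => is_ssl(),                               // only over HTTPS when the site is
        'httponly' => true,                                   // not readable from JavaScript
        'samesite' => 'Lax',                                  // not sent on cross-site POSTs
    ) );
    session_start();
}
add_action( 'init', 'example_start_session', 1 );

// Rotate the session id when privilege changes, so an id obtained before
// login (session fixation) is worthless afterwards.
function example_session_on_login( $user_login, $user ) {
    if ( session_status() === PHP_SESSION_ACTIVE ) {
        session_regenerate_id( true );
        $_SESSION['example_uid'] = (int) $user->ID;
    }
}
add_action( 'wp_login', 'example_session_on_login', 10, 2 );

// Wipe server-side data and expire the cookie on logout.
function example_session_on_logout() {
    if ( session_status() !== PHP_SESSION_ACTIVE ) {
        return;
    }
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie( session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly'] );
    session_destroy();
}
add_action( 'wp_logout', 'example_session_on_logout' );

// Session data is a cache, not an identity: the user id WordPress reports
// from its auth cookie wins, and a mismatching session is discarded.
function example_session_user_id() {
    if ( ! is_user_logged_in() ) {
        return 0;
    }
    $uid = get_current_user_id();
    if ( isset( $_SESSION['example_uid'] ) && (int) $_SESSION['example_uid'] !== $uid ) {
        example_session_on_logout();
        return 0;
    }
    return $uid;
}
```

Whether the session adds anything is worth asking first: for most plugin needs, transients, user meta or the WordPress auth cookie already cover the use case without a second session mechanism to keep in step with the first.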