Wordpress - Does My Child-Theme Functions.php Need if{die} Security In It?
Does it need it? Probably not (other than this edge case, props @bravokeyl). Should you add it? In my opinion, yes:
- From a coding/architecture POV, you're declaring "this file needs WordPress".
- Any direct hit to one of your theme's files (curious users, bots, "script kiddies" etc.) has the potential to leak a little bit of info (most likely filesystem) and/or litter your error logs (e.g.
Undefined function get_header in /bada/bing/bada/boom
) - Reiterating 1), it's just good practice.
However, I absolutely hate this:
die( 'Direct Access Not Permitted' );
IMO it should simply be:
if ( ! defined( 'ABSPATH' ) )
exit;
There is just no point in having that "message". And I'm a big fan of exit
. It communicates the fact that this is an expected possible scenario, and in that scenario, I simply wish to quit. I use die
for "unexpected" scenarios, like filesystem write errors, database errors etc.
Most of the times there is no need to check for defined( 'ABSPATH' )
in the child theme.
No, functions.php
would generate PHP fatals if loaded directly as it uses the WordPress API.
If functions.php
tried to bootstrap and load WordPress however, then yes, it would be necessary, but if you've done that then something has gone horribly wrong and you need to start from scratch