General: Stop direct loading of files in /wp-admin that should only be included.

This changeset restricts direct access call in `/wp-admin` and its sub directories. Follow-up to [11768]. Props deepakrohilla. See #61314. Built from https://develop.svn.wordpress.org/trunk@59678 git-svn-id: http://core.svn.wordpress.org/trunk@59021 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2025-12-05 11:24:25 +01:00 · 2025-01-22 14:06:22 +00:00 · 2025-01-22 14:06:22 +00:00 · 0619c6d95a
commit 0619c6d95a
parent a79b4ef4c9
10 changed files with 46 additions and 1 deletions
--- a/wp-admin/admin-functions.php
+++ b/wp-admin/admin-functions.php
@ -9,6 +9,11 @@
 * @subpackage Administration
 */

+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 _deprecated_file( basename( __FILE__ ), '2.5.0', 'wp-admin/includes/admin.php' );

 /** WordPress Administration API: Includes all Administration functions. */
--- a/wp-admin/admin-header.php
+++ b/wp-admin/admin-header.php
@ -6,6 +6,11 @@
 * @subpackage Administration
 */

+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 header( 'Content-Type: ' . get_option( 'html_type' ) . '; charset=' . get_option( 'blog_charset' ) );
 if ( ! defined( 'WP_ADMIN' ) ) {
 	require_once __DIR__ . '/admin.php';
--- a/wp-admin/custom-background.php
+++ b/wp-admin/custom-background.php
@ -9,6 +9,11 @@
 * @subpackage Administration
 */

+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 _deprecated_file( basename( __FILE__ ), '5.3.0', 'wp-admin/includes/class-custom-background.php' );

 /** Custom_Background class */
--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@ -9,6 +9,11 @@
 * @subpackage Administration
 */

+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 _deprecated_file( basename( __FILE__ ), '5.3.0', 'wp-admin/includes/class-custom-image-header.php' );

 /** Custom_Image_Header class */
--- a/wp-admin/menu-header.php
+++ b/wp-admin/menu-header.php
@ -6,6 +6,11 @@
 * @subpackage Administration
 */

+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 /**
 * The current page.
 *
--- a/wp-admin/menu.php
+++ b/wp-admin/menu.php
@ -6,6 +6,11 @@
 * @subpackage Administration
 */

+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 /**
 * Constructs the admin menu.
 *
--- a/wp-admin/network/menu.php
+++ b/wp-admin/network/menu.php
@ -7,6 +7,11 @@
 * @since 3.1.0
 */

+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 /* translators: Network menu item. */
 $menu[2] = array( __( 'Dashboard' ), 'manage_network', 'index.php', '', 'menu-top menu-top-first menu-icon-dashboard', 'menu-dashboard', 'dashicons-dashboard' );

--- a/wp-admin/options-head.php
+++ b/wp-admin/options-head.php
@ -8,6 +8,11 @@
 * @subpackage Administration
 */

+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 $action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';

 if ( isset( $_GET['updated'] ) && isset( $_GET['page'] ) ) {
--- a/wp-admin/user/menu.php
+++ b/wp-admin/user/menu.php
@ -7,6 +7,11 @@
 * @since 3.1.0
 */

+// Don't load directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	die( '-1' );
+}
+
 $menu[2] = array( __( 'Dashboard' ), 'exist', 'index.php', '', 'menu-top menu-top-first menu-icon-dashboard', 'menu-dashboard', 'dashicons-dashboard' );

 $menu[4] = array( '', 'exist', 'separator1', '', 'wp-menu-separator' );
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.8-alpha-59677';
+$wp_version = '6.8-alpha-59678';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.