Title: Security Problem: Plugin is calling PHP file(s) directly
Last modified: October 27, 2020

---

# Security Problem: Plugin is calling PHP file(s) directly

 * Resolved [KZeni](https://wordpress.org/support/users/kzeni/) (@kzeni), [5 years, 7 months ago](https://wordpress.org/support/topic/security-problem-plugin-is-calling-php-files-directly/)
 * **– The Problem –**
   It appears iframe-font-preview.php is being called directly &
   that’s problematic when WordPress hosting/sites are properly hardened to prevent
   that potentially harmful attack vector.
 * It’s a WordPress theme & plugin guideline to not call PHP files directly as this
   can be a serious security issue. Instead, the files should be included and then
   have their functions/hooks/etc. called via the WordPress system (which then has
   better control & view into what’s being done for security purposes & code interoperability
   as well as certifying that the code being run wasn’t just some random file that
   was uploaded & is really part of the plugin/system.)
 * As such, there are actually WordPress hosting providers, plugins (Sucuri being
   one of many), and configurations that specifically disable the ability of a PHP
   file located in a theme or plugin from being called directly. This importantly
   makes it so a malicious PHP file that might somehow be uploaded to the site can’t
   then just be executed by visiting that file (per it then being blocked). This
   then, unfortunately, blocks parts of plugins/themes that don’t follow the guideline &
   just have PHP file(s) being called directly (when that’s totally avoidable as
   mentioned above.)
 * **– Potential Fix –**
    In the case of iframe-font-preview.php, I see no reason
   it can’t just load the parent page URL with a GET variable appended to it (with
   all of the others it needs for displaying the specific preview) to be noticed
   by a hook/function that then has it output what that direct PHP file call would
   show.
 * There might be cases outside of iframe-font-preview.php, but that one is for 
   sure actively problematic, at the moment.
 * Again, this is an important security precaution where this direct PHP file being
   called should be redone. Also, this plugin’s actively breaking on assorted hosting/
   setups where they have things hardened against this potential attack vector as
   a whole.
 * [https://wordpress.org/support/article/hardening-wordpress/#code-execution-plugins](https://wordpress.org/support/article/hardening-wordpress/#code-execution-plugins)
   specifically calls out this guideline and details the officially recommended way
   (have it display a page like any other and adapt it as needed for what’s being
   shown [assuming it isn’t otherwise an admin-ajax.php related function instead
   of a page-style output]) to avoid this problem.

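The fix the report proposes (serve the preview through a normal WordPress request that a hook recognises, instead of fetching a plugin PHP file by its path) looks roughly like the following. This is an added illustration written for this page, not code from the plugin or from the Titan Framework it was built on; the `kz_` function names and the `kz_font_preview` / `kz_font` query variables are hypothetical, and the Google Fonts stylesheet URL is only a stand-in for whatever the real preview loads.

```php
<?php
/**
 * Added illustration (not the plugin's or Titan Framework's code): routing a
 * font preview through WordPress instead of calling a plugin PHP file directly.
 * The "kz_" names and the "kz_font_preview" / "kz_font" query variables are
 * hypothetical.
 */

// Refuse to run when the file is fetched by URL instead of included by WordPress.
// Hardened hosts block such requests anyway; this keeps the file inert where they don't.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// --- BEFORE (the problematic pattern): a standalone file reached via
// .../wp-content/plugins/<plugin>/iframe-font-preview.php?font=... that prints
// HTML on its own. It runs outside WordPress, so no capability, nonce or
// escaping helpers are loaded, and hosts that deny direct PHP execution under
// wp-content simply break it:
//
//   <?php $font = $_GET['font']; ?>
//   <link href="https://fonts.googleapis.com/css?family=<?php echo $font; ?>" rel="stylesheet">
//   <p style="font-family:'<?php echo $font; ?>'">The quick brown fox</p>

// --- AFTER: the same preview rendered by a hook on an ordinary front-end request.

/** 1. Register the query variables so WordPress passes them through to the request. */
function kz_font_preview_query_vars( array $vars ) {
    $vars[] = 'kz_font_preview';
    $vars[] = 'kz_font';
    return $vars;
}
add_filter( 'query_vars', 'kz_font_preview_query_vars' );

/** 2. Build the iframe src from the site URL, never from a plugin file path.
 *  add_query_arg() does not encode values itself, hence rawurlencode(). */
function kz_font_preview_url( $font ) {
    return add_query_arg(
        array(
            'kz_font_preview' => 1,
            'kz_font'         => rawurlencode( $font ),
            '_wpnonce'        => wp_create_nonce( 'kz_font_preview' ),
        ),
        home_url( '/' )
    );
}

/** 3. When a request carries the query variable, emit the preview and stop. */
function kz_font_preview_render() {
    if ( '1' !== get_query_var( 'kz_font_preview' ) ) {
        return; // not a preview request: let WordPress render the page as usual
    }
    // The preview is a theme-options feature, so require that capability plus a nonce;
    // neither check was possible when the file ran outside WordPress.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    if ( ! wp_verify_nonce( isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '', 'kz_font_preview' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    // Allow only what a font family name needs (letters, digits, spaces, '+').
    $font = sanitize_text_field( wp_unslash( get_query_var( 'kz_font' ) ) );
    if ( ! preg_match( '/^[A-Za-z0-9 +]{1,64}$/', $font ) ) {
        wp_die( 'Invalid font name', '', array( 'response' => 400 ) );
    }

    status_header( 200 );
    nocache_headers();
    header( 'Content-Type: text/html; charset=utf-8' );
    header( 'X-Frame-Options: SAMEORIGIN' ); // only this site should frame the preview
    $css_url = 'https://fonts.googleapis.com/css?family=' . rawurlencode( $font );
    ?>
    <!doctype html>
    <html><head><link rel="stylesheet" href="<?php echo esc_url( $css_url ); ?>"></head>
    <body style="font-family:'<?php echo esc_attr( $font ); ?>'">The quick brown fox jumps over the lazy dog</body>
    </html>
    <?php
    exit; // stop WordPress from appending the regular template
}
add_action( 'template_redirect', 'kz_font_preview_render' );
```

The iframe in the options screen would then use `kz_font_preview_url( $font )` as its `src`. Because every request now goes through `index.php`, a host that denies direct execution of `.php` files under `wp-content` no longer affects the preview, and the handler gets WordPress's capability, nonce and escaping functions for free. The `ABSPATH` guard at the top is the usual belt-and-braces check for any plugin file that should only ever be included, not requested.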
Viewing 2 replies - 1 through 2 (of 2 total)

 * Plugin Support [Jyoti Bhandari](https://wordpress.org/support/users/jyoti197/) (@jyoti197), [5 years, 7 months ago](https://wordpress.org/support/topic/security-problem-plugin-is-calling-php-files-directly/#post-13608750)
 * Hi [@kzeni](https://wordpress.org/support/users/kzeni/),
 * Thank you for your findings. We are glad you help us to figure out such a major
   security bug.
    The file is actually calling inside a frame and all the get requests
   are happening inside the iframe with direct URL access. Due to this direct file
   request, the font preview was actually not working through the parent page URL.
   We have managed to prevent direct access to the file. We understand there are
   many other weak points in the Titan Framework (the issue belongs to it) and we
   are already looking to switch to a more stable and secure framework in the coming
   future. We have fixed this bug; please update your installed plugin to the latest
   version 1.6.1.
 * Thanks & Regards
 * Thread Starter [KZeni](https://wordpress.org/support/users/kzeni/) (@kzeni), [5 years, 3 months ago](https://wordpress.org/support/topic/security-problem-plugin-is-calling-php-files-directly/#post-14043283)
 * It appears this didn’t fix the issue & shouldn’t be marked as resolved yet.
 * I have Events Shortcodes & Templates Addon For The Events Calendar 1.7 (the latest
   version) installed on a site and I’m still seeing: [https://cloudup.com/cYaeyDJeHzW](https://cloudup.com/cYaeyDJeHzW)
 * This error message is due to Sucuri Security ([https://wordpress.org/plugins/sucuri-scanner/](https://wordpress.org/plugins/sucuri-scanner/))
   having hardening in place to prevent direct PHP file access as established by
   [https://wordpress.org/support/article/hardening-wordpress/#code-execution-plugins](https://wordpress.org/support/article/hardening-wordpress/#code-execution-plugins)
   as something developers shouldn’t be doing anyway (while then preventing external
   entities from doing that either.) It’s a fairly basic setup that should hopefully
   allow you to recreate & test against to help ensure the next update fixes this
   issue.
 * Again, the fact of the matter is that this plugin currently has things break
   when you disallow direct PHP file access to WordPress folders that shouldn’t
   need/have that type of access. There must be something else coming into play
   that the recent update didn’t address which is allowing for this problem to linger
   (both the security issue as well as the plugin breaking when reasonable [and WordPress
   recommended] security precautions are put in place.)


The topic ‘Security Problem: Plugin is calling PHP file(s) directly’ is closed to
new replies.

 * [Events Shortcodes For The Events Calendar](https://wordpress.org/plugins/template-events-calendar/)
